diff --git a/.backportrc.json b/.backportrc.json index 3dce189d671..8bfd891160c 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -1,6 +1,6 @@ { "upstream": "elastic/beats", - "branches": [{ "name": "7.9"}, { "name": "7.8"}, { "name": "7.7"}, { "name": "7.x"}], + "branches": [ { "name": "7.x", "checked": true }, "7.10", "7.9", "7.8", "7.7"], "labels": ["backport"], "autoAssign": true, "prTitle": "Cherry-pick to {targetBranch}: {commitMessages}" diff --git a/.ci/jobs/apm-beats-update.yml b/.ci/jobs/apm-beats-update.yml index 8bdc322f65a..678a9fbcd67 100644 --- a/.ci/jobs/apm-beats-update.yml +++ b/.ci/jobs/apm-beats-update.yml @@ -18,7 +18,7 @@ discover-pr-forks-trust: 'permission' discover-pr-origin: 'merge-current' discover-tags: true - head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' + head-filter-regex: '(master|7\.[x789]|7\.1\d|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' disable-pr-notifications: true notification-context: 'apm-beats-update' repo: 'beats' @@ -38,6 +38,9 @@ - regex-name: regex: '7\.[x789]' case-sensitive: true + - regex-name: + regex: '7\.1\d' + case-sensitive: true - regex-name: regex: '8\.\d+' case-sensitive: true @@ -48,7 +51,7 @@ before: true prune: true shallow-clone: true - depth: 3 + depth: 10 do-not-fetch-tags: true submodule: disable: false diff --git a/.ci/jobs/beats-release-changelog.yml b/.ci/jobs/beats-release-changelog.yml new file mode 100644 index 00000000000..1cbd94c7168 --- /dev/null +++ b/.ci/jobs/beats-release-changelog.yml @@ -0,0 +1,20 @@ +--- +- job: + name: Beats/Release/beats-release-changelog + display-name: 'Prepare the Changelog for a Release' + description: 'Automate the steps to prepare the Changelog for a Release' + view: Beats + project-type: pipeline + pipeline-scm: + script-path: release_scripts/pipeline-release-changelog.groovy + scm: + - git: + url: git@github.com:elastic/ingest-dev.git + refspec: +refs/heads/*:refs/remotes/origin/* +refs/pull/*/head:refs/remotes/origin/pr/* + wipe-workspace: 'True' + name: origin + shallow-clone: true + credentials-id: f6c7695a-671e-4f4f-a331-acdce44ff9ba + reference-repo: /var/lib/jenkins/.git-references/ingest-dev.git + branches: + - master diff --git a/.ci/jobs/beats-release-minor-major.yml b/.ci/jobs/beats-release-minor-major.yml new file mode 100644 index 00000000000..91c7d105fb8 --- /dev/null +++ b/.ci/jobs/beats-release-minor-major.yml @@ -0,0 +1,20 @@ +--- +- job: + name: Beats/Release/beats-release-minor-major + display-name: 'Prepare Major/minor Release' + description: 'Automate the steps to prepare a new Release branch' + view: Beats + project-type: pipeline + pipeline-scm: + script-path: release_scripts/pipeline-release-minor-major.groovy + scm: + - git: + url: git@github.com:elastic/ingest-dev.git + refspec: +refs/heads/*:refs/remotes/origin/* +refs/pull/*/head:refs/remotes/origin/pr/* + wipe-workspace: 'True' + name: origin + shallow-clone: true + credentials-id: f6c7695a-671e-4f4f-a331-acdce44ff9ba + reference-repo: /var/lib/jenkins/.git-references/ingest-dev.git + branches: + - master diff --git a/.ci/jobs/beats-release-patch.yml b/.ci/jobs/beats-release-patch.yml new file mode 100644 index 00000000000..4d205f79647 --- /dev/null +++ b/.ci/jobs/beats-release-patch.yml @@ -0,0 +1,20 @@ +--- +- job: + name: Beats/Release/beats-release-patch + display-name: 'Prepare Patch Release' + description: 'Automate the steps to prepare a new Patch' + view: Beats + project-type: pipeline + pipeline-scm: + script-path: release_scripts/pipeline-release-patch.groovy + scm: + - git: + url: git@github.com:elastic/ingest-dev.git + refspec: +refs/heads/*:refs/remotes/origin/* +refs/pull/*/head:refs/remotes/origin/pr/* + wipe-workspace: 'True' + name: origin + shallow-clone: true + credentials-id: f6c7695a-671e-4f4f-a331-acdce44ff9ba + reference-repo: /var/lib/jenkins/.git-references/ingest-dev.git + branches: + - master diff --git a/.ci/jobs/beats-tester.yml b/.ci/jobs/beats-tester.yml index 522abfa5e5c..808123a225e 100644 --- a/.ci/jobs/beats-tester.yml +++ b/.ci/jobs/beats-tester.yml @@ -44,7 +44,7 @@ before: true prune: true shallow-clone: true - depth: 3 + depth: 10 do-not-fetch-tags: true submodule: disable: false diff --git a/.ci/jobs/beats-windows-mbp.yml b/.ci/jobs/beats-windows-mbp.yml deleted file mode 100644 index 64efa009979..00000000000 --- a/.ci/jobs/beats-windows-mbp.yml +++ /dev/null @@ -1,56 +0,0 @@ ---- -- job: - name: Beats/beats-windows-mbp - display-name: Beats Pipeline for Windows - description: Jenkins pipeline for the Beats project running on windows agents. - view: Beats - project-type: multibranch - script-path: .ci/windows.groovy - scm: - - github: - branch-discovery: no-pr - discover-pr-forks-strategy: merge-current - discover-pr-forks-trust: permission - discover-pr-origin: merge-current - discover-tags: false - # Run MBP for the master branch and PRs - head-filter-regex: '(master|PR-.*)' - notification-context: 'beats-ci/windows' - repo: beats - repo-owner: elastic - credentials-id: github-app-beats-ci - ssh-checkout: - credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba - build-strategies: - - tags: - ignore-tags-older-than: -1 - ignore-tags-newer-than: -1 - - regular-branches: true - - change-request: - ignore-target-only-changes: true - property-strategies: - # Builds for PRs won't be triggered automatically. - # Only the master branch will be triggered automatically. - named-branches: - defaults: - - suppress-scm-triggering: true - exceptions: - - exception: - branch-name: master - properties: - - suppress-scm-triggering: false - clean: - after: true - before: true - prune: true - shallow-clone: true - depth: 4 - do-not-fetch-tags: true - submodule: - disable: false - recursive: true - parent-credentials: true - timeout: 100 - timeout: '15' - use-author: true - wipe-workspace: 'True' diff --git a/.ci/jobs/beats.yml b/.ci/jobs/beats.yml index 1e393bab6b9..27095b2fecb 100644 --- a/.ci/jobs/beats.yml +++ b/.ci/jobs/beats.yml @@ -17,7 +17,7 @@ discover-pr-forks-strategy: 'merge-current' discover-pr-forks-trust: 'permission' discover-pr-origin: 'merge-current' - head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' + head-filter-regex: '(master|7\.[x789]|7\.1\d|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' discover-tags: true notification-context: "beats-ci" repo: 'beats' @@ -38,6 +38,9 @@ - regex-name: regex: '7\.[x789]' case-sensitive: true + - regex-name: + regex: '7\.1\d' + case-sensitive: true - regex-name: regex: '8\.\d+' case-sensitive: true @@ -46,13 +49,14 @@ before: true prune: true shallow-clone: true - depth: 3 + depth: 10 do-not-fetch-tags: true submodule: disable: false recursive: true parent-credentials: true timeout: 100 + reference-repo: /var/lib/jenkins/.git-references/beats.git timeout: '15' use-author: true wipe-workspace: true diff --git a/.ci/jobs/folders.yml b/.ci/jobs/folders.yml index 60b6e3eff92..4b6cc5c4944 100644 --- a/.ci/jobs/folders.yml +++ b/.ci/jobs/folders.yml @@ -4,3 +4,8 @@ name: Beats description: Beats project-type: folder + +- job: + name: Beats/Release + description: Jobs for release preparation + project-type: folder diff --git a/.ci/jobs/golang-crossbuild-mbp.yml b/.ci/jobs/golang-crossbuild-mbp.yml index 46303790610..45175d169f6 100644 --- a/.ci/jobs/golang-crossbuild-mbp.yml +++ b/.ci/jobs/golang-crossbuild-mbp.yml @@ -31,7 +31,7 @@ before: true prune: true shallow-clone: true - depth: 4 + depth: 10 do-not-fetch-tags: true submodule: disable: false diff --git a/.ci/jobs/packaging.yml b/.ci/jobs/packaging.yml index 0dce4d4672b..baa3ce45035 100644 --- a/.ci/jobs/packaging.yml +++ b/.ci/jobs/packaging.yml @@ -14,7 +14,7 @@ discover-pr-forks-trust: 'permission' discover-pr-origin: 'merge-current' discover-tags: true - head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' + head-filter-regex: '(master|7\.[x789]|7\.1\d|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' disable-pr-notifications: true notification-context: 'beats-packaging' repo: 'beats' @@ -34,6 +34,9 @@ - regex-name: regex: '7\.[x789]' case-sensitive: true + - regex-name: + regex: '7\.1\d' + case-sensitive: true - regex-name: regex: '8\.\d+' case-sensitive: true @@ -44,7 +47,7 @@ before: true prune: true shallow-clone: true - depth: 3 + depth: 10 do-not-fetch-tags: true submodule: disable: false diff --git a/.ci/packaging.groovy b/.ci/packaging.groovy index 2be78aac68f..9087cf48de4 100644 --- a/.ci/packaging.groovy +++ b/.ci/packaging.groovy @@ -5,12 +5,14 @@ pipeline { agent none environment { - BASE_DIR = 'src/github.com/elastic/beats' + REPO = 'beats' + BASE_DIR = "src/github.com/elastic/${env.REPO}" JOB_GCS_BUCKET = 'beats-ci-artifacts' JOB_GCS_BUCKET_STASH = 'beats-ci-temp' JOB_GCS_CREDENTIALS = 'beats-ci-gcs-plugin' DOCKERELASTIC_SECRET = 'secret/observability-team/ci/docker-registry/prod' DOCKER_REGISTRY = 'docker.elastic.co' + GITHUB_CHECK_E2E_TESTS_NAME = 'E2E Tests' SNAPSHOT = "true" PIPELINE_LOG_LEVEL = "INFO" } @@ -119,6 +121,7 @@ pipeline { release() pushCIDockerImages() } + runE2ETestForPackages() } } stage('Package Mac OS'){ @@ -195,17 +198,49 @@ def tagAndPush(name){ tagName = "pr-${env.CHANGE_ID}" } - def oldName = "${DOCKER_REGISTRY}/beats/${name}:${libbetaVer}" - def newName = "${DOCKER_REGISTRY}/observability-ci/${name}:${tagName}" - def commitName = "${DOCKER_REGISTRY}/observability-ci/${name}:${env.GIT_BASE_COMMIT}" dockerLogin(secret: "${DOCKERELASTIC_SECRET}", registry: "${DOCKER_REGISTRY}") - retry(3){ - sh(label:'Change tag and push', script: """ - docker tag ${oldName} ${newName} - docker push ${newName} - docker tag ${oldName} ${commitName} - docker push ${commitName} - """) + + // supported image flavours + def variants = ["", "-oss", "-ubi8"] + variants.each { variant -> + def oldName = "${DOCKER_REGISTRY}/beats/${name}${variant}:${libbetaVer}" + def newName = "${DOCKER_REGISTRY}/observability-ci/${name}${variant}:${tagName}" + def commitName = "${DOCKER_REGISTRY}/observability-ci/${name}${variant}:${env.GIT_BASE_COMMIT}" + + def iterations = 0 + retryWithSleep(retries: 3, seconds: 5, backoff: true) + iterations++ + def status = sh(label:'Change tag and push', script: """ + docker tag ${oldName} ${newName} + docker push ${newName} + docker tag ${oldName} ${commitName} + docker push ${commitName} + """, returnStatus: true) + + if ( status > 0 && iterations < 3) { + error('tag and push failed, retry') + } else if ( status > 0 ) { + log(level: 'WARN', text: "${name} doesn't have ${variant} docker images. See https://github.com/elastic/beats/pull/21621") + } + } +} + +def runE2ETestForPackages(){ + def suite = '' + + catchError(buildResult: 'UNSTABLE', message: 'Unable to run e2e tests', stageResult: 'FAILURE') { + if ("${env.BEATS_FOLDER}" == "filebeat" || "${env.BEATS_FOLDER}" == "x-pack/filebeat") { + suite = 'helm,fleet' + } else if ("${env.BEATS_FOLDER}" == "metricbeat" || "${env.BEATS_FOLDER}" == "x-pack/metricbeat") { + suite = '' + } else if ("${env.BEATS_FOLDER}" == "x-pack/elastic-agent") { + suite = 'fleet' + } else { + echo("Skipping E2E tests for ${env.BEATS_FOLDER}.") + return + } + + triggerE2ETests(suite) } } @@ -218,6 +253,38 @@ def release(){ } } +def triggerE2ETests(String suite) { + echo("Triggering E2E tests for ${env.BEATS_FOLDER}. Test suite: ${suite}.") + + def branchName = isPR() ? "${env.CHANGE_TARGET}" : "${env.JOB_BASE_NAME}" + def e2eTestsPipeline = "e2e-tests/e2e-testing-mbp/${branchName}" + + def parameters = [ + booleanParam(name: 'forceSkipGitChecks', value: true), + booleanParam(name: 'forceSkipPresubmit', value: true), + booleanParam(name: 'notifyOnGreenBuilds', value: !isPR()), + string(name: 'runTestsSuites', value: suite), + string(name: 'GITHUB_CHECK_NAME', value: env.GITHUB_CHECK_E2E_TESTS_NAME), + string(name: 'GITHUB_CHECK_REPO', value: env.REPO), + string(name: 'GITHUB_CHECK_SHA1', value: env.GIT_BASE_COMMIT), + ] + if (isPR()) { + def version = "pr-${env.CHANGE_ID}" + parameters.push(booleanParam(name: 'USE_CI_SNAPSHOTS', value: true)) + parameters.push(string(name: 'ELASTIC_AGENT_VERSION', value: "${version}")) + parameters.push(string(name: 'METRICBEAT_VERSION', value: "${version}")) + } + + build(job: "${e2eTestsPipeline}", + parameters: parameters, + propagate: false, + wait: false + ) + + def notifyContext = "${env.GITHUB_CHECK_E2E_TESTS_NAME} for ${env.BEATS_FOLDER}" + githubNotify(context: "${notifyContext}", description: "${notifyContext} ...", status: 'PENDING', targetUrl: "${env.JENKINS_URL}search/?q=${e2eTestsPipeline.replaceAll('/','+')}") +} + def withMacOSEnv(Closure body){ withEnvMask( vars: [ [var: "KEYCHAIN_PASS", password: getVaultSecret(secret: "secret/jenkins-ci/macos-codesign-keychain").data.password], diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index b0b31734005..c4d0f48005f 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -3,6 +3,47 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-7.9.2]] +=== Beats version 7.9.2 +https://github.com/elastic/beats/compare/v7.9.1...v7.9.2[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898] + +==== Bugfixes + +*Affecting all Beats* + +- Explicitly detect missing variables in autodiscover configuration, log them at the debug level. {issue}20568[20568] {pull}20898[20898] +- Fix `libbeat.output.write.bytes` and `libbeat.output.read.bytes` metrics of the Elasticsearch output. {issue}20752[20752] {pull}21197[21197] + +*Filebeat* + +- Provide backwards compatibility for the `set` processor when Elasticsearch is less than 7.9.0. {pull}20908[20908] +- Fix an error updating file size being logged when EOF is reached. {pull}21048[21048] +- Fix error when processing AWS Cloudtrail Digest logs. {pull}21086[21086] {issue}20943[20943] + +*Metricbeat* + +- The Kibana collector applies backoff when errored at getting usage stats {pull}20772[20772] +- The `elasticsearch/index` metricset only requests wildcard expansion for hidden indices if the monitored Elasticsearch cluster supports it. {pull}20938[20938] +- Fix panic index out of range error when getting AWS account name. {pull}21101[21101] {issue}21095[21095] +- Handle missing counters in the application_pool metricset. {pull}21071[21071] + +*Functionbeat* + +- Do not need Google credentials if not required for the operation. {issue}17329[17329] {pull}21072[21072] +- Fix dependency issues of GCP functions. {issue}20830[20830] {pull}21070[21070] + +==== Added + +*Affecting all Beats* + +- Add container ECS fields in kubernetes metadata. {pull}20984[20984] + [[release-notes-7.9.1]] === Beats version 7.9.1 https://github.com/elastic/beats/compare/v7.9.0...v7.9.1[View commits] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 67cac68940c..660fa25a10d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -22,6 +22,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added `certificate` TLS verification mode to ignore server name mismatch. {issue}12283[12283] {pull}20293[20293] - Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898] - Remove redundant `cloudfoundry.*.timestamp` fields. This value is set in `@timestamp`. {pull}21175[21175] +- Allow embedding of CAs, Certificate of private keys for anything that support TLS in ouputs and inputs https://github.com/elastic/beats/pull/21179 +- Update to Golang 1.12.1. {pull}11330[11330] +- Disable Alibaba Cloud and Tencent Cloud metadata providers by default. {pull}13812[12812] *Auditbeat* @@ -29,6 +32,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685] - Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695] - Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202] +- File integrity dataset no longer includes the leading dot in `file.extension` values (e.g. it will report "png" instead of ".png") to comply with ECS. {pull}21644[21644] *Filebeat* @@ -73,6 +77,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix PANW field spelling "veredict" to "verdict" on event.action {pull}18808[18808] - Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706] - Add support for GMT timezone offsets in `decode_cef`. {pull}20993[20993] +- Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547] *Heartbeat* @@ -89,6 +94,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Move service config under metrics and simplify metric types. {pull}18691[18691] - Fix ECS compliance of user.id field in system/users metricset {pull}19019[19019] - Rename googlecloud stackdriver metricset to metrics. {pull}19718[19718] +- Remove "invalid zero" metrics on Windows and Darwin, don't report linux-only memory and diskio metrics when running under agent. {pull}21457[21457] *Packetbeat* @@ -174,6 +180,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - [Autodiscover] Handle input-not-finished errors in config reload. {pull}20915[20915] - Explicitly detect missing variables in autodiscover configuration, log them at the debug level. {issue}20568[20568] {pull}20898[20898] - Fix `libbeat.output.write.bytes` and `libbeat.output.read.bytes` metrics of the Elasticsearch output. {issue}20752[20752] {pull}21197[21197] +- The `o365input` and `o365` module now recover from an authentication problem or other fatal errors, instead of terminating. {pull}21259[21258] +- Orderly close processors when processing pipelines are not needed anymore to release their resources. {pull}16349[16349] *Auditbeat* @@ -189,6 +197,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - auditd: Fix typo in `event.action` of `removed-user-role-from`. {pull}19300[19300] - auditd: Fix typo in `event.action` of `used-suspicious-link`. {pull}19300[19300] - system/socket: Fix kprobe grouping to allow running more than one instance. {pull}20325[20325] +- system/socket: Fixed a crash due to concurrent map read and write. {issue}21192[21192] {pull}21690[21690] *Filebeat* @@ -267,7 +276,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove wrongly mapped `tls.client.server_name` from `fortinet/firewall` fileset. {pull}20983[20983] - Fix an error updating file size being logged when EOF is reached. {pull}21048[21048] - Fix error when processing AWS Cloudtrail Digest logs. {pull}21086[21086] {issue}20943[20943] +- Handle multiple upstreams in ingress-controller. {pull}21215[21215] - Provide backwards compatibility for the `append` processor when Elasticsearch is less than 7.10.0. {pull}21159[21159] +- Fix checkpoint module when logs contain time field. {pull}20567[20567] +- Add field limit check for AWS Cloudtrail flattened fields. {pull}21388[21388] {issue}21382[21382] *Heartbeat* @@ -341,6 +353,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add missing info about the rest of the azure metricsets in the documentation. {pull}19601[19601] - Fix k8s scheduler compatibility issue. {pull}19699[19699] - Fix SQL module mapping NULL values as string {pull}18955[18955] {issue}18898[18898 +- Add support for azure light metricset app_stats. {pull}20639[20639] - Fix ec2 disk and network metrics to use Sum statistic method. {pull}20680[20680] - Fill cloud.account.name with accountID if account alias doesn't exist. {pull}20736[20736] - The Kibana collector applies backoff when errored at getting usage stats {pull}20772[20772] @@ -352,6 +365,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix timestamp handling in remote_write. {pull}21166[21166] - Fix remote_write flaky test. {pull}21173[21173] - Visualization title fixes in aws, azure and googlecloud compute dashboards. {pull}21098[21098] +- Add a switch to the driver definition on SQL module to use pretty names {pull}17378[17378] +- Use timestamp from CloudWatch API when creating events. {pull}21498[21498] *Packetbeat* @@ -363,6 +378,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix invalid IP addresses in DNS query results from Sysmon data. {issue}18432[18432] {pull}18436[18436] - Fields from Winlogbeat modules were not being included in index templates and patterns. {pull}18983[18983] +- Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627] *Functionbeat* @@ -437,7 +453,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added experimental dataset `juniper/netscreen`. {pull}20820[20820] - Added experimental dataset `sophos/utm`. {pull}20820[20820] - Add Cloud Foundry tags in related events. {pull}21177[21177] +- Cloud Foundry metadata is cached to disk. {pull}20775[20775] - Add option to select the type of index template to load: legacy, component, index. {pull}21212[21212] +- Add istiod metricset. {pull}21519[21519] +- Release `add_cloudfoundry_metadata` as GA. {pull}21525[21525] +- Add support for OpenStack SSL metadata APIs in `add_cloud_metadata`. {pull}21590[21590] *Auditbeat* @@ -592,6 +612,14 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add type and sub_type to panw panos fileset {pull}20912[20912] - Always attempt community_id processor on zeek module {pull}21155[21155] - Add related.hosts ecs field to all modules {pull}21160[21160] +- Keep cursor state between httpjson input restarts {pull}20751[20751] +- Convert aws s3 to v2 input {pull}20005[20005] +- Add support for additional fields from V2 ALB logs. {pull}21540[21540] +- Release Cloud Foundry input as GA. {pull}21525[21525] +- New Cisco Umbrella dataset {pull}21504[21504] +- New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017] +- Adding support for Microsoft 365 Defender (Microsoft Threat Protection) {pull}21446[21446] +- Adding support for FIPS in s3 input {pull}21446[21446] *Heartbeat* @@ -711,12 +739,17 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add billing data collection from Cost Explorer into aws billing metricset. {pull}20527[20527] {issue}20103[20103] - Migrate `compute_vm` metricset to a light one, map `cloud.instance.id` field. {pull}20889[20889] - Request prometheus endpoints to be gzipped by default {pull}20766[20766] +- Add latency config parameter into aws module. {pull}20875[20875] - Release all kubernetes `state` metricsets as GA {pull}20901[20901] - Add billing metricset into googlecloud module. {pull}20812[20812] {issue}20738[20738] - Move `compute_vm_scaleset` to light metricset. {pull}21038[21038] {issue}20985[20985] - Sanitize `event.host`. {pull}21022[21022] - Add overview and platform health dashboards to Cloud Foundry module. {pull}21124[21124] - Release lambda metricset in aws module as GA. {issue}21251[21251] {pull}21255[21255] +- Add dashboard for pubsub metricset in googlecloud module. {pull}21326[21326] {issue}17137[17137] +- Move Prometheus query & remote_write to GA. {pull}21507[21507] +- Expand unsupported option from namespace to metrics in the azure module. {pull}21486[21486] +- Map cloud data filed `cloud.account.id` to azure subscription. {pull}21483[21483] {issue}21381[21381] *Packetbeat* @@ -725,6 +758,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d port. {pull}19209[19209] - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167] - Add 100-continue support {issue}15830[15830] {pull}19349[19349] +- Add initial SIP protocol support {pull}21221[21221] *Functionbeat* diff --git a/Jenkinsfile b/Jenkinsfile index e7f91ef95e5..17041987b27 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -12,7 +12,8 @@ pipeline { agent { label 'ubuntu-18 && immutable' } environment { AWS_ACCOUNT_SECRET = 'secret/observability-team/ci/elastic-observability-aws-account-auth' - BASE_DIR = 'src/github.com/elastic/beats' + REPO = 'beats' + BASE_DIR = "src/github.com/elastic/${env.REPO}" DOCKERELASTIC_SECRET = 'secret/observability-team/ci/docker-registry/prod' DOCKER_COMPOSE_VERSION = "1.21.0" DOCKER_REGISTRY = 'docker.elastic.co' @@ -21,7 +22,9 @@ pipeline { JOB_GCS_CREDENTIALS = 'beats-ci-gcs-plugin' OSS_MODULE_PATTERN = '^[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' PIPELINE_LOG_LEVEL = 'INFO' + PYTEST_ADDOPTS = "${params.PYTEST_ADDOPTS}" RUNBLD_DISABLE_NOTIFICATIONS = 'true' + SLACK_CHANNEL = "#beats-build" TERRAFORM_VERSION = "0.12.24" XPACK_MODULE_PATTERN = '^x-pack\\/[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' } @@ -44,6 +47,7 @@ pipeline { string(name: 'awsRegion', defaultValue: 'eu-central-1', description: 'Default AWS region to use for testing.') booleanParam(name: 'runAllStages', defaultValue: false, description: 'Allow to run all stages.') booleanParam(name: 'macosTest', defaultValue: false, description: 'Allow macOS stages.') + string(name: 'PYTEST_ADDOPTS', defaultValue: '', description: 'Additional options to pass to pytest. Use PYTEST_ADDOPTS="-k pattern" to only run tests matching the specified pattern. For retries you can use `--reruns 3 --reruns-delay 15`') } stages { stage('Checkout') { @@ -70,7 +74,7 @@ pipeline { } steps { withGithubNotify(context: 'Lint') { - withBeatsEnv(archive: true) { + withBeatsEnv(archive: true, id: 'lint') { dumpVariables() cmd(label: 'make check', script: 'make check') } @@ -104,26 +108,21 @@ pipeline { mapParallelTasks["${k}"] = v } } + notifyBuildReason() parallel(mapParallelTasks) } } } - post { - always { - dir("${BASE_DIR}"){ - // Archive the markdown files that contain the build reasons - archiveArtifacts(allowEmptyArchive: false, artifacts: 'build-reasons/*.md') - } - } - } } } post { always { - runbld() + deleteDir() + unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") + runbld(stashedTestReports: stashedTestReports, project: env.REPO) } cleanup { - notifyBuildResult(prComment: true) + notifyBuildResult(prComment: true, slackComment: true, slackNotify: (isBranch() || isTag())) } } } @@ -266,8 +265,8 @@ def withBeatsEnv(Map args = [:], Closure body) { // See https://github.com/elastic/beats/issues/17787. sh(label: 'check git config', script: ''' if [ -z "$(git config --get user.email)" ]; then - git config user.email "beatsmachine@users.noreply.github.com" - git config user.name "beatsmachine" + git config --global user.email "beatsmachine@users.noreply.github.com" + git config --global user.name "beatsmachine" fi''') } try { @@ -346,8 +345,13 @@ def archiveTestOutput(Map args = [:]) { } cmd(label: 'Prepare test output', script: 'python .ci/scripts/pre_archive_test.py') dir('build') { - junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: args.testResults, id: args.id) - archiveArtifacts(allowEmptyArchive: true, artifacts: args.artifacts) + if (isUnix()) { + cmd(label: 'Delete folders that are causing exceptions (See JENKINS-58421)', + returnStatus: true, + script: 'rm -rf ve || true; find . -type d -name vendor -exec rm -r {} \\;') + } else { log(level: 'INFO', text: 'Delete folders that are causing exceptions (See JENKINS-58421) is disabled for Windows.') } + junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: args.testResults, stashedTestReports: stashedTestReports, id: args.id) + tar(file: "test-build-artifacts-${args.id}.tgz", dir: '.', archive: true, allowMissing: true) } catchError(buildResult: 'SUCCESS', message: 'Failed to archive the build test results', stageResult: 'SUCCESS') { def folder = cmd(label: 'Find system-tests', returnStdout: true, script: 'python .ci/scripts/search_system_tests.py').trim() @@ -360,50 +364,6 @@ def archiveTestOutput(Map args = [:]) { } } -/** -* This method wraps the junit built-in step to archive the test reports that gonna be populated later on -* with the runbld post build step. -*/ -def junitAndStore(Map args = [:]) { - junit(args) - // args.id could be null in some cases, so let's use the currentmilliseconds - def stageName = args.id ? args.id?.replaceAll("[\\W]|_",'-') : "uncategorized-${new java.util.Date().getTime()}" - stash(includes: args.testResults, allowEmpty: true, name: stageName, useDefaultExcludes: true) - stashedTestReports[stageName] = stageName -} - -/** -* This method populates the test output using the runbld approach. For such it requires the -* global variable stashedTestReports. -* TODO: should be moved to the shared library -*/ -def runbld() { - catchError(buildResult: 'SUCCESS', message: 'runbld post build action failed.') { - if (stashedTestReports) { - def jobName = isPR() ? 'elastic+beats+pull-request' : 'elastic+beats' - deleteDir() - unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") - dir("${env.BASE_DIR}") { - // Unstash the test reports - stashedTestReports.each { k, v -> - dir(k) { - unstash(v) - } - } - } - sh(label: 'Process JUnit reports with runbld', - script: """\ - ## for debugging purposes - find . -name "TEST-*.xml" - cat >./runbld-script < @@ -10907,6 +11093,36 @@ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +-------------------------------------------------------------------------------- +Dependency : github.com/blakerouse/service +Version: v1.1.1-0.20200924160513-057808572ffa +Licence type (autodetected): Zlib +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/blakerouse/service@v1.1.1-0.20200924160513-057808572ffa/LICENSE: + +Copyright (c) 2015 Daniel Theophanes + +This software is provided 'as-is', without any express or implied +warranty. In no event will the authors be held liable for any damages +arising from the use of this software. + +Permission is granted to anyone to use this software for any purpose, +including commercial applications, and to alter it and redistribute it +freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + + 3. This notice may not be removed or altered from any source + distribution. + + -------------------------------------------------------------------------------- Dependency : github.com/lib/pq Version: v1.1.2-0.20190507191818-2ff3cb3adc01 @@ -11843,6 +12059,37 @@ Contents of probable licence file $GOMODCACHE/github.com/oklog/ulid@v1.3.1/LICEN limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/otiai10/copy +Version: v1.2.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/otiai10/copy@v1.2.0/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2018 otiai10 + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/pierrre/gotestcover Version: v0.0.0-20160517101806-924dca7d15f0 @@ -13005,11 +13252,11 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- Dependency : github.com/spf13/cobra -Version: v0.0.3 +Version: v0.0.5 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/spf13/cobra@v0.0.3/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/spf13/cobra@v0.0.5/LICENSE.txt: Apache License Version 2.0, January 2004 @@ -13331,6 +13578,38 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-------------------------------------------------------------------------------- +Dependency : github.com/ugorji/go/codec +Version: v1.1.8 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/ugorji/go/codec@v1.1.8/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2012-2015 Ugorji Nwoke. +All rights reserved. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/urso/sderr Version: v0.0.0-20200210124243-c2a16f3d43ec @@ -19421,6 +19700,43 @@ Contents of probable licence file $GOMODCACHE/github.com/!burnt!sushi/xgb@v0.0.0 // such litigation is filed. +-------------------------------------------------------------------------------- +Dependency : github.com/DataDog/zstd +Version: v1.4.1 +Licence type (autodetected): BSD-3-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!data!dog/zstd@v1.4.1/LICENSE: + +Simplified BSD License + +Copyright (c) 2016, Datadog +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + * Neither the name of the copyright holder nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + -------------------------------------------------------------------------------- Dependency : github.com/Masterminds/semver Version: v1.4.2 @@ -19504,6 +19820,203 @@ See the License for the specific language governing permissions and limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/OneOfOne/xxhash +Version: v1.2.2 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!one!of!one/xxhash@v1.2.2/LICENSE: + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + -------------------------------------------------------------------------------- Dependency : github.com/PuerkitoBio/purell Version: v1.0.0 @@ -19742,42 +20255,1262 @@ SOFTWARE. -------------------------------------------------------------------------------- -Dependency : github.com/armon/go-radix -Version: v1.0.0 -Licence type (autodetected): MIT +Dependency : github.com/armon/consul-api +Version: v0.0.0-20180202201655-eb2c6b5be1b6 +Licence type (autodetected): MPL-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/armon/go-radix@v1.0.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/armon/consul-api@v0.0.0-20180202201655-eb2c6b5be1b6/LICENSE: -The MIT License (MIT) +Mozilla Public License, version 2.0 -Copyright (c) 2014 Armon Dadgar +1. Definitions -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: +1.1. "Contributor" -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +1.2. "Contributor Version" + + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor's Contribution. +1.3. "Contribution" --------------------------------------------------------------------------------- -Dependency : github.com/awslabs/goformation/v3 -Version: v3.1.0 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- + means Covered Software of a particular Contributor. -Contents of probable licence file $GOMODCACHE/github.com/awslabs/goformation/v3@v3.1.0/LICENSE: +1.4. "Covered Software" + + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the terms of + a Secondary License. + +1.6. "Executable Form" + + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + + means a work that combines Covered Software with other material, in a + separate file or files, that is not Covered Software. + +1.8. "License" + + means this document. + +1.9. "Licensable" + + means having the right to grant, to the maximum extent possible, whether + at the time of the initial grant or subsequently, any and all of the + rights conveyed by this License. + +1.10. "Modifications" + + means any of the following: + + a. any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. "Patent Claims" of a Contributor + + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the License, + by the making, using, selling, offering for sale, having made, import, + or transfer of either its Contributions or its Contributor Version. + +1.12. "Secondary License" + + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. "Source Code Form" + + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, "control" means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution + become effective for each Contribution on the date the Contributor first + distributes such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under + this License. No additional rights or licenses will be implied from the + distribution or licensing of Covered Software under this License. + Notwithstanding Section 2.1(b) above, no patent license is granted by a + Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of + its Contributions. + + This License does not grant any rights in the trademarks, service marks, + or logos of any Contributor (except as may be necessary to comply with + the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this + License (see Section 10.2) or under the terms of a Secondary License (if + permitted under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its + Contributions are its original creation(s) or it has sufficient rights to + grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under + applicable copyright doctrines of fair use, fair dealing, or other + equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under + the terms of this License. You must inform recipients that the Source + Code Form of the Covered Software is governed by the terms of this + License, and how they can obtain a copy of this License. You may not + attempt to alter or restrict the recipients' rights in the Source Code + Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter the + recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for + the Covered Software. If the Larger Work is a combination of Covered + Software with a work governed by one or more Secondary Licenses, and the + Covered Software is not Incompatible With Secondary Licenses, this + License permits You to additionally distribute such Covered Software + under the terms of such Secondary License(s), so that the recipient of + the Larger Work may, at their option, further distribute the Covered + Software under the terms of either this License or such Secondary + License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices + (including copyright notices, patent notices, disclaimers of warranty, or + limitations of liability) contained within the Source Code Form of the + Covered Software, except that You may alter any license notices to the + extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on + behalf of any Contributor. You must make it absolutely clear that any + such warranty, support, indemnity, or liability obligation is offered by + You alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, + judicial order, or regulation then You must: (a) comply with the terms of + this License to the maximum extent possible; and (b) describe the + limitations and the code they affect. Such description must be placed in a + text file included with all distributions of the Covered Software under + this License. Except to the extent prohibited by statute or regulation, + such description must be sufficiently detailed for a recipient of ordinary + skill to be able to understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing + basis, if such Contributor fails to notify You of the non-compliance by + some reasonable means prior to 60 days after You have come back into + compliance. Moreover, Your grants from a particular Contributor are + reinstated on an ongoing basis if such Contributor notifies You of the + non-compliance by some reasonable means, this is the first time You have + received notice of non-compliance with this License from such + Contributor, and You become compliant prior to 30 days after Your receipt + of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, + counter-claims, and cross-claims) alleging that a Contributor Version + directly or indirectly infringes any patent, then the rights granted to + You by any and all Contributors for the Covered Software under Section + 2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an "as is" basis, + without warranty of any kind, either expressed, implied, or statutory, + including, without limitation, warranties that the Covered Software is free + of defects, merchantable, fit for a particular purpose or non-infringing. + The entire risk as to the quality and performance of the Covered Software + is with You. Should any Covered Software prove defective in any respect, + You (not any Contributor) assume the cost of any necessary servicing, + repair, or correction. This disclaimer of warranty constitutes an essential + part of this License. No use of any Covered Software is authorized under + this License except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from + such party's negligence to the extent applicable law prohibits such + limitation. Some jurisdictions do not allow the exclusion or limitation of + incidental or consequential damages, so this exclusion and limitation may + not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts + of a jurisdiction where the defendant maintains its principal place of + business and such litigation shall be governed by laws of that + jurisdiction, without reference to its conflict-of-law provisions. Nothing + in this Section shall prevent a party's ability to bring cross-claims or + counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject + matter hereof. If any provision of this License is held to be + unenforceable, such provision shall be reformed only to the extent + necessary to make it enforceable. Any law or regulation which provides that + the language of a contract shall be construed against the drafter shall not + be used to construe this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version + of the License under which You originally received the Covered Software, + or under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a + modified version of this License if you rename the license and remove + any references to the name of the license steward (except to note that + such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary + Licenses If You choose to distribute Source Code Form that is + Incompatible With Secondary Licenses under the terms of this version of + the License, the notice described in Exhibit B of this License must be + attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, +then You may include the notice in a location (such as a LICENSE file in a +relevant directory) where a recipient would be likely to look for such a +notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice + + This Source Code Form is "Incompatible + With Secondary Licenses", as defined by + the Mozilla Public License, v. 2.0. + +-------------------------------------------------------------------------------- +Dependency : github.com/armon/go-radix +Version: v1.0.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/armon/go-radix@v1.0.0/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2014 Armon Dadgar + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +-------------------------------------------------------------------------------- +Dependency : github.com/awslabs/goformation/v3 +Version: v3.1.0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/awslabs/goformation/v3@v3.1.0/LICENSE: + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + +-------------------------------------------------------------------------------- +Dependency : github.com/beorn7/perks +Version: v1.0.1 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/beorn7/perks@v1.0.1/LICENSE: + +Copyright (C) 2013 Blake Mizerany + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +-------------------------------------------------------------------------------- +Dependency : github.com/blang/semver +Version: v3.1.0+incompatible +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/blang/semver@v3.1.0+incompatible/LICENSE: + +The MIT License + +Copyright (c) 2014 Benedikt Lang + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + + +-------------------------------------------------------------------------------- +Dependency : github.com/bradleyfalzon/ghinstallation +Version: v1.1.0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/bradleyfalzon/ghinstallation@v1.1.0/LICENSE: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2019 ghinstallation AUTHORS + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + +-------------------------------------------------------------------------------- +Dependency : github.com/cavaliercoder/badio +Version: v0.0.0-20160213150051-ce5280129e9e +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/cavaliercoder/badio@v0.0.0-20160213150051-ce5280129e9e/LICENSE: + +Copyright (c) 2015 Ryan Armstrong + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +-------------------------------------------------------------------------------- +Dependency : github.com/census-instrumentation/opencensus-proto +Version: v0.2.1 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/census-instrumentation/opencensus-proto@v0.2.1/LICENSE: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + +-------------------------------------------------------------------------------- +Dependency : github.com/cespare/xxhash +Version: v1.1.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/cespare/xxhash@v1.1.0/LICENSE.txt: + +Copyright (c) 2016 Caleb Spare + +MIT License + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +-------------------------------------------------------------------------------- +Dependency : github.com/chzyer/logex +Version: v1.1.10 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +No licence file provided. + +-------------------------------------------------------------------------------- +Dependency : github.com/chzyer/readline +Version: v0.0.0-20180603132655-2972be24d48e +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/chzyer/readline@v0.0.0-20180603132655-2972be24d48e/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2015 Chzyer + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + +-------------------------------------------------------------------------------- +Dependency : github.com/chzyer/test +Version: v0.0.0-20180213035817-a1ea475d72b1 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/chzyer/test@v0.0.0-20180213035817-a1ea475d72b1/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2016 chzyer + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + +-------------------------------------------------------------------------------- +Dependency : github.com/client9/misspell +Version: v0.3.4 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/client9/misspell@v0.3.4/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2015-2017 Nick Galbreath + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + +-------------------------------------------------------------------------------- +Dependency : github.com/cncf/udpa/go +Version: v0.0.0-20191209042840-269d4d468f6f +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/cncf/udpa/go@v0.0.0-20191209042840-269d4d468f6f/LICENSE: Apache License Version 2.0, January 2004 @@ -19959,7 +21692,7 @@ Contents of probable licence file $GOMODCACHE/github.com/awslabs/goformation/v3@ APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" + boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a @@ -19967,7 +21700,7 @@ Contents of probable licence file $GOMODCACHE/github.com/awslabs/goformation/v3@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright {yyyy} {name of copyright owner} + Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -19983,75 +21716,42 @@ Contents of probable licence file $GOMODCACHE/github.com/awslabs/goformation/v3@ -------------------------------------------------------------------------------- -Dependency : github.com/beorn7/perks -Version: v1.0.1 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/beorn7/perks@v1.0.1/LICENSE: - -Copyright (C) 2013 Blake Mizerany - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - - --------------------------------------------------------------------------------- -Dependency : github.com/blang/semver -Version: v3.1.0+incompatible +Dependency : github.com/codegangsta/inject +Version: v0.0.0-20150114235600-33e0aa1cb7c0 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/blang/semver@v3.1.0+incompatible/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/codegangsta/inject@v0.0.0-20150114235600-33e0aa1cb7c0/LICENSE: -The MIT License +The MIT License (MIT) -Copyright (c) 2014 Benedikt Lang +Copyright (c) 2013 Jeremy Saenz -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- -Dependency : github.com/bradleyfalzon/ghinstallation -Version: v1.1.0 +Dependency : github.com/containerd/cgroups +Version: v0.0.0-20190919134610-bf292b21730f Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/bradleyfalzon/ghinstallation@v1.1.0/LICENSE: - +Contents of probable licence file $GOMODCACHE/github.com/containerd/cgroups@v0.0.0-20190919134610-bf292b21730f/LICENSE: Apache License Version 2.0, January 2004 @@ -20230,7 +21930,18 @@ Contents of probable licence file $GOMODCACHE/github.com/bradleyfalzon/ghinstall END OF TERMS AND CONDITIONS - Copyright 2019 ghinstallation AUTHORS + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -20246,41 +21957,12 @@ Contents of probable licence file $GOMODCACHE/github.com/bradleyfalzon/ghinstall -------------------------------------------------------------------------------- -Dependency : github.com/cavaliercoder/badio -Version: v0.0.0-20160213150051-ce5280129e9e -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/cavaliercoder/badio@v0.0.0-20160213150051-ce5280129e9e/LICENSE: - -Copyright (c) 2015 Ryan Armstrong - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - - --------------------------------------------------------------------------------- -Dependency : github.com/census-instrumentation/opencensus-proto -Version: v0.2.1 +Dependency : github.com/containerd/console +Version: v0.0.0-20180822173158-c12b1e7919c1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/census-instrumentation/opencensus-proto@v0.2.1/LICENSE: - +Contents of probable licence file $GOMODCACHE/github.com/containerd/console@v0.0.0-20180822173158-c12b1e7919c1/LICENSE: Apache License Version 2.0, January 2004 @@ -20486,119 +22168,218 @@ Contents of probable licence file $GOMODCACHE/github.com/census-instrumentation/ -------------------------------------------------------------------------------- -Dependency : github.com/chzyer/logex -Version: v1.1.10 -Licence type (autodetected): MIT +Dependency : github.com/containerd/containerd +Version: v1.3.3 +Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -No licence file provided. +Contents of probable licence file $GOMODCACHE/github.com/containerd/containerd@v1.3.3/LICENSE: --------------------------------------------------------------------------------- -Dependency : github.com/chzyer/readline -Version: v0.0.0-20180603132655-2972be24d48e -Licence type (autodetected): MIT --------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/chzyer/readline@v0.0.0-20180603132655-2972be24d48e/LICENSE: + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ -The MIT License (MIT) + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION -Copyright (c) 2015 Chzyer + 1. Definitions. -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. --------------------------------------------------------------------------------- -Dependency : github.com/chzyer/test -Version: v0.0.0-20180213035817-a1ea475d72b1 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. -Contents of probable licence file $GOMODCACHE/github.com/chzyer/test@v0.0.0-20180213035817-a1ea475d72b1/LICENSE: + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). -The MIT License (MIT) + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. -Copyright (c) 2016 chzyer + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: --------------------------------------------------------------------------------- -Dependency : github.com/client9/misspell -Version: v0.3.4 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and -Contents of probable licence file $GOMODCACHE/github.com/client9/misspell@v0.3.4/LICENSE: + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and -The MIT License (MIT) + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and -Copyright (c) 2015-2017 Nick Galbreath + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright The containerd Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. -------------------------------------------------------------------------------- -Dependency : github.com/cncf/udpa/go -Version: v0.0.0-20191209042840-269d4d468f6f +Dependency : github.com/containerd/continuity +Version: v0.0.0-20200107194136-26c1120b8d41 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/cncf/udpa/go@v0.0.0-20191209042840-269d4d468f6f/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/containerd/continuity@v0.0.0-20200107194136-26c1120b8d41/LICENSE: + Apache License Version 2.0, January 2004 - http://www.apache.org/licenses/ + https://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION @@ -20773,24 +22554,13 @@ Contents of probable licence file $GOMODCACHE/github.com/cncf/udpa/go@v0.0.0-201 END OF TERMS AND CONDITIONS - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] + Copyright The containerd Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, @@ -20800,42 +22570,12 @@ Contents of probable licence file $GOMODCACHE/github.com/cncf/udpa/go@v0.0.0-201 -------------------------------------------------------------------------------- -Dependency : github.com/codegangsta/inject -Version: v0.0.0-20150114235600-33e0aa1cb7c0 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/codegangsta/inject@v0.0.0-20150114235600-33e0aa1cb7c0/LICENSE: - -The MIT License (MIT) - -Copyright (c) 2013 Jeremy Saenz - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - - --------------------------------------------------------------------------------- -Dependency : github.com/containerd/cgroups -Version: v0.0.0-20190919134610-bf292b21730f +Dependency : github.com/containerd/go-runc +Version: v0.0.0-20180907222934-5a6d9f37cfa3 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/containerd/cgroups@v0.0.0-20190919134610-bf292b21730f/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/containerd/go-runc@v0.0.0-20180907222934-5a6d9f37cfa3/LICENSE: Apache License Version 2.0, January 2004 @@ -21041,12 +22781,12 @@ Contents of probable licence file $GOMODCACHE/github.com/containerd/cgroups@v0.0 -------------------------------------------------------------------------------- -Dependency : github.com/containerd/console -Version: v0.0.0-20180822173158-c12b1e7919c1 +Dependency : github.com/containerd/ttrpc +Version: v0.0.0-20190828154514-0e0f228740de Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/containerd/console@v0.0.0-20180822173158-c12b1e7919c1/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/containerd/ttrpc@v0.0.0-20190828154514-0e0f228740de/LICENSE: Apache License Version 2.0, January 2004 @@ -21252,218 +22992,16 @@ Contents of probable licence file $GOMODCACHE/github.com/containerd/console@v0.0 -------------------------------------------------------------------------------- -Dependency : github.com/containerd/containerd -Version: v1.3.3 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/containerd/containerd@v1.3.3/LICENSE: - - - Apache License - Version 2.0, January 2004 - https://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - Copyright The containerd Authors - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - --------------------------------------------------------------------------------- -Dependency : github.com/containerd/continuity -Version: v0.0.0-20200107194136-26c1120b8d41 +Dependency : github.com/containerd/typeurl +Version: v0.0.0-20180627222232-a93fcdb778cd Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/containerd/continuity@v0.0.0-20200107194136-26c1120b8d41/LICENSE: - +Contents of probable licence file $GOMODCACHE/github.com/containerd/typeurl@v0.0.0-20180627222232-a93fcdb778cd/LICENSE: Apache License Version 2.0, January 2004 - https://www.apache.org/licenses/ + http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION @@ -21638,13 +23176,24 @@ Contents of probable licence file $GOMODCACHE/github.com/containerd/continuity@v END OF TERMS AND CONDITIONS - Copyright The containerd Authors + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - https://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, @@ -21654,12 +23203,13 @@ Contents of probable licence file $GOMODCACHE/github.com/containerd/continuity@v -------------------------------------------------------------------------------- -Dependency : github.com/containerd/go-runc -Version: v0.0.0-20180907222934-5a6d9f37cfa3 +Dependency : github.com/coreos/etcd +Version: v3.3.10+incompatible Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/containerd/go-runc@v0.0.0-20180907222934-5a6d9f37cfa3/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/coreos/etcd@v3.3.10+incompatible/LICENSE: + Apache License Version 2.0, January 2004 @@ -21865,12 +23415,13 @@ Contents of probable licence file $GOMODCACHE/github.com/containerd/go-runc@v0.0 -------------------------------------------------------------------------------- -Dependency : github.com/containerd/ttrpc -Version: v0.0.0-20190828154514-0e0f228740de +Dependency : github.com/coreos/go-etcd +Version: v2.0.0+incompatible Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/containerd/ttrpc@v0.0.0-20190828154514-0e0f228740de/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/coreos/go-etcd@v2.0.0+incompatible/LICENSE: + Apache License Version 2.0, January 2004 @@ -22076,12 +23627,13 @@ Contents of probable licence file $GOMODCACHE/github.com/containerd/ttrpc@v0.0.0 -------------------------------------------------------------------------------- -Dependency : github.com/containerd/typeurl -Version: v0.0.0-20180627222232-a93fcdb778cd +Dependency : github.com/coreos/go-semver +Version: v0.2.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/containerd/typeurl@v0.0.0-20180627222232-a93fcdb778cd/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/coreos/go-semver@v0.2.0/LICENSE: + Apache License Version 2.0, January 2004 @@ -22487,6 +24039,37 @@ third-party archives. limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/cpuguy83/go-md2man +Version: v1.0.10 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/cpuguy83/go-md2man@v1.0.10/LICENSE.md: + +The MIT License (MIT) + +Copyright (c) 2014 Brian Goff + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/cucumber/godog Version: v0.8.1 @@ -22634,6 +24217,192 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +-------------------------------------------------------------------------------- +Dependency : github.com/dgraph-io/ristretto +Version: v0.0.3-0.20200630154024-f66de99634de +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/dgraph-io/ristretto@v0.0.3-0.20200630154024-f66de99634de/LICENSE: + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + -------------------------------------------------------------------------------- Dependency : github.com/dgrijalva/jwt-go Version: v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible @@ -22652,6 +24421,39 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI +-------------------------------------------------------------------------------- +Dependency : github.com/dgryski/go-farm +Version: v0.0.0-20190423205320-6a90982ecee2 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/dgryski/go-farm@v0.0.0-20190423205320-6a90982ecee2/LICENSE: + +As this is a highly derivative work, I have placed it under the same license as the original implementation: + +Copyright (c) 2014-2017 Damian Gryski +Copyright (c) 2016-2017 Nicola Asuni - Tecnick.com + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + + -------------------------------------------------------------------------------- Dependency : github.com/dimchansky/utfbom Version: v1.1.0 @@ -30761,6 +32563,370 @@ Exhibit B - "Incompatible With Secondary Licenses" Notice the Mozilla Public License, v. 2.0. +-------------------------------------------------------------------------------- +Dependency : github.com/hashicorp/hcl +Version: v1.0.0 +Licence type (autodetected): MPL-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/hashicorp/hcl@v1.0.0/LICENSE: + +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. “Contributor” + + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. “Contributor Version” + + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor’s Contribution. + +1.3. “Contribution” + + means Covered Software of a particular Contributor. + +1.4. “Covered Software” + + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. “Incompatible With Secondary Licenses” + means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of version + 1.1 or earlier of the License, but not also under the terms of a + Secondary License. + +1.6. “Executable Form” + + means any form of the work other than Source Code Form. + +1.7. “Larger Work” + + means a work that combines Covered Software with other material, in a separate + file or files, that is not Covered Software. + +1.8. “License” + + means this document. + +1.9. “Licensable” + + means having the right to grant, to the maximum extent possible, whether at the + time of the initial grant or subsequently, any and all of the rights conveyed by + this License. + +1.10. “Modifications” + + means any of the following: + + a. any file in Source Code Form that results from an addition to, deletion + from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. “Patent Claims” of a Contributor + + means any patent claim(s), including without limitation, method, process, + and apparatus claims, in any patent Licensable by such Contributor that + would be infringed, but for the grant of the License, by the making, + using, selling, offering for sale, having made, import, or transfer of + either its Contributions or its Contributor Version. + +1.12. “Secondary License” + + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. “Source Code Form” + + means the form of the work preferred for making modifications. + +1.14. “You” (or “Your”) + + means an individual or a legal entity exercising rights under this + License. For legal entities, “You” includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, “control” means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or as + part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its Contributions + or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution become + effective for each Contribution on the date the Contributor first distributes + such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under this + License. No additional rights or licenses will be implied from the distribution + or licensing of Covered Software under this License. Notwithstanding Section + 2.1(b) above, no patent license is granted by a Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party’s + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of its + Contributions. + + This License does not grant any rights in the trademarks, service marks, or + logos of any Contributor (except as may be necessary to comply with the + notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this License + (see Section 10.2) or under the terms of a Secondary License (if permitted + under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its Contributions + are its original creation(s) or it has sufficient rights to grant the + rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under applicable + copyright doctrines of fair use, fair dealing, or other equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under the + terms of this License. You must inform recipients that the Source Code Form + of the Covered Software is governed by the terms of this License, and how + they can obtain a copy of this License. You may not attempt to alter or + restrict the recipients’ rights in the Source Code Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this License, + or sublicense it under different terms, provided that the license for + the Executable Form does not attempt to limit or alter the recipients’ + rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for the + Covered Software. If the Larger Work is a combination of Covered Software + with a work governed by one or more Secondary Licenses, and the Covered + Software is not Incompatible With Secondary Licenses, this License permits + You to additionally distribute such Covered Software under the terms of + such Secondary License(s), so that the recipient of the Larger Work may, at + their option, further distribute the Covered Software under the terms of + either this License or such Secondary License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices (including + copyright notices, patent notices, disclaimers of warranty, or limitations + of liability) contained within the Source Code Form of the Covered + Software, except that You may alter any license notices to the extent + required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on behalf + of any Contributor. You must make it absolutely clear that any such + warranty, support, indemnity, or liability obligation is offered by You + alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, judicial + order, or regulation then You must: (a) comply with the terms of this License + to the maximum extent possible; and (b) describe the limitations and the code + they affect. Such description must be placed in a text file included with all + distributions of the Covered Software under this License. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing basis, + if such Contributor fails to notify You of the non-compliance by some + reasonable means prior to 60 days after You have come back into compliance. + Moreover, Your grants from a particular Contributor are reinstated on an + ongoing basis if such Contributor notifies You of the non-compliance by + some reasonable means, this is the first time You have received notice of + non-compliance with this License from such Contributor, and You become + compliant prior to 30 days after Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, counter-claims, + and cross-claims) alleging that a Contributor Version directly or + indirectly infringes any patent, then the rights granted to You by any and + all Contributors for the Covered Software under Section 2.1 of this License + shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an “as is” basis, without + warranty of any kind, either expressed, implied, or statutory, including, + without limitation, warranties that the Covered Software is free of defects, + merchantable, fit for a particular purpose or non-infringing. The entire + risk as to the quality and performance of the Covered Software is with You. + Should any Covered Software prove defective in any respect, You (not any + Contributor) assume the cost of any necessary servicing, repair, or + correction. This disclaimer of warranty constitutes an essential part of this + License. No use of any Covered Software is authorized under this License + except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from such + party’s negligence to the extent applicable law prohibits such limitation. + Some jurisdictions do not allow the exclusion or limitation of incidental or + consequential damages, so this exclusion and limitation may not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts of + a jurisdiction where the defendant maintains its principal place of business + and such litigation shall be governed by laws of that jurisdiction, without + reference to its conflict-of-law provisions. Nothing in this Section shall + prevent a party’s ability to bring cross-claims or counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject matter + hereof. If any provision of this License is held to be unenforceable, such + provision shall be reformed only to the extent necessary to make it + enforceable. Any law or regulation which provides that the language of a + contract shall be construed against the drafter shall not be used to construe + this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version of + the License under which You originally received the Covered Software, or + under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a modified + version of this License if you rename the license and remove any + references to the name of the license steward (except to note that such + modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With + Secondary Licenses under the terms of this version of the License, the + notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, then +You may include the notice in a location (such as a LICENSE file in a relevant +directory) where a recipient would be likely to look for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - “Incompatible With Secondary Licenses” Notice + + This Source Code Form is “Incompatible + With Secondary Licenses”, as defined by + the Mozilla Public License, v. 2.0. + + + -------------------------------------------------------------------------------- Dependency : github.com/haya14busa/go-actions-toolkit Version: v0.0.0-20200105081403-ca0307860f01 @@ -31768,6 +33934,41 @@ Contents of probable licence file $GOMODCACHE/github.com/kylelemons/godebug@v1.1 limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/magiconair/properties +Version: v1.8.0 +Licence type (autodetected): BSD-2-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/magiconair/properties@v1.8.0/LICENSE: + +goproperties - properties file decoder for Go + +Copyright (c) 2013-2018 - Frank Schroeder + +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + -------------------------------------------------------------------------------- Dependency : github.com/mailru/easyjson Version: v0.7.1 @@ -34009,6 +36210,54 @@ Contents of probable licence file $GOMODCACHE/github.com/opencontainers/runtime- limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/otiai10/curr +Version: v1.0.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/otiai10/curr@v1.0.0/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2020 Hiromu Ochiai + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + +-------------------------------------------------------------------------------- +Dependency : github.com/otiai10/mint +Version: v1.3.1 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/otiai10/mint@v1.3.1/LICENSE: + +Copyright 2017 otiai10 (Hiromu OCHIAI) + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/oxtoacart/bpool Version: v0.0.0-20150712133111-4e1c5567d7c2 @@ -34221,6 +36470,37 @@ Contents of probable licence file $GOMODCACHE/github.com/oxtoacart/bpool@v0.0.0- limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/pelletier/go-toml +Version: v1.2.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/pelletier/go-toml@v1.2.0/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2013 - 2017 Thomas Pelletier, Eric Anderton + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/peterbourgon/diskv Version: v2.0.1+incompatible @@ -34846,6 +37126,45 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-------------------------------------------------------------------------------- +Dependency : github.com/russross/blackfriday +Version: v1.5.2 +Licence type (autodetected): BSD-2-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/russross/blackfriday@v1.5.2/LICENSE.txt: + +Blackfriday is distributed under the Simplified BSD License: + +> Copyright © 2011 Russ Ross +> All rights reserved. +> +> Redistribution and use in source and binary forms, with or without +> modification, are permitted provided that the following conditions +> are met: +> +> 1. Redistributions of source code must retain the above copyright +> notice, this list of conditions and the following disclaimer. +> +> 2. Redistributions in binary form must reproduce the above +> copyright notice, this list of conditions and the following +> disclaimer in the documentation and/or other materials provided with +> the distribution. +> +> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +> "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +> FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +> COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +> INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +> BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +> CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +> LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +> ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +> POSSIBILITY OF SUCH DAMAGE. + + -------------------------------------------------------------------------------- Dependency : github.com/samuel/go-parser Version: v0.0.0-20130731160455-ca8abbf65d0e @@ -35318,6 +37637,40 @@ requirements and restrictions. Use of those components is subject to the terms and conditions outlined the respective license of each component. +-------------------------------------------------------------------------------- +Dependency : github.com/spaolacci/murmur3 +Version: v1.1.0 +Licence type (autodetected): BSD-3-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/spaolacci/murmur3@v1.1.0/LICENSE: + +Copyright 2013, Sébastien Paolacci. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the library nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + -------------------------------------------------------------------------------- Dependency : github.com/spf13/afero Version: v1.2.2 @@ -35502,6 +37855,96 @@ Contents of probable licence file $GOMODCACHE/github.com/spf13/afero@v1.2.2/LICE of your accepting any such warranty or additional liability. +-------------------------------------------------------------------------------- +Dependency : github.com/spf13/cast +Version: v1.3.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/spf13/cast@v1.3.0/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2014 Steve Francia + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +-------------------------------------------------------------------------------- +Dependency : github.com/spf13/jwalterweatherman +Version: v1.0.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/spf13/jwalterweatherman@v1.0.0/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2014 Steve Francia + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +-------------------------------------------------------------------------------- +Dependency : github.com/spf13/viper +Version: v1.3.2 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/spf13/viper@v1.3.2/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2014 Steve Francia + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + -------------------------------------------------------------------------------- Dependency : github.com/stretchr/objx Version: v0.2.0 @@ -35568,6 +38011,38 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-------------------------------------------------------------------------------- +Dependency : github.com/ugorji/go +Version: v1.1.8 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/ugorji/go@v1.1.8/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2012-2015 Ugorji Nwoke. +All rights reserved. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/urfave/cli Version: v0.0.0-20171014202726-7bc6a0acffa5 @@ -37311,6 +39786,25 @@ Contents of probable licence file $GOMODCACHE/github.com/xeipuuv/gojsonschema@v0 limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/xordataexchange/crypt +Version: v0.0.3-0.20170626215501-b2862e3d0a77 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/xordataexchange/crypt@v0.0.3-0.20170626215501-b2862e3d0a77/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2014 XOR Data Exchange, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/yuin/gopher-lua Version: v0.0.0-20170403160031-b402f3114ec7 diff --git a/auditbeat/Jenkinsfile.yml b/auditbeat/Jenkinsfile.yml index e56b8255874..6f5374224d4 100644 --- a/auditbeat/Jenkinsfile.yml +++ b/auditbeat/Jenkinsfile.yml @@ -21,15 +21,27 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test auditbeat for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test auditbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/auditbeat/cmd/root.go b/auditbeat/cmd/root.go index 89d0bfd20ca..bf3167e7106 100644 --- a/auditbeat/cmd/root.go +++ b/auditbeat/cmd/root.go @@ -35,7 +35,7 @@ const ( Name = "auditbeat" // ecsVersion specifies the version of ECS that Auditbeat is implementing. - ecsVersion = "1.5.0" + ecsVersion = "1.6.0" ) // RootCmd for running auditbeat. diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 7ba194357ee..cb95eb4da12 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -2914,8 +2914,15 @@ type: object [[exported-fields-ecs]] == ECS fields -ECS Fields. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. *`@timestamp`*:: + diff --git a/auditbeat/module/file_integrity/event.go b/auditbeat/module/file_integrity/event.go index 41e4d5a3795..1ee28b7ce35 100644 --- a/auditbeat/module/file_integrity/event.go +++ b/auditbeat/module/file_integrity/event.go @@ -257,7 +257,7 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event { if e.Info.Type == FileType { if extension := filepath.Ext(e.Path); extension != "" { - file["extension"] = extension + file["extension"] = strings.TrimLeft(extension, ".") } if mimeType := getMimeType(e.Path); mimeType != "" { file["mime_type"] = mimeType diff --git a/auditbeat/module/file_integrity/event_test.go b/auditbeat/module/file_integrity/event_test.go index 79d1309903d..efaafd02041 100644 --- a/auditbeat/module/file_integrity/event_test.go +++ b/auditbeat/module/file_integrity/event_test.go @@ -28,6 +28,7 @@ import ( "time" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/common" ) @@ -295,7 +296,11 @@ func TestBuildEvent(t *testing.T) { assertHasKey(t, fields, "event.type") assertHasKey(t, fields, "file.path") - assertHasKey(t, fields, "file.extension") + if assertHasKey(t, fields, "file.extension") { + ext, err := fields.GetValue("file.extension") + require.NoError(t, err) + assert.Equal(t, ext, "txt") + } assertHasKey(t, fields, "file.target_path") assertHasKey(t, fields, "file.inode") assertHasKey(t, fields, "file.uid") @@ -427,10 +432,12 @@ func mustDecodeHex(v string) []byte { return data } -func assertHasKey(t testing.TB, m common.MapStr, key string) { +func assertHasKey(t testing.TB, m common.MapStr, key string) bool { t.Helper() found, err := m.HasKey(key) if err != nil || !found { t.Errorf("key %v not found: %v", key, err) + return false } + return true } diff --git a/auditbeat/module/file_integrity/eventreader_test.go b/auditbeat/module/file_integrity/eventreader_test.go index 6d9b02f7867..a00367f350a 100644 --- a/auditbeat/module/file_integrity/eventreader_test.go +++ b/auditbeat/module/file_integrity/eventreader_test.go @@ -41,6 +41,7 @@ func init() { const ErrorSharingViolation syscall.Errno = 32 func TestEventReader(t *testing.T) { + t.Skip("Flaky test: about 1/10 of bulds fails https://github.com/elastic/beats/issues/21302") // Make dir to monitor. dir, err := ioutil.TempDir("", "audit") if err != nil { @@ -240,6 +241,7 @@ func TestEventReader(t *testing.T) { } func TestRaces(t *testing.T) { + t.Skip("Flaky test: about 1/20 of bulds fails https://github.com/elastic/beats/issues/21303") const ( fileMode os.FileMode = 0640 N = 100 diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index 4bc1976e40e..32d1010f4d0 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -36,8 +36,6 @@ data: - state_cronjob - state_resourcequota - state_statefulset - # Uncomment this to get k8s events: - #- event - module: kubernetes metricsets: - apiserver @@ -46,6 +44,10 @@ data: ssl.certificate_authorities: - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt period: 30s + # Uncomment this to get k8s events: + #- module: kubernetes + # metricsets: + # - event # To enable hints based autodiscover uncomment this: #- type: kubernetes # node: ${NODE_NAME} diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index 98fffb86ad0..b95bf478765 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml @@ -36,8 +36,6 @@ data: - state_cronjob - state_resourcequota - state_statefulset - # Uncomment this to get k8s events: - #- event - module: kubernetes metricsets: - apiserver @@ -46,6 +44,10 @@ data: ssl.certificate_authorities: - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt period: 30s + # Uncomment this to get k8s events: + #- module: kubernetes + # metricsets: + # - event # To enable hints based autodiscover uncomment this: #- type: kubernetes # node: ${NODE_NAME} diff --git a/dev-tools/dependencies-report b/dev-tools/dependencies-report index a824d0f4bf9..928de5367ca 100755 --- a/dev-tools/dependencies-report +++ b/dev-tools/dependencies-report @@ -41,3 +41,14 @@ go list -m -json all $@ | go run go.elastic.co/go-licence-detector \ -noticeTemplate "$SRCPATH/notice/dependencies.csv.tmpl" \ -noticeOut "$outfile" \ -depsOut "" + + +# Fill-in required values for UBI images +# Check headers in $SRCPATH/notice/dependencies.csv.tmpl: +# name,url,version,revision,license +ubi8url='https://catalog.redhat.com/software/containers/ubi8/ubi-minimal/5c359a62bed8bd75a2c3fba8' +ubi8source='https://oss-dependencies.elastic.co/redhat/ubi/ubi-minimal-8-source.tar.gz' +ubilicense='Custom;https://www.redhat.com/licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf' +cat <> $outfile +Red Hat Universal Base Image,$ubi8url,8,,$ubilicense,$ubi8source +EOF diff --git a/dev-tools/mage/integtest_docker.go b/dev-tools/mage/integtest_docker.go index 2ed09db711e..8b366bad315 100644 --- a/dev-tools/mage/integtest_docker.go +++ b/dev-tools/mage/integtest_docker.go @@ -27,6 +27,7 @@ import ( "runtime" "strings" "sync" + "time" "github.com/pkg/errors" @@ -246,5 +247,17 @@ func dockerComposeBuildImages() error { os.Stderr, "docker-compose", args..., ) + + // This sleep is to avoid hitting the docker build issues when resources are not available. + if err != nil { + fmt.Println(">> Building docker images again") + time.Sleep(10) + _, err = sh.Exec( + composeEnv, + out, + os.Stderr, + "docker-compose", args..., + ) + } return err } diff --git a/dev-tools/notice/dependencies.csv.tmpl b/dev-tools/notice/dependencies.csv.tmpl index 6ab2a970199..088314378f6 100644 --- a/dev-tools/notice/dependencies.csv.tmpl +++ b/dev-tools/notice/dependencies.csv.tmpl @@ -1,7 +1,7 @@ {{- define "depInfo" -}} {{- range $i, $dep := . }} -{{ $dep.Name }},{{ $dep.URL }},{{ $dep.Version | canonicalVersion }},{{ $dep.Version | revision }},{{ $dep.LicenceType }} +{{ $dep.Name }},{{ $dep.URL }},{{ $dep.Version | canonicalVersion }},{{ $dep.Version | revision }},{{ $dep.LicenceType }},{{ $dep.URL }} {{- end -}} {{- end -}} -name,url,version,revision,license{{ template "depInfo" .Direct }}{{ template "depInfo" .Indirect }} +name,url,version,revision,license,sourceURL{{ template "depInfo" .Direct }}{{ template "depInfo" .Indirect }} diff --git a/dev-tools/notice/rules.json b/dev-tools/notice/rules.json index 73ce763cdae..c9638a9c6cf 100644 --- a/dev-tools/notice/rules.json +++ b/dev-tools/notice/rules.json @@ -9,7 +9,8 @@ "ISC", "MIT", "MPL-2.0", - "Public Domain" + "Public Domain", + "Zlib" ], "maybelist": [ "EPL-1.0", diff --git a/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl index 91f043d2799..d4c8d6e4645 100644 --- a/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl @@ -13,8 +13,8 @@ set -eo pipefail # KIBANA_USERNAME - username for accessing kibana API [elastic] function setup(){ - curl -X POST ${KIBANA_HOST:-http://localhost:5601}/api/ingest_manager/setup -H 'kbn-xsrf: true' -u ${KIBANA_USERNAME:-elastic}:${KIBANA_PASSWORD:-changeme} - curl -X POST ${KIBANA_HOST:-http://localhost:5601}/api/ingest_manager/fleet/setup \ + curl -X POST ${KIBANA_HOST:-http://localhost:5601}/api/fleet/setup -H 'kbn-xsrf: true' -u ${KIBANA_USERNAME:-elastic}:${KIBANA_PASSWORD:-changeme} + curl -X POST ${KIBANA_HOST:-http://localhost:5601}/api/fleet/agents/setup \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ -u ${KIBANA_USERNAME:-elastic}:${KIBANA_PASSWORD:-changeme} @@ -27,7 +27,7 @@ function enroll(){ if [[ -n "${FLEET_ENROLLMENT_TOKEN}" ]]; then apikey="${FLEET_ENROLLMENT_TOKEN}" else - enrollResp=$(curl ${KIBANA_HOST:-http://localhost:5601}/api/ingest_manager/fleet/enrollment-api-keys \ + enrollResp=$(curl ${KIBANA_HOST:-http://localhost:5601}/api/fleet/enrollment-api-keys \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ -u ${KIBANA_USERNAME:-elastic}:${KIBANA_PASSWORD:-changeme} ) @@ -40,7 +40,7 @@ function enroll(){ local apikeyId=$(echo $enrollResp | jq -r '.list[0].id') echo $apikeyId - enrollResp=$(curl ${KIBANA_HOST:-http://localhost:5601}/api/ingest_manager/fleet/enrollment-api-keys/$apikeyId \ + enrollResp=$(curl ${KIBANA_HOST:-http://localhost:5601}/api/fleet/enrollment-api-keys/$apikeyId \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ -u ${KIBANA_USERNAME:-elastic}:${KIBANA_PASSWORD:-changeme} ) diff --git a/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl b/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl index 744abc05702..835b5955324 100644 --- a/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl +++ b/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl @@ -6,6 +6,5 @@ exec /usr/share/{{.BeatName}}/bin/{{.BeatName}} \ --path.home /var/lib/{{.BeatName}} \ --path.config /etc/{{.BeatName}} \ - --path.data /var/lib/{{.BeatName}}/data \ --path.logs /var/log/{{.BeatName}} \ "$@" diff --git a/filebeat/Jenkinsfile.yml b/filebeat/Jenkinsfile.yml index f74f5ed372c..6b5a23b7fb2 100644 --- a/filebeat/Jenkinsfile.yml +++ b/filebeat/Jenkinsfile.yml @@ -20,15 +20,17 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test filebeat for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + #- "windows-2016" https://github.com/elastic/beats/issues/19641 diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index c920b7dbec8..7eceb559f16 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -11,6 +11,7 @@ filebeat.inputs: # # Possible options are: # * log: Reads every line of the log file (default) +# * filestream: Improved version of log input. Experimental. # * stdin: Reads the standard in #------------------------------ Log input -------------------------------- @@ -231,6 +232,145 @@ filebeat.inputs: # Defines if inputs is enabled #enabled: true +#--------------------------- Filestream input ---------------------------- +- type: filestream + + # Change to true to enable this input configuration. + enabled: false + + # Paths that should be crawled and fetched. Glob based paths. + # To fetch all ".log" files from a specific level of subdirectories + # /var/log/*/*.log can be used. + # For each file found under this path, a harvester is started. + # Make sure not file is defined twice as this can lead to unexpected behaviour. + paths: + - /var/log/*.log + #- c:\programdata\elasticsearch\logs\* + + # Configure the file encoding for reading files with international characters + # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding). + # Some sample encodings: + # plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk, + # hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ... + #encoding: plain + + + # Exclude lines. A list of regular expressions to match. It drops the lines that are + # matching any regular expression from the list. The include_lines is called before + # exclude_lines. By default, no lines are dropped. + #exclude_lines: ['^DBG'] + + # Include lines. A list of regular expressions to match. It exports the lines that are + # matching any regular expression from the list. The include_lines is called before + # exclude_lines. By default, all the lines are exported. + #include_lines: ['^ERR', '^WARN'] + + ### Prospector options + + # How often the input checks for new files in the paths that are specified + # for harvesting. Specify 1s to scan the directory as frequently as possible + # without causing Filebeat to scan too frequently. Default: 10s. + #prospector.scanner.check_interval: 10s + + # Exclude files. A list of regular expressions to match. Filebeat drops the files that + # are matching any regular expression from the list. By default, no files are dropped. + #prospector.scanner.exclude_files: ['.gz$'] + + # Expand "**" patterns into regular glob patterns. + #prospector.scanner.recursive_glob: true + + # If symlinks is enabled, symlinks are opened and harvested. The harvester is opening the + # original for harvesting but will report the symlink name as source. + #prospector.scanner.symlinks: false + + ### State options + + # Files for the modification data is older then clean_inactive the state from the registry is removed + # By default this is disabled. + #clean_inactive: 0 + + # Removes the state for file which cannot be found on disk anymore immediately + #clean_removed: true + + # Method to determine if two files are the same or not. By default + # the Beat considers two files the same if their inode and device id are the same. + #file_identity.native: ~ + + # Optional additional fields. These fields can be freely picked + # to add additional information to the crawled log files for filtering + #fields: + # level: debug + # review: 1 + + # Set to true to publish fields with null values in events. + #keep_null: false + + # By default, all events contain `host.name`. This option can be set to true + # to disable the addition of this field to all events. The default value is + # false. + #publisher_pipeline.disable_host: false + + # Ignore files which were modified more then the defined timespan in the past. + # ignore_older is disabled by default, so no files are ignored by setting it to 0. + # Time strings like 2h (2 hours), 5m (5 minutes) can be used. + #ignore_older: 0 + + # Defines the buffer size every harvester uses when fetching the file + #harvester_buffer_size: 16384 + + # Maximum number of bytes a single log event can have + # All bytes after max_bytes are discarded and not sent. The default is 10MB. + # This is especially useful for multiline log messages which can get large. + #message_max_bytes: 10485760 + + # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed, + # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator. + #line_terminator: auto + + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # Backoff values define how aggressively filebeat crawls new files for updates + # The default values can be used in most cases. Backoff defines how long it is waited + # to check a file again after EOF is reached. Default is 1s which means the file + # is checked every second if new lines were added. This leads to a near real time crawling. + # Every time a new line appears, backoff is reset to the initial value. + #backoff.init: 1s + + # Max backoff defines what the maximum backoff time is. After having backed off multiple times + # from checking the files, the waiting time will never exceed max_backoff independent of the + # backoff factor. Having it set to 10s means in the worst case a new line can be added to a log + # file after having backed off multiple times, it takes a maximum of 10s to read the new line + #backoff.max: 10s + + ### Harvester closing options + + # Close inactive closes the file handler after the predefined period. + # The period starts when the last line of the file was, not the file ModTime. + # Time strings like 2h (2 hours), 5m (5 minutes) can be used. + #close.on_state_change.inactive: 5m + + # Close renamed closes a file handler when the file is renamed or rotated. + # Note: Potential data loss. Make sure to read and understand the docs for this option. + #close.on_state_change.renamed: false + + # When enabling this option, a file handler is closed immediately in case a file can't be found + # any more. In case the file shows up again later, harvesting will continue at the last known position + # after scan_frequency. + #close.on_state_change.removed: true + + # Closes the file handler as soon as the harvesters reaches the end of the file. + # By default this option is disabled. + # Note: Potential data loss. Make sure to read and understand the docs for this option. + #close.reader.eof: false + + # Close timeout closes the harvester after the predefined time. + # This is independent if the harvester did finish reading the file or not. + # By default this option is disabled. + # Note: Potential data loss. Make sure to read and understand the docs for this option. + #close.reader.after_interval: 0 + #----------------------------- Stdin input ------------------------------- # Configuration to use stdin input #- type: stdin diff --git a/filebeat/_meta/config/filebeat.inputs.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.yml.tmpl index a7bd1b5eaa6..70d52cbb9c6 100644 --- a/filebeat/_meta/config/filebeat.inputs.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.yml.tmpl @@ -49,3 +49,32 @@ filebeat.inputs: # that was (not) matched before or after or as long as a pattern is not matched based on negate. # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash #multiline.match: after + +# filestream is an experimental input. It is going to replace log input in the future. +- type: filestream + + # Change to true to enable this input configuration. + enabled: false + + # Paths that should be crawled and fetched. Glob based paths. + paths: + - /var/log/*.log + #- c:\programdata\elasticsearch\logs\* + + # Exclude lines. A list of regular expressions to match. It drops the lines that are + # matching any regular expression from the list. + #exclude_lines: ['^DBG'] + + # Include lines. A list of regular expressions to match. It exports the lines that are + # matching any regular expression from the list. + #include_lines: ['^ERR', '^WARN'] + + # Exclude files. A list of regular expressions to match. Filebeat drops the files that + # are matching any regular expression from the list. By default, no files are dropped. + #prospector.scanner.exclude_files: ['.gz$'] + + # Optional additional fields. These fields can be freely picked + # to add additional information to the crawled log files for filtering + #fields: + # level: debug + # review: 1 diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b4888ec8c5e..b4f6a158ad7 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -1884,6 +1884,46 @@ type: keyword The error reason if the executed action failed. +type: keyword + +-- + +*`aws.elb.target_port`*:: ++ +-- +List of IP addresses and ports for the targets that processed this request. + + +type: keyword + +-- + +*`aws.elb.target_status_code`*:: ++ +-- +List of status codes from the responses of the targets. + + +type: keyword + +-- + +*`aws.elb.classification`*:: ++ +-- +The classification for desync mitigation. + + +type: keyword + +-- + +*`aws.elb.classification_reason`*:: ++ +-- +The classification reason code. + + type: keyword -- @@ -26581,6 +26621,153 @@ type: keyword -- This key captures values or decorators used within a registry entry +type: keyword + +-- + +[float] +=== cisco.umbrella + +Fields for Cisco Umbrella. + + + +*`cisco.umbrella.identities`*:: ++ +-- +An array of the different identities related to the event. + + +type: keyword + +-- + +*`cisco.umbrella.categories`*:: ++ +-- +The security or content categories that the destination matches. + + +type: keyword + +-- + +*`cisco.umbrella.policy_identity_type`*:: ++ +-- +The first identity type matched with this request. Available in version 3 and above. + + +type: keyword + +-- + +*`cisco.umbrella.identity_types`*:: ++ +-- +The type of identity that made the request. For example, Roaming Computer or Network. + + +type: keyword + +-- + +*`cisco.umbrella.blocked_categories`*:: ++ +-- +The categories that resulted in the destination being blocked. Available in version 4 and above. + + +type: keyword + +-- + +*`cisco.umbrella.content_type`*:: ++ +-- +The type of web content, typically text/html. + + +type: keyword + +-- + +*`cisco.umbrella.sha_sha256`*:: ++ +-- +Hex digest of the response content. + + +type: keyword + +-- + +*`cisco.umbrella.av_detections`*:: ++ +-- +The detection name according to the antivirus engine used in file inspection. + + +type: keyword + +-- + +*`cisco.umbrella.puas`*:: ++ +-- +A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. + + +type: keyword + +-- + +*`cisco.umbrella.amp_disposition`*:: ++ +-- +The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. + + +type: keyword + +-- + +*`cisco.umbrella.amp_malware_name`*:: ++ +-- +If Malicious, the name of the malware according to AMP. + + +type: keyword + +-- + +*`cisco.umbrella.amp_score`*:: ++ +-- +The score of the malware from AMP. This field is not currently used and will be blank. + + +type: keyword + +-- + +*`cisco.umbrella.datacenter`*:: ++ +-- +The name of the Umbrella Data Center that processed the user-generated traffic. + + +type: keyword + +-- + +*`cisco.umbrella.origin_id`*:: ++ +-- +The unique identity of the network tunnel. + + type: keyword -- @@ -44041,8 +44228,15 @@ type: object [[exported-fields-ecs]] == ECS fields -ECS Fields. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. *`@timestamp`*:: + @@ -87929,6 +88123,973 @@ type: keyword -- This key captures values or decorators used within a registry entry +type: keyword + +-- + +[float] +=== juniper.srx + +Module for parsing junipersrx syslog. + + + +*`juniper.srx.reason`*:: ++ +-- +reason + + +type: keyword + +-- + +*`juniper.srx.connection_tag`*:: ++ +-- +connection tag + + +type: keyword + +-- + +*`juniper.srx.service_name`*:: ++ +-- +service name + + +type: keyword + +-- + +*`juniper.srx.nat_connection_tag`*:: ++ +-- +nat connection tag + + +type: keyword + +-- + +*`juniper.srx.src_nat_rule_type`*:: ++ +-- +src nat rule type + + +type: keyword + +-- + +*`juniper.srx.src_nat_rule_name`*:: ++ +-- +src nat rule name + + +type: keyword + +-- + +*`juniper.srx.dst_nat_rule_type`*:: ++ +-- +dst nat rule type + + +type: keyword + +-- + +*`juniper.srx.dst_nat_rule_name`*:: ++ +-- +dst nat rule name + + +type: keyword + +-- + +*`juniper.srx.protocol_id`*:: ++ +-- +protocol id + + +type: keyword + +-- + +*`juniper.srx.policy_name`*:: ++ +-- +policy name + + +type: keyword + +-- + +*`juniper.srx.session_id_32`*:: ++ +-- +session id 32 + + +type: keyword + +-- + +*`juniper.srx.session_id`*:: ++ +-- +session id + + +type: keyword + +-- + +*`juniper.srx.outbound_packets`*:: ++ +-- +packets from client + + +type: integer + +-- + +*`juniper.srx.outbound_bytes`*:: ++ +-- +bytes from client + + +type: integer + +-- + +*`juniper.srx.inbound_packets`*:: ++ +-- +packets from server + + +type: integer + +-- + +*`juniper.srx.inbound_bytes`*:: ++ +-- +bytes from server + + +type: integer + +-- + +*`juniper.srx.elapsed_time`*:: ++ +-- +elapsed time + + +type: date + +-- + +*`juniper.srx.application`*:: ++ +-- +application + + +type: keyword + +-- + +*`juniper.srx.nested_application`*:: ++ +-- +nested application + + +type: keyword + +-- + +*`juniper.srx.username`*:: ++ +-- +username + + +type: keyword + +-- + +*`juniper.srx.roles`*:: ++ +-- +roles + + +type: keyword + +-- + +*`juniper.srx.encrypted`*:: ++ +-- +encrypted + + +type: keyword + +-- + +*`juniper.srx.application_category`*:: ++ +-- +application category + + +type: keyword + +-- + +*`juniper.srx.application_sub_category`*:: ++ +-- +application sub category + + +type: keyword + +-- + +*`juniper.srx.application_characteristics`*:: ++ +-- +application characteristics + + +type: keyword + +-- + +*`juniper.srx.secure_web_proxy_session_type`*:: ++ +-- +secure web proxy session type + + +type: keyword + +-- + +*`juniper.srx.peer_session_id`*:: ++ +-- +peer session id + + +type: keyword + +-- + +*`juniper.srx.peer_source_address`*:: ++ +-- +peer source address + + +type: ip + +-- + +*`juniper.srx.peer_source_port`*:: ++ +-- +peer source port + + +type: integer + +-- + +*`juniper.srx.peer_destination_address`*:: ++ +-- +peer destination address + + +type: ip + +-- + +*`juniper.srx.peer_destination_port`*:: ++ +-- +peer destination port + + +type: integer + +-- + +*`juniper.srx.hostname`*:: ++ +-- +hostname + + +type: keyword + +-- + +*`juniper.srx.src_vrf_grp`*:: ++ +-- +src_vrf_grp + + +type: keyword + +-- + +*`juniper.srx.dst_vrf_grp`*:: ++ +-- +dst_vrf_grp + + +type: keyword + +-- + +*`juniper.srx.icmp_type`*:: ++ +-- +icmp type + + +type: integer + +-- + +*`juniper.srx.process`*:: ++ +-- +process that generated the message + + +type: keyword + +-- + +*`juniper.srx.apbr_rule_type`*:: ++ +-- +apbr rule type + + +type: keyword + +-- + +*`juniper.srx.dscp_value`*:: ++ +-- +apbr rule type + + +type: integer + +-- + +*`juniper.srx.logical_system_name`*:: ++ +-- +logical system name + + +type: keyword + +-- + +*`juniper.srx.profile_name`*:: ++ +-- +profile name + + +type: keyword + +-- + +*`juniper.srx.routing_instance`*:: ++ +-- +routing instance + + +type: keyword + +-- + +*`juniper.srx.rule_name`*:: ++ +-- +rule name + + +type: keyword + +-- + +*`juniper.srx.uplink_tx_bytes`*:: ++ +-- +uplink tx bytes + + +type: integer + +-- + +*`juniper.srx.uplink_rx_bytes`*:: ++ +-- +uplink rx bytes + + +type: integer + +-- + +*`juniper.srx.obj`*:: ++ +-- +url path + + +type: keyword + +-- + +*`juniper.srx.url`*:: ++ +-- +url domain + + +type: keyword + +-- + +*`juniper.srx.profile`*:: ++ +-- +filter profile + + +type: keyword + +-- + +*`juniper.srx.category`*:: ++ +-- +filter category + + +type: keyword + +-- + +*`juniper.srx.filename`*:: ++ +-- +filename + + +type: keyword + +-- + +*`juniper.srx.temporary_filename`*:: ++ +-- +temporary_filename + + +type: keyword + +-- + +*`juniper.srx.name`*:: ++ +-- +name + + +type: keyword + +-- + +*`juniper.srx.error_message`*:: ++ +-- +error_message + + +type: keyword + +-- + +*`juniper.srx.error_code`*:: ++ +-- +error_code + + +type: keyword + +-- + +*`juniper.srx.action`*:: ++ +-- +action + + +type: keyword + +-- + +*`juniper.srx.protocol`*:: ++ +-- +protocol + + +type: keyword + +-- + +*`juniper.srx.protocol_name`*:: ++ +-- +protocol name + + +type: keyword + +-- + +*`juniper.srx.type`*:: ++ +-- +type + + +type: keyword + +-- + +*`juniper.srx.repeat_count`*:: ++ +-- +repeat count + + +type: integer + +-- + +*`juniper.srx.alert`*:: ++ +-- +repeat alert + + +type: keyword + +-- + +*`juniper.srx.message_type`*:: ++ +-- +message type + + +type: keyword + +-- + +*`juniper.srx.threat_severity`*:: ++ +-- +threat severity + + +type: keyword + +-- + +*`juniper.srx.application_name`*:: ++ +-- +application name + + +type: keyword + +-- + +*`juniper.srx.attack_name`*:: ++ +-- +attack name + + +type: keyword + +-- + +*`juniper.srx.index`*:: ++ +-- +index + + +type: keyword + +-- + +*`juniper.srx.message`*:: ++ +-- +mesagge + + +type: keyword + +-- + +*`juniper.srx.epoch_time`*:: ++ +-- +epoch time + + +type: date + +-- + +*`juniper.srx.packet_log_id`*:: ++ +-- +packet log id + + +type: integer + +-- + +*`juniper.srx.export_id`*:: ++ +-- +packet log id + + +type: integer + +-- + +*`juniper.srx.ddos_application_name`*:: ++ +-- +ddos application name + + +type: keyword + +-- + +*`juniper.srx.connection_hit_rate`*:: ++ +-- +connection hit rate + + +type: integer + +-- + +*`juniper.srx.time_scope`*:: ++ +-- +time scope + + +type: keyword + +-- + +*`juniper.srx.context_hit_rate`*:: ++ +-- +context hit rate + + +type: integer + +-- + +*`juniper.srx.context_value_hit_rate`*:: ++ +-- +context value hit rate + + +type: integer + +-- + +*`juniper.srx.time_count`*:: ++ +-- +time count + + +type: integer + +-- + +*`juniper.srx.time_period`*:: ++ +-- +time period + + +type: integer + +-- + +*`juniper.srx.context_value`*:: ++ +-- +context value + + +type: keyword + +-- + +*`juniper.srx.context_name`*:: ++ +-- +context name + + +type: keyword + +-- + +*`juniper.srx.ruleebase_name`*:: ++ +-- +ruleebase name + + +type: keyword + +-- + +*`juniper.srx.verdict_source`*:: ++ +-- +verdict source + + +type: keyword + +-- + +*`juniper.srx.verdict_number`*:: ++ +-- +verdict number + + +type: integer + +-- + +*`juniper.srx.file_category`*:: ++ +-- +file category + + +type: keyword + +-- + +*`juniper.srx.sample_sha256`*:: ++ +-- +sample sha256 + + +type: keyword + +-- + +*`juniper.srx.malware_info`*:: ++ +-- +malware info + + +type: keyword + +-- + +*`juniper.srx.client_ip`*:: ++ +-- +client ip + + +type: ip + +-- + +*`juniper.srx.tenant_id`*:: ++ +-- +tenant id + + +type: keyword + +-- + +*`juniper.srx.timestamp`*:: ++ +-- +timestamp + + +type: date + +-- + +*`juniper.srx.th`*:: ++ +-- +th + + +type: keyword + +-- + +*`juniper.srx.status`*:: ++ +-- +status + + +type: keyword + +-- + +*`juniper.srx.state`*:: ++ +-- +state + + +type: keyword + +-- + +*`juniper.srx.file_hash_lookup`*:: ++ +-- +file hash lookup + + +type: keyword + +-- + +*`juniper.srx.file_name`*:: ++ +-- +file name + + +type: keyword + +-- + +*`juniper.srx.action_detail`*:: ++ +-- +action detail + + +type: keyword + +-- + +*`juniper.srx.sub_category`*:: ++ +-- +sub category + + +type: keyword + +-- + +*`juniper.srx.feed_name`*:: ++ +-- +feed name + + +type: keyword + +-- + +*`juniper.srx.occur_count`*:: ++ +-- +occur count + + +type: integer + +-- + +*`juniper.srx.tag`*:: ++ +-- +system log message tag, which uniquely identifies the message. + + type: keyword -- @@ -94409,6 +95570,433 @@ type: keyword -- +[float] +=== microsoft.m365_defender + +Module for ingesting Microsoft Defender ATP. + + + +*`microsoft.m365_defender.incidentId`*:: ++ +-- +Unique identifier to represent the incident. + + +type: keyword + +-- + +*`microsoft.m365_defender.redirectIncidentId`*:: ++ +-- +Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic. + + +type: keyword + +-- + +*`microsoft.m365_defender.incidentName`*:: ++ +-- +Name of the Incident. + + +type: keyword + +-- + +*`microsoft.m365_defender.determination`*:: ++ +-- +Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other. + + +type: keyword + +-- + +*`microsoft.m365_defender.investigationState`*:: ++ +-- +The current state of the Investigation. + + +type: keyword + +-- + +*`microsoft.m365_defender.assignedTo`*:: ++ +-- +Owner of the alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.tags`*:: ++ +-- +Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. + + +type: keyword + +-- + +*`microsoft.m365_defender.status`*:: ++ +-- +Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. + + +type: keyword + +-- + +*`microsoft.m365_defender.classification`*:: ++ +-- +Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.incidentId`*:: ++ +-- +Unique identifier to represent the incident this alert is associated with. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.resolvedTime`*:: ++ +-- +Time when alert was resolved. + + +type: date + +-- + +*`microsoft.m365_defender.alerts.status`*:: ++ +-- +Categorize alerts (as New, Active, or Resolved). + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.severity`*:: ++ +-- +The severity of the related alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.creationTime`*:: ++ +-- +Time when alert was first created. + + +type: date + +-- + +*`microsoft.m365_defender.alerts.lastUpdatedTime`*:: ++ +-- +Time when alert was last updated. + + +type: date + +-- + +*`microsoft.m365_defender.alerts.investigationId`*:: ++ +-- +The automated investigation id triggered by this alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.userSid`*:: ++ +-- +The SID of the related user + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.detectionSource`*:: ++ +-- +The service that initially detected the threat. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.classification`*:: ++ +-- +The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.investigationState`*:: ++ +-- +Information on the investigation's current status. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.determination`*:: ++ +-- +Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.assignedTo`*:: ++ +-- +Owner of the incident, or null if no owner is assigned. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.actorName`*:: ++ +-- +The activity group, if any, the associated with this alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.threatFamilyName`*:: ++ +-- +Threat family associated with this alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.mitreTechniques`*:: ++ +-- +The attack techniques, as aligned with the MITRE ATT&CK™ framework. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.entityType`*:: ++ +-- +Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.accountName`*:: ++ +-- +Account name of the related user. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.mailboxDisplayName`*:: ++ +-- +The display name of the related mailbox. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.mailboxAddress`*:: ++ +-- +The mail address of the related mailbox. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.clusterBy`*:: ++ +-- +A list of metadata if the entityType is MailCluster. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.sender`*:: ++ +-- +The sender for the related email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.recipient`*:: ++ +-- +The recipient for the related email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.subject`*:: ++ +-- +The subject for the related email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.deliveryAction`*:: ++ +-- +The delivery status for the related email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.securityGroupId`*:: ++ +-- +The Security Group ID for the user related to the email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.securityGroupName`*:: ++ +-- +The Security Group Name for the user related to the email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.registryHive`*:: ++ +-- +Reference to which Hive in registry the event is related to, if eventType is registry. Example: HKEY_LOCAL_MACHINE. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.registryKey`*:: ++ +-- +Reference to the related registry key to the event. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.registryValueType`*:: ++ +-- +Value type of the registry key/value pair related to the event. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.deviceId`*:: ++ +-- +The unique ID of the device related to the event. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.ipAddress`*:: ++ +-- +The related IP address to the event. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.devices`*:: ++ +-- +The devices related to the investigation. + + +type: flattened + +-- + [[exported-fields-misp]] == MISP fields @@ -105135,6 +106723,46 @@ type: array -- +*`nginx.ingress_controller.upstream_address_list`*:: ++ +-- +An array of the upstream addresses. It is a list because it is common that several upstream servers were contacted during request processing. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.length_list`*:: ++ +-- +An array of upstream response lengths. It is a list because it is common that several upstream servers were contacted during request processing. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.time_list`*:: ++ +-- +An array of upstream response durations. It is a list because it is common that several upstream servers were contacted during request processing. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.status_code_list`*:: ++ +-- +An array of upstream response status codes. It is a list because it is common that several upstream servers were contacted during request processing. + + +type: keyword + +-- + *`nginx.ingress_controller.http.request.length`*:: + -- @@ -105182,7 +106810,7 @@ type: keyword *`nginx.ingress_controller.upstream.response.length`*:: + -- -The length of the response obtained from the upstream server +The length of the response obtained from the upstream server. If several servers were contacted during request process, the summary of the multiple response lengths is stored. type: long @@ -105194,7 +106822,7 @@ format: bytes *`nginx.ingress_controller.upstream.response.time`*:: + -- -The time spent on receiving the response from the upstream server as seconds with millisecond resolution +The time spent on receiving the response from the upstream as seconds with millisecond resolution. If several servers were contacted during request process, the summary of the multiple response times is stored. type: double @@ -105206,40 +106834,40 @@ format: duration *`nginx.ingress_controller.upstream.response.status_code`*:: + -- -The status code of the response obtained from the upstream server +The status code of the response obtained from the upstream server. If several servers were contacted during request process, only the status code of the response from the last one is stored in this field. type: long -- -*`nginx.ingress_controller.http.request.id`*:: +*`nginx.ingress_controller.upstream.ip`*:: + -- -The randomly generated ID of the request +The IP address of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. -type: keyword +type: ip -- -*`nginx.ingress_controller.upstream.ip`*:: +*`nginx.ingress_controller.upstream.port`*:: + -- -The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. +The port of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. -type: ip +type: long -- -*`nginx.ingress_controller.upstream.port`*:: +*`nginx.ingress_controller.http.request.id`*:: + -- -The port of the upstream server. +The randomly generated ID of the request -type: long +type: keyword -- diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index c12f818caca..d087826245e 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -10,13 +10,15 @@ This file is generated! See scripts/docs_collector.py == Cisco module -This is a module for Cisco network device's logs. It includes the following +This is a module for Cisco network device's logs and Cisco Umbrella. It includes the following filesets for receiving logs over syslog or read from a file: - `asa` fileset: supports Cisco ASA firewall logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. - `nexus` fileset: supports Cisco Nexus switch logs. +- `meraki` fileset: supports Cisco Meraki logs. +- `umbrella` fileset: supports Cisco Umbrella logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in @@ -32,6 +34,8 @@ The module is by default configured to run via syslog on port 9001 for ASA and port 9002 for IOS. However it can also be configured to read from a file path. See the following example. +Cisco Umbrella publishes its logs in a compressed CSV format to a S3 bucket. + ["source","yaml",subs="attributes"] ----- - module: cisco @@ -379,6 +383,59 @@ will be found under `rsa.raw`. The default is false. :fileset_ex!: +[float] +==== `umbrella` fileset settings + +The Cisco Umbrella fileset primarily focuses on reading CSV files from an S3 bucket using the filebeat S3 input. + +To configure Cisco Umbrella to log to either your own S3 bucket or one that is managed by Cisco please follow the https://docs.umbrella.com/deployment-umbrella/docs/log-management[Cisco Umbrella User Guide.] + +This fileset supports all 4 log types: +- Proxy +- Cloud Firewall +- IP Logs +- DNS logs + +The Cisco Umbrella fileset depends on the original file path structure being followed. This structure is documented https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning[Umbrella Log Formats and Versioning]: + +/--
/--
---.csv.gz +dnslogs/--/----.csv.gz + +When configuring the fileset, please ensure that the Queue URL is set to the root folder that includes each of these subfolders above. + +Example config: + +[source,yaml] +---- +- module: cisco + umbrella: + enabled: true + var.input: s3 + var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue + var.access_key_id: 123456 + var.secret_access_key: PASSWORD +---- + +*`var.input`*:: + +The input from which messages are read. Can be S3 or file. + +*`var.queue_url`*:: + +The URL to the SQS queue if the input type is S3. + +*`var.access_key_id`*:: + +The ID for the access key used to read from the SQS queue. + +*`var.secret_access_key`*:: + +The secret token used for authenticating to the SQS queue. + +:has-dashboards!: + +:fileset_ex!: + [float] === Example dashboard diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc index 047e847bc5a..a2d2a0100d3 100644 --- a/filebeat/docs/modules/juniper.asciidoc +++ b/filebeat/docs/modules/juniper.asciidoc @@ -10,18 +10,131 @@ This file is generated! See scripts/docs_collector.py == Juniper module -experimental[] +This is a module for ingesting data from the different Juniper Products. Currently supports these filesets: -This is a module for receiving Juniper JUNOS logs over Syslog or a file. +- `srx` fileset: Supports Juniper SRX logs +- `junos` fileset: Supports Juniper JUNOS logs +- `netscreen` fileset: Supports Juniper Netscreen logs include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: junos - include::../include/config-option-intro.asciidoc[] +:fileset_ex: srx +beta[] + +[float] +==== `srx` fileset settings + +The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data] + +To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging]. + +The following processes and tags are supported: + +[options="header"] +|============================================================== +| JunOS processes | JunOS tags | +| RT_FLOW | RT_FLOW_SESSION_CREATE | +| | RT_FLOW_SESSION_CLOSE | +| | RT_FLOW_SESSION_DENY | +| | APPTRACK_SESSION_CREATE | +| | APPTRACK_SESSION_CLOSE | +| | APPTRACK_SESSION_VOL_UPDATE | +| RT_IDS | RT_SCREEN_TCP | +| | RT_SCREEN_UDP | +| | RT_SCREEN_ICMP | +| | RT_SCREEN_IP | +| | RT_SCREEN_TCP_DST_IP | +| | RT_SCREEN_TCP_SRC_IP | +| RT_UTM | WEBFILTER_URL_PERMITTED | +| | WEBFILTER_URL_BLOCKED | +| | AV_VIRUS_DETECTED_MT | +| | CONTENT_FILTERING_BLOCKED_MT | +| | ANTISPAM_SPAM_DETECTED_MT | +| RT_IDP | IDP_ATTACK_LOG_EVENT | +| | IDP_APPDDOS_APP_STATE_EVENT | +| RT_AAMW | SRX_AAMW_ACTION_LOG | +| | AAMW_MALWARE_EVENT_LOG | +| | AAMW_HOST_INFECTED_EVENT_LOG | +| | AAMW_ACTION_LOG | +| RT_SECINTEL | SECINTEL_ACTION_LOG | +|============================================================== + +The syslog format choosen should be `Default`. + +[float] +=== Compatibility + +This module has been tested against JunOS version 19.x and 20.x. +Versions above this are expected to work but have not been tested. + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9006 +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9006. + + +[float] +==== Juniper SRX ECS fields + +This is a list of JunOS fields that are mapped to ECS. + +[options="header"] +|============================================================== +| Juniper SRX Fields | ECS Fields | +| application-risk | event.risk_score | +| bytes-from-client | source.bytes | +| bytes-from-server | destination.bytes | +| destination-interface-name | observer.egress.interface.name | +| destination-zone-name | observer.egress.zone | +| destination-address | destination.ip | +| destination-port | destination.port | +| dst_domainname | url.domain | +| elapsed-time | event.duration | +| filename | file.name | +| nat-destination-address | destination.nat.ip | +| nat-destination-port | destination.nat.port | +| nat-source-address | source.nat.ip | +| nat-source-port | source.nat.port | +| message | message | +| obj | url.path | +| packets-from-client | source.packets | +| packets-from-server | destination.packets | +| policy-name | rule.name | +| protocol | network.transport | +| source-address | source.ip | +| source-interface-name | observer.ingress.interface.name| +| source-port | source.port | +| source-zone-name | observer.ingress.zone | +| url | url.domain | +|============================================================== + + +:fileset_ex: junos + [float] ==== `junos` fileset settings diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc index 513ca155be6..5edbbf027d0 100644 --- a/filebeat/docs/modules/microsoft.asciidoc +++ b/filebeat/docs/modules/microsoft.asciidoc @@ -12,7 +12,8 @@ This file is generated! See scripts/docs_collector.py This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets: -- `defender_atp` fileset: Supports Microsoft Defender ATP +- `defender_atp` fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP) +- `m365_defender` fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection) - `dhcp` fileset: Supports Microsoft DHCP logs include::../include/what-happens.asciidoc[] @@ -25,6 +26,84 @@ include::../include/configuring-intro.asciidoc[] include::../include/config-option-intro.asciidoc[] +[float] +==== `m365_defender` fileset settings + +beta[] + +To configure access for Filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return Oauth tokens with access to the Microsoft 365 Defender API + +The procedure to create an application is found on the below link: + +https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-create-app-web?view=o365-worldwide#create-an-app[Create a new Azure Application] + +When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain. + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. + +These values are: + +- Client ID +- Client Secret +- Tenant ID + +Example config: + +[source,yaml] +---- +- module: microsoft + m365_defender: + enabled: true + var.oauth2.client.id: "123abc-879546asd-349587-ad64508" + var.oauth2.client.secret: "980453~-Sg99gedf" + var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" +---- + +*`var.oauth2.client.id`*:: + +This is the client ID related to creating a new application on Azure. + +*`var.oauth2.client.secret`*:: + +The secret related to the client ID. + +*`var.oauth2.token_url`*:: + +A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL. + +[float] +==== 365 Defender ECS fields + +This is a list of 365 Defender fields that are mapped to ECS. + +[options="header"] +|====================================================================== +| 365 Defender Fields | ECS Fields | +| lastUpdateTime | @timestamp | +| severity | event.severity | +| createdTime | event.created | +| alerts.category | threat.technique.name | +| alerts.description | rule.description | +| alerts.serviceSource | event.provider | +| alerts.alertId | event.id | +| alerts.firstActivity | event.start | +| alerts.lastActivity | event.end | +| alerts.title | message | +| entities.processId | process.pid | +| entities.processCommandLine | process.command_line | +| entities.processCreationTime | process.start | +| entities.parentProcessId | process.parent.pid | +| entities.parentProcessCreationTime | process.parent.start | +| entities.sha1 | file.hash.sha1 | +| entities.sha256 | file.hash.sha256 | +| entities.url | url.full | +| entities.filePath | file.path | +| entities.fileName | file.name | +| entities.userPrincipalName | host.user.name | +| entities.domainName | host.user.domain | +| entities.aadUserId | host.user.id | +|====================================================================== + [float] ==== `defender_atp` fileset settings @@ -114,7 +193,7 @@ This module comes with a sample dashboard for Defender ATP. [role="screenshot"] image::./images/filebeat-defender-atp-overview.png[] -The best way to view Defender ATP events and alert data is in the SIEM. +The best way to view Defender ATP events and alert data is in the SIEM. [role="screenshot"] image::./images/siem-alerts-cs.jpg[] diff --git a/filebeat/docs/reload-configuration.asciidoc b/filebeat/docs/reload-configuration.asciidoc index 10a706d4020..14c4826b6d8 100644 --- a/filebeat/docs/reload-configuration.asciidoc +++ b/filebeat/docs/reload-configuration.asciidoc @@ -33,9 +33,11 @@ definitions. TIP: The first line of each external configuration file must be an input definition that starts with `- type`. Make sure you omit the line -+{beatname_lc}.config.inputs+ from this file. - -For example: ++{beatname_lc}.config.inputs+ from this file. All <> +must be specified within each external configuration file. Specifying these +configuration options at the global `filebeat.config.inputs` level is not supported. + +Example external configuration file: [source,yaml] ------------------------------------------------------------------------------ diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index bf29e0715ed..3a0d1d5d19c 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -398,6 +398,7 @@ filebeat.inputs: # # Possible options are: # * log: Reads every line of the log file (default) +# * filestream: Improved version of log input. Experimental. # * stdin: Reads the standard in #------------------------------ Log input -------------------------------- @@ -618,6 +619,145 @@ filebeat.inputs: # Defines if inputs is enabled #enabled: true +#--------------------------- Filestream input ---------------------------- +- type: filestream + + # Change to true to enable this input configuration. + enabled: false + + # Paths that should be crawled and fetched. Glob based paths. + # To fetch all ".log" files from a specific level of subdirectories + # /var/log/*/*.log can be used. + # For each file found under this path, a harvester is started. + # Make sure not file is defined twice as this can lead to unexpected behaviour. + paths: + - /var/log/*.log + #- c:\programdata\elasticsearch\logs\* + + # Configure the file encoding for reading files with international characters + # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding). + # Some sample encodings: + # plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk, + # hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ... + #encoding: plain + + + # Exclude lines. A list of regular expressions to match. It drops the lines that are + # matching any regular expression from the list. The include_lines is called before + # exclude_lines. By default, no lines are dropped. + #exclude_lines: ['^DBG'] + + # Include lines. A list of regular expressions to match. It exports the lines that are + # matching any regular expression from the list. The include_lines is called before + # exclude_lines. By default, all the lines are exported. + #include_lines: ['^ERR', '^WARN'] + + ### Prospector options + + # How often the input checks for new files in the paths that are specified + # for harvesting. Specify 1s to scan the directory as frequently as possible + # without causing Filebeat to scan too frequently. Default: 10s. + #prospector.scanner.check_interval: 10s + + # Exclude files. A list of regular expressions to match. Filebeat drops the files that + # are matching any regular expression from the list. By default, no files are dropped. + #prospector.scanner.exclude_files: ['.gz$'] + + # Expand "**" patterns into regular glob patterns. + #prospector.scanner.recursive_glob: true + + # If symlinks is enabled, symlinks are opened and harvested. The harvester is opening the + # original for harvesting but will report the symlink name as source. + #prospector.scanner.symlinks: false + + ### State options + + # Files for the modification data is older then clean_inactive the state from the registry is removed + # By default this is disabled. + #clean_inactive: 0 + + # Removes the state for file which cannot be found on disk anymore immediately + #clean_removed: true + + # Method to determine if two files are the same or not. By default + # the Beat considers two files the same if their inode and device id are the same. + #file_identity.native: ~ + + # Optional additional fields. These fields can be freely picked + # to add additional information to the crawled log files for filtering + #fields: + # level: debug + # review: 1 + + # Set to true to publish fields with null values in events. + #keep_null: false + + # By default, all events contain `host.name`. This option can be set to true + # to disable the addition of this field to all events. The default value is + # false. + #publisher_pipeline.disable_host: false + + # Ignore files which were modified more then the defined timespan in the past. + # ignore_older is disabled by default, so no files are ignored by setting it to 0. + # Time strings like 2h (2 hours), 5m (5 minutes) can be used. + #ignore_older: 0 + + # Defines the buffer size every harvester uses when fetching the file + #harvester_buffer_size: 16384 + + # Maximum number of bytes a single log event can have + # All bytes after max_bytes are discarded and not sent. The default is 10MB. + # This is especially useful for multiline log messages which can get large. + #message_max_bytes: 10485760 + + # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed, + # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator. + #line_terminator: auto + + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # Backoff values define how aggressively filebeat crawls new files for updates + # The default values can be used in most cases. Backoff defines how long it is waited + # to check a file again after EOF is reached. Default is 1s which means the file + # is checked every second if new lines were added. This leads to a near real time crawling. + # Every time a new line appears, backoff is reset to the initial value. + #backoff.init: 1s + + # Max backoff defines what the maximum backoff time is. After having backed off multiple times + # from checking the files, the waiting time will never exceed max_backoff independent of the + # backoff factor. Having it set to 10s means in the worst case a new line can be added to a log + # file after having backed off multiple times, it takes a maximum of 10s to read the new line + #backoff.max: 10s + + ### Harvester closing options + + # Close inactive closes the file handler after the predefined period. + # The period starts when the last line of the file was, not the file ModTime. + # Time strings like 2h (2 hours), 5m (5 minutes) can be used. + #close.on_state_change.inactive: 5m + + # Close renamed closes a file handler when the file is renamed or rotated. + # Note: Potential data loss. Make sure to read and understand the docs for this option. + #close.on_state_change.renamed: false + + # When enabling this option, a file handler is closed immediately in case a file can't be found + # any more. In case the file shows up again later, harvesting will continue at the last known position + # after scan_frequency. + #close.on_state_change.removed: true + + # Closes the file handler as soon as the harvesters reaches the end of the file. + # By default this option is disabled. + # Note: Potential data loss. Make sure to read and understand the docs for this option. + #close.reader.eof: false + + # Close timeout closes the harvester after the predefined time. + # This is independent if the harvester did finish reading the file or not. + # By default this option is disabled. + # Note: Potential data loss. Make sure to read and understand the docs for this option. + #close.reader.after_interval: 0 + #----------------------------- Stdin input ------------------------------- # Configuration to use stdin input #- type: stdin diff --git a/filebeat/filebeat.yml b/filebeat/filebeat.yml index 2a3e678c542..9a29bc76962 100644 --- a/filebeat/filebeat.yml +++ b/filebeat/filebeat.yml @@ -62,6 +62,35 @@ filebeat.inputs: # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash #multiline.match: after +# filestream is an experimental input. It is going to replace log input in the future. +- type: filestream + + # Change to true to enable this input configuration. + enabled: false + + # Paths that should be crawled and fetched. Glob based paths. + paths: + - /var/log/*.log + #- c:\programdata\elasticsearch\logs\* + + # Exclude lines. A list of regular expressions to match. It drops the lines that are + # matching any regular expression from the list. + #exclude_lines: ['^DBG'] + + # Include lines. A list of regular expressions to match. It exports the lines that are + # matching any regular expression from the list. + #include_lines: ['^ERR', '^WARN'] + + # Exclude files. A list of regular expressions to match. Filebeat drops the files that + # are matching any regular expression from the list. By default, no files are dropped. + #prospector.scanner.exclude_files: ['.gz$'] + + # Optional additional fields. These fields can be freely picked + # to add additional information to the crawled log files for filtering + #fields: + # level: debug + # review: 1 + # ============================== Filebeat modules ============================== filebeat.config.modules: diff --git a/filebeat/input/default-inputs/inputs.go b/filebeat/input/default-inputs/inputs.go index 52338a0af98..881f3664efd 100644 --- a/filebeat/input/default-inputs/inputs.go +++ b/filebeat/input/default-inputs/inputs.go @@ -19,6 +19,7 @@ package inputs import ( "github.com/elastic/beats/v7/filebeat/beater" + "github.com/elastic/beats/v7/filebeat/input/filestream" "github.com/elastic/beats/v7/filebeat/input/unix" v2 "github.com/elastic/beats/v7/filebeat/input/v2" "github.com/elastic/beats/v7/libbeat/beat" @@ -27,13 +28,14 @@ import ( func Init(info beat.Info, log *logp.Logger, components beater.StateStore) []v2.Plugin { return append( - genericInputs(), + genericInputs(log, components), osInputs(info, log, components)..., ) } -func genericInputs() []v2.Plugin { +func genericInputs(log *logp.Logger, components beater.StateStore) []v2.Plugin { return []v2.Plugin{ + filestream.Plugin(log, components), unix.Plugin(), } } diff --git a/filebeat/input/filestream/config.go b/filebeat/input/filestream/config.go new file mode 100644 index 00000000000..c2b1e838ee5 --- /dev/null +++ b/filebeat/input/filestream/config.go @@ -0,0 +1,147 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "fmt" + "time" + + "github.com/dustin/go-humanize" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/reader/readfile" +) + +// Config stores the options of a file stream. +type config struct { + readerConfig + + Paths []string `config:"paths"` + Close closerConfig `config:"close"` + FileWatcher *common.ConfigNamespace `config:"file_watcher"` + FileIdentity *common.ConfigNamespace `config:"file_identity"` + CleanInactive time.Duration `config:"clean_inactive" validate:"min=0"` + CleanRemoved bool `config:"clean_removed"` + HarvesterLimit uint32 `config:"harvester_limit" validate:"min=0"` + IgnoreOlder time.Duration `config:"ignore_older"` +} + +type closerConfig struct { + OnStateChange stateChangeCloserConfig `config:"on_state_change"` + Reader readerCloserConfig `config:"reader"` +} + +type readerCloserConfig struct { + AfterInterval time.Duration `config:"after_interval"` + OnEOF bool `config:"on_eof"` +} + +type stateChangeCloserConfig struct { + CheckInterval time.Duration `config:"check_interval" validate:"nonzero"` + Inactive time.Duration `config:"inactive"` + Removed bool `config:"removed"` + Renamed bool `config:"renamed"` +} + +type readerConfig struct { + Backoff backoffConfig `config:"backoff"` + BufferSize int `config:"buffer_size"` + Encoding string `config:"encoding"` + ExcludeLines []match.Matcher `config:"exclude_lines"` + IncludeLines []match.Matcher `config:"include_lines"` + LineTerminator readfile.LineTerminator `config:"line_terminator"` + MaxBytes int `config:"message_max_bytes" validate:"min=0,nonzero"` + Tail bool `config:"seek_to_tail"` + + Parsers []*common.ConfigNamespace `config:"parsers"` // TODO multiline, json, syslog? +} + +type backoffConfig struct { + Init time.Duration `config:"init" validate:"nonzero"` + Max time.Duration `config:"max" validate:"nonzero"` +} + +func defaultConfig() config { + return config{ + readerConfig: defaultReaderConfig(), + Paths: []string{}, + Close: defaultCloserConfig(), + CleanInactive: 0, + CleanRemoved: true, + HarvesterLimit: 0, + IgnoreOlder: 0, + } +} + +func defaultCloserConfig() closerConfig { + return closerConfig{ + OnStateChange: stateChangeCloserConfig{ + CheckInterval: 5 * time.Second, + Removed: true, // TODO check clean_removed option + Inactive: 0 * time.Second, + Renamed: false, + }, + Reader: readerCloserConfig{ + OnEOF: false, + AfterInterval: 0 * time.Second, + }, + } +} + +func defaultReaderConfig() readerConfig { + return readerConfig{ + Backoff: backoffConfig{ + Init: 1 * time.Second, + Max: 10 * time.Second, + }, + BufferSize: 16 * humanize.KiByte, + LineTerminator: readfile.AutoLineTerminator, + MaxBytes: 10 * humanize.MiByte, + Tail: false, + Parsers: nil, + } +} + +func (c *config) Validate() error { + if len(c.Paths) == 0 { + return fmt.Errorf("no path is configured") + } + // TODO + //if c.CleanInactive != 0 && c.IgnoreOlder == 0 { + // return fmt.Errorf("ignore_older must be enabled when clean_inactive is used") + //} + + // TODO + //if c.CleanInactive != 0 && c.CleanInactive <= c.IgnoreOlder+c.ScanFrequency { + // return fmt.Errorf("clean_inactive must be > ignore_older + scan_frequency to make sure only files which are not monitored anymore are removed") + //} + + // TODO + //if c.JSON != nil && len(c.JSON.MessageKey) == 0 && + // c.Multiline != nil { + // return fmt.Errorf("When using the JSON decoder and multiline together, you need to specify a message_key value") + //} + + //if c.JSON != nil && len(c.JSON.MessageKey) == 0 && + // (len(c.IncludeLines) > 0 || len(c.ExcludeLines) > 0) { + // return fmt.Errorf("When using the JSON decoder and line filtering together, you need to specify a message_key value") + //} + + return nil +} diff --git a/filebeat/input/filestream/filestream.go b/filebeat/input/filestream/filestream.go new file mode 100644 index 00000000000..4d42bbf6242 --- /dev/null +++ b/filebeat/input/filestream/filestream.go @@ -0,0 +1,276 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "context" + "errors" + "io" + "os" + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/common/backoff" + "github.com/elastic/beats/v7/libbeat/common/file" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/unison" +) + +var ( + ErrFileTruncate = errors.New("detected file being truncated") + ErrClosed = errors.New("reader closed") +) + +// logFile contains all log related data +type logFile struct { + file *os.File + log *logp.Logger + ctx context.Context + cancelReading context.CancelFunc + + closeAfterInterval time.Duration + closeOnEOF bool + + checkInterval time.Duration + closeInactive time.Duration + closeRemoved bool + closeRenamed bool + + offset int64 + lastTimeRead time.Time + backoff backoff.Backoff + tg unison.TaskGroup +} + +// newFileReader creates a new log instance to read log sources +func newFileReader( + log *logp.Logger, + canceler input.Canceler, + f *os.File, + config readerConfig, + closerConfig closerConfig, +) (*logFile, error) { + offset, err := f.Seek(0, os.SEEK_CUR) + if err != nil { + return nil, err + } + + l := &logFile{ + file: f, + log: log, + closeAfterInterval: closerConfig.Reader.AfterInterval, + closeOnEOF: closerConfig.Reader.OnEOF, + checkInterval: closerConfig.OnStateChange.CheckInterval, + closeInactive: closerConfig.OnStateChange.Inactive, + closeRemoved: closerConfig.OnStateChange.Removed, + closeRenamed: closerConfig.OnStateChange.Renamed, + offset: offset, + lastTimeRead: time.Now(), + backoff: backoff.NewExpBackoff(canceler.Done(), config.Backoff.Init, config.Backoff.Max), + tg: unison.TaskGroup{}, + } + + l.ctx, l.cancelReading = ctxtool.WithFunc(ctxtool.FromCanceller(canceler), func() { + err := l.tg.Stop() + if err != nil { + l.log.Errorf("Error while stopping filestream logFile reader: %v", err) + } + }) + + l.startFileMonitoringIfNeeded() + + return l, nil +} + +// Read reads from the reader and updates the offset +// The total number of bytes read is returned. +func (f *logFile) Read(buf []byte) (int, error) { + totalN := 0 + + for f.ctx.Err() == nil { + n, err := f.file.Read(buf) + if n > 0 { + f.offset += int64(n) + f.lastTimeRead = time.Now() + } + totalN += n + + // Read from source completed without error + // Either end reached or buffer full + if err == nil { + // reset backoff for next read + f.backoff.Reset() + return totalN, nil + } + + // Move buffer forward for next read + buf = buf[n:] + + // Checks if an error happened or buffer is full + // If buffer is full, cannot continue reading. + // Can happen if n == bufferSize + io.EOF error + err = f.errorChecks(err) + if err != nil || len(buf) == 0 { + return totalN, err + } + + f.log.Debugf("End of file reached: %s; Backoff now.", f.file.Name()) + f.backoff.Wait() + } + + return 0, ErrClosed +} + +func (f *logFile) startFileMonitoringIfNeeded() { + if f.closeInactive == 0 && f.closeAfterInterval == 0 { + return + } + + if f.closeInactive > 0 { + f.tg.Go(func(ctx unison.Canceler) error { + f.closeIfTimeout(ctx) + return nil + }) + } + + if f.closeAfterInterval > 0 { + f.tg.Go(func(ctx unison.Canceler) error { + f.periodicStateCheck(ctx) + return nil + }) + } +} + +func (f *logFile) closeIfTimeout(ctx unison.Canceler) { + timer := time.NewTimer(f.closeAfterInterval) + defer timer.Stop() + + for { + select { + case <-ctx.Done(): + return + case <-timer.C: + f.cancelReading() + return + } + } +} + +func (f *logFile) periodicStateCheck(ctx unison.Canceler) { + ticker := time.NewTicker(f.checkInterval) + defer ticker.Stop() + + for { + select { + case <-ctx.Done(): + return + case <-ticker.C: + if f.shouldBeClosed() { + f.cancelReading() + return + } + } + } +} + +func (f *logFile) shouldBeClosed() bool { + if f.closeInactive > 0 { + if time.Since(f.lastTimeRead) > f.closeInactive { + return true + } + } + + if !f.closeRemoved && !f.closeRenamed { + return false + + } + + info, statErr := f.file.Stat() + if statErr != nil { + f.log.Errorf("Unexpected error reading from %s; error: %s", f.file.Name(), statErr) + return true + } + + if f.closeRenamed { + // Check if the file can still be found under the same path + if !isSameFile(f.file.Name(), info) { + f.log.Debugf("close_renamed is enabled and file %s has been renamed", f.file.Name()) + return true + } + } + + if f.closeRemoved { + // Check if the file name exists. See https://github.com/elastic/filebeat/issues/93 + if file.IsRemoved(f.file) { + f.log.Debugf("close_removed is enabled and file %s has been removed", f.file.Name()) + return true + } + } + + return false +} + +func isSameFile(path string, info os.FileInfo) bool { + fileInfo, err := os.Stat(path) + if err != nil { + return false + } + + return os.SameFile(fileInfo, info) +} + +// errorChecks determines the cause for EOF errors, and how the EOF event should be handled +// based on the config options. +func (f *logFile) errorChecks(err error) error { + if err != io.EOF { + f.log.Error("Unexpected state reading from %s; error: %s", f.file.Name(), err) + return err + } + + return f.handleEOF() +} + +func (f *logFile) handleEOF() error { + if f.closeOnEOF { + return io.EOF + } + + // Refetch fileinfo to check if the file was truncated. + // Errors if the file was removed/rotated after reading and before + // calling the stat function + info, statErr := f.file.Stat() + if statErr != nil { + f.log.Error("Unexpected error reading from %s; error: %s", f.file.Name(), statErr) + return statErr + } + + // check if file was truncated + if info.Size() < f.offset { + f.log.Debugf("File was truncated as offset (%d) > size (%d): %s", f.offset, info.Size(), f.file.Name()) + return ErrFileTruncate + } + + return nil +} + +// Close +func (f *logFile) Close() error { + f.cancelReading() + return f.file.Close() +} diff --git a/filebeat/input/filestream/fswatch.go b/filebeat/input/filestream/fswatch.go new file mode 100644 index 00000000000..1b80971d835 --- /dev/null +++ b/filebeat/input/filestream/fswatch.go @@ -0,0 +1,375 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "fmt" + "os" + "path/filepath" + "time" + + "github.com/elastic/beats/v7/filebeat/input/file" + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/go-concert/unison" +) + +const ( + recursiveGlobDepth = 8 + scannerName = "scanner" + watcherDebugKey = "file_watcher" +) + +var ( + watcherFactories = map[string]watcherFactory{ + scannerName: newScannerWatcher, + } +) + +type watcherFactory func(paths []string, cfg *common.Config) (loginp.FSWatcher, error) + +// fileScanner looks for files which match the patterns in paths. +// It is able to exclude files and symlinks. +type fileScanner struct { + paths []string + excludedFiles []match.Matcher + symlinks bool + + log *logp.Logger +} + +type fileWatcherConfig struct { + // Interval is the time between two scans. + Interval time.Duration + // Scanner is the configuration of the scanner. + Scanner fileScannerConfig +} + +// fileWatcher gets the list of files from a FSWatcher and creates events by +// comparing the files between its last two runs. +type fileWatcher struct { + interval time.Duration + prev map[string]os.FileInfo + scanner loginp.FSScanner + log *logp.Logger + events chan loginp.FSEvent +} + +func newFileWatcher(paths []string, ns *common.ConfigNamespace) (loginp.FSWatcher, error) { + if ns == nil { + return newScannerWatcher(paths, common.NewConfig()) + } + + watcherType := ns.Name() + f, ok := watcherFactories[watcherType] + if !ok { + return nil, fmt.Errorf("no such file watcher: %s", watcherType) + } + + return f(paths, ns.Config()) +} + +func newScannerWatcher(paths []string, c *common.Config) (loginp.FSWatcher, error) { + config := defaultFileWatcherConfig() + err := c.Unpack(&config) + if err != nil { + return nil, err + } + scanner, err := newFileScanner(paths, config.Scanner) + if err != nil { + return nil, err + } + return &fileWatcher{ + log: logp.NewLogger(watcherDebugKey), + interval: config.Interval, + prev: make(map[string]os.FileInfo, 0), + scanner: scanner, + events: make(chan loginp.FSEvent), + }, nil +} + +func defaultFileWatcherConfig() fileWatcherConfig { + return fileWatcherConfig{ + Interval: 10 * time.Second, + Scanner: defaultFileScannerConfig(), + } +} + +func (w *fileWatcher) Run(ctx unison.Canceler) { + defer close(w.events) + + ticker := time.NewTicker(w.interval) + defer ticker.Stop() + for { + select { + case <-ctx.Done(): + return + case <-ticker.C: + w.watch(ctx) + } + } +} + +func (w *fileWatcher) watch(ctx unison.Canceler) { + w.log.Info("Start next scan") + + paths := w.scanner.GetFiles() + + newFiles := make(map[string]os.FileInfo) + + for path, info := range paths { + + prevInfo, ok := w.prev[path] + if !ok { + newFiles[path] = paths[path] + continue + } + + if prevInfo.ModTime() != info.ModTime() { + select { + case <-ctx.Done(): + return + case w.events <- writeEvent(path, info): + } + } + + // delete from previous state, as we have more up to date info + delete(w.prev, path) + } + + // remaining files are in the prev map are the ones that are missing + // either because they have been deleted or renamed + for removedPath, removedInfo := range w.prev { + for newPath, newInfo := range newFiles { + if os.SameFile(removedInfo, newInfo) { + select { + case <-ctx.Done(): + return + case w.events <- renamedEvent(removedPath, newPath, newInfo): + delete(newFiles, newPath) + goto CHECK_NEXT_REMOVED + } + } + } + + select { + case <-ctx.Done(): + return + case w.events <- deleteEvent(removedPath, removedInfo): + } + CHECK_NEXT_REMOVED: + } + + // remaining files in newFiles are new + for path, info := range newFiles { + select { + case <-ctx.Done(): + return + case w.events <- createEvent(path, info): + } + + } + + w.log.Debugf("Found %d paths", len(paths)) + w.prev = paths +} + +func createEvent(path string, fi os.FileInfo) loginp.FSEvent { + return loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: path, Info: fi} +} + +func writeEvent(path string, fi os.FileInfo) loginp.FSEvent { + return loginp.FSEvent{Op: loginp.OpWrite, OldPath: path, NewPath: path, Info: fi} +} + +func renamedEvent(oldPath, path string, fi os.FileInfo) loginp.FSEvent { + return loginp.FSEvent{Op: loginp.OpRename, OldPath: oldPath, NewPath: path, Info: fi} +} + +func deleteEvent(path string, fi os.FileInfo) loginp.FSEvent { + return loginp.FSEvent{Op: loginp.OpDelete, OldPath: path, NewPath: "", Info: fi} +} + +func (w *fileWatcher) Event() loginp.FSEvent { + return <-w.events +} + +type fileScannerConfig struct { + Paths []string + ExcludedFiles []match.Matcher + Symlinks bool + RecursiveGlob bool +} + +func defaultFileScannerConfig() fileScannerConfig { + return fileScannerConfig{ + Symlinks: false, + RecursiveGlob: true, + } +} + +func newFileScanner(paths []string, cfg fileScannerConfig) (loginp.FSScanner, error) { + fs := fileScanner{ + paths: paths, + excludedFiles: cfg.ExcludedFiles, + symlinks: cfg.Symlinks, + log: logp.NewLogger(scannerName), + } + err := fs.resolveRecursiveGlobs(cfg) + if err != nil { + return nil, err + } + err = fs.normalizeGlobPatterns() + if err != nil { + return nil, err + } + + return &fs, nil +} + +// resolveRecursiveGlobs expands `**` from the globs in multiple patterns +func (s *fileScanner) resolveRecursiveGlobs(c fileScannerConfig) error { + if !c.RecursiveGlob { + s.log.Debug("recursive glob disabled") + return nil + } + + s.log.Debug("recursive glob enabled") + var paths []string + for _, path := range s.paths { + patterns, err := file.GlobPatterns(path, recursiveGlobDepth) + if err != nil { + return err + } + if len(patterns) > 1 { + s.log.Debugf("%q expanded to %#v", path, patterns) + } + paths = append(paths, patterns...) + } + s.paths = paths + return nil +} + +// normalizeGlobPatterns calls `filepath.Abs` on all the globs from config +func (s *fileScanner) normalizeGlobPatterns() error { + var paths []string + for _, path := range s.paths { + pathAbs, err := filepath.Abs(path) + if err != nil { + return fmt.Errorf("failed to get the absolute path for %s: %v", path, err) + } + paths = append(paths, pathAbs) + } + s.paths = paths + return nil +} + +// GetFiles returns a map of files and fileinfos which +// match the configured paths. +func (s *fileScanner) GetFiles() map[string]os.FileInfo { + pathInfo := map[string]os.FileInfo{} + + for _, path := range s.paths { + matches, err := filepath.Glob(path) + if err != nil { + s.log.Errorf("glob(%s) failed: %v", path, err) + continue + } + + for _, file := range matches { + if s.shouldSkipFile(file) { + continue + } + + // If symlink is enabled, it is checked that original is not part of same input + // If original is harvested by other input, states will potentially overwrite each other + if s.isOriginalAndSymlinkConfigured(file, pathInfo) { + continue + } + + fileInfo, err := os.Stat(file) + if err != nil { + s.log.Debug("stat(%s) failed: %s", file, err) + continue + } + pathInfo[file] = fileInfo + } + } + + return pathInfo +} + +func (s *fileScanner) shouldSkipFile(file string) bool { + if s.isFileExcluded(file) { + s.log.Debugf("Exclude file: %s", file) + return true + } + + fileInfo, err := os.Lstat(file) + if err != nil { + s.log.Debugf("lstat(%s) failed: %s", file, err) + return true + } + + if fileInfo.IsDir() { + s.log.Debugf("Skipping directory: %s", file) + return true + } + + isSymlink := fileInfo.Mode()&os.ModeSymlink > 0 + if isSymlink && !s.symlinks { + s.log.Debugf("File %s skipped as it is a symlink", file) + return true + } + + return false +} + +func (s *fileScanner) isOriginalAndSymlinkConfigured(file string, paths map[string]os.FileInfo) bool { + if s.symlinks { + fileInfo, err := os.Stat(file) + if err != nil { + s.log.Debugf("stat(%s) failed: %s", file, err) + return false + } + + for _, finfo := range paths { + if os.SameFile(finfo, fileInfo) { + s.log.Info("Same file found as symlink and original. Skipping file: %s (as it same as %s)", file, finfo.Name()) + return true + } + } + } + return false +} + +func (s *fileScanner) isFileExcluded(file string) bool { + return len(s.excludedFiles) > 0 && s.matchAny(s.excludedFiles, file) +} + +// matchAny checks if the text matches any of the regular expressions +func (s *fileScanner) matchAny(matchers []match.Matcher, text string) bool { + for _, m := range matchers { + if m.MatchString(text) { + return true + } + } + return false +} diff --git a/filebeat/input/filestream/fswatch_test.go b/filebeat/input/filestream/fswatch_test.go new file mode 100644 index 00000000000..2435fad1500 --- /dev/null +++ b/filebeat/input/filestream/fswatch_test.go @@ -0,0 +1,254 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "context" + "os" + "path/filepath" + "testing" + "time" + + "github.com/stretchr/testify/assert" + + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/logp" +) + +var ( + excludedFilePath = filepath.Join("testdata", "excluded_file") + includedFilePath = filepath.Join("testdata", "included_file") + directoryPath = filepath.Join("testdata", "unharvestable_dir") +) + +func TestFileScanner(t *testing.T) { + testCases := map[string]struct { + paths []string + excludedFiles []match.Matcher + symlinks bool + expectedFiles []string + }{ + "select all files": { + paths: []string{excludedFilePath, includedFilePath}, + expectedFiles: []string{ + mustAbsPath(excludedFilePath), + mustAbsPath(includedFilePath), + }, + }, + "skip excluded files": { + paths: []string{excludedFilePath, includedFilePath}, + excludedFiles: []match.Matcher{ + match.MustCompile("excluded_file"), + }, + expectedFiles: []string{ + mustAbsPath(includedFilePath), + }, + }, + "skip directories": { + paths: []string{directoryPath}, + expectedFiles: []string{}, + }, + } + + setupFilesForScannerTest(t) + defer removeFilesOfScannerTest(t) + + for name, test := range testCases { + test := test + + t.Run(name, func(t *testing.T) { + cfg := fileScannerConfig{ + ExcludedFiles: test.excludedFiles, + Symlinks: test.symlinks, + RecursiveGlob: false, + } + fs, err := newFileScanner(test.paths, cfg) + if err != nil { + t.Fatal(err) + } + files := fs.GetFiles() + paths := make([]string, 0) + for p, _ := range files { + paths = append(paths, p) + } + assert.ElementsMatch(t, paths, test.expectedFiles) + }) + } +} + +func setupFilesForScannerTest(t *testing.T) { + err := os.MkdirAll(directoryPath, 0750) + if err != nil { + t.Fatal(t) + } + + for _, path := range []string{excludedFilePath, includedFilePath} { + f, err := os.Create(path) + if err != nil { + t.Fatalf("file %s, error %v", path, err) + } + f.Close() + } +} + +func removeFilesOfScannerTest(t *testing.T) { + err := os.RemoveAll("testdata") + if err != nil { + t.Fatal(err) + } +} + +func TestFileWatchNewDeleteModified(t *testing.T) { + oldTs := time.Now() + newTs := oldTs.Add(5 * time.Second) + testCases := map[string]struct { + prevFiles map[string]os.FileInfo + nextFiles map[string]os.FileInfo + expectedEvents []loginp.FSEvent + }{ + "one new file": { + prevFiles: map[string]os.FileInfo{}, + nextFiles: map[string]os.FileInfo{ + "new_path": testFileInfo{"new_path", 5, oldTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: "new_path", Info: testFileInfo{"new_path", 5, oldTs}}, + }, + }, + "one deleted file": { + prevFiles: map[string]os.FileInfo{ + "old_path": testFileInfo{"old_path", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{}, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpDelete, OldPath: "old_path", NewPath: "", Info: testFileInfo{"old_path", 5, oldTs}}, + }, + }, + "one modified file": { + prevFiles: map[string]os.FileInfo{ + "path": testFileInfo{"path", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{ + "path": testFileInfo{"path", 10, newTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpWrite, OldPath: "path", NewPath: "path", Info: testFileInfo{"path", 10, newTs}}, + }, + }, + "two modified files": { + prevFiles: map[string]os.FileInfo{ + "path1": testFileInfo{"path1", 5, oldTs}, + "path2": testFileInfo{"path2", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{ + "path1": testFileInfo{"path1", 10, newTs}, + "path2": testFileInfo{"path2", 10, newTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpWrite, OldPath: "path1", NewPath: "path1", Info: testFileInfo{"path1", 10, newTs}}, + loginp.FSEvent{Op: loginp.OpWrite, OldPath: "path2", NewPath: "path2", Info: testFileInfo{"path2", 10, newTs}}, + }, + }, + "one modified file, one new file": { + prevFiles: map[string]os.FileInfo{ + "path1": testFileInfo{"path1", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{ + "path1": testFileInfo{"path1", 10, newTs}, + "path2": testFileInfo{"path2", 10, newTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpWrite, OldPath: "path1", NewPath: "path1", Info: testFileInfo{"path1", 10, newTs}}, + loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: "path2", Info: testFileInfo{"path2", 10, newTs}}, + }, + }, + "one new file, one deleted file": { + prevFiles: map[string]os.FileInfo{ + "path_deleted": testFileInfo{"path_deleted", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{ + "path_new": testFileInfo{"path_new", 10, newTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpDelete, OldPath: "path_deleted", NewPath: "", Info: testFileInfo{"path_deleted", 5, oldTs}}, + loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: "path_new", Info: testFileInfo{"path_new", 10, newTs}}, + }, + }, + } + + for name, test := range testCases { + test := test + + t.Run(name, func(t *testing.T) { + w := fileWatcher{ + log: logp.L(), + prev: test.prevFiles, + scanner: &mockScanner{test.nextFiles}, + events: make(chan loginp.FSEvent), + } + + go w.watch(context.Background()) + + count := len(test.expectedEvents) + actual := make([]loginp.FSEvent, count) + for i := 0; i < count; i++ { + actual[i] = w.Event() + } + + assert.ElementsMatch(t, actual, test.expectedEvents) + }) + } +} + +type mockScanner struct { + files map[string]os.FileInfo +} + +func (m *mockScanner) GetFiles() map[string]os.FileInfo { + return m.files +} + +type testFileInfo struct { + path string + size int64 + time time.Time +} + +func (t testFileInfo) Name() string { return t.path } +func (t testFileInfo) Size() int64 { return t.size } +func (t testFileInfo) Mode() os.FileMode { return 0 } +func (t testFileInfo) ModTime() time.Time { return t.time } +func (t testFileInfo) IsDir() bool { return false } +func (t testFileInfo) Sys() interface{} { return nil } + +func mustAbsPath(path string) string { + p, err := filepath.Abs(path) + if err != nil { + panic(err) + } + return p +} + +func mustDuration(durStr string) time.Duration { + dur, err := time.ParseDuration(durStr) + if err != nil { + panic(err) + } + return dur +} diff --git a/filebeat/input/filestream/fswatch_test_non_windows.go b/filebeat/input/filestream/fswatch_test_non_windows.go new file mode 100644 index 00000000000..3c316efdfc9 --- /dev/null +++ b/filebeat/input/filestream/fswatch_test_non_windows.go @@ -0,0 +1,144 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !windows + +package filestream + +import ( + "context" + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" + + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/logp" +) + +func TestFileScannerSymlinks(t *testing.T) { + testCases := map[string]struct { + paths []string + excludedFiles []match.Matcher + symlinks bool + expectedFiles []string + }{ + // covers test_input.py/test_skip_symlinks + "skip symlinks": { + paths: []string{ + filepath.Join("testdata", "symlink_to_included_file"), + filepath.Join("testdata", "included_file"), + }, + symlinks: false, + expectedFiles: []string{ + mustAbsPath(filepath.Join("testdata", "included_file")), + }, + }, + "return a file once if symlinks are enabled": { + paths: []string{ + filepath.Join("testdata", "symlink_to_included_file"), + filepath.Join("testdata", "included_file"), + }, + symlinks: true, + expectedFiles: []string{ + mustAbsPath(filepath.Join("testdata", "included_file")), + }, + }, + } + + err := os.Symlink( + mustAbsPath(filepath.Join("testdata", "included_file")), + mustAbsPath(filepath.Join("testdata", "symlink_to_included_file")), + ) + if err != nil { + t.Fatal(err) + } + + for name, test := range testCases { + test := test + + t.Run(name, func(t *testing.T) { + cfg := fileScannerConfig{ + ExcludedFiles: test.excludedFiles, + Symlinks: true, + RecursiveGlob: false, + } + fs, err := newFileScanner(test.paths, cfg) + if err != nil { + t.Fatal(err) + } + files := fs.GetFiles() + paths := make([]string, 0) + for p, _ := range files { + paths = append(paths, p) + } + assert.ElementsMatch(t, test.expectedFiles, paths) + }) + } +} + +func TestFileWatcherRenamedFile(t *testing.T) { + testPath := mustAbsPath("first_name") + renamedPath := mustAbsPath("renamed") + + f, err := os.Create(testPath) + if err != nil { + t.Fatal(err) + } + f.Close() + fi, err := os.Stat(testPath) + if err != nil { + t.Fatal(err) + } + + cfg := fileScannerConfig{ + ExcludedFiles: nil, + Symlinks: false, + RecursiveGlob: false, + } + scanner, err := newFileScanner([]string{testPath, renamedPath}, cfg) + if err != nil { + t.Fatal(err) + } + w := fileWatcher{ + log: logp.L(), + scanner: scanner, + events: make(chan loginp.FSEvent), + } + + go w.watch(context.Background()) + assert.Equal(t, loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: testPath, Info: fi}, w.Event()) + + err = os.Rename(testPath, renamedPath) + if err != nil { + t.Fatal(err) + } + defer os.Remove(renamedPath) + fi, err = os.Stat(renamedPath) + if err != nil { + t.Fatal(err) + } + + go w.watch(context.Background()) + evt := w.Event() + + assert.Equal(t, loginp.OpRename, evt.Op) + assert.Equal(t, testPath, evt.OldPath) + assert.Equal(t, renamedPath, evt.NewPath) +} diff --git a/filebeat/input/filestream/identifier.go b/filebeat/input/filestream/identifier.go new file mode 100644 index 00000000000..736c66da2f0 --- /dev/null +++ b/filebeat/input/filestream/identifier.go @@ -0,0 +1,139 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "fmt" + "os" + + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/file" +) + +const ( + nativeName = "native" + pathName = "path" + inodeMarkerName = "inode_marker" + + DefaultIdentifierName = nativeName + identitySep = "::" +) + +var ( + identifierFactories = map[string]identifierFactory{ + nativeName: newINodeDeviceIdentifier, + pathName: newPathIdentifier, + inodeMarkerName: newINodeMarkerIdentifier, + } +) + +type identifierFactory func(*common.Config) (fileIdentifier, error) + +type fileIdentifier interface { + GetSource(loginp.FSEvent) fileSource + Name() string +} + +// fileSource implements the Source interface +// It is required to identify and manage file sources. +type fileSource struct { + info os.FileInfo + newPath string + oldPath string + + name string + identifierGenerator string +} + +// Name returns the registry identifier of the file. +func (f fileSource) Name() string { + return f.name +} + +// newFileIdentifier creates a new state identifier for a log input. +func newFileIdentifier(ns *common.ConfigNamespace) (fileIdentifier, error) { + if ns == nil { + return newINodeDeviceIdentifier(nil) + } + + identifierType := ns.Name() + f, ok := identifierFactories[identifierType] + if !ok { + return nil, fmt.Errorf("no such file_identity generator: %s", identifierType) + } + + return f(ns.Config()) +} + +type inodeDeviceIdentifier struct { + name string +} + +func newINodeDeviceIdentifier(_ *common.Config) (fileIdentifier, error) { + return &inodeDeviceIdentifier{ + name: nativeName, + }, nil +} + +func (i *inodeDeviceIdentifier) GetSource(e loginp.FSEvent) fileSource { + return fileSource{ + info: e.Info, + newPath: e.NewPath, + oldPath: e.OldPath, + name: pluginName + identitySep + i.name + identitySep + file.GetOSState(e.Info).String(), + identifierGenerator: i.name, + } +} + +func (i *inodeDeviceIdentifier) Name() string { + return i.name +} + +type pathIdentifier struct { + name string +} + +func newPathIdentifier(_ *common.Config) (fileIdentifier, error) { + return &pathIdentifier{ + name: pathName, + }, nil +} + +func (p *pathIdentifier) GetSource(e loginp.FSEvent) fileSource { + return fileSource{ + info: e.Info, + newPath: e.NewPath, + oldPath: e.OldPath, + name: pluginName + identitySep + p.name + identitySep + e.NewPath, + identifierGenerator: p.name, + } +} + +func (p *pathIdentifier) Name() string { + return p.name +} + +// mockIdentifier is used for testing +type MockIdentifier struct{} + +func (m *MockIdentifier) GetSource(e loginp.FSEvent) fileSource { + return fileSource{identifierGenerator: "mock"} +} + +func (m *MockIdentifier) Name() string { return "mock" } diff --git a/filebeat/input/filestream/identifier_inode_deviceid.go b/filebeat/input/filestream/identifier_inode_deviceid.go new file mode 100644 index 00000000000..25254d97fdc --- /dev/null +++ b/filebeat/input/filestream/identifier_inode_deviceid.go @@ -0,0 +1,108 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !windows + +package filestream + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + "time" + + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/file" + "github.com/elastic/beats/v7/libbeat/logp" +) + +type inodeMarkerIdentifier struct { + log *logp.Logger + name string + markerPath string + + markerFileLastModifitaion time.Time + markerTxt string +} + +func newINodeMarkerIdentifier(cfg *common.Config) (fileIdentifier, error) { + var config struct { + MarkerPath string `config:"path" validate:"required"` + } + err := cfg.Unpack(&config) + if err != nil { + return nil, fmt.Errorf("error while reading configuration of INode + marker file configuration: %v", err) + } + + fi, err := os.Stat(config.MarkerPath) + if err != nil { + return nil, fmt.Errorf("error while opening marker file at %s: %v", config.MarkerPath, err) + } + markerContent, err := ioutil.ReadFile(config.MarkerPath) + if err != nil { + return nil, fmt.Errorf("error while reading marker file at %s: %v", config.MarkerPath, err) + } + return &inodeMarkerIdentifier{ + log: logp.NewLogger("inode_marker_identifier_" + filepath.Base(config.MarkerPath)), + name: inodeMarkerName, + markerPath: config.MarkerPath, + markerFileLastModifitaion: fi.ModTime(), + markerTxt: string(markerContent), + }, nil +} + +func (i *inodeMarkerIdentifier) markerContents() string { + f, err := os.Open(i.markerPath) + if err != nil { + i.log.Errorf("Failed to open marker file %s: %v", i.markerPath, err) + return "" + } + defer f.Close() + + fi, err := f.Stat() + if err != nil { + i.log.Errorf("Failed to fetch file information for %s: %v", i.markerPath, err) + return "" + } + if i.markerFileLastModifitaion.Before(fi.ModTime()) { + contents, err := ioutil.ReadFile(i.markerPath) + if err != nil { + i.log.Errorf("Error while reading contents of marker file: %v", err) + return "" + } + i.markerTxt = string(contents) + } + + return i.markerTxt +} + +func (i *inodeMarkerIdentifier) GetSource(e loginp.FSEvent) fileSource { + osstate := file.GetOSState(e.Info) + return fileSource{ + info: e.Info, + newPath: e.NewPath, + oldPath: e.OldPath, + name: fmt.Sprintf("%s%s%s-%s", i.name, identitySep, osstate.InodeString(), i.markerContents()), + identifierGenerator: i.name, + } +} + +func (i *inodeMarkerIdentifier) Name() string { + return i.name +} diff --git a/filebeat/input/filestream/identifier_inode_deviceid_windows.go b/filebeat/input/filestream/identifier_inode_deviceid_windows.go new file mode 100644 index 00000000000..4ee8d866124 --- /dev/null +++ b/filebeat/input/filestream/identifier_inode_deviceid_windows.go @@ -0,0 +1,30 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build windows + +package filestream + +import ( + "fmt" + + "github.com/elastic/beats/v7/libbeat/common" +) + +func newINodeMarkerIdentifier(cfg *common.Config) (fileIdentifier, error) { + return nil, fmt.Errorf("inode_deviceid is not supported on Windows") +} diff --git a/filebeat/input/filestream/input.go b/filebeat/input/filestream/input.go new file mode 100644 index 00000000000..9f715d1183e --- /dev/null +++ b/filebeat/input/filestream/input.go @@ -0,0 +1,367 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "fmt" + "os" + + "golang.org/x/text/transform" + + "github.com/elastic/go-concert/ctxtool" + + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/feature" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/reader" + "github.com/elastic/beats/v7/libbeat/reader/debug" + "github.com/elastic/beats/v7/libbeat/reader/readfile" + "github.com/elastic/beats/v7/libbeat/reader/readfile/encoding" +) + +const pluginName = "filestream" + +type state struct { + Source string `json:"source" struct:"source"` + Offset int64 `json:"offset" struct:"offset"` + IdentifierName string `json:"identifier_name" struct:"identifier_name"` +} + +// filestream is the input for reading from files which +// are actively written by other applications. +type filestream struct { + readerConfig readerConfig + bufferSize int + tailFile bool // TODO + encodingFactory encoding.EncodingFactory + encoding encoding.Encoding + lineTerminator readfile.LineTerminator + excludeLines []match.Matcher + includeLines []match.Matcher + maxBytes int + closerConfig closerConfig +} + +// Plugin creates a new filestream input plugin for creating a stateful input. +func Plugin(log *logp.Logger, store loginp.StateStore) input.Plugin { + return input.Plugin{ + Name: pluginName, + Stability: feature.Experimental, + Deprecated: false, + Info: "filestream input", + Doc: "The filestream input collects logs from the local filestream service", + Manager: &loginp.InputManager{ + Logger: log, + StateStore: store, + Type: pluginName, + Configure: configure, + }, + } +} + +func configure(cfg *common.Config) (loginp.Prospector, loginp.Harvester, error) { + config := defaultConfig() + if err := cfg.Unpack(&config); err != nil { + return nil, nil, err + } + + prospector, err := newFileProspector( + config.Paths, + config.IgnoreOlder, + config.FileWatcher, + config.FileIdentity, + ) + if err != nil { + return nil, nil, err + } + + encodingFactory, ok := encoding.FindEncoding(config.Encoding) + if !ok || encodingFactory == nil { + return nil, nil, fmt.Errorf("unknown encoding('%v')", config.Encoding) + } + + return prospector, &filestream{ + readerConfig: config.readerConfig, + bufferSize: config.BufferSize, + encodingFactory: encodingFactory, + lineTerminator: config.LineTerminator, + excludeLines: config.ExcludeLines, + includeLines: config.IncludeLines, + maxBytes: config.MaxBytes, + closerConfig: config.Close, + }, nil +} + +func (inp *filestream) Name() string { return pluginName } + +func (inp *filestream) Test(src loginp.Source, ctx input.TestContext) error { + reader, err := inp.open(ctx.Logger, ctx.Cancelation, state{}) + if err != nil { + return err + } + return reader.Close() +} + +func (inp *filestream) Run( + ctx input.Context, + src loginp.Source, + cursor loginp.Cursor, + publisher loginp.Publisher, +) error { + fs, ok := src.(fileSource) + if !ok { + return fmt.Errorf("not file source") + } + + log := ctx.Logger.With("path", fs.newPath).With("state-id", src.Name()) + state := initState(log, cursor, fs) + + r, err := inp.open(log, ctx.Cancelation, state) + if err != nil { + log.Errorf("File could not be opened for reading: %v", err) + return err + } + + _, streamCancel := ctxtool.WithFunc(ctxtool.FromCanceller(ctx.Cancelation), func() { + log.Debug("Closing reader of filestream") + err := r.Close() + if err != nil { + log.Errorf("Error stopping filestream reader %v", err) + } + }) + defer streamCancel() + + return inp.readFromSource(ctx, log, r, fs.newPath, state, publisher) +} + +func initState(log *logp.Logger, c loginp.Cursor, s fileSource) state { + state := state{Source: s.newPath, IdentifierName: s.identifierGenerator} + if c.IsNew() { + return state + } + + err := c.Unpack(&state) + if err != nil { + log.Error("Cannot serialize cursor data into file state: %+v", err) + } + + return state +} + +func (inp *filestream) open(log *logp.Logger, canceler input.Canceler, s state) (reader.Reader, error) { + f, err := inp.openFile(s.Source, s.Offset) + if err != nil { + return nil, err + } + + log.Debug("newLogFileReader with config.MaxBytes:", inp.maxBytes) + + // TODO: NewLineReader uses additional buffering to deal with encoding and testing + // for new lines in input stream. Simple 8-bit based encodings, or plain + // don't require 'complicated' logic. + logReader, err := newFileReader(log, canceler, f, inp.readerConfig, inp.closerConfig) + if err != nil { + return nil, err + } + + dbgReader, err := debug.AppendReaders(logReader) + if err != nil { + f.Close() + return nil, err + } + + // Configure MaxBytes limit for EncodeReader as multiplied by 4 + // for the worst case scenario where incoming UTF32 charchers are decoded to the single byte UTF-8 characters. + // This limit serves primarily to avoid memory bload or potential OOM with expectedly long lines in the file. + // The further size limiting is performed by LimitReader at the end of the readers pipeline as needed. + encReaderMaxBytes := inp.maxBytes * 4 + + var r reader.Reader + r, err = readfile.NewEncodeReader(dbgReader, readfile.Config{ + Codec: inp.encoding, + BufferSize: inp.bufferSize, + Terminator: inp.lineTerminator, + MaxBytes: encReaderMaxBytes, + }) + if err != nil { + f.Close() + return nil, err + } + + r = readfile.NewStripNewline(r, inp.lineTerminator) + r = readfile.NewLimitReader(r, inp.maxBytes) + + return r, nil +} + +// openFile opens a file and checks for the encoding. In case the encoding cannot be detected +// or the file cannot be opened because for example of failing read permissions, an error +// is returned and the harvester is closed. The file will be picked up again the next time +// the file system is scanned +func (inp *filestream) openFile(path string, offset int64) (*os.File, error) { + err := inp.checkFileBeforeOpening(path) + if err != nil { + return nil, err + } + + f, err := os.OpenFile(path, os.O_RDONLY, os.FileMode(0)) + if err != nil { + return nil, fmt.Errorf("failed opening %s: %s", path, err) + } + + err = inp.initFileOffset(f, offset) + if err != nil { + f.Close() + return nil, err + } + + inp.encoding, err = inp.encodingFactory(f) + if err != nil { + f.Close() + if err == transform.ErrShortSrc { + return nil, fmt.Errorf("initialising encoding for '%v' failed due to file being too short", f) + } + return nil, fmt.Errorf("initialising encoding for '%v' failed: %v", f, err) + } + + return f, nil +} + +func (inp *filestream) checkFileBeforeOpening(path string) error { + fi, err := os.Stat(path) + if err != nil { + return fmt.Errorf("failed to stat source file %s: %v", path, err) + } + + if !fi.Mode().IsRegular() { + return fmt.Errorf("tried to open non regular file: %q %s", fi.Mode(), fi.Name()) + } + + if fi.Mode()&os.ModeNamedPipe != 0 { + return fmt.Errorf("failed to open file %s, named pipes are not supported", path) + } + + return nil +} + +func (inp *filestream) initFileOffset(file *os.File, offset int64) error { + if offset > 0 { + _, err := file.Seek(offset, os.SEEK_SET) + return err + } + + // get offset from file in case of encoding factory was required to read some data. + _, err := file.Seek(0, os.SEEK_CUR) + return err +} + +func (inp *filestream) readFromSource( + ctx input.Context, + log *logp.Logger, + r reader.Reader, + path string, + s state, + p loginp.Publisher, +) error { + for ctx.Cancelation.Err() == nil { + message, err := r.Next() + if err != nil { + switch err { + case ErrFileTruncate: + log.Info("File was truncated. Begin reading file from offset 0.") + s.Offset = 0 + case ErrClosed: + log.Info("Reader was closed. Closing.") + case reader.ErrLineUnparsable: + log.Info("Skipping unparsable line in file.") + continue + default: + log.Errorf("Read line error: %v", err) + } + return nil + } + + if message.IsEmpty() || inp.isDroppedLine(log, string(message.Content)) { + continue + } + + event := inp.eventFromMessage(message, path) + s.Offset += int64(message.Bytes) + + if err := p.Publish(event, s); err != nil { + return err + } + } + return nil +} + +// isDroppedLine decides if the line is exported or not based on +// the include_lines and exclude_lines options. +func (inp *filestream) isDroppedLine(log *logp.Logger, line string) bool { + if len(inp.includeLines) > 0 { + if !matchAny(inp.includeLines, line) { + log.Debug("Drop line as it does not match any of the include patterns %s", line) + return true + } + } + if len(inp.excludeLines) > 0 { + if matchAny(inp.excludeLines, line) { + log.Debug("Drop line as it does match one of the exclude patterns%s", line) + return true + } + } + + return false +} + +func matchAny(matchers []match.Matcher, text string) bool { + for _, m := range matchers { + if m.MatchString(text) { + return true + } + } + return false +} + +func (inp *filestream) eventFromMessage(m reader.Message, path string) beat.Event { + fields := common.MapStr{ + "log": common.MapStr{ + "offset": m.Bytes, // Offset here is the offset before the starting char. + "file": common.MapStr{ + "path": path, + }, + }, + } + fields.DeepUpdate(m.Fields) + + if len(m.Content) > 0 { + if fields == nil { + fields = common.MapStr{} + } + fields["message"] = string(m.Content) + } + + return beat.Event{ + Timestamp: m.Ts, + Fields: fields, + } +} diff --git a/filebeat/input/filestream/internal/input-logfile/clean.go b/filebeat/input/filestream/internal/input-logfile/clean.go new file mode 100644 index 00000000000..d738dabbc55 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/clean.go @@ -0,0 +1,124 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "time" + + "github.com/elastic/go-concert/timed" + "github.com/elastic/go-concert/unison" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// cleaner removes finished entries from the registry file. +type cleaner struct { + log *logp.Logger +} + +// run starts a loop that tries to clean entries from the registry. +// The cleaner locks the store, such that no new states can be created +// during the cleanup phase. Only resources that are finished and whos TTL +// (clean_timeout setting) has expired will be removed. +// +// Resources are considered "Finished" if they do not have a current owner (active input), and +// if they have no pending updates that still need to be written to the registry file after associated +// events have been ACKed by the outputs. +// The event acquisition timestamp is used as reference to clean resources. If a resources was blocked +// for a long time, and the life time has been exhausted, then the resource will be removed immediately +// once the last event has been ACKed. +func (c *cleaner) run(canceler unison.Canceler, store *store, interval time.Duration) { + started := time.Now() + timed.Periodic(canceler, interval, func() error { + gcStore(c.log, started, store) + return nil + }) +} + +// gcStore looks for resources to remove and deletes these. `gcStore` receives +// the start timestamp of the cleaner as reference. If we have entries without +// updates in the registry, that are older than `started`, we will use `started +// + ttl` to decide if an entry will be removed. This way old entries are not +// removed immediately on startup if the Beat is down for a longer period of +// time. +func gcStore(log *logp.Logger, started time.Time, store *store) { + log.Debugf("Start store cleanup") + defer log.Debugf("Done store cleanup") + + states := store.ephemeralStore + states.mu.Lock() + defer states.mu.Unlock() + + keys := gcFind(states.table, started, time.Now()) + if len(keys) == 0 { + log.Debug("No entries to remove were found") + return + } + + if err := gcClean(store, keys); err != nil { + log.Errorf("Failed to remove all entries from the registry: %+v", err) + } +} + +// gcFind searches the store of resources that can be removed. A set of keys to delete is returned. +func gcFind(table map[string]*resource, started, now time.Time) map[string]struct{} { + keys := map[string]struct{}{} + for key, resource := range table { + clean := checkCleanResource(started, now, resource) + if !clean { + // do not clean the resource if it is still live or not serialized to the persistent store yet. + continue + } + keys[key] = struct{}{} + } + + return keys +} + +// gcClean removes key value pairs in the removeSet from the store. +// If deletion in the persistent store fails the entry is kept in memory and +// eventually cleaned up later. +func gcClean(store *store, removeSet map[string]struct{}) error { + for key := range removeSet { + if err := store.persistentStore.Remove(key); err != nil { + return err + } + delete(store.ephemeralStore.table, key) + } + return nil +} + +// checkCleanResource returns true for a key-value pair is assumed to be old, +// if is not in use and there are no more pending updates that still need to be +// written to the persistent store anymore. +func checkCleanResource(started, now time.Time, resource *resource) bool { + if !resource.Finished() { + return false + } + + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + + ttl := resource.internalState.TTL + reference := resource.internalState.Updated + if started.After(reference) { + reference = started + } + + return reference.Add(ttl).Before(now) && resource.stored +} diff --git a/filebeat/input/filestream/internal/input-logfile/clean_test.go b/filebeat/input/filestream/internal/input-logfile/clean_test.go new file mode 100644 index 00000000000..83e5bff412f --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/clean_test.go @@ -0,0 +1,162 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "testing" + "time" + + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +func TestGCStore(t *testing.T) { + t.Run("empty store", func(t *testing.T) { + started := time.Now() + + backend := createSampleStore(t, nil) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + want := map[string]state{} + checkEqualStoreState(t, want, backend.snapshot()) + }) + + t.Run("state is still alive", func(t *testing.T) { + started := time.Now() + const ttl = 60 * time.Second + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl / 2), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + checkEqualStoreState(t, initState, backend.snapshot()) + }) + + t.Run("old state can be removed", func(t *testing.T) { + const ttl = 60 * time.Second + started := time.Now().Add(-5 * ttl) // cleanup process is running for a while already + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + want := map[string]state{} + checkEqualStoreState(t, want, backend.snapshot()) + }) + + t.Run("old state is not removed if cleanup is not active long enough", func(t *testing.T) { + const ttl = 60 * time.Minute + started := time.Now() + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-2 * ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + checkEqualStoreState(t, initState, backend.snapshot()) + }) + + t.Run("old state but resource is accessed", func(t *testing.T) { + const ttl = 60 * time.Second + started := time.Now().Add(-5 * ttl) // cleanup process is running for a while already + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + // access resource and check it is not gc'ed + res := store.Get("test::key") + gcStore(logp.NewLogger("test"), started, store) + checkEqualStoreState(t, initState, backend.snapshot()) + + // release resource and check it gets gc'ed + res.Release() + want := map[string]state{} + gcStore(logp.NewLogger("test"), started, store) + checkEqualStoreState(t, want, backend.snapshot()) + }) + + t.Run("old state but resource has pending updates", func(t *testing.T) { + const ttl = 60 * time.Second + started := time.Now().Add(-5 * ttl) // cleanup process is running for a while already + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + // create pending update operation + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + res.Release() + + // cleanup fails + gcStore(logp.NewLogger("test"), started, store) + checkEqualStoreState(t, initState, backend.snapshot()) + + // cancel operation (no more pending operations) and try to gc again + op.done(1) + gcStore(logp.NewLogger("test"), started, store) + want := map[string]state{} + checkEqualStoreState(t, want, backend.snapshot()) + }) +} diff --git a/filebeat/input/filestream/internal/input-logfile/cursor.go b/filebeat/input/filestream/internal/input-logfile/cursor.go new file mode 100644 index 00000000000..37de24fe56c --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/cursor.go @@ -0,0 +1,43 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +// Cursor allows the input to check if cursor status has been stored +// in the past and unpack the status into a custom structure. +type Cursor struct { + store *store + resource *resource +} + +func makeCursor(store *store, res *resource) Cursor { + return Cursor{store: store, resource: res} +} + +// IsNew returns true if no cursor information has been stored +// for the current Source. +func (c Cursor) IsNew() bool { return c.resource.IsNew() } + +// Unpack deserialized the cursor state into to. Unpack fails if no pointer is +// given, or if the structure to points to is not compatible with the document +// stored. +func (c Cursor) Unpack(to interface{}) error { + if c.IsNew() { + return nil + } + return c.resource.UnpackCursor(to) +} diff --git a/filebeat/input/filestream/internal/input-logfile/cursor_test.go b/filebeat/input/filestream/internal/input-logfile/cursor_test.go new file mode 100644 index 00000000000..db2ff0c3a30 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/cursor_test.go @@ -0,0 +1,124 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestCursor_IsNew(t *testing.T) { + t.Run("true if key is not in store", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + cursor := makeCursor(store, store.Get("test::key")) + require.True(t, cursor.IsNew()) + }) + + t.Run("true if key is in store but without cursor value", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: nil}, + })) + defer store.Release() + + cursor := makeCursor(store, store.Get("test::key")) + require.True(t, cursor.IsNew()) + }) + + t.Run("false if key with cursor value is in persistent store", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + cursor := makeCursor(store, store.Get("test::key")) + require.False(t, cursor.IsNew()) + }) + + t.Run("false if key with cursor value is in memory store only", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: nil}, + })) + defer store.Release() + + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + defer op.done(1) + + cursor := makeCursor(store, res) + require.False(t, cursor.IsNew()) + }) +} + +func TestCursor_Unpack(t *testing.T) { + t.Run("nothing to unpack if key is new", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + var st string + cursor := makeCursor(store, store.Get("test::key")) + + require.NoError(t, cursor.Unpack(&st)) + require.Equal(t, "", st) + }) + + t.Run("unpack fails if types are not compatible", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + var st struct{ A uint } + cursor := makeCursor(store, store.Get("test::key")) + require.Error(t, cursor.Unpack(&st)) + }) + + t.Run("unpack from state in persistent store", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + var st string + cursor := makeCursor(store, store.Get("test::key")) + + require.NoError(t, cursor.Unpack(&st)) + require.Equal(t, "test", st) + }) + + t.Run("unpack from in memory state if updates are pending", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + defer op.done(1) + + var st string + cursor := makeCursor(store, store.Get("test::key")) + + require.NoError(t, cursor.Unpack(&st)) + require.Equal(t, "test-state-update", st) + }) +} diff --git a/filebeat/input/filestream/internal/input-logfile/doc.go b/filebeat/input/filestream/internal/input-logfile/doc.go new file mode 100644 index 00000000000..cf318d4bfed --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/doc.go @@ -0,0 +1,58 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Package cursor provides an InputManager for use with the v2 API, that is +// capable of storing an internal cursor state between restarts. +// +// The InputManager requires authors to Implement a configuration function and +// the cursor.Input interface. The configuration function returns a slice of +// sources ([]Source) that it has read from the configuration object, and the +// actual Input that will be used to collect events from each configured +// source. +// When Run a go-routine will be started per configured source. If two inputs have +// configured the same source, only one will be active, while the other waits +// for the resource to become free. +// The manager keeps track of the state per source. When publishing an event a +// new cursor value can be passed as well. Future instance of the input can +// read the last published cursor state. +// +// For each source an in-memory and a persitent state are tracked. Internal +// meta updates by the input manager can not be read by Inputs, and will be +// written to the persistent store immediately. Cursor state updates are read +// and update by the input. Cursor updates are written to the persistent store +// only after the events have been ACKed by the output. Internally the input +// manager keeps track of already ACKed updates and pending ACKs. +// In order to guarantee progress even if the pbulishing is slow or blocked, all cursor +// updates are written to the in-memory state immediately. Source without any +// pending updates are in-sync (in-memory state == persistet state). All +// updates are ordered, but we allow the in-memory state to be ahead of the +// persistent state. +// When an input is started, the cursor state is read from the in-memory state. +// This way a new input instance can continue where other inputs have been +// stopped, even if we still have in-flight events from older input instances. +// The coordination between inputs guarantees that all updates are always in +// order. +// +// When a shutdown signal is received, the publisher is directly disconnected +// from the outputs. As all coordination is directly handled by the +// InputManager, shutdown will be immediate (once the input itself has +// returned), and can not be blocked by the outputs. +// +// An input that is about to collect a source that is already collected by +// another input will wait until the other input has returned or the current +// input did receive a shutdown signal. +package input_logfile diff --git a/filebeat/input/filestream/internal/input-logfile/fswatch.go b/filebeat/input/filestream/internal/input-logfile/fswatch.go new file mode 100644 index 00000000000..685b54253a4 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/fswatch.go @@ -0,0 +1,65 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "os" + + "github.com/elastic/go-concert/unison" +) + +const ( + OpDone Operation = iota + OpCreate + OpWrite + OpDelete + OpRename +) + +// Operation describes what happened to a file. +type Operation uint8 + +// FSEvent returns inforamation about file system changes. +type FSEvent struct { + // NewPath is the new path of the file. + NewPath string + // OldPath is the previous path to the file, is it was + // deleted or renamed. + OldPath string + // Op is the file system event: create, write, rename, remove + Op Operation + // Info describes the file in the event. + Info os.FileInfo +} + +// FSScanner retrieves a list of files from the file system. +type FSScanner interface { + // GetFiles returns the list of monitored files. + // The keys of the map are the paths to the files and + // the values are the FileInfos describing the file. + GetFiles() map[string]os.FileInfo +} + +// FSWatcher returns file events of the monitored files. +type FSWatcher interface { + // Run is the event loop which watchers for changes + // in the file system and returns events based on the data. + Run(unison.Canceler) + // Event returns the next event captured by FSWatcher. + Event() FSEvent +} diff --git a/filebeat/input/filestream/internal/input-logfile/harvester.go b/filebeat/input/filestream/internal/input-logfile/harvester.go new file mode 100644 index 00000000000..d2f184cac7b --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/harvester.go @@ -0,0 +1,125 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "context" + "fmt" + "runtime/debug" + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/unison" +) + +// Harvester is the reader which collects the lines from +// the configured source. +type Harvester interface { + // Name returns the type of the Harvester + Name() string + // Test checks if the Harvester can be started with the given configuration. + Test(Source, input.TestContext) error + // Run is the event loop which reads from the source + // and forwards it to the publisher. + Run(input.Context, Source, Cursor, Publisher) error +} + +// HarvesterGroup is responsible for running the +// Harvesters started by the Prospector. +type HarvesterGroup struct { + manager *InputManager + readers map[string]context.CancelFunc + pipeline beat.PipelineConnector + harvester Harvester + cleanTimeout time.Duration + store *store + tg unison.TaskGroup +} + +// Run starts the Harvester for a Source. +func (hg *HarvesterGroup) Run(ctx input.Context, s Source) error { + log := ctx.Logger.With("source", s.Name()) + log.Debug("Starting harvester for file") + + harvesterCtx, cancelHarvester := context.WithCancel(ctxtool.FromCanceller(ctx.Cancelation)) + ctx.Cancelation = harvesterCtx + + resource, err := hg.manager.lock(ctx, s.Name()) + if err != nil { + cancelHarvester() + return err + } + + if _, ok := hg.readers[s.Name()]; ok { + cancelHarvester() + log.Debug("A harvester is already running for file") + return nil + } + hg.readers[s.Name()] = cancelHarvester + + hg.store.UpdateTTL(resource, hg.cleanTimeout) + + client, err := hg.pipeline.ConnectWith(beat.ClientConfig{ + CloseRef: ctx.Cancelation, + ACKHandler: newInputACKHandler(ctx.Logger), + }) + if err != nil { + cancelHarvester() + return err + } + + cursor := makeCursor(hg.store, resource) + publisher := &cursorPublisher{canceler: ctx.Cancelation, client: client, cursor: &cursor} + + go func(cancel context.CancelFunc) { + defer client.Close() + defer log.Debug("Stopped harvester for file") + defer cancel() + defer releaseResource(resource) + defer delete(hg.readers, s.Name()) + + defer func() { + if v := recover(); v != nil { + err := fmt.Errorf("harvester panic with: %+v\n%s", v, debug.Stack()) + ctx.Logger.Errorf("Harvester crashed with: %+v", err) + } + }() + + err := hg.harvester.Run(ctx, s, cursor, publisher) + if err != nil { + log.Errorf("Harvester stopped: %v", err) + } + }(cancelHarvester) + return nil +} + +// Cancel stops the running Harvester for a given Source. +func (hg *HarvesterGroup) Cancel(s Source) error { + if cancel, ok := hg.readers[s.Name()]; ok { + cancel() + return nil + } + return fmt.Errorf("no such harvester %s", s.Name()) +} + +func releaseResource(resource *resource) { + resource.lock.Unlock() + resource.Release() +} diff --git a/filebeat/input/filestream/internal/input-logfile/input.go b/filebeat/input/filestream/internal/input-logfile/input.go new file mode 100644 index 00000000000..7084315b0c1 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/input.go @@ -0,0 +1,106 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "context" + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common/acker" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/unison" +) + +type managedInput struct { + manager *InputManager + prospector Prospector + harvester Harvester + cleanTimeout time.Duration +} + +// Name is required to implement the v2.Input interface +func (inp *managedInput) Name() string { return inp.harvester.Name() } + +// Test runs the Test method for each configured source. +func (inp *managedInput) Test(ctx input.TestContext) error { + return inp.prospector.Test() +} + +// Run +func (inp *managedInput) Run( + ctx input.Context, + pipeline beat.PipelineConnector, +) (err error) { + // Setup cancellation using a custom cancel context. All workers will be + // stopped if one failed badly by returning an error. + cancelCtx, cancel := context.WithCancel(ctxtool.FromCanceller(ctx.Cancelation)) + defer cancel() + ctx.Cancelation = cancelCtx + + store := inp.manager.store + store.Retain() + defer store.Release() + + hg := &HarvesterGroup{ + pipeline: pipeline, + readers: make(map[string]context.CancelFunc), + manager: inp.manager, + cleanTimeout: inp.cleanTimeout, + harvester: inp.harvester, + store: store, + tg: unison.TaskGroup{}, + } + + stateStore, err := inp.manager.StateStore.Access() + if err != nil { + return err + } + defer stateStore.Close() + + inp.prospector.Run(ctx, stateStore, hg) + + return nil +} + +func newInputACKHandler(log *logp.Logger) beat.ACKer { + return acker.EventPrivateReporter(func(acked int, private []interface{}) { + var n uint + var last int + for i := 0; i < len(private); i++ { + current := private[i] + if current == nil { + continue + } + + if _, ok := current.(*updateOp); !ok { + continue + } + + n++ + last = i + } + + if n == 0 { + return + } + private[last].(*updateOp).Execute(n) + }) +} diff --git a/filebeat/input/filestream/internal/input-logfile/manager.go b/filebeat/input/filestream/internal/input-logfile/manager.go new file mode 100644 index 00000000000..db3c600d2bc --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/manager.go @@ -0,0 +1,199 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "errors" + "sync" + "time" + + "github.com/urso/sderr" + + "github.com/elastic/go-concert/unison" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// InputManager is used to create, manage, and coordinate stateful inputs and +// their persistent state. +// The InputManager ensures that only one input can be active for a unique source. +// If two inputs have overlapping sources, both can still collect data, but +// only one input will collect from the common source. +// +// The InputManager automatically cleans up old entries without an active +// input, and without any pending update operations for the persistent store. +// +// The Type field is used to create the key name in the persistent store. Users +// are allowed to add a custome per input configuration ID using the `id` +// setting, to collect the same source multiple times, but with different +// state. The key name in the persistent store becomes -[]- +type InputManager struct { + Logger *logp.Logger + + // StateStore gives the InputManager access to the persitent key value store. + StateStore StateStore + + // Type must contain the name of the input type. It is used to create the key name + // for all sources the inputs collect from. + Type string + + // DefaultCleanTimeout configures the key/value garbage collection interval. + // The InputManager will only collect keys for the configured 'Type' + DefaultCleanTimeout time.Duration + + // Configure returns an array of Sources, and a configured Input instances + // that will be used to collect events from each source. + Configure func(cfg *common.Config) (Prospector, Harvester, error) + + initOnce sync.Once + initErr error + store *store +} + +// Source describe a source the input can collect data from. +// The `Name` method must return an unique name, that will be used to identify +// the source in the persistent state store. +type Source interface { + Name() string +} + +var errNoSourceConfigured = errors.New("no source has been configured") +var errNoInputRunner = errors.New("no input runner available") + +// StateStore interface and configurations used to give the Manager access to the persistent store. +type StateStore interface { + Access() (*statestore.Store, error) + CleanupInterval() time.Duration +} + +func (cim *InputManager) init() error { + cim.initOnce.Do(func() { + if cim.DefaultCleanTimeout <= 0 { + cim.DefaultCleanTimeout = 30 * time.Minute + } + + log := cim.Logger.With("input_type", cim.Type) + var store *store + store, cim.initErr = openStore(log, cim.StateStore, cim.Type) + if cim.initErr != nil { + return + } + + cim.store = store + }) + + return cim.initErr +} + +// Init starts background processes for deleting old entries from the +// persistent store if mode is ModeRun. +func (cim *InputManager) Init(group unison.Group, mode v2.Mode) error { + if mode != v2.ModeRun { + return nil + } + + if err := cim.init(); err != nil { + return err + } + + log := cim.Logger.With("input_type", cim.Type) + + store := cim.store + cleaner := &cleaner{log: log} + store.Retain() + err := group.Go(func(canceler unison.Canceler) error { + defer cim.shutdown() + defer store.Release() + interval := cim.StateStore.CleanupInterval() + if interval <= 0 { + interval = 5 * time.Minute + } + cleaner.run(canceler, store, interval) + return nil + }) + if err != nil { + store.Release() + cim.shutdown() + return sderr.Wrap(err, "Can not start registry cleanup process") + } + + return nil +} + +func (cim *InputManager) shutdown() { + cim.store.Release() +} + +// Create builds a new v2.Input using the provided Configure function. +// The Input will run a go-routine per source that has been configured. +func (cim *InputManager) Create(config *common.Config) (input.Input, error) { + if err := cim.init(); err != nil { + return nil, err + } + + settings := struct { + ID string `config:"id"` + CleanTimeout time.Duration `config:"clean_timeout"` + }{ID: "", CleanTimeout: cim.DefaultCleanTimeout} + if err := config.Unpack(&settings); err != nil { + return nil, err + } + + prospector, harvester, err := cim.Configure(config) + if err != nil { + return nil, err + } + if harvester == nil { + return nil, errNoInputRunner + } + + return &managedInput{ + manager: cim, + prospector: prospector, + harvester: harvester, + cleanTimeout: settings.CleanTimeout, + }, nil +} + +// Lock locks a key for exclusive access and returns an resource that can be used to modify +// the cursor state and unlock the key. +func (cim *InputManager) lock(ctx input.Context, key string) (*resource, error) { + resource := cim.store.Get(key) + err := lockResource(ctx.Logger, resource, ctx.Cancelation) + if err != nil { + resource.Release() + return nil, err + } + return resource, nil +} + +func lockResource(log *logp.Logger, resource *resource, canceler input.Canceler) error { + if !resource.lock.TryLock() { + log.Infof("Resource '%v' currently in use, waiting...", resource.key) + err := resource.lock.LockContext(canceler) + if err != nil { + log.Infof("Input for resource '%v' has been stopped while waiting", resource.key) + return err + } + } + return nil +} diff --git a/filebeat/input/filestream/internal/input-logfile/prospector.go b/filebeat/input/filestream/internal/input-logfile/prospector.go new file mode 100644 index 00000000000..9488596eb2c --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/prospector.go @@ -0,0 +1,35 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// Prospector is responsible for starting, stopping harvesters +// based on the retrieved information about the configured paths. +// It also updates the statestore with the meta data of the running harvesters. +type Prospector interface { + // Run starts the event loop and handles the incoming events + // either by starting/stopping a harvester, or updating the statestore. + Run(input.Context, *statestore.Store, *HarvesterGroup) + // Test checks if the Prospector is able to run the configuration + // specified by the user. + Test() error +} diff --git a/filebeat/input/filestream/internal/input-logfile/publish.go b/filebeat/input/filestream/internal/input-logfile/publish.go new file mode 100644 index 00000000000..547a82c479f --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/publish.go @@ -0,0 +1,153 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common/transform/typeconv" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// Publisher is used to publish an event and update the cursor in a single call to Publish. +// Inputs are allowed to pass `nil` as cursor state. In this case the state is not updated, but the +// event will still be published as is. +type Publisher interface { + Publish(event beat.Event, cursor interface{}) error +} + +// cursorPublisher implements the Publisher interface and used internally by the managedInput. +// When publishing an event with cursor state updates, the cursorPublisher +// updates the in memory state and create an updateOp that is used to schedule +// an update for the persistent store. The updateOp is run by the inputs ACK +// handler, persisting the pending update. +type cursorPublisher struct { + canceler input.Canceler + client beat.Client + cursor *Cursor +} + +// updateOp keeps track of pending updates that are not written to the persistent store yet. +// Update operations are ordered. The input manager guarantees that only one +// input can create update operation for a source, such that new input +// instances can add update operations to be executed after already pending +// update operations from older inputs instances that have been shutdown. +type updateOp struct { + store *store + resource *resource + + // state updates to persist + timestamp time.Time + ttl time.Duration + delta interface{} +} + +// Publish publishes an event. Publish returns false if the inputs cancellation context has been marked as done. +// If cursorUpdate is not nil, Publish updates the in memory state and create and updateOp for the pending update. +// It overwrite event.Private with the update operation, before finally sending the event. +// The ACK ordering in the publisher pipeline guarantees that update operations +// will be ACKed and executed in the correct order. +func (c *cursorPublisher) Publish(event beat.Event, cursorUpdate interface{}) error { + if cursorUpdate == nil { + return c.forward(event) + } + + op, err := createUpdateOp(c.cursor.store, c.cursor.resource, cursorUpdate) + if err != nil { + return err + } + + event.Private = op + return c.forward(event) +} + +func (c *cursorPublisher) forward(event beat.Event) error { + c.client.Publish(event) + if c.canceler == nil { + return nil + } + return c.canceler.Err() +} + +func createUpdateOp(store *store, resource *resource, updates interface{}) (*updateOp, error) { + ts := time.Now() + + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + + cursor := resource.pendingCursor + if resource.activeCursorOperations == 0 { + var tmp interface{} + typeconv.Convert(&tmp, cursor) + resource.pendingCursor = tmp + cursor = tmp + } + if err := typeconv.Convert(&cursor, updates); err != nil { + return nil, err + } + resource.pendingCursor = cursor + + resource.Retain() + resource.activeCursorOperations++ + return &updateOp{ + resource: resource, + store: store, + timestamp: ts, + delta: updates, + }, nil +} + +// done releases resources held by the last N updateOps. +func (op *updateOp) done(n uint) { + op.resource.UpdatesReleaseN(n) + op.resource = nil + *op = updateOp{} +} + +// Execute updates the persistent store with the scheduled changes and releases the resource. +func (op *updateOp) Execute(n uint) { + resource := op.resource + defer op.done(n) + + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + + resource.activeCursorOperations -= n + if resource.activeCursorOperations == 0 { + resource.cursor = resource.pendingCursor + resource.pendingCursor = nil + } else { + typeconv.Convert(&resource.cursor, op.delta) + } + + if resource.internalState.Updated.Before(op.timestamp) { + resource.internalState.Updated = op.timestamp + } + + err := op.store.persistentStore.Set(resource.key, resource.inSyncStateSnapshot()) + if err != nil { + if !statestore.IsClosed(err) { + op.store.log.Errorf("Failed to update state in the registry for '%v'", resource.key) + } + } else { + resource.internalInSync = true + resource.stored = true + } +} diff --git a/filebeat/input/filestream/internal/input-logfile/publish_test.go b/filebeat/input/filestream/internal/input-logfile/publish_test.go new file mode 100644 index 00000000000..ede25670a95 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/publish_test.go @@ -0,0 +1,158 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/beat" + pubtest "github.com/elastic/beats/v7/libbeat/publisher/testing" +) + +func TestPublish(t *testing.T) { + t.Run("event with cursor state creates update operation", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + cursor := makeCursor(store, store.Get("test::key")) + + var actual beat.Event + client := &pubtest.FakeClient{ + PublishFunc: func(event beat.Event) { actual = event }, + } + publisher := cursorPublisher{nil, client, &cursor} + publisher.Publish(beat.Event{}, "test") + + require.NotNil(t, actual.Private) + }) + + t.Run("event without cursor creates no update operation", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + cursor := makeCursor(store, store.Get("test::key")) + + var actual beat.Event + client := &pubtest.FakeClient{ + PublishFunc: func(event beat.Event) { actual = event }, + } + publisher := cursorPublisher{nil, client, &cursor} + publisher.Publish(beat.Event{}, nil) + require.Nil(t, actual.Private) + }) + + t.Run("publish returns error if context has been cancelled", func(t *testing.T) { + ctx, cancel := context.WithCancel(context.TODO()) + cancel() + + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + cursor := makeCursor(store, store.Get("test::key")) + + publisher := cursorPublisher{ctx, &pubtest.FakeClient{}, &cursor} + err := publisher.Publish(beat.Event{}, nil) + require.Equal(t, context.Canceled, err) + }) +} + +func TestOp_Execute(t *testing.T) { + t.Run("applying final op marks the key as finished", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + res := store.Get("test::key") + + // create op and release resource. The 'resource' must still be active + op := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state") + res.Release() + require.False(t, res.Finished()) + + // this was the last op, the resource should become inactive + op.Execute(1) + require.True(t, res.Finished()) + + // validate state: + inSyncCursor := storeInSyncSnapshot(store)["test::key"].Cursor + inMemCursor := storeMemorySnapshot(store)["test::key"].Cursor + want := "test-updated-cursor-state" + assert.Equal(t, want, inSyncCursor) + assert.Equal(t, want, inMemCursor) + }) + + t.Run("acking multiple ops applies the latest update and marks key as finished", func(t *testing.T) { + // when acking N events, intermediate updates are dropped in favor of the latest update operation. + // This test checks that the resource is correctly marked as finished. + + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + res := store.Get("test::key") + + // create update operations and release resource. The 'resource' must still be active + mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-dropped") + op := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-final") + res.Release() + require.False(t, res.Finished()) + + // this was the last op, the resource should become inactive + op.Execute(2) + require.True(t, res.Finished()) + + // validate state: + inSyncCursor := storeInSyncSnapshot(store)["test::key"].Cursor + inMemCursor := storeMemorySnapshot(store)["test::key"].Cursor + want := "test-updated-cursor-state-final" + assert.Equal(t, want, inSyncCursor) + assert.Equal(t, want, inMemCursor) + }) + + t.Run("ACK only subset of pending ops will only update up to ACKed state", func(t *testing.T) { + // when acking N events, intermediate updates are dropped in favor of the latest update operation. + // This test checks that the resource is correctly marked as finished. + + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + res := store.Get("test::key") + + // create update operations and release resource. The 'resource' must still be active + op1 := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-intermediate") + op2 := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-final") + res.Release() + require.False(t, res.Finished()) + + defer op2.done(1) // cleanup after test + + // this was the intermediate op, the resource should still be active + op1.Execute(1) + require.False(t, res.Finished()) + + // validate state (in memory state is always up to data to most recent update): + inSyncCursor := storeInSyncSnapshot(store)["test::key"].Cursor + inMemCursor := storeMemorySnapshot(store)["test::key"].Cursor + assert.Equal(t, "test-updated-cursor-state-intermediate", inSyncCursor) + assert.Equal(t, "test-updated-cursor-state-final", inMemCursor) + }) +} + +func mustCreateUpdateOp(t *testing.T, store *store, resource *resource, updates interface{}) *updateOp { + op, err := createUpdateOp(store, resource, updates) + if err != nil { + t.Fatalf("Failed to create update op: %v", err) + } + return op +} diff --git a/filebeat/input/filestream/internal/input-logfile/store.go b/filebeat/input/filestream/internal/input-logfile/store.go new file mode 100644 index 00000000000..8267565f551 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/store.go @@ -0,0 +1,324 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "strings" + "sync" + "time" + + "github.com/elastic/beats/v7/libbeat/common/atomic" + "github.com/elastic/beats/v7/libbeat/common/cleanup" + "github.com/elastic/beats/v7/libbeat/common/transform/typeconv" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/go-concert" + "github.com/elastic/go-concert/unison" +) + +// store encapsulates the persistent store and the in memory state store, that +// can be ahead of the the persistent store. +// The store lifetime is managed by a reference counter. Once all owners (the +// session, and the resource cleaner) have dropped ownership, backing resources +// will be released and closed. +type store struct { + log *logp.Logger + refCount concert.RefCount + persistentStore *statestore.Store + ephemeralStore *states +} + +// states stores resource states in memory. When a cursor for an input is updated, +// it's state is updated first. The entry in the persistent store 'follows' the internal state. +// As long as a resources stored in states is not 'Finished', the in memory +// store is assumed to be ahead (in memory and persistent state are out of +// sync). +type states struct { + mu sync.Mutex + table map[string]*resource +} + +// resource holds the in memory state and keeps track of pending updates and inputs collecting +// event for the resource its key. +// A resource is assumed active for as long as at least one input has (or tries +// to) acuired the lock, and as long as there are pending updateOp instances in +// the pipeline not ACKed yet. The key can not gc'ed by the cleaner, as long as the resource is active. +// +// State chagnes and writes to the persistent store are protected using the +// stateMutex, to ensure full consistency between direct writes and updates +// after ACK. +type resource struct { + // pending counts the number of Inputs and outstanding registry updates. + // as long as pending is > 0 the resource is in used and must not be garbage collected. + pending atomic.Uint64 + + // lock guarantees only one input create updates for this entry + lock unison.Mutex + + // key of the resource as used for the registry. + key string + + // stateMutex is used to lock the resource when it is update/read from + // multiple go-routines like the ACK handler or the input publishing an + // event. + // stateMutex is used to access the fields 'stored', 'state' and 'internalInSync' + stateMutex sync.Mutex + + // stored indicates that the state is available in the registry file. It is false for new entries. + stored bool + + // internalInSync is true if all 'Internal' metadata like TTL or update timestamp are in sync. + // Normally resources are added when being created. But if operations failed we will retry inserting + // them on each update operation until we eventually succeeded + internalInSync bool + + activeCursorOperations uint + internalState stateInternal + + // cursor states. The cursor holds the state as it is currently known to the + // persistent store, while pendingCursor contains the most recent update + // (in-memory state), that still needs to be synced to the persistent store. + // The pendingCursor is nil if there are no pending updates. + // When processing update operations on ACKs, the state is applied to cursor + // first, which is finally written to the persistent store. This ensures that + // we always write the complete state of the key/value pair. + cursor interface{} + pendingCursor interface{} +} + +type ( + // state represents the full document as it is stored in the registry. + // + // The TTL and Update fields are for internal use only. + // + // The `Cursor` namespace is used to store the cursor information that are + // required to continue processing from the last known position. Cursor + // updates in the registry file are only executed after events have been + // ACKed by the outputs. Therefore the cursor MUST NOT include any + // information that are require to identify/track the source we are + // collecting from. + state struct { + TTL time.Duration + Updated time.Time + Cursor interface{} + } + + stateInternal struct { + TTL time.Duration + Updated time.Time + } +) + +// hook into store close for testing purposes +var closeStore = (*store).close + +func openStore(log *logp.Logger, statestore StateStore, prefix string) (*store, error) { + ok := false + + persistentStore, err := statestore.Access() + if err != nil { + return nil, err + } + defer cleanup.IfNot(&ok, func() { persistentStore.Close() }) + + states, err := readStates(log, persistentStore, prefix) + if err != nil { + return nil, err + } + + ok = true + return &store{ + log: log, + persistentStore: persistentStore, + ephemeralStore: states, + }, nil +} + +func (s *store) Retain() { s.refCount.Retain() } +func (s *store) Release() { + if s.refCount.Release() { + closeStore(s) + } +} + +func (s *store) close() { + if err := s.persistentStore.Close(); err != nil { + s.log.Errorf("Closing registry store did report an error: %+v", err) + } +} + +// Get returns the resource for the key. +// A new shared resource is generated if the key is not known. The generated +// resource is not synced to disk yet. +func (s *store) Get(key string) *resource { + return s.ephemeralStore.Find(key, true) +} + +// UpdateTTL updates the time-to-live of a resource. Inactive resources with expired TTL are subject to removal. +// The TTL value is part of the internal state, and will be written immediately to the persistent store. +// On update the resource its `cursor` state is used, to keep the cursor state in sync with the current known +// on disk store state. +func (s *store) UpdateTTL(resource *resource, ttl time.Duration) { + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + if resource.stored && resource.internalState.TTL == ttl { + return + } + + resource.internalState.TTL = ttl + if resource.internalState.Updated.IsZero() { + resource.internalState.Updated = time.Now() + } + + err := s.persistentStore.Set(resource.key, state{ + TTL: resource.internalState.TTL, + Updated: resource.internalState.Updated, + Cursor: resource.cursor, + }) + if err != nil { + s.log.Errorf("Failed to update resource management fields for '%v'", resource.key) + resource.internalInSync = false + } else { + resource.stored = true + resource.internalInSync = true + } +} + +// Find returns the resource for a given key. If the key is unknown and create is set to false nil will be returned. +// The resource returned by Find is marked as active. (*resource).Release must be called to mark the resource as inactive again. +func (s *states) Find(key string, create bool) *resource { + s.mu.Lock() + defer s.mu.Unlock() + + if resource := s.table[key]; resource != nil { + resource.Retain() + return resource + } + + if !create { + return nil + } + + // resource is owned by table(session) and input that uses the resource. + resource := &resource{ + stored: false, + key: key, + lock: unison.MakeMutex(), + } + s.table[key] = resource + resource.Retain() + return resource +} + +// IsNew returns true if we have no state recorded for the current resource. +func (r *resource) IsNew() bool { + r.stateMutex.Lock() + defer r.stateMutex.Unlock() + return r.pendingCursor == nil && r.cursor == nil +} + +// Retain is used to indicate that 'resource' gets an additional 'owner'. +// Owners of an resource can be active inputs or pending update operations +// not yet written to disk. +func (r *resource) Retain() { r.pending.Inc() } + +// Release reduced the owner ship counter of the resource. +func (r *resource) Release() { r.pending.Dec() } + +// UpdatesReleaseN is used to release ownership of N pending update operations. +func (r *resource) UpdatesReleaseN(n uint) { + r.pending.Sub(uint64(n)) +} + +// Finished returns true if the resource is not in use and if there are no pending updates +// that still need to be written to the registry. +func (r *resource) Finished() bool { return r.pending.Load() == 0 } + +// UnpackCursor deserializes the in memory state. +func (r *resource) UnpackCursor(to interface{}) error { + r.stateMutex.Lock() + defer r.stateMutex.Unlock() + if r.activeCursorOperations == 0 { + return typeconv.Convert(to, r.cursor) + } + return typeconv.Convert(to, r.pendingCursor) +} + +// syncStateSnapshot returns the current insync state based on already ACKed update operations. +func (r *resource) inSyncStateSnapshot() state { + return state{ + TTL: r.internalState.TTL, + Updated: r.internalState.Updated, + Cursor: r.cursor, + } +} + +// stateSnapshot returns the current in memory state, that already contains state updates +// not yet ACKed. +func (r *resource) stateSnapshot() state { + cursor := r.pendingCursor + if r.activeCursorOperations == 0 { + cursor = r.cursor + } + + return state{ + TTL: r.internalState.TTL, + Updated: r.internalState.Updated, + Cursor: cursor, + } +} + +func readStates(log *logp.Logger, store *statestore.Store, prefix string) (*states, error) { + keyPrefix := prefix + "::" + states := &states{ + table: map[string]*resource{}, + } + + err := store.Each(func(key string, dec statestore.ValueDecoder) (bool, error) { + if !strings.HasPrefix(string(key), keyPrefix) { + return true, nil + } + + var st state + if err := dec.Decode(&st); err != nil { + log.Errorf("Failed to read regisry state for '%v', cursor state will be ignored. Error was: %+v", + key, err) + return true, nil + } + + resource := &resource{ + key: key, + stored: true, + lock: unison.MakeMutex(), + internalInSync: true, + internalState: stateInternal{ + TTL: st.TTL, + Updated: st.Updated, + }, + cursor: st.Cursor, + } + states.table[resource.key] = resource + + return true, nil + }) + + if err != nil { + return nil, err + } + return states, nil +} diff --git a/filebeat/input/filestream/internal/input-logfile/store_test.go b/filebeat/input/filestream/internal/input-logfile/store_test.go new file mode 100644 index 00000000000..71ea41298b2 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/store_test.go @@ -0,0 +1,351 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "errors" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/beats/v7/libbeat/statestore/storetest" +) + +type testStateStore struct { + Store *statestore.Store + GCPeriod time.Duration +} + +func TestStore_OpenClose(t *testing.T) { + t.Run("releasing store closes", func(t *testing.T) { + var closed bool + cleanup := closeStoreWith(func(s *store) { + closed = true + s.close() + }) + defer cleanup() + + store := testOpenStore(t, "test", nil) + store.Release() + + require.True(t, closed) + }) + + t.Run("fail if persistent store can not be accessed", func(t *testing.T) { + _, err := openStore(logp.NewLogger("test"), testStateStore{}, "test") + require.Error(t, err) + }) + + t.Run("load from empty", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + require.Equal(t, 0, len(storeMemorySnapshot(store))) + require.Equal(t, 0, len(storeInSyncSnapshot(store))) + }) + + t.Run("already available state is loaded", func(t *testing.T) { + states := map[string]state{ + "test::key0": {Cursor: "1"}, + "test::key1": {Cursor: "2"}, + } + + store := testOpenStore(t, "test", createSampleStore(t, states)) + defer store.Release() + + checkEqualStoreState(t, states, storeMemorySnapshot(store)) + checkEqualStoreState(t, states, storeInSyncSnapshot(store)) + }) + + t.Run("ignore entries with wrong index on open", func(t *testing.T) { + states := map[string]state{ + "test::key0": {Cursor: "1"}, + "other::key": {Cursor: "2"}, + } + + store := testOpenStore(t, "test", createSampleStore(t, states)) + defer store.Release() + + want := map[string]state{ + "test::key0": {Cursor: "1"}, + } + checkEqualStoreState(t, want, storeMemorySnapshot(store)) + checkEqualStoreState(t, want, storeInSyncSnapshot(store)) + }) +} + +func TestStore_Get(t *testing.T) { + t.Run("find existing resource", func(t *testing.T) { + cursorState := state{Cursor: "1"} + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key0": cursorState, + })) + defer store.Release() + + res := store.Get("test::key0") + require.NotNil(t, res) + defer res.Release() + + // check in memory state matches matches original persistent state + require.Equal(t, cursorState, res.stateSnapshot()) + // check assumed in-sync state matches matches original persistent state + require.Equal(t, cursorState, res.inSyncStateSnapshot()) + }) + + t.Run("access unknown resource", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + res := store.Get("test::key") + require.NotNil(t, res) + defer res.Release() + + // new resource has empty state + require.Equal(t, state{}, res.stateSnapshot()) + }) + + t.Run("same resource is returned", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + res1 := store.Get("test::key") + require.NotNil(t, res1) + defer res1.Release() + + res2 := store.Get("test::key") + require.NotNil(t, res2) + defer res2.Release() + + assert.Equal(t, res1, res2) + }) +} + +func TestStore_UpdateTTL(t *testing.T) { + t.Run("add TTL for new entry to store", func(t *testing.T) { + // when creating a resource we set the TTL and insert a new key value pair without cursor value into the store: + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + res := store.Get("test::key") + store.UpdateTTL(res, 60*time.Second) + + want := map[string]state{ + "test::key": { + TTL: 60 * time.Second, + Updated: res.internalState.Updated, + Cursor: nil, + }, + } + + checkEqualStoreState(t, want, storeMemorySnapshot(store)) + checkEqualStoreState(t, want, storeInSyncSnapshot(store)) + }) + + t.Run("update TTL for in-sync resource does not overwrite state", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": { + TTL: 1 * time.Second, + Cursor: "test", + }, + })) + defer store.Release() + + res := store.Get("test::key") + store.UpdateTTL(res, 60*time.Second) + want := map[string]state{ + "test::key": { + Updated: res.internalState.Updated, + TTL: 60 * time.Second, + Cursor: "test", + }, + } + + checkEqualStoreState(t, want, storeMemorySnapshot(store)) + checkEqualStoreState(t, want, storeInSyncSnapshot(store)) + }) + + t.Run("update TTL for resource with pending updates", func(t *testing.T) { + // This test updates the resource TTL while update operations are still + // pending, but not synced to the persistent store yet. + // UpdateTTL changes the state in the persistent store immediately, and must therefore + // serialize the old in-sync state with update meta-data. + + // create store + backend := createSampleStore(t, map[string]state{ + "test::key": { + TTL: 1 * time.Second, + Cursor: "test", + }, + }) + store := testOpenStore(t, "test", backend) + defer store.Release() + + // create pending update operation + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + defer op.done(1) + + // Update key/value pair TTL. This will update the internal state in the + // persistent store only, not modifying the old cursor state yet. + store.UpdateTTL(res, 60*time.Second) + + // validate + wantMemoryState := state{ + Updated: res.internalState.Updated, + TTL: 60 * time.Second, + Cursor: "test-state-update", + } + wantInSyncState := state{ + Updated: res.internalState.Updated, + TTL: 60 * time.Second, + Cursor: "test", + } + + checkEqualStoreState(t, map[string]state{"test::key": wantMemoryState}, storeMemorySnapshot(store)) + checkEqualStoreState(t, map[string]state{"test::key": wantInSyncState}, storeInSyncSnapshot(store)) + checkEqualStoreState(t, map[string]state{"test::key": wantInSyncState}, backend.snapshot()) + }) +} + +func closeStoreWith(fn func(s *store)) func() { + old := closeStore + closeStore = fn + return func() { + closeStore = old + } +} + +func testOpenStore(t *testing.T, prefix string, persistentStore StateStore) *store { + if persistentStore == nil { + persistentStore = createSampleStore(t, nil) + } + + store, err := openStore(logp.NewLogger("test"), persistentStore, prefix) + if err != nil { + t.Fatalf("failed to open the store") + } + return store +} + +func createSampleStore(t *testing.T, data map[string]state) testStateStore { + storeReg := statestore.NewRegistry(storetest.NewMemoryStoreBackend()) + store, err := storeReg.Get("test") + if err != nil { + t.Fatalf("Failed to access store: %v", err) + } + + for k, v := range data { + if err := store.Set(k, v); err != nil { + t.Fatalf("Error when populating the sample store: %v", err) + } + } + + return testStateStore{ + Store: store, + } +} + +func (ts testStateStore) WithGCPeriod(d time.Duration) testStateStore { ts.GCPeriod = d; return ts } +func (ts testStateStore) CleanupInterval() time.Duration { return ts.GCPeriod } +func (ts testStateStore) Access() (*statestore.Store, error) { + if ts.Store == nil { + return nil, errors.New("no store configured") + } + return ts.Store, nil +} + +// snapshot copies all key/value pairs from the persistent store into a table for inspection. +func (ts testStateStore) snapshot() map[string]state { + states := map[string]state{} + err := ts.Store.Each(func(key string, dec statestore.ValueDecoder) (bool, error) { + var st state + if err := dec.Decode(&st); err != nil { + return false, err + } + states[key] = st + return true, nil + }) + + if err != nil { + panic("unexpected decode error from persistent test store") + } + return states +} + +// storeMemorySnapshot copies all key/value pairs into a table for inspection. +// The state returned reflects the in memory state, which can be ahead of the +// persistent state. +// +// Note: The state returned by storeMemorySnapshot is always ahead of the state returned by storeInSyncSnapshot. +// All key value pairs are fully in-sync, if both snapshot functions return the same state. +func storeMemorySnapshot(store *store) map[string]state { + store.ephemeralStore.mu.Lock() + defer store.ephemeralStore.mu.Unlock() + + states := map[string]state{} + for k, res := range store.ephemeralStore.table { + states[k] = res.stateSnapshot() + } + return states +} + +// storeInSyncSnapshot copies all key/value pairs into the table for inspection. +// The state returned reflects the current state that the in-memory tables assumed to be +// written to the persistent store already. + +// Note: The state returned by storeMemorySnapshot is always ahead of the state returned by storeInSyncSnapshot. +// All key value pairs are fully in-sync, if both snapshot functions return the same state. +func storeInSyncSnapshot(store *store) map[string]state { + store.ephemeralStore.mu.Lock() + defer store.ephemeralStore.mu.Unlock() + + states := map[string]state{} + for k, res := range store.ephemeralStore.table { + states[k] = res.inSyncStateSnapshot() + } + return states +} + +// checkEqualStoreState compares 2 store snapshot tables for equality. The test +// fails with Errorf if the state differ. +// +// Note: testify is too strict when comparing timestamp, better use checkEqualStoreState. +func checkEqualStoreState(t *testing.T, want, got map[string]state) bool { + if d := cmp.Diff(want, got); d != "" { + t.Errorf("store state mismatch (-want +got):\n%s", d) + return false + } + return true +} + +// requireEqualStoreState compares 2 store snapshot tables for equality. The test +// fails with Fatalf if the state differ. +// +// Note: testify is too strict when comparing timestamp, better use checkEqualStoreState. +func requireEqualStoreState(t *testing.T, want, got map[string]state) bool { + if d := cmp.Diff(want, got); d != "" { + t.Fatalf("store state mismatch (-want +got):\n%s", d) + return false + } + return true +} diff --git a/filebeat/input/filestream/prospector.go b/filebeat/input/filestream/prospector.go new file mode 100644 index 00000000000..94670e18ce7 --- /dev/null +++ b/filebeat/input/filestream/prospector.go @@ -0,0 +1,210 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "os" + "strings" + "time" + + "github.com/urso/sderr" + + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/go-concert/unison" +) + +const ( + prospectorDebugKey = "file_prospector" +) + +// fileProspector implements the Prospector interface. +// It contains a file scanner which returns file system events. +// The FS events then trigger either new Harvester runs or updates +// the statestore. +type fileProspector struct { + filewatcher loginp.FSWatcher + identifier fileIdentifier + ignoreOlder time.Duration + cleanRemoved bool +} + +func newFileProspector( + paths []string, + ignoreOlder time.Duration, + fileWatcherNs, identifierNs *common.ConfigNamespace, +) (loginp.Prospector, error) { + + filewatcher, err := newFileWatcher(paths, fileWatcherNs) + if err != nil { + return nil, err + } + + identifier, err := newFileIdentifier(identifierNs) + if err != nil { + return nil, err + } + + return &fileProspector{ + filewatcher: filewatcher, + identifier: identifier, + ignoreOlder: ignoreOlder, + cleanRemoved: true, + }, nil +} + +// Run starts the fileProspector which accepts FS events from a file watcher. +func (p *fileProspector) Run(ctx input.Context, s *statestore.Store, hg *loginp.HarvesterGroup) { + log := ctx.Logger.With("prospector", prospectorDebugKey) + log.Debug("Starting prospector") + defer log.Debug("Prospector has stopped") + + if p.cleanRemoved { + p.cleanRemovedBetweenRuns(log, s) + } + + p.updateIdentifiersBetweenRuns(log, s) + + var tg unison.MultiErrGroup + + tg.Go(func() error { + p.filewatcher.Run(ctx.Cancelation) + return nil + }) + + tg.Go(func() error { + for ctx.Cancelation.Err() == nil { + fe := p.filewatcher.Event() + + if fe.Op == loginp.OpDone { + return nil + } + + src := p.identifier.GetSource(fe) + switch fe.Op { + case loginp.OpCreate: + log.Debugf("A new file %s has been found", fe.NewPath) + + if p.ignoreOlder > 0 { + now := time.Now() + if now.Sub(fe.Info.ModTime()) > p.ignoreOlder { + log.Debugf("Ignore file because ignore_older reached. File %s", fe.NewPath) + break + } + } + + hg.Run(ctx, src) + + case loginp.OpWrite: + log.Debugf("File %s has been updated", fe.NewPath) + + hg.Run(ctx, src) + + case loginp.OpDelete: + log.Debugf("File %s has been removed", fe.OldPath) + + if p.cleanRemoved { + log.Debugf("Remove state for file as file removed: %s", fe.OldPath) + + err := s.Remove(src.Name()) + if err != nil { + log.Errorf("Error while removing state from statestore: %v", err) + } + } + + case loginp.OpRename: + log.Debugf("File %s has been renamed to %s", fe.OldPath, fe.NewPath) + // TODO update state information in the store + + default: + log.Error("Unkown return value %v", fe.Op) + } + } + return nil + }) + + errs := tg.Wait() + if len(errs) > 0 { + log.Error("%s", sderr.WrapAll(errs, "running prospector failed")) + } +} + +func (p *fileProspector) cleanRemovedBetweenRuns(log *logp.Logger, s *statestore.Store) { + keyPrefix := pluginName + "::" + s.Each(func(key string, dec statestore.ValueDecoder) (bool, error) { + if !strings.HasPrefix(string(key), keyPrefix) { + return true, nil + } + + var st state + if err := dec.Decode(&st); err != nil { + log.Errorf("Failed to read regisry state for '%v', cursor state will be ignored. Error was: %+v", + key, err) + return true, nil + } + + _, err := os.Stat(st.Source) + if err != nil { + s.Remove(key) + } + + return true, nil + }) +} + +func (p *fileProspector) updateIdentifiersBetweenRuns(log *logp.Logger, s *statestore.Store) { + keyPrefix := pluginName + "::" + s.Each(func(key string, dec statestore.ValueDecoder) (bool, error) { + if !strings.HasPrefix(string(key), keyPrefix) { + return true, nil + } + + var st state + if err := dec.Decode(&st); err != nil { + log.Errorf("Failed to read regisry state for '%v', cursor state will be ignored. Error was: %+v", key, err) + return true, nil + } + + if st.IdentifierName == p.identifier.Name() { + return true, nil + } + + fi, err := os.Stat(st.Source) + if err != nil { + return true, nil + } + newKey := p.identifier.GetSource(loginp.FSEvent{NewPath: st.Source, Info: fi}).Name() + st.IdentifierName = p.identifier.Name() + + err = s.Set(newKey, st) + if err != nil { + log.Errorf("Failed to add updated state for '%v', cursor state will be ignored. Error was: %+v", key, err) + return true, nil + } + s.Remove(key) + + return true, nil + }) +} + +func (p *fileProspector) Test() error { + panic("TODO: implement me") +} diff --git a/filebeat/input/v2/input-cursor/manager.go b/filebeat/input/v2/input-cursor/manager.go index 2a4310dc778..766d6f17fa0 100644 --- a/filebeat/input/v2/input-cursor/manager.go +++ b/filebeat/input/v2/input-cursor/manager.go @@ -26,7 +26,6 @@ import ( "github.com/elastic/go-concert/unison" - input "github.com/elastic/beats/v7/filebeat/input/v2" v2 "github.com/elastic/beats/v7/filebeat/input/v2" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" @@ -145,7 +144,7 @@ func (cim *InputManager) shutdown() { // Create builds a new v2.Input using the provided Configure function. // The Input will run a go-routine per source that has been configured. -func (cim *InputManager) Create(config *common.Config) (input.Input, error) { +func (cim *InputManager) Create(config *common.Config) (v2.Input, error) { if err := cim.init(); err != nil { return nil, err } @@ -180,7 +179,7 @@ func (cim *InputManager) Create(config *common.Config) (input.Input, error) { // Lock locks a key for exclusive access and returns an resource that can be used to modify // the cursor state and unlock the key. -func (cim *InputManager) lock(ctx input.Context, key string) (*resource, error) { +func (cim *InputManager) lock(ctx v2.Context, key string) (*resource, error) { resource := cim.store.Get(key) err := lockResource(ctx.Logger, resource, ctx.Cancelation) if err != nil { @@ -190,7 +189,7 @@ func (cim *InputManager) lock(ctx input.Context, key string) (*resource, error) return resource, nil } -func lockResource(log *logp.Logger, resource *resource, canceler input.Canceler) error { +func lockResource(log *logp.Logger, resource *resource, canceler v2.Canceler) error { if !resource.lock.TryLock() { log.Infof("Resource '%v' currently in use, waiting...", resource.key) err := resource.lock.LockContext(canceler) diff --git a/filebeat/module/apache/access/config/access.yml b/filebeat/module/apache/access/config/access.yml index 183de629867..b39221031f3 100644 --- a/filebeat/module/apache/access/config/access.yml +++ b/filebeat/module/apache/access/config/access.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json index 9c61a6065af..1f3600f2e09 100644 --- a/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json +++ b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json @@ -76,6 +76,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -105,6 +106,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -134,6 +136,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", diff --git a/filebeat/module/apache/access/test/ssl-request.log-expected.json b/filebeat/module/apache/access/test/ssl-request.log-expected.json index 9898d82cef0..3eb3e283b19 100644 --- a/filebeat/module/apache/access/test/ssl-request.log-expected.json +++ b/filebeat/module/apache/access/test/ssl-request.log-expected.json @@ -38,6 +38,7 @@ "source.address": "11.19.0.217", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "11.19.0.217", diff --git a/filebeat/module/apache/error/config/error.yml b/filebeat/module/apache/error/config/error.yml index 7aa0cdb7cf8..b8aa75eef7c 100644 --- a/filebeat/module/apache/error/config/error.yml +++ b/filebeat/module/apache/error/config/error.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/apache/error/test/test.log-expected.json b/filebeat/module/apache/error/test/test.log-expected.json index fbc9605ef38..d9f470db46a 100644 --- a/filebeat/module/apache/error/test/test.log-expected.json +++ b/filebeat/module/apache/error/test/test.log-expected.json @@ -56,6 +56,7 @@ "source.geo.city_name": "Newnan", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 33.3708, "source.geo.location.lon": -84.8154, "source.geo.region_iso_code": "US-GA", @@ -84,6 +85,7 @@ "source.geo.city_name": "Beijing", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 39.9288, "source.geo.location.lon": 116.3889, "source.geo.region_iso_code": "CN-BJ", diff --git a/filebeat/module/auditd/log/config/log.yml b/filebeat/module/auditd/log/config/log.yml index 183de629867..b39221031f3 100644 --- a/filebeat/module/auditd/log/config/log.yml +++ b/filebeat/module/auditd/log/config/log.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/elasticsearch/audit/config/audit.yml b/filebeat/module/elasticsearch/audit/config/audit.yml index 7aa0cdb7cf8..b8aa75eef7c 100644 --- a/filebeat/module/elasticsearch/audit/config/audit.yml +++ b/filebeat/module/elasticsearch/audit/config/audit.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/elasticsearch/deprecation/config/log.yml b/filebeat/module/elasticsearch/deprecation/config/log.yml index f6c37b9e426..aa6f7d220f0 100644 --- a/filebeat/module/elasticsearch/deprecation/config/log.yml +++ b/filebeat/module/elasticsearch/deprecation/config/log.yml @@ -15,4 +15,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/elasticsearch/gc/config/gc.yml b/filebeat/module/elasticsearch/gc/config/gc.yml index 5f62e00c54c..12b9a0f874d 100644 --- a/filebeat/module/elasticsearch/gc/config/gc.yml +++ b/filebeat/module/elasticsearch/gc/config/gc.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/elasticsearch/server/config/log.yml b/filebeat/module/elasticsearch/server/config/log.yml index b0b9e3f55d0..45a7f84018d 100644 --- a/filebeat/module/elasticsearch/server/config/log.yml +++ b/filebeat/module/elasticsearch/server/config/log.yml @@ -15,4 +15,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/elasticsearch/slowlog/config/slowlog.yml b/filebeat/module/elasticsearch/slowlog/config/slowlog.yml index 2d98286de6d..4c861ea7dc7 100644 --- a/filebeat/module/elasticsearch/slowlog/config/slowlog.yml +++ b/filebeat/module/elasticsearch/slowlog/config/slowlog.yml @@ -16,4 +16,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/haproxy/log/config/file.yml b/filebeat/module/haproxy/log/config/file.yml index c3e104f56d4..ac3846087c3 100644 --- a/filebeat/module/haproxy/log/config/file.yml +++ b/filebeat/module/haproxy/log/config/file.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/haproxy/log/config/syslog.yml b/filebeat/module/haproxy/log/config/syslog.yml index 6fa56f8fe3c..e919d732e74 100644 --- a/filebeat/module/haproxy/log/config/syslog.yml +++ b/filebeat/module/haproxy/log/config/syslog.yml @@ -6,4 +6,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/haproxy/log/test/default.log-expected.json b/filebeat/module/haproxy/log/test/default.log-expected.json index f58515d6172..4da9bc98f17 100644 --- a/filebeat/module/haproxy/log/test/default.log-expected.json +++ b/filebeat/module/haproxy/log/test/default.log-expected.json @@ -30,6 +30,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/filebeat/module/haproxy/log/test/haproxy.log-expected.json b/filebeat/module/haproxy/log/test/haproxy.log-expected.json index 474b7a5e5d3..b33e80ab073 100644 --- a/filebeat/module/haproxy/log/test/haproxy.log-expected.json +++ b/filebeat/module/haproxy/log/test/haproxy.log-expected.json @@ -47,6 +47,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/filebeat/module/icinga/debug/config/debug.yml b/filebeat/module/icinga/debug/config/debug.yml index 33c47850878..8b5c2ae7422 100644 --- a/filebeat/module/icinga/debug/config/debug.yml +++ b/filebeat/module/icinga/debug/config/debug.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/icinga/main/config/main.yml b/filebeat/module/icinga/main/config/main.yml index 33c47850878..8b5c2ae7422 100644 --- a/filebeat/module/icinga/main/config/main.yml +++ b/filebeat/module/icinga/main/config/main.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/icinga/startup/config/startup.yml b/filebeat/module/icinga/startup/config/startup.yml index a69343bd796..acc8bd2b782 100644 --- a/filebeat/module/icinga/startup/config/startup.yml +++ b/filebeat/module/icinga/startup/config/startup.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/iis/access/config/iis-access.yml b/filebeat/module/iis/access/config/iis-access.yml index b4797039397..2c845646a4e 100644 --- a/filebeat/module/iis/access/config/iis-access.yml +++ b/filebeat/module/iis/access/config/iis-access.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index adb56a2eadd..786333c1379 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json @@ -34,6 +34,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -127,6 +128,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", diff --git a/filebeat/module/iis/error/config/iis-error.yml b/filebeat/module/iis/error/config/iis-error.yml index b4797039397..2c845646a4e 100644 --- a/filebeat/module/iis/error/config/iis-error.yml +++ b/filebeat/module/iis/error/config/iis-error.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/iis/error/test/iis_error_url.log-expected.json b/filebeat/module/iis/error/test/iis_error_url.log-expected.json index 0cb2fb038b4..8adb2e6d1d0 100644 --- a/filebeat/module/iis/error/test/iis_error_url.log-expected.json +++ b/filebeat/module/iis/error/test/iis_error_url.log-expected.json @@ -30,6 +30,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -67,6 +68,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -104,6 +106,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -141,6 +144,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -178,6 +182,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -215,6 +220,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -252,6 +258,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -289,6 +296,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", diff --git a/filebeat/module/iis/error/test/test.log-expected.json b/filebeat/module/iis/error/test/test.log-expected.json index 50ec549dd6b..506ee6ba2ed 100644 --- a/filebeat/module/iis/error/test/test.log-expected.json +++ b/filebeat/module/iis/error/test/test.log-expected.json @@ -66,6 +66,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -108,6 +109,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -146,6 +148,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", diff --git a/filebeat/module/kafka/log/config/log.yml b/filebeat/module/kafka/log/config/log.yml index a745c79562c..f3cfc687526 100644 --- a/filebeat/module/kafka/log/config/log.yml +++ b/filebeat/module/kafka/log/config/log.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/kibana/log/config/log.yml b/filebeat/module/kibana/log/config/log.yml index 1ad204c62fe..93daa116791 100644 --- a/filebeat/module/kibana/log/config/log.yml +++ b/filebeat/module/kibana/log/config/log.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/logstash/log/config/log.yml b/filebeat/module/logstash/log/config/log.yml index af0e4c33735..407078dc115 100644 --- a/filebeat/module/logstash/log/config/log.yml +++ b/filebeat/module/logstash/log/config/log.yml @@ -16,4 +16,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/logstash/slowlog/config/slowlog.yml b/filebeat/module/logstash/slowlog/config/slowlog.yml index 080a2c4310d..4c6abc278c6 100644 --- a/filebeat/module/logstash/slowlog/config/slowlog.yml +++ b/filebeat/module/logstash/slowlog/config/slowlog.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/mongodb/log/config/log.yml b/filebeat/module/mongodb/log/config/log.yml index 183de629867..b39221031f3 100644 --- a/filebeat/module/mongodb/log/config/log.yml +++ b/filebeat/module/mongodb/log/config/log.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/mysql/error/config/error.yml b/filebeat/module/mysql/error/config/error.yml index 818cbab297d..8ceba377810 100644 --- a/filebeat/module/mysql/error/config/error.yml +++ b/filebeat/module/mysql/error/config/error.yml @@ -16,4 +16,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/mysql/slowlog/config/slowlog.yml b/filebeat/module/mysql/slowlog/config/slowlog.yml index 7b1a3bc28fd..6893491d869 100644 --- a/filebeat/module/mysql/slowlog/config/slowlog.yml +++ b/filebeat/module/mysql/slowlog/config/slowlog.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/nats/log/config/log.yml b/filebeat/module/nats/log/config/log.yml index 183de629867..b39221031f3 100644 --- a/filebeat/module/nats/log/config/log.yml +++ b/filebeat/module/nats/log/config/log.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/nginx/access/config/nginx-access.yml b/filebeat/module/nginx/access/config/nginx-access.yml index 7aa0cdb7cf8..b8aa75eef7c 100644 --- a/filebeat/module/nginx/access/config/nginx-access.yml +++ b/filebeat/module/nginx/access/config/nginx-access.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json index 92519cc1e81..7981a316c95 100644 --- a/filebeat/module/nginx/access/test/access.log-expected.json +++ b/filebeat/module/nginx/access/test/access.log-expected.json @@ -32,6 +32,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -80,6 +81,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -127,6 +129,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -174,6 +177,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -222,6 +226,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -269,6 +274,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -316,6 +322,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -363,6 +370,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json index a1968695184..e07836ce520 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json +++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json @@ -115,6 +115,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -164,6 +165,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -216,6 +218,7 @@ "source.geo.city_name": "Springfield", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.7647, "source.geo.location.lon": -89.7379, "source.geo.region_iso_code": "US-IL", @@ -260,6 +263,7 @@ "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PT", + "source.geo.country_name": "Portugal", "source.geo.location.lat": 39.5, "source.geo.location.lon": -8.0, "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000", diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json index 75caf6cf9f8..b27c9ccf19b 100644 --- a/filebeat/module/nginx/access/test/test.log-expected.json +++ b/filebeat/module/nginx/access/test/test.log-expected.json @@ -112,6 +112,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -159,6 +160,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -209,6 +211,7 @@ "source.geo.city_name": "Springfield", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.7647, "source.geo.location.lon": -89.7379, "source.geo.region_iso_code": "US-IL", @@ -251,6 +254,7 @@ "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PT", + "source.geo.country_name": "Portugal", "source.geo.location.lat": 39.5, "source.geo.location.lon": -8.0, "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000", diff --git a/filebeat/module/nginx/error/config/nginx-error.yml b/filebeat/module/nginx/error/config/nginx-error.yml index 797c45f6c38..173a43c5a1e 100644 --- a/filebeat/module/nginx/error/config/nginx-error.yml +++ b/filebeat/module/nginx/error/config/nginx-error.yml @@ -14,4 +14,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/nginx/fields.go b/filebeat/module/nginx/fields.go index 2f9e50ceb60..4e622f85db6 100644 --- a/filebeat/module/nginx/fields.go +++ b/filebeat/module/nginx/fields.go @@ -32,5 +32,5 @@ func init() { // AssetNginx returns asset data. // This is the base64 encoded gzipped contents of module/nginx. func AssetNginx() string { - return "eJzsWM9u48YPvucpiP1dfgUSPYAPBYotFsihRVH00Jt3rKFkIqOhSo6c+u2LkeQ/kUe25GS3PUinRDK/7+OQwxnyCV5wvwJfkv/7ASBQcLiCT7/G/z89AFjUXKgOxH4FPz4AAPzCtnEIBQvURpR8CWGL0JqA4xIKcqjZA4BuWcI6Z19QuYIgDT4AFITO6qqFegJvKjzRxyfsa1xBKdzU/ZuEhvh8aYGgEK7GBMTnnO+c0+Q5qh5fp4ivkMfnM/tgyGtP0a7ISUiHH/UcpaTknEsSrDjgmuq1Iw1vfnKQZ0TMfvDlisT4/OQ7K+CiZ4Dn38BYK6iKmsFzAFIwEElhg7lpFIHalzlXFXsIDORz11h8hA0qWdTW09wR+qFQOIN/fEPVxWqLxqIoOHpB+Prn0xeWVyMWbfzra3aB9jsaB8qN5K1wUhDUwII26vrafcmoPjNNru6G7X6t6EO22QfU9PI6MsMvtQnbFWxDqDNBrdkrZhErCVNRKaaLRJ/vl0IaRVnHP2dKiHZZwm4KZ4Vhy/Y+n/9qUEOWRJjkrri5jorLWKgkb4amUwij7PUORYn9PR6nTacwH/JjnbOdG923CabBhEZTONN0FCiC8p54j2BMoTflZVWYktzr1nBu6Mf32LiOYZWHkcp8DmlxR/kwGtddS7rX4aQ28jUvh2pGzGdqeacITpHMlMCaFY1zqYI4T8oYwnw975WSzt97tIwjzdoNJTIN0/3+jZCzD+TRh/eseH9sl8jZTbypC59z44Ps16Scqpx3SbuJOFWc47z92ftFXUGaKkawJPYfFL/rYJODR2H/UQl1BWrmCn1cKt0GHJN2kIQiLN+uYWnhZ/UrOXuPeWjdSt8tHftyXrfy+YgJZNEHKgjlxs3e4Q7n3jEdl1nKbsr9ph7xdpytFo7dYHZpOYUv3M0XtoLGZnexVqhqyrnX2LTVrdQmX8YWcR2PAmHn8Jvk+XPH0uf7iWvp1f8rvfr/DpnwdBYdrTGngvI+HqM937F1cejLsJ1akAqWyoQVpNr5G+H6Y4vQk0JHCv/vFp98efpCHh/7pXwE4+3xy4bt/ofb/gQamRVYbjZu+Ongj20kdU245RJVCOhMrWhByefYZk9BEvXGJYJXlOi2safZWyK5jp1YrUHQVKlbdefFC+5fWYYlasLSR8S4U6KCI811EcYFFG8C7XB8BPMhgs6Ypoo7dv/fNYH7xO1lHzQAb2INxbMgH3SCouwGg4FxX75r8m4RIl8sGT4AexDMkXaHGfXRuTGfwCgo5uytwiuFLVTkHHVvojW75kLVuOvjQ5x7b0fRwQ4VIuoHBe1NsRm5a9y9J8R4y5XbQ4kexQS08PzzSXhLen09R1rXi9cTxJxOuGHd6Ncng+cCFHco8SBrX/UFLx5IJo/ybSPn5b2/a5EvHyMiydkhagRBsTad35t9e0gbvVEHapb0jeK+hIlwY+5ev1gvI/NlZL6MzJeR+TIyX0bm1/UsI/NlZL6MzJeR+b88Mv8nAAD///5cnQ8=" + return "eJzsWcFu4zYQvecrBttLCyT6AB8KFFsskEOLouihNy8tjuTBUhx1SCX13xeUZFmRKFuSkzQLWKdEMue9eTNDDskH+IaHDdic7L93AJ68wQ18+j38/+kOQKNLhUpPbDfw8x0AwG+sK4OQsUCpxJHNwe8R6iFgOIeMDLrkDsDtWfw2ZZtRvgEvFd4BZIRGu01t6gGsKvAEHx5/KHEDuXBVtm8iHMLzpTYEmXAxRSA8fbw+pkpTdK57HQM+Ax6ez2y9IutaiFqRE5HGfuDTUYnR6VMSLNjjlsqtIedf/ORIT4mow+DLGYrh+cU2o4CzFgEe/wCltaBz6BJ49EAOFARQ2GGqKodA9cuUi4IteAayqak03sMOHWl0taepIbRDotAzf/8CqonVHpVGcWDoG8LXvx++sDwr0ajDX1+TkbU/URlwXElaEycHgs6zoA68vjZfEip7Q6Pq7lgftg6tT3YHjy4uryE1/FIqv9/A3vsyEXQlW4dJsBU1U1AuqolEm+9jIpVD2YY/F1II45LIuDmYBfo963U+/1Oh80nUwix3xSx1VEzCQjlZNRw6BzDQ3j6hOGK7xuP40DnIx/zYpqyXRvdlgjmvfOVidubxyFAE5Zp4T9iYA6/y8awwJ7m39cCloZ+usWkew1keJmbmvkmNT5QOo3Hetah7jZ1YIZ/zcshmYvhCLleS4BjIQgrskqwyJjYhLqMyZWE5n2upxPN3DZdpS4uqIUemYbqvL4SUrSeL1l+jeLts58jJRXtzhU+5sl4OW3IcmzlXUbtocS45w2n9s+tJnbE0l4xgTmxfKX7njc0OHvnDayXUGVMLFXq9VLpscIrakRKKsLzdhqU2v2i/krK1mPrarXhvadjmy3YrnzubQBqtp4xQLnT2Bp9waY9pOE9i4+b0N+WEt9NopXDYDSbjkXPw/Go8vxdUOlmFWqBzKl/axsZHXUptsnnYIm7DUiBsDL5Jnj82KG2+n7Bue/WPslf/4ZgJD73ouBJTyiht4xHv90vnBVWxbR2Yjso3PDyzDAtiQVyCmEe4haHZKw8On1CUOZlwKGHHOcJ8RsE6SVXqUYOuhGwO7fbsWOFk8+SsIKctpUGb+/0bCtN5dISEBvI70MZTge+qjK6a+fA70KZ3FPGuEjW4EHA/nEovTkqaLJ/b/2QshfIbiJ0eXtDrrz12DBtQ+LGZ6/vcDVm8b2fue1BWd192rA8/XfYnFEPUG83Vzgw/Hf05ZvRCl6hAQKNKhxoc2RTr+TUjCXyDRE2kQhtzOuqPrGWj/J08YF2VqkH6YHG4AFwoImU8ilWennD6xPdVCPWQ5pIbrAzvlMBt4ra0u2rnXWjZsBfkQQkn8Jh15d1W9bwqvh/xCOZdVRRKuhW9qIyn0uBo8QozTNPCLFlM3q1+9ggBLzRJ1gNbEEyRno63cp03Y1mVA4cpW+3gmfweCjKGmjdhGJsqgI57vNVhmCd78GaF6NMH5mt3okHa3hr0lhk7wh5Jx9YcGv3OMOqIGOVCLuBJRqCwQFK7Jbog6sRZ4ej1DAFPW4pR6/z6Zd2JdKX/JUu8y1mXRMHcx/f+RQswceCweqUSZTUX5gA5WhQV3Hr89ZS/Nej5M57b7e3t9vZ2e3u7vb3d3t5ub8/zud3e3m5vb7e3t9vb//n29r8AAAD//ydZrLw=" } diff --git a/filebeat/module/nginx/ingress_controller/_meta/fields.yml b/filebeat/module/nginx/ingress_controller/_meta/fields.yml index 2c467e3856a..30bc1f5ad9e 100644 --- a/filebeat/module/nginx/ingress_controller/_meta/fields.yml +++ b/filebeat/module/nginx/ingress_controller/_meta/fields.yml @@ -11,6 +11,26 @@ Real source IP is restored to `source.ip`. # ingress-controller specific fields + - name: upstream_address_list + type: keyword + description: > + An array of the upstream addresses. It is a list because it is common that several upstream servers + were contacted during request processing. + - name: upstream.response.length_list + type: keyword + description: > + An array of upstream response lengths. It is a list because it is common that several upstream servers + were contacted during request processing. + - name: upstream.response.time_list + type: keyword + description: > + An array of upstream response durations. It is a list because it is common that several upstream servers + were contacted during request processing. + - name: upstream.response.status_code_list + type: keyword + description: > + An array of upstream response status codes. It is a list because it is common that several upstream servers + were contacted during request processing. - name: http.request.length type: long format: bytes @@ -33,28 +53,33 @@ type: long format: bytes description: > - The length of the response obtained from the upstream server + The length of the response obtained from the upstream server. If several servers were contacted during request process, + the summary of the multiple response lengths is stored. - name: upstream.response.time type: double format: duration description: > - The time spent on receiving the response from the upstream server as seconds with millisecond resolution + The time spent on receiving the response from the upstream as seconds with millisecond resolution. + If several servers were contacted during request process, the summary of the multiple response times is stored. - name: upstream.response.status_code type: long description: > - The status code of the response obtained from the upstream server - - name: http.request.id - type: keyword - description: > - The randomly generated ID of the request + The status code of the response obtained from the upstream server. If several servers were contacted during + request process, only the status code of the response from the last one is stored in this field. - name: upstream.ip type: ip description: > - The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. + The IP address of the upstream server. If several servers were contacted during request process, + only the last one is stored in this field. - name: upstream.port type: long description: > - The port of the upstream server. + The port of the upstream server. If several servers were contacted during request process, + only the last one is stored in this field. + - name: http.request.id + type: keyword + description: > + The randomly generated ID of the request - name: body_sent.bytes type: alias diff --git a/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml b/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml index 7aa0cdb7cf8..b8aa75eef7c 100644 --- a/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml +++ b/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml index c9f4a5860c7..0eca28c6084 100644 --- a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml +++ b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml @@ -12,14 +12,17 @@ processors: %{NUMBER:http.response.status_code:long} %{NUMBER:http.response.body.bytes:long} "(-|%{DATA:http.request.referrer})" "(-|%{DATA:user_agent.original})" %{NUMBER:nginx.ingress_controller.http.request.length:long} %{NUMBER:nginx.ingress_controller.http.request.time:double} \[%{DATA:nginx.ingress_controller.upstream.name}\] - \[%{DATA:nginx.ingress_controller.upstream.alternative_name}\] (%{UPSTREAM_ADDRESS}|-) - (%{NUMBER:nginx.ingress_controller.upstream.response.length:long}|-) (%{NUMBER:nginx.ingress_controller.upstream.response.time:double}|-) - (%{NUMBER:nginx.ingress_controller.upstream.response.status_code:long}|-) %{GREEDYDATA:nginx.ingress_controller.http.request.id} + \[%{DATA:nginx.ingress_controller.upstream.alternative_name}\] (%{UPSTREAM_ADDRESS_LIST:nginx.ingress_controller.upstream_address_list}|-) + (%{UPSTREAM_RESPONSE_LENGTH_LIST:nginx.ingress_controller.upstream.response.length_list}|-) (%{UPSTREAM_RESPONSE_TIME_LIST:nginx.ingress_controller.upstream.response.time_list}|-) + (%{UPSTREAM_RESPONSE_STATUS_CODE_LIST:nginx.ingress_controller.upstream.response.status_code_list}|-) %{GREEDYDATA:nginx.ingress_controller.http.request.id} pattern_definitions: NGINX_HOST: (?:%{IP:destination.ip}|%{NGINX_NOTSEPARATOR:destination.domain})(:%{NUMBER:destination.port})? NGINX_NOTSEPARATOR: "[^\t ,:]+" NGINX_ADDRESS_LIST: (?:%{IP}|%{WORD})("?,?\s*(?:%{IP}|%{WORD}))* - UPSTREAM_ADDRESS: '%{IP:nginx.ingress_controller.upstream.ip}(:%{NUMBER:nginx.ingress_controller.upstream.port})?' + UPSTREAM_ADDRESS_LIST: (?:%{IP}(:%{NUMBER})?)("?,?\s*(?:%{IP}(:%{NUMBER})?))* + UPSTREAM_RESPONSE_LENGTH_LIST: (?:%{NUMBER})("?,?\s*(?:%{NUMBER}))* + UPSTREAM_RESPONSE_TIME_LIST: (?:%{NUMBER})("?,?\s*(?:%{NUMBER}))* + UPSTREAM_RESPONSE_STATUS_CODE_LIST: (?:%{NUMBER})("?,?\s*(?:%{NUMBER}))* ignore_missing: true - grok: field: nginx.ingress_controller.info @@ -33,6 +36,22 @@ processors: field: nginx.ingress_controller.remote_ip_list separator: '"?,?\s+' ignore_missing: true +- split: + field: nginx.ingress_controller.upstream_address_list + separator: '"?,?\s+' + ignore_missing: true +- split: + field: nginx.ingress_controller.upstream.response.length_list + separator: '"?,?\s+' + ignore_missing: true +- split: + field: nginx.ingress_controller.upstream.response.time_list + separator: '"?,?\s+' + ignore_missing: true +- split: + field: nginx.ingress_controller.upstream.response.status_code_list + separator: '"?,?\s+' + ignore_missing: true - split: field: nginx.ingress_controller.origin separator: '"?,?\s+' @@ -41,6 +60,81 @@ processors: field: source.address if: ctx.source?.address == null value: "" +- script: + if: ctx.nginx?.ingress_controller?.upstream?.response?.length_list != null && ctx.nginx.ingress_controller.upstream.response.length_list.length > 0 + lang: painless + source: >- + try { + if (ctx.nginx.ingress_controller.upstream.response.length_list.length == null) { + return; + } + int last_length = 0; + for (def item : ctx.nginx.ingress_controller.upstream.response.length_list) { + last_length = Integer.parseInt(item); + } + ctx.nginx.ingress_controller.upstream.response.length = last_length; + } + catch (Exception e) { + ctx.nginx.ingress_controller.upstream.response.length = null; + } +- script: + if: ctx.nginx?.ingress_controller?.upstream?.response?.time_list != null && ctx.nginx.ingress_controller.upstream.response.time_list.length > 0 + lang: painless + source: >- + try { + if (ctx.nginx.ingress_controller.upstream.response.time_list.length == null) { + return; + } + float res_time = 0; + for (def item : ctx.nginx.ingress_controller.upstream.response.time_list) { + res_time = res_time + Float.parseFloat(item); + } + ctx.nginx.ingress_controller.upstream.response.time = res_time; + } + catch (Exception e) { + ctx.nginx.ingress_controller.upstream.response.time = null; + } +- script: + if: ctx.nginx?.ingress_controller?.upstream?.response?.status_code_list != null && ctx.nginx.ingress_controller.upstream.response.status_code_list.length > 0 + lang: painless + source: >- + try { + if (ctx.nginx.ingress_controller.upstream.response.status_code_list.length == null) { + return; + } + int last_status_code; + for (def item : ctx.nginx.ingress_controller.upstream.response.status_code_list) { + last_status_code = Integer.parseInt(item); + } + ctx.nginx.ingress_controller.upstream.response.status_code = last_status_code; + } + catch (Exception e) { + ctx.nginx.ingress_controller.upstream.response.time = null; + } +- script: + if: ctx.nginx?.ingress_controller?.upstream_address_list != null && ctx.nginx.ingress_controller.upstream_address_list.length > 0 + lang: painless + source: >- + try { + if (ctx.nginx.ingress_controller.upstream_address_list.length == null) { + return; + } + def last_upstream = ""; + for (def item : ctx.nginx.ingress_controller.upstream_address_list) { + last_upstream = item; + } + StringTokenizer tok = new StringTokenizer(last_upstream, ":"); + if (tok.countTokens()>1) { + ctx.nginx.ingress_controller.upstream.ip = tok.nextToken(); + ctx.nginx.ingress_controller.upstream.port = Integer.parseInt(tok.nextToken()); + } else { + ctx.nginx.ingress_controller.upstream.ip = last_upstream; + } + } + catch (Exception e) { + ctx.nginx.ingress_controller.upstream.ip = null; + ctx.nginx.ingress_controller.upstream.port = null; + } - script: if: ctx.nginx?.ingress_controller?.remote_ip_list != null && ctx.nginx.ingress_controller.remote_ip_list.length > 0 lang: painless diff --git a/filebeat/module/nginx/ingress_controller/test/test.log b/filebeat/module/nginx/ingress_controller/test/test.log index 862c03a4af2..c8ba580f64d 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log +++ b/filebeat/module/nginx/ingress_controller/test/test.log @@ -20,3 +20,4 @@ 192.168.64.1 - - [07/Feb/2020:12:02:38 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 343 0.000 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 ba91c30454893c121879396b0a78be79 192.168.64.1 - - [07/Feb/2020:12:02:38 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 262 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 98c81aa2d50c67f6fb1fa16d5ce62f8f 192.168.64.1 - - [07/Feb/2020:12:02:42 +0000] "GET /v2/some HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080 61 0.000 200 835136ae24486dbb4156dcbe21f5d402 +192.168.64.14 - - [07/Feb/2020:12:02:42 +0000] "GET /v2/some HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080, 172.17.0.7:8080 61, 100 0.100, 0.004 200, 203 835136ae24486dbb4156dcbe21f5d402 diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json index 4bf393a5906..89c37b4a38e 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json +++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json @@ -28,10 +28,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -73,10 +85,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -118,10 +142,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -163,10 +199,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -280,10 +328,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -325,10 +385,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -374,10 +446,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -422,10 +506,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.6", "nginx.ingress_controller.upstream.name": "default-web2-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 61, + "nginx.ingress_controller.upstream.response.length_list": [ + "61" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -471,10 +567,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.002, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.002" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -519,10 +627,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -568,10 +688,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -616,10 +748,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.002, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.002" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -664,10 +808,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -713,10 +869,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.002, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.002" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -761,10 +929,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.6", "nginx.ingress_controller.upstream.name": "default-web2-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 61, + "nginx.ingress_controller.upstream.response.length_list": [ + "61" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.002, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.002" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -810,10 +990,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -858,10 +1050,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -903,10 +1107,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.6", "nginx.ingress_controller.upstream.name": "default-web2-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 61, + "nginx.ingress_controller.upstream.response.length_list": [ + "61" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -951,10 +1167,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -999,10 +1227,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.6", "nginx.ingress_controller.upstream.name": "default-web2-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 61, + "nginx.ingress_controller.upstream.response.length_list": [ + "61" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -1017,5 +1257,69 @@ "user_agent.os.name": "Mac OS X", "user_agent.os.version": "10.14", "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-07T12:02:42.000Z", + "event.category": [ + "web" + ], + "event.dataset": "nginx.ingress_controller", + "event.kind": "event", + "event.module": "nginx", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "ingress_controller", + "http.request.method": "GET", + "http.response.body.bytes": 61, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 5730, + "nginx.ingress_controller.http.request.id": "835136ae24486dbb4156dcbe21f5d402", + "nginx.ingress_controller.http.request.length": 348, + "nginx.ingress_controller.http.request.time": 0.001, + "nginx.ingress_controller.remote_ip_list": [ + "192.168.64.14" + ], + "nginx.ingress_controller.upstream.alternative_name": "", + "nginx.ingress_controller.upstream.ip": "172.17.0.7", + "nginx.ingress_controller.upstream.name": "default-web2-8080", + "nginx.ingress_controller.upstream.port": 8080, + "nginx.ingress_controller.upstream.response.length": 100, + "nginx.ingress_controller.upstream.response.length_list": [ + "61", + "100" + ], + "nginx.ingress_controller.upstream.response.status_code": 203, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200", + "203" + ], + "nginx.ingress_controller.upstream.response.time": 0.104, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.100", + "0.004" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080", + "172.17.0.7:8080" + ], + "related.ip": [ + "192.168.64.14" + ], + "service.type": "nginx", + "source.address": "192.168.64.14", + "source.ip": "192.168.64.14", + "url.original": "/v2/some", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." } ] \ No newline at end of file diff --git a/filebeat/module/postgresql/log/config/log.yml b/filebeat/module/postgresql/log/config/log.yml index f69d3e4d387..eeac43780bf 100644 --- a/filebeat/module/postgresql/log/config/log.yml +++ b/filebeat/module/postgresql/log/config/log.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/redis/log/config/log.yml b/filebeat/module/redis/log/config/log.yml index 9d6cae46b38..1c6b6d6c084 100644 --- a/filebeat/module/redis/log/config/log.yml +++ b/filebeat/module/redis/log/config/log.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json index 7d8ece1d7f2..50134594bfc 100644 --- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json +++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json @@ -33,6 +33,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -94,6 +95,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -155,6 +157,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -284,6 +287,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -345,6 +349,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -406,6 +411,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -467,6 +473,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -528,6 +535,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -691,6 +699,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -752,6 +761,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -813,6 +823,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -874,6 +885,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -935,6 +947,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -996,6 +1009,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -1074,6 +1088,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1135,6 +1150,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1264,6 +1280,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1325,6 +1342,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1386,6 +1404,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1447,6 +1466,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1508,6 +1528,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1637,6 +1658,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1698,6 +1720,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1759,6 +1782,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1820,6 +1844,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1881,6 +1906,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2010,6 +2036,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -2071,6 +2098,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -2132,6 +2160,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -2244,6 +2273,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2305,6 +2335,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2366,6 +2397,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2427,6 +2459,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2488,6 +2521,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2617,6 +2651,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index 88d32188bb7..dc677ebb58c 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -140,6 +140,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -196,6 +197,7 @@ "source.geo.city_name": "Hangzhou", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 30.294, "source.geo.location.lon": 120.1619, "source.geo.region_iso_code": "CN-ZJ", diff --git a/filebeat/module/traefik/access/config/traefik-access.yml b/filebeat/module/traefik/access/config/traefik-access.yml index 183de629867..b39221031f3 100644 --- a/filebeat/module/traefik/access/config/traefik-access.yml +++ b/filebeat/module/traefik/access/config/traefik-access.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/traefik/access/test/test.log-expected.json b/filebeat/module/traefik/access/test/test.log-expected.json index a5723ed5c27..631673fe351 100644 --- a/filebeat/module/traefik/access/test/test.log-expected.json +++ b/filebeat/module/traefik/access/test/test.log-expected.json @@ -69,6 +69,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -116,6 +117,7 @@ "source.geo.city_name": "Ottawa", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "CA", + "source.geo.country_name": "Canada", "source.geo.location.lat": 45.2691, "source.geo.location.lon": -75.7518, "source.geo.region_iso_code": "CA-ON", @@ -203,6 +205,7 @@ "source.geo.city_name": "Warsaw", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 52.25, "source.geo.location.lon": 21.0, "source.geo.region_iso_code": "PL-14", @@ -249,6 +252,7 @@ "source.geo.city_name": "Gda\u0144sk", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.3605, "source.geo.location.lon": 18.649, "source.geo.region_iso_code": "PL-22", diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index d449258c40f..fa3caa93475 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -131,22 +131,29 @@ def run_on_file(self, module, fileset, test_file, cfgfile): cmd.append("{module}.{fileset}.var.format=json".format(module=module, fileset=fileset)) output_path = os.path.join(self.working_dir) - output = open(os.path.join(output_path, "output.log"), "ab") - output.write(bytes(" ".join(cmd) + "\n", "utf-8")) - - # Use a fixed timezone so results don't vary depending on the environment - # Don't use UTC to avoid hiding that non-UTC timezones are not being converted as needed, - # this can happen because UTC uses to be the default timezone in date parsers when no other - # timezone is specified. - local_env = os.environ.copy() - local_env["TZ"] = 'Etc/GMT+2' - - subprocess.Popen(cmd, - env=local_env, - stdin=None, - stdout=output, - stderr=subprocess.STDOUT, - bufsize=0).wait() + # Runs inside a with block to ensure file is closed afterwards + with open(os.path.join(output_path, "output.log"), "ab") as output: + output.write(bytes(" ".join(cmd) + "\n", "utf-8")) + + # Use a fixed timezone so results don't vary depending on the environment + # Don't use UTC to avoid hiding that non-UTC timezones are not being converted as needed, + # this can happen because UTC uses to be the default timezone in date parsers when no other + # timezone is specified. + local_env = os.environ.copy() + local_env["TZ"] = 'Etc/GMT+2' + + subprocess.Popen(cmd, + env=local_env, + stdin=None, + stdout=output, + stderr=subprocess.STDOUT, + bufsize=0).wait() + + # List of errors to check in filebeat output logs + errors = ["Error loading pipeline for fileset"] + # Checks if the output of filebeat includes errors + contains_error, error_line = file_contains(os.path.join(output_path, "output.log"), errors) + assert contains_error is False, "Error found in log:{}".format(error_line) # Make sure index exists self.wait_until(lambda: self.es.indices.exists(self.index_name)) @@ -305,5 +312,14 @@ def delete_key(obj, key): del obj[key] +def file_contains(filepath, strings): + with open(filepath, 'r') as file: + for line in file: + for string in strings: + if string in line: + return True, line + return False, None + + def pretty_json(obj): return json.dumps(obj, indent=2, separators=(',', ': ')) diff --git a/filebeat/tests/system/test_reload_inputs.py b/filebeat/tests/system/test_reload_inputs.py index 4de554fe2c6..4c5fa1abfba 100644 --- a/filebeat/tests/system/test_reload_inputs.py +++ b/filebeat/tests/system/test_reload_inputs.py @@ -1,4 +1,5 @@ import os +import pytest import time from filebeat import BaseTest @@ -249,6 +250,8 @@ def test_load_configs(self): assert output[0]["message"] == first_line assert output[1]["message"] == second_line + # 1/20 build fails https://github.com/elastic/beats/issues/21307 + @pytest.mark.flaky(reruns=1, reruns_delay=10) def test_reload_same_config(self): """ Test reload same config with same file but different config. Makes sure reloading also works on conflicts. diff --git a/generator/Jenkinsfile.yml b/generator/Jenkinsfile.yml index 071d24858bb..b20081956ee 100644 --- a/generator/Jenkinsfile.yml +++ b/generator/Jenkinsfile.yml @@ -23,21 +23,25 @@ stages: make: "make -C generator/_templates/metricbeat test" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test generator for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags macos-beat: make: "make -C generator/_templates/beat test" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test generator for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/go.mod b/go.mod index 2fafe750879..0f0bdb3a422 100644 --- a/go.mod +++ b/go.mod @@ -45,6 +45,7 @@ require ( github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892 // indirect github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 // indirect + github.com/dgraph-io/badger/v2 v2.2007.2 github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible // indirect github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1 github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf // indirect @@ -55,7 +56,7 @@ require ( github.com/docker/go-units v0.4.0 github.com/dop251/goja v0.0.0-20200831102558-9af81ddcf0e1 github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 - github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 + github.com/dustin/go-humanize v1.0.0 github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 github.com/elastic/ecs v1.6.0 github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a @@ -107,6 +108,7 @@ require ( github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd github.com/jpillora/backoff v1.0.0 // indirect github.com/jstemmer/go-junit-report v0.9.1 + github.com/kardianos/service v1.1.0 github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 github.com/magefile/mage v1.10.0 @@ -123,6 +125,7 @@ require ( github.com/oklog/ulid v1.3.1 github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 // indirect github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 // indirect + github.com/otiai10/copy v1.2.0 github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0 github.com/pkg/errors v0.9.1 github.com/pmezard/go-difflib v1.0.0 @@ -140,12 +143,13 @@ require ( github.com/satori/go.uuid v1.2.0 // indirect github.com/shirou/gopsutil v2.19.11+incompatible github.com/shopspring/decimal v1.2.0 - github.com/spf13/cobra v0.0.3 + github.com/spf13/cobra v0.0.5 github.com/spf13/pflag v1.0.5 github.com/stretchr/objx v0.2.0 // indirect github.com/stretchr/testify v1.6.1 github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786 + github.com/ugorji/go/codec v1.1.8 github.com/urso/sderr v0.0.0-20200210124243-c2a16f3d43ec github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c @@ -187,6 +191,7 @@ replace ( github.com/Azure/go-autorest => github.com/Azure/go-autorest v12.2.0+incompatible github.com/Shopify/sarama => github.com/elastic/sarama v1.19.1-0.20200629123429-0e7b69039eec github.com/cucumber/godog => github.com/cucumber/godog v0.8.1 + github.com/dgraph-io/badger/v2 => github.com/elastic/badger/v2 v2.2007.2-beats github.com/docker/docker => github.com/docker/engine v0.0.0-20191113042239-ea84732a7725 github.com/docker/go-plugins-helpers => github.com/elastic/go-plugins-helpers v0.0.0-20200207104224-bdf17607b79f github.com/dop251/goja => github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 @@ -195,6 +200,7 @@ replace ( github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 github.com/insomniacslk/dhcp => github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 // indirect + github.com/kardianos/service => github.com/blakerouse/service v1.1.1-0.20200924160513-057808572ffa github.com/tonistiigi/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c golang.org/x/tools => golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0 // release 1.14 ) diff --git a/go.sum b/go.sum index 44f6eeb2ba0..6f737d7cee2 100644 --- a/go.sum +++ b/go.sum @@ -76,6 +76,8 @@ github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbt github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/DataDog/zstd v1.4.1 h1:3oxKN3wbHibqx897utPC2LTQU4J+IHWWJO+glkAkpFM= +github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 h1:ygIc8M6trr62pF5DucadTWGdEB4mEyvzi0e2nbcmcyA= @@ -83,6 +85,8 @@ github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tT github.com/Microsoft/hcsshim v0.8.7 h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg= github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/toxiproxy v2.1.4+incompatible h1:TKdv8HiTLgE5wdJuEML90aBgNWsokNbMijUGhmcoBJc= @@ -112,6 +116,7 @@ github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d h1:OE3kzLBpy7pOJEzE55 github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= @@ -127,6 +132,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blakerouse/service v1.1.1-0.20200924160513-057808572ffa h1:aXHPZwx8Y5z8r+1WPylnu095usTf6QSshaHs6nVMBc0= +github.com/blakerouse/service v1.1.1-0.20200924160513-057808572ffa/go.mod h1:RrJI2xn5vve/r32U5suTbeaSGoMU6GbNPoj36CVYcHc= github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2 h1:oMCHnXa6CCCafdPDbMh/lWRhRByN0VFLvv+g+ayx1SI= github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= @@ -139,6 +146,8 @@ github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284 github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e h1:Gbx+iVCXG/1m5WSnidDGuHgN+vbIwl+6fR092ANU+Y8= github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e/go.mod h1:AZIh1CCnMrcVm6afFf96PBvE2MRpWFco91z8ObJtgDY= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= @@ -168,12 +177,16 @@ github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c/go.mod h1:ODA38xgv github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.0.0 h1:XJIw/+VlJ+87J+doOxznsAWIdmWuViOVhkQamW5YV28= github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea h1:n2Ltr3SrfQlf/9nOna1DoGKxLx3qTSI8Ttl6Xrqp6mw= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cucumber/godog v0.8.1 h1:lVb+X41I4YDreE+ibZ50bdXmySxgRviYFgKY6Aw4XE8= github.com/cucumber/godog v0.8.1/go.mod h1:vSh3r/lM+psC1BPXvdkSEuNjmXfpVqrMGYAElF6hxnA= github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg= @@ -188,9 +201,13 @@ github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e/go.mod h1:xb github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 h1:6+hM8KeYKV0Z9EIINNqIEDyyIRAcNc2FW+/TUYNmWyw= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= +github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de h1:t0UHb5vdojIDUqktM6+xJAfScFBsVpXZmqC9dsgJmeA= +github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible h1:4jGdduO4ceTJFKf0IhgaB8NJapGqKHwC2b4xQ/cXujM= github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= +github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1 h1:eG5K5GNAAHvQlFmfIuy0Ocjg5dvyX22g/KknwTpmBko= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1/go.mod h1:PRcPVAAma6zcLpFd4GZrjR/MRpood3TamjKI2m/z/Uw= github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4= @@ -211,8 +228,9 @@ github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96 h1:cenwrSVm+Z7QL github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 h1:RrkoB0pT3gnjXhL/t10BSP1mcr/0Ldea2uMyuBr2SWk= github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6/go.mod h1:hn7BA7c8pLvoGndExHudxTDKZ84Pyvv+90pbBjbTz0Y= -github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 h1:qk/FSDDxo05wdJH28W+p5yivv7LuLYLRXPPD8KQCtZs= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/eapache/go-resiliency v1.2.0 h1:v7g92e/KSN71Rq7vSThKaWIq68fL4YHvWyiUKorFR1Q= github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 h1:YEetp8/yCZMuEPMUDHG0CW/brkkEp8mzqk2+ODEitlw= @@ -221,6 +239,8 @@ github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 h1:DW6WrARxK5J+o8uAKCiACi5wy9EK1UzrsCpGBPsKHAA= github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= +github.com/elastic/badger/v2 v2.2007.2-beats h1:/rV4bM6fdYvPQhFf2bHHivIb0H4nX8Or7nkWbQ/Q6Ko= +github.com/elastic/badger/v2 v2.2007.2-beats/go.mod h1:26P/7fbL4kUZVEVKLAKXkBXKOydDmM2p1e+NhhnBCAE= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY= github.com/elastic/ecs v1.6.0 h1:8NmgfnsjmKXh9hVsK3H2tZtfUptepNc3msJOAynhtmc= @@ -325,7 +345,6 @@ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -337,7 +356,6 @@ github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFU github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= @@ -364,7 +382,6 @@ github.com/google/go-github/v29 v29.0.2 h1:opYN6Wc7DOz7Ku3Oh4l7prmkOMwEcQxpFtxdU github.com/google/go-github/v29 v29.0.2/go.mod h1:CHKiKKPHJ0REzfwc14QMklvtHwCveD0PxlMjLlzAM5E= github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= -github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -401,7 +418,6 @@ github.com/grpc-ecosystem/grpc-gateway v1.13.0 h1:sBDQoHXrOlfPobnKw69FIKa1wg9qsL github.com/grpc-ecosystem/grpc-gateway v1.13.0/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= github.com/h2non/filetype v1.0.12 h1:yHCsIe0y2cvbDARtJhGBTD2ecvqMSTvlIcph9En/Zao= github.com/h2non/filetype v1.0.12/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY= -github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce h1:prjrVgOk2Yg6w+PflHoszQNLTUh4kaByUcEWM/9uin4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -422,6 +438,7 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.2-0.20190520140433-59383c442f7d h1:Ft6PtvobE9vwkCsuoNO5DZDbhKkKuktAlSsiOi1X5NA= github.com/hashicorp/golang-lru v0.5.2-0.20190520140433-59383c442f7d/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/haya14busa/go-actions-toolkit v0.0.0-20200105081403-ca0307860f01 h1:HiJF8Mek+I7PY0Bm+SuhkwaAZSZP83sw6rrTMrgZ0io= github.com/haya14busa/go-actions-toolkit v0.0.0-20200105081403-ca0307860f01/go.mod h1:1DWDZmeYf0LX30zscWb7K9rUMeirNeBMd5Dum+seUhc= github.com/haya14busa/go-checkstyle v0.0.0-20170303121022-5e9d09f51fa1/go.mod h1:RsN5RGgVYeXpcXNtWyztD5VIe7VNSEqpJvF2iEH7QvI= @@ -453,7 +470,6 @@ github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgb github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.7 h1:KfgG9LzI+pYjr4xvmz/5H4FXjokeP+rlHLhv3iH62Fo= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= @@ -476,7 +492,6 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= @@ -488,10 +503,10 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+ github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 h1:EPw7R3OAyxHBCyl0oqh3lUZqS5lu3KSxzzGasE0opXQ= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= -github.com/magefile/mage v1.9.0 h1:t3AU2wNwehMCW97vuqQLtw6puppWXHO+O2MHo5a50XE= github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magefile/mage v1.10.0 h1:3HiXzCUY12kh9bIuyXShaVe529fJfyqoVM42o/uom2g= github.com/magefile/mage v1.10.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.1 h1:mdxE1MF9o53iCb2Ghj1VfWvh7ZOwHpnVG/xwXrV90U8= github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= @@ -541,7 +556,6 @@ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= @@ -563,8 +577,17 @@ github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rm github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= +github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k= +github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= +github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= +github.com/otiai10/curr v1.0.0 h1:TJIWdbX0B+kpNagQrjgq8bCMrbhiuX73M2XwgtDMoOI= +github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= +github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= +github.com/otiai10/mint v1.3.1 h1:BCmzIS3n71sGfHB5NMNDB3lHYPz8fWSkCAErHed//qc= +github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2 h1:CXwSGu/LYmbjEab5aMCs5usQRVBGThelUKBNnoSOuso= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pierrec/lz4 v2.4.1+incompatible h1:mFe7ttWaflA46Mhqh+jUfjp2qTbPYxLB2/OyBppH9dg= github.com/pierrec/lz4 v2.4.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= @@ -611,6 +634,7 @@ github.com/reviewdog/reviewdog v0.9.17 h1:MKb3rlQZgkEXr3d85iqtYNITXn7gDJr2kT0Ihg github.com/reviewdog/reviewdog v0.9.17/go.mod h1:Y0yPFDTi9L5ohkoecJdgbvAhq+dUXp+zI7atqVibwKg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e h1:hUGyBE/4CXRPThr4b6kt+f1CN90no4Fs5CNrYOKYSIg= github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e/go.mod h1:Sb6li54lXV0yYEjI4wX8cucdQ9gqUJV3+Ngg3l9g30I= github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54 h1:jbchLJWyhKcmOjkbC4zDvT/n5EEd7g6hnnF760rEyRA= @@ -640,14 +664,22 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykE github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs= github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= +github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8= -github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48= @@ -656,9 +688,7 @@ github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnR github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.0 h1:DMOzIV76tmoDNE9pX6RSN0aDtCYeCg5VueieJaAo1uw= github.com/stretchr/testify v1.5.0/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= @@ -667,6 +697,11 @@ github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b h1:X/8hkb4rQq3+QuOxp github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b/go.mod h1:jAqhj/JBVC1PwcLTWd6rjQyGyItxxrhpiBl8LSuAGmw= github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786 h1:B/IVHYiI0d04dudYw+CvCAGqSMq8d0yWy56eD6p85BQ= github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786/go.mod h1:RIkfovP3Y7my19aXEjjbNd9E5TlHozzAyt7B8AaEcwg= +github.com/ugorji/go v1.1.8 h1:/D9x7IRpfMHDlizVOgxrag5Fh+/NY+LtI8bsr+AswRA= +github.com/ugorji/go v1.1.8/go.mod h1:0lNM99SwWUIRhCXnigEMClngXBk/EmpTXa7mgiewYWA= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/ugorji/go/codec v1.1.8 h1:4dryPvxMP9OtkjIbuNeK2nb27M38XMHLGlfNSNph/5s= +github.com/ugorji/go/codec v1.1.8/go.mod h1:X00B19HDtwvKbQY2DcYjvZxKQp8mzrJoQ6EgoIY/D2E= github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797 h1:OHNw/6pXODJAB32NujjdQO/KIYQ3KAbHQfCzH81XdCs= github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797/go.mod h1:pNWFTeQ+V1OYT/TzWpnWb6eQBdoXpdx+H+lrH97/Oyo= @@ -695,9 +730,9 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1: github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56 h1:yhqBHs09SmmUoNOHc9jgK4a60T3XFRtPAkYxVnqgY50= github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7 h1:0gYLpmzecnaDCoeWxSfEJ7J1b6B/67+NV++4HKQXx+Y= github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7/go.mod h1:aEV29XrmTYFr3CiRxZeGHpkvbwq+prZduBqMaascyCU= -go.elastic.co/apm v1.7.2 h1:0nwzVIPp4PDBXSYYtN19+1W5V+sj+C25UjqxDVoKcA8= go.elastic.co/apm v1.7.2/go.mod h1:tCw6CkOJgkWnzEthFN9HUP1uL3Gjc/Ur6m7gRPLaoH0= go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b h1:Sf+V3eV91ZuXjF3824SABFgXU+z4ZEuIX5ikDvt2lCE= go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b/go.mod h1:qoOSi09pnzJDh5fKnfY7bPmQgl8yl2tULdOu03xhui0= @@ -707,7 +742,6 @@ go.elastic.co/apm/module/apmhttp v1.7.2 h1:2mRh7SwBuEVLmJlX+hsMdcSg9xaielCLElaPn go.elastic.co/apm/module/apmhttp v1.7.2/go.mod h1:sTFWiWejnhSdZv6+dMgxGec2Nxe/ZKfHfz/xtRM+cRY= go.elastic.co/ecszap v0.1.1-0.20200424093508-cdd95a104193 h1:NjYJ/beChqugXSavTkH5tF6shvr/is8jdgJ331wfwT8= go.elastic.co/ecszap v0.1.1-0.20200424093508-cdd95a104193/go.mod h1:HTUi+QRmr3EuZMqxPX+5fyOdMNfUu5iPebgfhgsTJYQ= -go.elastic.co/fastjson v1.0.0 h1:ooXV/ABvf+tBul26jcVViPT3sBir0PvXgibYB1IQQzg= go.elastic.co/fastjson v1.0.0/go.mod h1:PmeUOMMtLHQr9ZS9J9owrAVg0FkaZDRZJEFTTGHtchs= go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4= go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI= @@ -731,6 +765,7 @@ go.uber.org/zap v1.14.0 h1:/pduUoebOeeJzTDFuoMgC6nRkiasr1sBCIEorly7m4o= go.uber.org/zap v1.14.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= @@ -757,7 +792,6 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f h1:J5lckAjkw6qYlOZNj90mLYNTEKDvWeuc1yieZ8qUzUE= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367 h1:0IiAsCRByjO2QjX7ZPkw5oU9x+n1YqRL802rjC0c3Aw= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= @@ -791,7 +825,6 @@ golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b h1:0mm1VjtFUOIlE1SbDlwjYaDxZVDP2S5ou6y0gSgXHu8= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -808,7 +841,6 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -817,6 +849,8 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -829,6 +863,7 @@ golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -837,12 +872,9 @@ golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c h1:OYFUffxXPezb7BVTx9AaD4Vl0qtxmklBIkwCKH1YwDY= golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e h1:LwyF2AFISC9nVbS6MgzsaQNSUsRXI49GS+YQ5KX/QH0= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1 h1:ogLJMz+qpzav7lGMh10LMvAkM/fAoGlaiiHYiFYdm80= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae h1:Ih9Yo4hSPImZOpfGuA4bR/ORKTAbhZo2AbWNRCnevdo= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -893,7 +925,6 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1 h1:zvIju4sqAGvwKspUQOhwnpcqSbzi7/H6QomNNjTL4sk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= @@ -905,7 +936,6 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= -gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -937,7 +967,6 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/heartbeat/Jenkinsfile.yml b/heartbeat/Jenkinsfile.yml index 0a352c3dfc0..c465138791b 100644 --- a/heartbeat/Jenkinsfile.yml +++ b/heartbeat/Jenkinsfile.yml @@ -19,15 +19,27 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test heartbeat for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test heartbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index 20e797faf1a..e80238bca4c 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -361,8 +361,15 @@ type: object [[exported-fields-ecs]] == ECS fields -ECS Fields. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. *`@timestamp`*:: + diff --git a/heartbeat/docs/getting-started.asciidoc b/heartbeat/docs/getting-started.asciidoc index 21da1fb0547..1cd73dbb04f 100644 --- a/heartbeat/docs/getting-started.asciidoc +++ b/heartbeat/docs/getting-started.asciidoc @@ -96,9 +96,43 @@ was started. Heartbeat adds the `@every` keyword to the syntax provided by the include::{libbeat-dir}/shared/config-check.asciidoc[] +[float] +[[configurelocation]] +=== Step 4: Configure the Heartbeat location + +Heartbeat can be deployed in multiple locations so that you can detect +differences in availability and response times across those locations. +Configure the Heartbeat location to allow {kib} to display location-specific +information on Uptime maps and perform Uptime anomaly detection based +on location. + +To configure the location of a Heartbeat instance, modify the +`add_observer_metadata` processor in +{beatname_lc}.yml+. The following +example specifies the `geo.name` of the `add_observer_metadata` processor as +`us-east-1a`: + +[source,yaml] +---------------------------------------------------------------------- +# ============================ Processors ============================ + +processors: + - add_observer_metadata: + # Optional, but recommended geo settings for the location Heartbeat is running in + geo: <1> + # Token describing this location + name: us-east-1a <2> + # Lat, Lon " + #location: "37.926868, -78.024902" <3> +---------------------------------------------------------------------- +<1> Uncomment the `geo` setting. +<2> Uncomment `name` and assign the name of the location of the Heartbeat server. +<3> Optionally uncomment `location` and assign the latitude and longitude. + +include::{libbeat-dir}/shared/config-check.asciidoc[] + [float] [[setup-assets]] -=== Step 4: Set up assets +=== Step 5: Set up assets {beatname_uc} comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets: @@ -128,7 +162,7 @@ environment. If you're using a different output, such as {ls}, see [float] [[start]] -=== Step 5: Start Heartbeat +=== Step 6: Start Heartbeat Before starting {beatname_uc}, modify the user credentials in +{beatname_lc}.yml+ and specify a user who is @@ -145,7 +179,7 @@ events to your defined output. [float] [[view-data]] -=== Step 6: View your data in {kib} +=== Step 7: View your data in {kib} {beatname_uc} comes with pre-built {kib} dashboards and UIs for visualizing the status of your services. The dashboards are available in the diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index bb7627508a4..57f97a4162e 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc @@ -914,8 +914,15 @@ type: object [[exported-fields-ecs]] == ECS fields -ECS Fields. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. *`@timestamp`*:: + diff --git a/libbeat/beat/pipeline.go b/libbeat/beat/pipeline.go index 699c96d8b62..f13b3c39ff2 100644 --- a/libbeat/beat/pipeline.go +++ b/libbeat/beat/pipeline.go @@ -138,6 +138,7 @@ type ClientEventer interface { type ProcessorList interface { Processor + Close() error All() []Processor } diff --git a/libbeat/cmd/instance/beat.go b/libbeat/cmd/instance/beat.go index ca58b9b321f..714b266ea84 100644 --- a/libbeat/cmd/instance/beat.go +++ b/libbeat/cmd/instance/beat.go @@ -371,6 +371,11 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error { if err != nil { return err } + defer func() { + if err := b.processing.Close(); err != nil { + logp.Warn("Failed to close global processing: %v", err) + } + }() // Windows: Mark service as stopped. // After this is run, a Beat service is considered by the OS to be stopped diff --git a/libbeat/cmd/instance/metrics.go b/libbeat/cmd/instance/metrics.go index fa0d42bbeaf..24d3d12e3e1 100644 --- a/libbeat/cmd/instance/metrics.go +++ b/libbeat/cmd/instance/metrics.go @@ -285,6 +285,10 @@ func reportBeatCgroups(_ monitoring.Mode, V monitoring.Visitor) { logp.Err("error getting group status: %v", err) return } + // GetStatsForProcess returns a nil selfStats and no error when there's no stats + if selfStats == nil { + return + } if cpu := selfStats.CPU; cpu != nil { monitoring.ReportNamespace(V, "cpu", func() { diff --git a/libbeat/common/cli/input.go b/libbeat/common/cli/input.go new file mode 100644 index 00000000000..a6a516fd3d4 --- /dev/null +++ b/libbeat/common/cli/input.go @@ -0,0 +1,43 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package cli + +import ( + "bufio" + "fmt" + "io" + "os" + + "github.com/pkg/errors" +) + +// ReadInput shows the text and ask the user to provide input. +func ReadInput(prompt string) (string, error) { + reader := bufio.NewReader(os.Stdin) + return input(reader, prompt) +} + +func input(r io.Reader, prompt string) (string, error) { + reader := bufio.NewScanner(r) + fmt.Print(prompt + " ") + + if !reader.Scan() { + return "", errors.New("error reading user input") + } + return reader.Text(), nil +} diff --git a/libbeat/common/cli/input_test.go b/libbeat/common/cli/input_test.go new file mode 100644 index 00000000000..de87b5efe2a --- /dev/null +++ b/libbeat/common/cli/input_test.go @@ -0,0 +1,63 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package cli + +import ( + "strings" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestReadInput(t *testing.T) { + tests := []struct { + name string + input string + res string + }{ + { + name: "Question 1?", + input: "\n", + res: "", + }, + { + name: "Question 2?", + input: "full string input\n", + res: "full string input", + }, + { + name: "Question 3?", + input: "123456789\n", + res: "123456789", + }, + { + name: "Question 4?", + input: "false\n", + res: "false", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + r := strings.NewReader(test.input) + result, err := input(r, test.name) + assert.NoError(t, err) + assert.Equal(t, test.res, result) + }) + } +} diff --git a/libbeat/common/docker/watcher.go b/libbeat/common/docker/watcher.go index 0543d37e9c3..2421c232eee 100644 --- a/libbeat/common/docker/watcher.go +++ b/libbeat/common/docker/watcher.go @@ -138,6 +138,7 @@ func NewWatcher(log *logp.Logger, host string, tls *TLSConfig, storeShortID bool // Extra check to confirm that Docker is available _, err = client.Info(context.Background()) if err != nil { + client.Close() return nil, err } @@ -395,14 +396,12 @@ func (w *watcher) cleanupWorker() { log := w.log for { - // Wait a full period - time.Sleep(w.cleanupTimeout) - select { case <-w.ctx.Done(): w.stopped.Done() return - default: + // Wait a full period + case <-time.After(w.cleanupTimeout): // Check entries for timeout var toDelete []string timeout := time.Now().Add(-w.cleanupTimeout) diff --git a/libbeat/common/transport/tlscommon/tls.go b/libbeat/common/transport/tlscommon/tls.go index 5dea417637e..ba44310727c 100644 --- a/libbeat/common/transport/tlscommon/tls.go +++ b/libbeat/common/transport/tlscommon/tls.go @@ -24,7 +24,10 @@ import ( "encoding/pem" "errors" "fmt" + "io" "io/ioutil" + "os" + "strings" "github.com/elastic/beats/v7/libbeat/logp" ) @@ -63,17 +66,23 @@ func LoadCertificate(config *CertificateConfig) (*tls.Certificate, error) { return nil, err } - log.Debugf("tls", "loading certificate: %v and key %v", certificate, key) + log.Debugf("Loading certificate: %v and key %v", certificate, key) return &cert, nil } -// ReadPEMFile reads a PEM format file on disk and decrypt it with the privided password and -// return the raw content. -func ReadPEMFile(log *logp.Logger, path, passphrase string) ([]byte, error) { +// ReadPEMFile reads a PEM formatted string either from disk or passed as a plain text starting with a "-" +// and decrypt it with the provided password and return the raw content. +func ReadPEMFile(log *logp.Logger, s, passphrase string) ([]byte, error) { pass := []byte(passphrase) var blocks []*pem.Block - content, err := ioutil.ReadFile(path) + r, err := NewPEMReader(s) + if err != nil { + return nil, err + } + defer r.Close() + + content, err := ioutil.ReadAll(r) if err != nil { return nil, err } @@ -102,7 +111,7 @@ func ReadPEMFile(log *logp.Logger, path, passphrase string) ([]byte, error) { if err != nil { log.Errorf("Dropping encrypted pem '%v' block read from %v. %+v", - block.Type, path, err) + block.Type, r, err) continue } @@ -139,20 +148,28 @@ func LoadCertificateAuthorities(CAs []string) (*x509.CertPool, []error) { log := logp.NewLogger(logSelector) roots := x509.NewCertPool() - for _, path := range CAs { - pemData, err := ioutil.ReadFile(path) + for _, s := range CAs { + r, err := NewPEMReader(s) if err != nil { log.Errorf("Failed reading CA certificate: %+v", err) - errors = append(errors, fmt.Errorf("%v reading %v", err, path)) + errors = append(errors, fmt.Errorf("%v reading %v", err, r)) + continue + } + defer r.Close() + + pemData, err := ioutil.ReadAll(r) + if err != nil { + log.Errorf("Failed reading CA certificate: %+v", err) + errors = append(errors, fmt.Errorf("%v reading %v", err, r)) continue } if ok := roots.AppendCertsFromPEM(pemData); !ok { - log.Error("Failed to add CA to the cert pool, CA is not a valid PEM file") - errors = append(errors, fmt.Errorf("%v adding %v to the list of known CAs", ErrNotACertificate, path)) + log.Error("Failed to add CA to the cert pool, CA is not a valid PEM document") + errors = append(errors, fmt.Errorf("%v adding %v to the list of known CAs", ErrNotACertificate, r)) continue } - log.Debugf("tls", "successfully loaded CA certificate: %v", path) + log.Debugf("Successfully loaded CA certificate: %v", r) } return roots, errors @@ -187,3 +204,45 @@ func ResolveTLSVersion(v uint16) string { func ResolveCipherSuite(cipher uint16) string { return tlsCipherSuite(cipher).String() } + +// PEMReader allows to read a certificate in PEM format either through the disk or from a string. +type PEMReader struct { + reader io.ReadCloser + debugStr string +} + +// NewPEMReader returns a new PEMReader. +func NewPEMReader(certificate string) (*PEMReader, error) { + if IsPEMString(certificate) { + // Take a substring of the certificate so we do not leak the whole certificate or private key in the log. + debugStr := certificate[0:256] + "..." + return &PEMReader{reader: ioutil.NopCloser(strings.NewReader(certificate)), debugStr: debugStr}, nil + } + + r, err := os.Open(certificate) + if err != nil { + return nil, err + } + return &PEMReader{reader: r, debugStr: certificate}, nil +} + +// Close closes the target io.ReadCloser. +func (p *PEMReader) Close() error { + return p.reader.Close() +} + +// Read read bytes from the io.ReadCloser. +func (p *PEMReader) Read(b []byte) (n int, err error) { + return p.reader.Read(b) +} + +func (p *PEMReader) String() string { + return p.debugStr +} + +// IsPEMString returns true if the provided string match a PEM formatted certificate. try to pem decode to validate. +func IsPEMString(s string) bool { + // Trim the certificates to make sure we tolerate any yaml weirdness, we assume that the string starts + // with "-" and let further validation verifies the PEM format. + return strings.HasPrefix(strings.TrimSpace(s), "-") +} diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go index 42748770069..53e9da18db3 100644 --- a/libbeat/common/transport/tlscommon/tls_test.go +++ b/libbeat/common/transport/tlscommon/tls_test.go @@ -22,6 +22,8 @@ package tlscommon import ( "crypto/tls" "fmt" + "io/ioutil" + "os" "testing" "github.com/stretchr/testify/assert" @@ -331,3 +333,267 @@ func TestResolveCipherSuite(t *testing.T) { c := ResolveCipherSuite(tls.TLS_RSA_WITH_AES_128_CBC_SHA) assert.Equal(t, "RSA-AES-128-CBC-SHA", c) } + +func TestPEMString(t *testing.T) { + t.Run("is PEM formatted String", func(t *testing.T) { + c := `-----BEGIN CERTIFICATE----- +MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF +ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 +MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n +fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl +94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t +/D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP +PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 +CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O +BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux +8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D +874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw +3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA +H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu +8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 +yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk +sxSmbIUfc2SGJGCJD4I= +-----END CERTIFICATE-----` + assert.True(t, IsPEMString(c)) + }) + + // Well use `|` if you want to keep the newline, theses are required so the PEM document is valid. + t.Run("From the YAML/multiline", func(t *testing.T) { + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +cipher_suites: null +curve_types: null +supported_protocols: null + `) + assert.NoError(t, err) + assert.True(t, IsPEMString(cfg.CAs[0])) + }) + + t.Run("is not a PEM formatted String", func(t *testing.T) { + c := "/tmp/certificate" + assert.False(t, IsPEMString(c)) + }) + + t.Run("is an empty string", func(t *testing.T) { + c := "" + assert.False(t, IsPEMString(c)) + }) +} + +func TestCertificate(t *testing.T) { + // Write certificate to a temporary file. + c := `-----BEGIN CERTIFICATE----- +MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF +ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 +MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n +fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl +94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t +/D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP +PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 +CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O +BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux +8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D +874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw +3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA +H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu +8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 +yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk +sxSmbIUfc2SGJGCJD4I= +-----END CERTIFICATE-----` + f, err := ioutil.TempFile("", "certificate.crt") + f.WriteString(c) + f.Close() + assert.NoError(t, err) + defer os.Remove(f.Name()) + + t.Run("certificate authorities", func(t *testing.T) { + t.Run("From configuration", func(t *testing.T) { + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +cipher_suites: null +curve_types: null +supported_protocols: null + `) + assert.NoError(t, err) + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + assert.NotNil(t, tlsC) + }) + + t.Run("From disk", func(t *testing.T) { + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + + cfg.CAs = []string{f.Name()} + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + + t.Run("mixed from disk and embed", func(t *testing.T) { + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + + cfg.CAs = []string{f.Name(), c} + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + }) + + t.Run("Certificate and Private keys", func(t *testing.T) { + key := ` +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI +sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP +Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F +KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 +MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z +HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ +nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx +Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 +eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ +Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM +epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve +Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn +BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 +VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU +zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 +GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA +5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 +TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF +hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li +e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze +Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T +kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ +kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav +NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K +0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc +nygO9KTJuUiBrLr0AHEnqko= +-----END PRIVATE KEY----- +` + t.Run("embed", func(t *testing.T) { + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + cfg.Certificate.Certificate = c + cfg.Certificate.Key = key + + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + + t.Run("From disk", func(t *testing.T) { + k, err := ioutil.TempFile("", "certificate.key") + k.WriteString(key) + k.Close() + assert.NoError(t, err) + defer os.Remove(k.Name()) + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + + cfg.Certificate.Certificate = f.Name() + cfg.Certificate.Key = k.Name() + + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + }) +} diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index 4215186d430..24e0ee43651 100644 --- a/libbeat/docs/release.asciidoc +++ b/libbeat/docs/release.asciidoc @@ -8,6 +8,7 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade. +* <> * <> * <> * <> diff --git a/libbeat/docs/repositories.asciidoc b/libbeat/docs/repositories.asciidoc index a7104414465..1b27a6c0b44 100644 --- a/libbeat/docs/repositories.asciidoc +++ b/libbeat/docs/repositories.asciidoc @@ -122,7 +122,7 @@ sudo apt-get update && sudo apt-get install {beatname_pkg} -------------------------------------------------- sudo systemctl enable {beatname_pkg} -------------------------------------------------- - ++ If your system does not use `systemd` then run: + ["source","sh",subs="attributes"] @@ -224,7 +224,7 @@ sudo yum install {beatname_pkg} -------------------------------------------------- sudo systemctl enable {beatname_pkg} -------------------------------------------------- - ++ If your system does not use `systemd` then run: + ["source","sh",subs="attributes"] @@ -233,4 +233,3 @@ sudo chkconfig --add {beatname_pkg} -------------------------------------------------- endif::[] - diff --git a/libbeat/docs/shared-securing-beat.asciidoc b/libbeat/docs/shared-securing-beat.asciidoc index b8dcc3b1957..e1c47d91f2c 100644 --- a/libbeat/docs/shared-securing-beat.asciidoc +++ b/libbeat/docs/shared-securing-beat.asciidoc @@ -29,11 +29,13 @@ For secure communication between APM Server and APM Agents, see <> endif::[] +endif::[] // APM HTTPS information ifdef::beat-specific-security[] @@ -70,5 +72,7 @@ endif::[] // Linux Seccomp ifndef::serverless[] +ifndef::win_only[] include::./security/linux-seccomp.asciidoc[] endif::[] +endif::[] diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc index 8aa9a33a828..43a88002bcd 100644 --- a/libbeat/docs/shared-ssl-config.asciidoc +++ b/libbeat/docs/shared-ssl-config.asciidoc @@ -105,6 +105,32 @@ NOTE: SSL settings are disabled if either `enabled` is set to `false` or the ==== `certificate_authorities` The list of root certificates for server verifications. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used. +By default you can specify a list of file that +{beatname_lc} will read, but you can also embed a certificate directly in the `YAML` configuration: + +[source,yaml] +---- +certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +---- [float] [[certificate]] @@ -117,12 +143,72 @@ require client authentication, the certificate will be loaded, but not requested by the server. When this option is configured, the <> option is also required. +The certificate option support embedding of the certificate: + +[source,yaml] +---- +certificate: | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +---- + [float] [[key]] ==== `key: "/etc/pki/client/cert.key"` The client certificate key used for client authentication. This option is required if <> is specified. +The key option support embedding of the private key: + +[source,yaml] +---- +key: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI + sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP + Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F + KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 + MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z + HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ + nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx + Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 + eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ + Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM + epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve + Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn + BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 + VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU + zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 + GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA + 5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 + TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF + hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li + e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze + Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T + kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ + kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav + NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K + 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc + nygO9KTJuUiBrLr0AHEnqko= + -----END PRIVATE KEY----- +---- [float] ==== `key_passphrase` diff --git a/libbeat/docs/shared/obs-apps.asciidoc b/libbeat/docs/shared/obs-apps.asciidoc index 9b5f7354ea0..26698700c21 100644 --- a/libbeat/docs/shared/obs-apps.asciidoc +++ b/libbeat/docs/shared/obs-apps.asciidoc @@ -38,13 +38,13 @@ endif::[] |=== |Elastic apps | Use to -|{kibana-ref}/xpack-infra.html[{metrics-app}] +|{observability-guide}/analyze-metrics.html[{metrics-app}] |Explore metrics about systems and services across your ecosystem -|{kibana-ref}/xpack-logs.html[{logs-app}] +|{observability-guide}/monitor-logs.html[{logs-app}] |Tail related log data in real time -|{kibana-ref}/xpack-uptime.html[{uptime-app}] +|{observability-guide}/monitor-uptime.html[{uptime-app}] |Monitor availability issues across your apps and services |{kibana-ref}/xpack-apm.html[APM app] diff --git a/libbeat/logp/logger.go b/libbeat/logp/logger.go index 6f1c42fe022..2bbe6b3ce53 100644 --- a/libbeat/logp/logger.go +++ b/libbeat/logp/logger.go @@ -50,6 +50,12 @@ func NewLogger(selector string, options ...LogOption) *Logger { return newLogger(loadLogger().rootLogger, selector, options...) } +// WithOptions returns a clone of l with options applied. +func (l *Logger) WithOptions(options ...LogOption) *Logger { + cloned := l.logger.WithOptions(options...) + return &Logger{cloned, cloned.Sugar()} +} + // With creates a child logger and adds structured context to it. Fields added // to the child don't affect the parent, and vice versa. func (l *Logger) With(args ...interface{}) *Logger { diff --git a/libbeat/logp/logger_test.go b/libbeat/logp/logger_test.go new file mode 100644 index 00000000000..eaf8a1070ce --- /dev/null +++ b/libbeat/logp/logger_test.go @@ -0,0 +1,52 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package logp + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + "go.uber.org/zap/zapcore" + "go.uber.org/zap/zaptest/observer" +) + +func TestLoggerWithOptions(t *testing.T) { + core1, observed1 := observer.New(zapcore.DebugLevel) + core2, observed2 := observer.New(zapcore.DebugLevel) + + logger1 := NewLogger("bo", zap.WrapCore(func(in zapcore.Core) zapcore.Core { + return zapcore.NewTee(in, core1) + })) + logger2 := logger1.WithOptions(zap.WrapCore(func(in zapcore.Core) zapcore.Core { + return zapcore.NewTee(in, core2) + })) + + logger1.Info("hello logger1") // should just go to the first observer + logger2.Info("hello logger1 and logger2") // should go to both observers + + observedEntries1 := observed1.All() + require.Len(t, observedEntries1, 2) + assert.Equal(t, "hello logger1", observedEntries1[0].Message) + assert.Equal(t, "hello logger1 and logger2", observedEntries1[1].Message) + + observedEntries2 := observed2.All() + require.Len(t, observedEntries2, 1) + assert.Equal(t, "hello logger1 and logger2", observedEntries2[0].Message) +} diff --git a/metricbeat/module/system/diskio/disk_performance_386.go b/libbeat/metric/system/diskio/disk_performance_386.go similarity index 100% rename from metricbeat/module/system/diskio/disk_performance_386.go rename to libbeat/metric/system/diskio/disk_performance_386.go diff --git a/metricbeat/module/system/diskio/disk_performance_amd64.go b/libbeat/metric/system/diskio/disk_performance_amd64.go similarity index 100% rename from metricbeat/module/system/diskio/disk_performance_amd64.go rename to libbeat/metric/system/diskio/disk_performance_amd64.go diff --git a/metricbeat/module/system/diskio/diskstat.go b/libbeat/metric/system/diskio/diskstat.go similarity index 88% rename from metricbeat/module/system/diskio/diskstat.go rename to libbeat/metric/system/diskio/diskstat.go index 949d69778fa..3cea37c552a 100644 --- a/metricbeat/module/system/diskio/diskstat.go +++ b/libbeat/metric/system/diskio/diskstat.go @@ -25,11 +25,11 @@ import ( sigar "github.com/elastic/gosigar" ) -// mapping fields which output by `iostat -x` on linux +// IOMetric contains mapping fields which are outputed by `iostat -x` on linux // // Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s avgrq-sz avgqu-sz await r_await w_await svctm %util // sda 0.06 0.78 0.09 0.27 9.42 8.06 48.64 0.00 1.34 0.99 1.45 0.77 0.03 -type DiskIOMetric struct { +type IOMetric struct { ReadRequestMergeCountPerSec float64 `json:"rrqmCps"` WriteRequestMergeCountPerSec float64 `json:"wrqmCps"` ReadRequestCountPerSec float64 `json:"rrqCps"` @@ -46,8 +46,9 @@ type DiskIOMetric struct { BusyPct float64 `json:"busy"` } -type DiskIOStat struct { +// IOStat carries disk statistics for all devices +type IOStat struct { lastDiskIOCounters map[string]disk.IOCountersStat - lastCpu sigar.Cpu - curCpu sigar.Cpu + lastCPU sigar.Cpu + curCPU sigar.Cpu } diff --git a/metricbeat/module/system/diskio/diskstat_linux.go b/libbeat/metric/system/diskio/diskstat_linux.go similarity index 55% rename from metricbeat/module/system/diskio/diskstat_linux.go rename to libbeat/metric/system/diskio/diskstat_linux.go index 4ecfdf700ac..826aed78c27 100644 --- a/metricbeat/module/system/diskio/diskstat_linux.go +++ b/libbeat/metric/system/diskio/diskstat_linux.go @@ -26,7 +26,8 @@ import ( "github.com/elastic/beats/v7/libbeat/metric/system/cpu" ) -func Get_CLK_TCK() uint32 { +// GetCLKTCK emulates the _SC_CLK_TCK syscall +func GetCLKTCK() uint32 { // return uint32(C.sysconf(C._SC_CLK_TCK)) // NOTE: _SC_CLK_TCK should be fetched from sysconf using cgo return uint32(100) @@ -38,77 +39,78 @@ func IOCounters(names ...string) (map[string]disk.IOCountersStat, error) { } // NewDiskIOStat :init DiskIOStat object. -func NewDiskIOStat() *DiskIOStat { - return &DiskIOStat{ +func NewDiskIOStat() *IOStat { + return &IOStat{ lastDiskIOCounters: map[string]disk.IOCountersStat{}, } } // OpenSampling creates current cpu sampling // need call as soon as get IOCounters. -func (stat *DiskIOStat) OpenSampling() error { - return stat.curCpu.Get() +func (stat *IOStat) OpenSampling() error { + return stat.curCPU.Get() } -// CalIOStatistics calculates IO statistics. -func (stat *DiskIOStat) CalIOStatistics(result *DiskIOMetric, counter disk.IOCountersStat) error { +// CalcIOStatistics calculates IO statistics. +func (stat *IOStat) CalcIOStatistics(counter disk.IOCountersStat) (IOMetric, error) { var last disk.IOCountersStat var ok bool // if last counter not found, create one and return all 0 if last, ok = stat.lastDiskIOCounters[counter.Name]; !ok { stat.lastDiskIOCounters[counter.Name] = counter - return nil + return IOMetric{}, nil } // calculate the delta ms between the CloseSampling and OpenSampling - deltams := 1000.0 * float64(stat.curCpu.Total()-stat.lastCpu.Total()) / float64(cpu.NumCores) / float64(Get_CLK_TCK()) + deltams := 1000.0 * float64(stat.curCPU.Total()-stat.lastCPU.Total()) / float64(cpu.NumCores) / float64(GetCLKTCK()) if deltams <= 0 { - return errors.New("The delta cpu time between close sampling and open sampling is less or equal to 0") + return IOMetric{}, errors.New("The delta cpu time between close sampling and open sampling is less or equal to 0") } - rd_ios := counter.ReadCount - last.ReadCount - rd_merges := counter.MergedReadCount - last.MergedReadCount - rd_bytes := counter.ReadBytes - last.ReadBytes - rd_ticks := counter.ReadTime - last.ReadTime - wr_ios := counter.WriteCount - last.WriteCount - wr_merges := counter.MergedWriteCount - last.MergedWriteCount - wr_bytes := counter.WriteBytes - last.WriteBytes - wr_ticks := counter.WriteTime - last.WriteTime + rdIOs := counter.ReadCount - last.ReadCount + rdMerges := counter.MergedReadCount - last.MergedReadCount + rdBytes := counter.ReadBytes - last.ReadBytes + rdTicks := counter.ReadTime - last.ReadTime + wrIOs := counter.WriteCount - last.WriteCount + wrMerges := counter.MergedWriteCount - last.MergedWriteCount + wrBytes := counter.WriteBytes - last.WriteBytes + wrTicks := counter.WriteTime - last.WriteTime ticks := counter.IoTime - last.IoTime aveq := counter.WeightedIO - last.WeightedIO - n_ios := rd_ios + wr_ios - n_ticks := rd_ticks + wr_ticks - n_bytes := rd_bytes + wr_bytes + nIOs := rdIOs + wrIOs + nTicks := rdTicks + wrTicks + nBytes := rdBytes + wrBytes size := float64(0) wait := float64(0) svct := float64(0) - if n_ios > 0 { - size = float64(n_bytes) / float64(n_ios) - wait = float64(n_ticks) / float64(n_ios) - svct = float64(ticks) / float64(n_ios) + if nIOs > 0 { + size = float64(nBytes) / float64(nIOs) + wait = float64(nTicks) / float64(nIOs) + svct = float64(ticks) / float64(nIOs) } queue := float64(aveq) / deltams - per_sec := func(x uint64) float64 { + perSec := func(x uint64) float64 { return 1000.0 * float64(x) / deltams } - result.ReadRequestMergeCountPerSec = per_sec(rd_merges) - result.WriteRequestMergeCountPerSec = per_sec(wr_merges) - result.ReadRequestCountPerSec = per_sec(rd_ios) - result.WriteRequestCountPerSec = per_sec(wr_ios) - result.ReadBytesPerSec = per_sec(rd_bytes) - result.WriteBytesPerSec = per_sec(wr_bytes) + result := IOMetric{} + result.ReadRequestMergeCountPerSec = perSec(rdMerges) + result.WriteRequestMergeCountPerSec = perSec(wrMerges) + result.ReadRequestCountPerSec = perSec(rdIOs) + result.WriteRequestCountPerSec = perSec(wrIOs) + result.ReadBytesPerSec = perSec(rdBytes) + result.WriteBytesPerSec = perSec(wrBytes) result.AvgRequestSize = size result.AvgQueueSize = queue result.AvgAwaitTime = wait - if rd_ios > 0 { - result.AvgReadAwaitTime = float64(rd_ticks) / float64(rd_ios) + if rdIOs > 0 { + result.AvgReadAwaitTime = float64(rdTicks) / float64(rdIOs) } - if wr_ios > 0 { - result.AvgWriteAwaitTime = float64(wr_ticks) / float64(wr_ios) + if wrIOs > 0 { + result.AvgWriteAwaitTime = float64(wrTicks) / float64(wrIOs) } result.AvgServiceTime = svct result.BusyPct = 100.0 * float64(ticks) / deltams @@ -117,10 +119,11 @@ func (stat *DiskIOStat) CalIOStatistics(result *DiskIOMetric, counter disk.IOCou } stat.lastDiskIOCounters[counter.Name] = counter - return nil + return result, nil } -func (stat *DiskIOStat) CloseSampling() { - stat.lastCpu = stat.curCpu +// CloseSampling closes the disk sampler +func (stat *IOStat) CloseSampling() { + stat.lastCPU = stat.curCPU } diff --git a/metricbeat/module/system/diskio/diskstat_linux_test.go b/libbeat/metric/system/diskio/diskstat_linux_test.go similarity index 55% rename from metricbeat/module/system/diskio/diskstat_linux_test.go rename to libbeat/metric/system/diskio/diskstat_linux_test.go index 56a8d9dc7cc..74c0bef231e 100644 --- a/metricbeat/module/system/diskio/diskstat_linux_test.go +++ b/libbeat/metric/system/diskio/diskstat_linux_test.go @@ -27,53 +27,11 @@ import ( "github.com/stretchr/testify/assert" sigar "github.com/elastic/gosigar" - - mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" - "github.com/elastic/beats/v7/metricbeat/module/system" ) -func Test_Get_CLK_TCK(t *testing.T) { +func Test_GetCLKTCK(t *testing.T) { //usually the tick is 100 - assert.Equal(t, uint32(100), Get_CLK_TCK()) -} - -func TestDataNameFilter(t *testing.T) { - oldFS := system.HostFS - newFS := "_meta/testdata" - system.HostFS = &newFS - defer func() { - system.HostFS = oldFS - }() - - conf := map[string]interface{}{ - "module": "system", - "metricsets": []string{"diskio"}, - "diskio.include_devices": []string{"sda", "sda1", "sda2"}, - } - - f := mbtest.NewReportingMetricSetV2Error(t, conf) - data, errs := mbtest.ReportingFetchV2Error(f) - assert.Empty(t, errs) - assert.Equal(t, 3, len(data)) -} - -func TestDataEmptyFilter(t *testing.T) { - oldFS := system.HostFS - newFS := "_meta/testdata" - system.HostFS = &newFS - defer func() { - system.HostFS = oldFS - }() - - conf := map[string]interface{}{ - "module": "system", - "metricsets": []string{"diskio"}, - } - - f := mbtest.NewReportingMetricSetV2Error(t, conf) - data, errs := mbtest.ReportingFetchV2Error(f) - assert.Empty(t, errs) - assert.Equal(t, 10, len(data)) + assert.Equal(t, uint32(100), GetCLKTCK()) } func TestDiskIOStat_CalIOStatistics(t *testing.T) { @@ -85,9 +43,9 @@ func TestDiskIOStat_CalIOStatistics(t *testing.T) { Name: "iostat", } - stat := &DiskIOStat{ + stat := &IOStat{ lastDiskIOCounters: map[string]disk.IOCountersStat{ - "iostat": disk.IOCountersStat{ + "iostat": { ReadCount: 3, WriteCount: 5, ReadTime: 7, @@ -95,17 +53,17 @@ func TestDiskIOStat_CalIOStatistics(t *testing.T) { Name: "iostat", }, }, - lastCpu: sigar.Cpu{Idle: 100}, - curCpu: sigar.Cpu{Idle: 1}, + lastCPU: sigar.Cpu{Idle: 100}, + curCPU: sigar.Cpu{Idle: 1}, } - expected := DiskIOMetric{ + expected := IOMetric{ AvgAwaitTime: 24.0 / 22.0, AvgReadAwaitTime: 1.2, AvgWriteAwaitTime: 1, } - var got DiskIOMetric - err := stat.CalIOStatistics(&got, counter) + + got, err := stat.CalcIOStatistics(counter) if err != nil { t.Fatal(err) } diff --git a/metricbeat/module/system/diskio/diskstat_other.go b/libbeat/metric/system/diskio/diskstat_other.go similarity index 79% rename from metricbeat/module/system/diskio/diskstat_other.go rename to libbeat/metric/system/diskio/diskstat_other.go index d2669117d9e..ad5208b1b4f 100644 --- a/metricbeat/module/system/diskio/diskstat_other.go +++ b/libbeat/metric/system/diskio/diskstat_other.go @@ -25,24 +25,24 @@ import ( ) // NewDiskIOStat :init DiskIOStat object. -func NewDiskIOStat() *DiskIOStat { - return &DiskIOStat{ +func NewDiskIOStat() *IOStat { + return &IOStat{ lastDiskIOCounters: map[string]disk.IOCountersStat{}, } } // OpenSampling stub for linux implementation. -func (stat *DiskIOStat) OpenSampling() error { +func (stat *IOStat) OpenSampling() error { return nil } -// CalIOStatistics stub for linux implementation. -func (stat *DiskIOStat) CalIOStatistics(result *DiskIOMetric, counter disk.IOCountersStat) error { - return errors.New("not implemented out of linux") +// CalcIOStatistics stub for linux implementation. +func (stat *IOStat) CalcIOStatistics(rcounter disk.IOCountersStat) (IOMetric, error) { + return IOMetric{}, errors.New("not implemented out of linux") } // CloseSampling stub for linux implementation. -func (stat *DiskIOStat) CloseSampling() {} +func (stat *IOStat) CloseSampling() {} // IOCounters should map functionality to disk package for linux os. func IOCounters(names ...string) (map[string]disk.IOCountersStat, error) { diff --git a/metricbeat/module/system/diskio/diskstat_windows.go b/libbeat/metric/system/diskio/diskstat_windows.go similarity index 78% rename from metricbeat/module/system/diskio/diskstat_windows.go rename to libbeat/metric/system/diskio/diskstat_windows.go index 1e2b363074b..665caab9130 100644 --- a/metricbeat/module/system/diskio/diskstat_windows.go +++ b/libbeat/metric/system/diskio/diskstat_windows.go @@ -25,24 +25,24 @@ import ( ) // NewDiskIOStat :init DiskIOStat object. -func NewDiskIOStat() *DiskIOStat { - return &DiskIOStat{ +func NewDiskIOStat() *IOStat { + return &IOStat{ lastDiskIOCounters: map[string]disk.IOCountersStat{}, } } // OpenSampling stub for linux implementation. -func (stat *DiskIOStat) OpenSampling() error { +func (stat *IOStat) OpenSampling() error { return nil } -// CalIOStatistics stub for linux implementation. -func (stat *DiskIOStat) CalIOStatistics(result *DiskIOMetric, counter disk.IOCountersStat) error { - return errors.New("iostat is not implement for Windows") +// CalcIOStatistics stub for linux implementation. +func (stat *IOStat) CalcIOStatistics(counter disk.IOCountersStat) (IOMetric, error) { + return IOMetric{}, errors.New("iostat is not implement for Windows") } // CloseSampling stub for linux implementation. -func (stat *DiskIOStat) CloseSampling() {} +func (stat *IOStat) CloseSampling() {} // IOCounters should map functionality to disk package for linux os. func IOCounters(names ...string) (map[string]disk.IOCountersStat, error) { diff --git a/metricbeat/module/system/diskio/diskstat_windows_helper.go b/libbeat/metric/system/diskio/diskstat_windows_helper.go similarity index 100% rename from metricbeat/module/system/diskio/diskstat_windows_helper.go rename to libbeat/metric/system/diskio/diskstat_windows_helper.go diff --git a/metricbeat/module/system/diskio/diskstat_windows_test.go b/libbeat/metric/system/diskio/diskstat_windows_test.go similarity index 100% rename from metricbeat/module/system/diskio/diskstat_windows_test.go rename to libbeat/metric/system/diskio/diskstat_windows_test.go diff --git a/libbeat/outputs/elasticsearch/client_integration_test.go b/libbeat/outputs/elasticsearch/client_integration_test.go index e243cb7d1e4..67ccc34b8f7 100644 --- a/libbeat/outputs/elasticsearch/client_integration_test.go +++ b/libbeat/outputs/elasticsearch/client_integration_test.go @@ -55,6 +55,8 @@ func TestClientPublishEvent(t *testing.T) { } func TestClientPublishEventKerberosAware(t *testing.T) { + t.Skip("Flaky test: https://github.com/elastic/beats/issues/21295") + err := setupRoleMapping(t, eslegtest.GetEsKerberosHost()) if err != nil { t.Fatal(err) diff --git a/libbeat/processors/add_cloud_metadata/add_cloud_metadata.go b/libbeat/processors/add_cloud_metadata/add_cloud_metadata.go index de1a8063667..5376d563fca 100644 --- a/libbeat/processors/add_cloud_metadata/add_cloud_metadata.go +++ b/libbeat/processors/add_cloud_metadata/add_cloud_metadata.go @@ -26,6 +26,7 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/processors" jsprocessor "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/processor" @@ -53,6 +54,7 @@ type addCloudMetadata struct { type initData struct { fetchers []metadataFetcher timeout time.Duration + tlsConfig *tlscommon.TLSConfig overwrite bool } @@ -63,14 +65,24 @@ func New(c *common.Config) (processors.Processor, error) { return nil, errors.Wrap(err, "failed to unpack add_cloud_metadata config") } + tlsConfig, err := tlscommon.LoadTLSConfig(config.TLS) + if err != nil { + return nil, errors.Wrap(err, "TLS configuration load") + } + initProviders := selectProviders(config.Providers, cloudMetaProviders) fetchers, err := setupFetchers(initProviders, c) if err != nil { return nil, err } p := &addCloudMetadata{ - initData: &initData{fetchers, config.Timeout, config.Overwrite}, - logger: logp.NewLogger("add_cloud_metadata"), + initData: &initData{ + fetchers: fetchers, + timeout: config.Timeout, + tlsConfig: tlsConfig, + overwrite: config.Overwrite, + }, + logger: logp.NewLogger("add_cloud_metadata"), } go p.init() diff --git a/libbeat/processors/add_cloud_metadata/config.go b/libbeat/processors/add_cloud_metadata/config.go index 08f4a241483..93a31137592 100644 --- a/libbeat/processors/add_cloud_metadata/config.go +++ b/libbeat/processors/add_cloud_metadata/config.go @@ -20,12 +20,15 @@ package add_cloud_metadata import ( "fmt" "time" + + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" ) type config struct { - Timeout time.Duration `config:"timeout"` // Amount of time to wait for responses from the metadata services. - Overwrite bool `config:"overwrite"` // Overwrite if cloud.* fields already exist. - Providers providerList `config:"providers"` // List of providers to probe + Timeout time.Duration `config:"timeout"` // Amount of time to wait for responses from the metadata services. + TLS *tlscommon.Config `config:"ssl"` // TLS configuration + Overwrite bool `config:"overwrite"` // Overwrite if cloud.* fields already exist. + Providers providerList `config:"providers"` // List of providers to probe } type providerList []string diff --git a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc index 41c0dd6d9f3..44497f31539 100644 --- a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc +++ b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc @@ -52,12 +52,16 @@ List of names the `providers` setting supports: - "aws", or "ec2" for Amazon Web Services (enabled by default). - "gcp" for Google Copmute Enging (enabled by default). - "openstack", or "nova" for Openstack Nova (enabled by default). +- "openstack-ssl", or "nova-ssl" for Openstack Nova when SSL metadata APIs are enabled (enabled by default). - "tencent", or "qcloud" for Tencent Cloud (disabled by default). The third optional configuration setting is `overwrite`. When `overwrite` is `true`, `add_cloud_metadata` overwrites existing `cloud.*` fields (`false` by default). +The `add_cloud_metadata` processor supports SSL options to configure the http +client used to query cloud metadata. See <> for more information. + The metadata that is added to events varies by hosting provider. Below are examples for each of the supported providers. diff --git a/libbeat/processors/add_cloud_metadata/http_fetcher.go b/libbeat/processors/add_cloud_metadata/http_fetcher.go index e9b18478661..e337edd5be9 100644 --- a/libbeat/processors/add_cloud_metadata/http_fetcher.go +++ b/libbeat/processors/add_cloud_metadata/http_fetcher.go @@ -27,6 +27,7 @@ import ( "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" ) type httpMetadataFetcher struct { @@ -127,9 +128,15 @@ func (f *httpMetadataFetcher) fetchRaw( // getMetadataURLs loads config and generates the metadata URLs. func getMetadataURLs(c *common.Config, defaultHost string, metadataURIs []string) ([]string, error) { + return getMetadataURLsWithScheme(c, "http", defaultHost, metadataURIs) +} + +// getMetadataURLsWithScheme loads config and generates the metadata URLs. +func getMetadataURLsWithScheme(c *common.Config, scheme string, defaultHost string, metadataURIs []string) ([]string, error) { var urls []string config := struct { - MetadataHostAndPort string `config:"host"` // Specifies the host and port of the metadata service (for testing purposes only). + MetadataHostAndPort string `config:"host"` // Specifies the host and port of the metadata service (for testing purposes only). + TLSConfig *tlscommon.Config `config:"ssl"` }{ MetadataHostAndPort: defaultHost, } @@ -138,7 +145,7 @@ func getMetadataURLs(c *common.Config, defaultHost string, metadataURIs []string return urls, errors.Wrap(err, "failed to unpack add_cloud_metadata config") } for _, uri := range metadataURIs { - urls = append(urls, "http://"+config.MetadataHostAndPort+uri) + urls = append(urls, scheme+"://"+config.MetadataHostAndPort+uri) } return urls, nil } diff --git a/libbeat/processors/add_cloud_metadata/provider_azure_vm.go b/libbeat/processors/add_cloud_metadata/provider_azure_vm.go index 9cd3eba55b8..3028d531c1e 100644 --- a/libbeat/processors/add_cloud_metadata/provider_azure_vm.go +++ b/libbeat/processors/add_cloud_metadata/provider_azure_vm.go @@ -34,6 +34,9 @@ var azureVMMetadataFetcher = provider{ azHeaders := map[string]string{"Metadata": "true"} azSchema := func(m map[string]interface{}) common.MapStr { out, _ := s.Schema{ + "account": s.Object{ + "id": c.Str("subscriptionId"), + }, "instance": s.Object{ "id": c.Str("vmId"), "name": c.Str("name"), diff --git a/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go b/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go index 307ac60abad..a988cc8873f 100644 --- a/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go +++ b/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go @@ -40,7 +40,8 @@ const azInstanceIdentityDocument = `{ "sku": "14.04.4-LTS", "version": "14.04.201605091", "vmId": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e", - "vmSize": "Standard_D3_v2" + "vmSize": "Standard_D3_v2", + "subscriptionId": "5tfb04c3-63de-4709-a9f9-9ab8c0411d5e" }` func initAzureTestServer() *httptest.Server { @@ -87,6 +88,9 @@ func TestRetrieveAzureMetadata(t *testing.T) { "machine": common.MapStr{ "type": "Standard_D3_v2", }, + "account": common.MapStr{ + "id": "5tfb04c3-63de-4709-a9f9-9ab8c0411d5e", + }, "region": "eastus2", }, } diff --git a/libbeat/processors/add_cloud_metadata/provider_openstack_nova.go b/libbeat/processors/add_cloud_metadata/provider_openstack_nova.go index 17bc5abf689..7c9a997e0e2 100644 --- a/libbeat/processors/add_cloud_metadata/provider_openstack_nova.go +++ b/libbeat/processors/add_cloud_metadata/provider_openstack_nova.go @@ -32,16 +32,24 @@ const ( // OpenStack Nova Metadata Service // Document https://docs.openstack.org/nova/latest/user/metadata-service.html var openstackNovaMetadataFetcher = provider{ - Name: "openstack-nova", + Name: "openstack-nova", + Local: true, + Create: buildOpenstackNovaCreate("http"), +} - Local: true, +var openstackNovaSSLMetadataFetcher = provider{ + Name: "openstack-nova-ssl", + Local: true, + Create: buildOpenstackNovaCreate("https"), +} - Create: func(provider string, c *common.Config) (metadataFetcher, error) { +func buildOpenstackNovaCreate(scheme string) func(provider string, c *common.Config) (metadataFetcher, error) { + return func(provider string, c *common.Config) (metadataFetcher, error) { osSchema := func(m map[string]interface{}) common.MapStr { return common.MapStr(m) } - urls, err := getMetadataURLs(c, metadataHost, []string{ + urls, err := getMetadataURLsWithScheme(c, scheme, metadataHost, []string{ osMetadataInstanceIDURI, osMetadataInstanceTypeURI, osMetadataHostnameURI, @@ -71,5 +79,5 @@ var openstackNovaMetadataFetcher = provider{ } fetcher := &httpMetadataFetcher{"openstack", nil, responseHandlers, osSchema} return fetcher, nil - }, + } } diff --git a/libbeat/processors/add_cloud_metadata/provider_openstack_nova_test.go b/libbeat/processors/add_cloud_metadata/provider_openstack_nova_test.go index d5c38a8437b..0a63c026cde 100644 --- a/libbeat/processors/add_cloud_metadata/provider_openstack_nova_test.go +++ b/libbeat/processors/add_cloud_metadata/provider_openstack_nova_test.go @@ -29,8 +29,8 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" ) -func initOpenstackNovaTestServer() *httptest.Server { - return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { +func openstackNovaMetadataHandler() http.HandlerFunc { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.RequestURI == osMetadataInstanceIDURI { w.Write([]byte("i-0000ffac")) return @@ -49,13 +49,13 @@ func initOpenstackNovaTestServer() *httptest.Server { } http.Error(w, "not found", http.StatusNotFound) - })) + }) } func TestRetrieveOpenstackNovaMetadata(t *testing.T) { logp.TestingSetup() - server := initOpenstackNovaTestServer() + server := httptest.NewServer(openstackNovaMetadataHandler()) defer server.Close() config, err := common.NewConfigFrom(map[string]interface{}{ @@ -66,6 +66,28 @@ func TestRetrieveOpenstackNovaMetadata(t *testing.T) { t.Fatal(err) } + assertOpenstackNova(t, config) +} + +func TestRetrieveOpenstackNovaMetadataWithHTTPS(t *testing.T) { + logp.TestingSetup() + + server := httptest.NewTLSServer(openstackNovaMetadataHandler()) + defer server.Close() + + config, err := common.NewConfigFrom(map[string]interface{}{ + "host": server.Listener.Addr().String(), + "ssl.verification_mode": "none", + }) + + if err != nil { + t.Fatal(err) + } + + assertOpenstackNova(t, config) +} + +func assertOpenstackNova(t *testing.T, config *common.Config) { p, err := New(config) if err != nil { t.Fatal(err) diff --git a/libbeat/processors/add_cloud_metadata/providers.go b/libbeat/processors/add_cloud_metadata/providers.go index f93e8cf78f4..ea03b64258a 100644 --- a/libbeat/processors/add_cloud_metadata/providers.go +++ b/libbeat/processors/add_cloud_metadata/providers.go @@ -51,17 +51,19 @@ type result struct { } var cloudMetaProviders = map[string]provider{ - "alibaba": alibabaCloudMetadataFetcher, - "ecs": alibabaCloudMetadataFetcher, - "azure": azureVMMetadataFetcher, - "digitalocean": doMetadataFetcher, - "aws": ec2MetadataFetcher, - "ec2": ec2MetadataFetcher, - "gcp": gceMetadataFetcher, - "openstack": openstackNovaMetadataFetcher, - "nova": openstackNovaMetadataFetcher, - "qcloud": qcloudMetadataFetcher, - "tencent": qcloudMetadataFetcher, + "alibaba": alibabaCloudMetadataFetcher, + "ecs": alibabaCloudMetadataFetcher, + "azure": azureVMMetadataFetcher, + "digitalocean": doMetadataFetcher, + "aws": ec2MetadataFetcher, + "ec2": ec2MetadataFetcher, + "gcp": gceMetadataFetcher, + "openstack": openstackNovaMetadataFetcher, + "nova": openstackNovaMetadataFetcher, + "openstack-ssl": openstackNovaSSLMetadataFetcher, + "nova-ssl": openstackNovaSSLMetadataFetcher, + "qcloud": qcloudMetadataFetcher, + "tencent": qcloudMetadataFetcher, } func selectProviders(configList providerList, providers map[string]provider) map[string]provider { @@ -138,6 +140,7 @@ func (p *addCloudMetadata) fetchMetadata() *result { Timeout: p.initData.timeout, KeepAlive: 0, }).DialContext, + TLSClientConfig: p.initData.tlsConfig.ToConfig(), }, } diff --git a/libbeat/processors/add_docker_metadata/add_docker_metadata.go b/libbeat/processors/add_docker_metadata/add_docker_metadata.go index cf0fda79d8d..beaca3bb46b 100644 --- a/libbeat/processors/add_docker_metadata/add_docker_metadata.go +++ b/libbeat/processors/add_docker_metadata/add_docker_metadata.go @@ -209,6 +209,18 @@ func (d *addDockerMetadata) Run(event *beat.Event) (*beat.Event, error) { return event, nil } +func (d *addDockerMetadata) Close() error { + if d.cgroups != nil { + d.cgroups.StopJanitor() + } + d.watcher.Stop() + err := processors.Close(d.sourceProcessor) + if err != nil { + return errors.Wrap(err, "closing source processor of add_docker_metadata") + } + return nil +} + func (d *addDockerMetadata) String() string { return fmt.Sprintf("%v=[match_fields=[%v] match_pids=[%v]]", processorName, strings.Join(d.fields, ", "), strings.Join(d.pidFields, ", ")) diff --git a/libbeat/processors/add_docker_metadata/add_docker_metadata_integration_test.go b/libbeat/processors/add_docker_metadata/add_docker_metadata_integration_test.go new file mode 100644 index 00000000000..91d3315a401 --- /dev/null +++ b/libbeat/processors/add_docker_metadata/add_docker_metadata_integration_test.go @@ -0,0 +1,120 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build linux darwin windows +// +build integration + +package add_docker_metadata + +import ( + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/docker" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/processors" + dockertest "github.com/elastic/beats/v7/libbeat/tests/docker" + "github.com/elastic/beats/v7/libbeat/tests/resources" +) + +func TestAddDockerMetadata(t *testing.T) { + goroutines := resources.NewGoroutinesChecker() + defer goroutines.Check(t) + + client, err := docker.NewClient(defaultConfig().Host, nil, nil) + require.NoError(t, err) + + // Docker clients can affect the goroutines checker because they keep + // idle keep-alive connections, so we explicitly close them. + // These idle connections in principle wouldn't represent leaks even if + // the client is not explicitly closed because they are eventually closed. + defer client.Close() + + // Start a container to have some data to enrich events + testClient, err := dockertest.NewClient() + require.NoError(t, err) + // Explicitly close client to don't affect goroutines checker + defer testClient.Close() + + image := "busybox" + cmd := []string{"sleep", "60"} + labels := map[string]string{"label": "foo"} + id, err := testClient.ContainerStart(image, cmd, labels) + require.NoError(t, err) + defer testClient.ContainerRemove(id) + + info, err := testClient.ContainerInspect(id) + require.NoError(t, err) + pid := info.State.Pid + + config, err := common.NewConfigFrom(map[string]interface{}{ + "match_fields": []string{"cid"}, + }) + watcherConstructor := newWatcherWith(client) + processor, err := buildDockerMetadataProcessor(logp.L(), config, watcherConstructor) + require.NoError(t, err) + + t.Run("match container by container id", func(t *testing.T) { + input := &beat.Event{Fields: common.MapStr{ + "cid": id, + }} + result, err := processor.Run(input) + require.NoError(t, err) + + resultLabels, _ := result.Fields.GetValue("container.labels") + expectedLabels := common.MapStr{"label": "foo"} + assert.Equal(t, expectedLabels, resultLabels) + assert.Equal(t, id, result.Fields["cid"]) + }) + + t.Run("match container by process id", func(t *testing.T) { + input := &beat.Event{Fields: common.MapStr{ + "cid": id, + "process.pid": pid, + }} + result, err := processor.Run(input) + require.NoError(t, err) + + resultLabels, _ := result.Fields.GetValue("container.labels") + expectedLabels := common.MapStr{"label": "foo"} + assert.Equal(t, expectedLabels, resultLabels) + assert.Equal(t, id, result.Fields["cid"]) + }) + + t.Run("don't enrich non existing container", func(t *testing.T) { + input := &beat.Event{Fields: common.MapStr{ + "cid": "notexists", + }} + result, err := processor.Run(input) + require.NoError(t, err) + assert.Equal(t, input.Fields, result.Fields) + }) + + err = processors.Close(processor) + require.NoError(t, err) +} + +func newWatcherWith(client docker.Client) docker.WatcherConstructor { + return func(log *logp.Logger, host string, tls *docker.TLSConfig, storeShortID bool) (docker.Watcher, error) { + return docker.NewWatcherWithClient(log, client, 60*time.Second, storeShortID) + } +} diff --git a/libbeat/processors/add_docker_metadata/add_docker_metadata_test.go b/libbeat/processors/add_docker_metadata/add_docker_metadata_test.go index 2d8a5a9e970..f246d597e13 100644 --- a/libbeat/processors/add_docker_metadata/add_docker_metadata_test.go +++ b/libbeat/processors/add_docker_metadata/add_docker_metadata_test.go @@ -16,6 +16,7 @@ // under the License. // +build linux darwin windows +// +build !integration package add_docker_metadata diff --git a/libbeat/processors/add_kubernetes_metadata/cache.go b/libbeat/processors/add_kubernetes_metadata/cache.go index da7492b43a9..5de52efdc1b 100644 --- a/libbeat/processors/add_kubernetes_metadata/cache.go +++ b/libbeat/processors/add_kubernetes_metadata/cache.go @@ -31,6 +31,7 @@ type cache struct { timeout time.Duration deleted map[string]time.Time // key -> when should this obj be deleted metadata map[string]common.MapStr + done chan struct{} } func newCache(cleanupTimeout time.Duration) *cache { @@ -38,6 +39,7 @@ func newCache(cleanupTimeout time.Duration) *cache { timeout: cleanupTimeout, deleted: make(map[string]time.Time), metadata: make(map[string]common.MapStr), + done: make(chan struct{}), } go c.cleanup() return c @@ -67,15 +69,29 @@ func (c *cache) set(key string, data common.MapStr) { } func (c *cache) cleanup() { - ticker := time.Tick(timeout) - for now := range ticker { - c.Lock() - for k, t := range c.deleted { - if now.After(t) { - delete(c.deleted, k) - delete(c.metadata, k) + if timeout <= 0 { + return + } + + ticker := time.NewTicker(timeout) + defer ticker.Stop() + for { + select { + case <-c.done: + return + case now := <-ticker.C: + c.Lock() + for k, t := range c.deleted { + if now.After(t) { + delete(c.deleted, k) + delete(c.metadata, k) + } } + c.Unlock() } - c.Unlock() } } + +func (c *cache) stop() { + close(c.done) +} diff --git a/libbeat/processors/add_kubernetes_metadata/kubernetes.go b/libbeat/processors/add_kubernetes_metadata/kubernetes.go index 2a5f4d2faed..535eb1187ea 100644 --- a/libbeat/processors/add_kubernetes_metadata/kubernetes.go +++ b/libbeat/processors/add_kubernetes_metadata/kubernetes.go @@ -242,6 +242,16 @@ func (k *kubernetesAnnotator) Run(event *beat.Event) (*beat.Event, error) { return event, nil } +func (k *kubernetesAnnotator) Close() error { + if k.watcher != nil { + k.watcher.Stop() + } + if k.cache != nil { + k.cache.stop() + } + return nil +} + func (k *kubernetesAnnotator) addPod(pod *kubernetes.Pod) { metadata := k.indexers.GetMetadata(pod) for _, m := range metadata { diff --git a/libbeat/processors/add_process_metadata/add_process_metadata.go b/libbeat/processors/add_process_metadata/add_process_metadata.go index c41ca9a73d6..01e2cf1e9fe 100644 --- a/libbeat/processors/add_process_metadata/add_process_metadata.go +++ b/libbeat/processors/add_process_metadata/add_process_metadata.go @@ -55,11 +55,12 @@ var ( ) type addProcessMetadata struct { - config config - provider processMetadataProvider - cidProvider cidProvider - log *logp.Logger - mappings common.MapStr + config config + provider processMetadataProvider + cgroupsCache *common.Cache + cidProvider cidProvider + log *logp.Logger + mappings common.MapStr } type processMetadata struct { @@ -81,16 +82,22 @@ type cidProvider interface { } func init() { - processors.RegisterPlugin(processorName, New) + processors.RegisterPlugin(processorName, NewWithCache) jsprocessor.RegisterPlugin("AddProcessMetadata", New) } // New constructs a new add_process_metadata processor. func New(cfg *common.Config) (processors.Processor, error) { - return newProcessMetadataProcessorWithProvider(cfg, &procCache) + return newProcessMetadataProcessorWithProvider(cfg, &procCache, false) } -func newProcessMetadataProcessorWithProvider(cfg *common.Config, provider processMetadataProvider) (proc processors.Processor, err error) { +// NewWithCache construct a new add_process_metadata processor with cache for container IDs. +// Resulting processor implements `Close()` to release the cache resources. +func NewWithCache(cfg *common.Config) (processors.Processor, error) { + return newProcessMetadataProcessorWithProvider(cfg, &procCache, true) +} + +func newProcessMetadataProcessorWithProvider(cfg *common.Config, provider processMetadataProvider, withCache bool) (proc processors.Processor, err error) { // Logging (each processor instance has a unique ID). var ( id = int(instanceID.Inc()) @@ -118,21 +125,25 @@ func newProcessMetadataProcessorWithProvider(cfg *common.Config, provider proces } // don't use cgroup.ProcessCgroupPaths to save it from doing the work when container id disabled if ok := containsValue(mappings, "container.id"); ok { - if config.CgroupCacheExpireTime != 0 { + if withCache && config.CgroupCacheExpireTime != 0 { p.log.Debug("Initializing cgroup cache") evictionListener := func(k common.Key, v common.Value) { p.log.Debugf("Evicted cached cgroups for PID=%v", k) } - cgroupsCache := common.NewCacheWithRemovalListener(config.CgroupCacheExpireTime, 100, evictionListener) - cgroupsCache.StartJanitor(config.CgroupCacheExpireTime) - p.cidProvider = newCidProvider(config.HostPath, config.CgroupPrefixes, config.CgroupRegex, processCgroupPaths, cgroupsCache) + p.cgroupsCache = common.NewCacheWithRemovalListener(config.CgroupCacheExpireTime, 100, evictionListener) + p.cgroupsCache.StartJanitor(config.CgroupCacheExpireTime) + p.cidProvider = newCidProvider(config.HostPath, config.CgroupPrefixes, config.CgroupRegex, processCgroupPaths, p.cgroupsCache) } else { p.cidProvider = newCidProvider(config.HostPath, config.CgroupPrefixes, config.CgroupRegex, processCgroupPaths, nil) } } + if withCache { + return &addProcessMetadataCloser{p}, nil + } + return &p, nil } @@ -253,6 +264,17 @@ func (p *addProcessMetadata) getContainerID(pid int) (string, error) { return cid, nil } +type addProcessMetadataCloser struct { + addProcessMetadata +} + +func (p *addProcessMetadataCloser) Close() error { + if p.addProcessMetadata.cgroupsCache != nil { + p.addProcessMetadata.cgroupsCache.StopJanitor() + } + return nil +} + // String returns the processor representation formatted as a string func (p *addProcessMetadata) String() string { return fmt.Sprintf("%v=[match_pids=%v, mappings=%v, ignore_missing=%v, overwrite_fields=%v, restricted_fields=%v, host_path=%v, cgroup_prefixes=%v]", diff --git a/libbeat/processors/add_process_metadata/add_process_metadata_test.go b/libbeat/processors/add_process_metadata/add_process_metadata_test.go index f9b4aaa681c..493034098cf 100644 --- a/libbeat/processors/add_process_metadata/add_process_metadata_test.go +++ b/libbeat/processors/add_process_metadata/add_process_metadata_test.go @@ -651,7 +651,7 @@ func TestAddProcessMetadata(t *testing.T) { t.Fatal(err) } - proc, err := newProcessMetadataProcessorWithProvider(config, testProcs) + proc, err := newProcessMetadataProcessorWithProvider(config, testProcs, true) if test.initErr == nil { if err != nil { t.Fatal(err) diff --git a/libbeat/processors/dns/config.go b/libbeat/processors/dns/config.go index b5e7cf0a0d3..8b0d6c9bd97 100644 --- a/libbeat/processors/dns/config.go +++ b/libbeat/processors/dns/config.go @@ -29,7 +29,7 @@ import ( // Config defines the configuration options for the DNS processor. type Config struct { - CacheConfig + CacheConfig `config:",inline"` Nameservers []string `config:"nameservers"` // Required on Windows. /etc/resolv.conf is used if none are given. Timeout time.Duration `conifg:"timeout"` // Per request timeout (with 2 nameservers the total timeout would be 2x). Type string `config:"type" validate:"required"` // Reverse is the only supported type currently. @@ -89,7 +89,7 @@ type CacheSettings struct { TTL time.Duration `config:"ttl"` // Minimum TTL value for successful DNS responses. - MinTTL time.Duration `config:"min_ttl" validate:"min=1"` + MinTTL time.Duration `config:"min_ttl" validate:"min=1ns"` // Initial capacity. How much space is allocated at initialization. InitialCapacity int `config:"capacity.initial" validate:"min=0"` @@ -166,6 +166,7 @@ var defaultConfig = Config{ MaxCapacity: 10000, }, FailureCache: CacheSettings{ + MinTTL: time.Minute, TTL: time.Minute, InitialCapacity: 1000, MaxCapacity: 10000, diff --git a/libbeat/processors/processor.go b/libbeat/processors/processor.go index c5002b7cebd..0e772a524da 100644 --- a/libbeat/processors/processor.go +++ b/libbeat/processors/processor.go @@ -20,6 +20,7 @@ package processors import ( "strings" + "github.com/joeshaw/multierror" "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/beat" @@ -35,11 +36,29 @@ type Processors struct { log *logp.Logger } +// Processor is the interface that all processors must implement type Processor interface { Run(event *beat.Event) (*beat.Event, error) String() string } +// Closer defines the interface for processors that should be closed after using +// them. +// Close() is not part of the Processor interface because implementing this method +// is also a way to indicate that the processor keeps some resource that needs to +// be released or orderly closed. +type Closer interface { + Close() error +} + +// Close closes a processor if it implements the Closer interface +func Close(p Processor) error { + if closer, ok := p.(Closer); ok { + return closer.Close() + } + return nil +} + // NewList creates a new empty processor list. // Additional processors can be added to the List field. func NewList(log *logp.Logger) *Processors { @@ -153,6 +172,17 @@ func (procs *Processors) All() []beat.Processor { return ret } +func (procs *Processors) Close() error { + var errs multierror.Errors + for _, p := range procs.List { + err := Close(p) + if err != nil { + errs = append(errs, err) + } + } + return errs.Err() +} + // Run executes the all processors serially and returns the event and possibly // an error. If the event has been dropped (canceled) by a processor in the // list then a nil event is returned. diff --git a/libbeat/processors/script/javascript/module/include.go b/libbeat/processors/script/javascript/module/include.go index f30e423e7a2..b498dc90e21 100644 --- a/libbeat/processors/script/javascript/module/include.go +++ b/libbeat/processors/script/javascript/module/include.go @@ -24,4 +24,5 @@ import ( _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/path" _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/processor" _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/require" + _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/windows" ) diff --git a/libbeat/processors/script/javascript/module/processor/chain.go b/libbeat/processors/script/javascript/module/processor/chain.go index e58aac29372..9ef3da7859e 100644 --- a/libbeat/processors/script/javascript/module/processor/chain.go +++ b/libbeat/processors/script/javascript/module/processor/chain.go @@ -151,6 +151,17 @@ func newNativeProcessor(constructor processors.Constructor, call gojaCall) (proc if err != nil { return nil, err } + + if closer, ok := p.(processors.Closer); ok { + closer.Close() + // Script processor doesn't support releasing resources of stateful processors, + // what can lead to leaks, so prevent use of these processors. They shouldn't + // be registered. If this error happens, a processor that needs to be closed is + // being registered, this should be avoided. + // See https://github.com/elastic/beats/pull/16349 + return nil, errors.Errorf("stateful processor cannot be used in script processor, this is probably a bug: %s", p) + } + return &nativeProcessor{p}, nil } diff --git a/libbeat/processors/script/javascript/module/processor/processor_test.go b/libbeat/processors/script/javascript/module/processor/processor_test.go index 6ea66f409ff..9e958ee7035 100644 --- a/libbeat/processors/script/javascript/module/processor/processor_test.go +++ b/libbeat/processors/script/javascript/module/processor/processor_test.go @@ -23,6 +23,7 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" @@ -35,6 +36,7 @@ import ( func init() { RegisterPlugin("Mock", newMock) + RegisterPlugin("MockWithCloser", newMockWithCloser) } func testEvent() *beat.Event { @@ -67,14 +69,10 @@ function process(evt) { logp.TestingSetup() p, err := javascript.NewFromConfig(javascript.Config{Source: script}, nil) - if err != nil { - t.Fatal(err) - } + require.NoError(t, err) evt, err := p.Run(testEvent()) - if err != nil { - t.Fatal(err) - } + require.NoError(t, err) checkEvent(t, evt, "added", "new_value") } @@ -107,14 +105,10 @@ function process(evt) { logp.TestingSetup() p, err := javascript.NewFromConfig(javascript.Config{Source: script}, nil) - if err != nil { - t.Fatal(err) - } + require.NoError(t, err) evt, err := p.Run(testEvent()) - if err != nil { - t.Fatal(err) - } + require.NoError(t, err) // checking if hello world is added to the event in different languages checkEvent(t, evt, "helló", "világ") @@ -123,6 +117,22 @@ function process(evt) { checkEvent(t, evt, "hallo", "Welt") } +func TestProcessorWithCloser(t *testing.T) { + const script = ` +var processor = require('processor'); + +var processorWithCloser = new processor.MockWithCloser().Build() + +function process(evt) { + processorWithCloser.Run(evt); +} +` + + logp.TestingSetup() + _, err := javascript.NewFromConfig(javascript.Config{Source: script}, nil) + require.Error(t, err, "processor that implements Closer() shouldn't be allowed") +} + func checkEvent(t *testing.T, evt *beat.Event, key, value string) { s, err := evt.GetValue(key) assert.NoError(t, err) @@ -162,3 +172,23 @@ func (m *mockProcessor) String() string { s, _ := json.Marshal(m.fields) return fmt.Sprintf("mock=%s", s) } + +type mockProcessorWithCloser struct{} + +func newMockWithCloser(c *common.Config) (processors.Processor, error) { + return &mockProcessorWithCloser{}, nil +} + +func (m *mockProcessorWithCloser) Run(event *beat.Event) (*beat.Event, error) { + // Nothing to do, we only want this struct to implement processors.Closer + return event, nil +} + +func (m *mockProcessorWithCloser) Close() error { + // Nothing to do, we only want this struct to implement processors.Closer + return nil +} + +func (m *mockProcessorWithCloser) String() string { + return "mockWithCloser" +} diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go b/libbeat/processors/script/javascript/module/windows/doc.go similarity index 82% rename from winlogbeat/processors/script/javascript/module/winlogbeat/doc.go rename to libbeat/processors/script/javascript/module/windows/doc.go index fc782636d09..bca46a94340 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go +++ b/libbeat/processors/script/javascript/module/windows/doc.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -// Package winlogbeat registers the winlogbeat module with the javascript script -// processor. The module has utilities specific to Winlogbeat like parsing +// Package windows registers the windows module with the javascript script +// processor. The module has utilities specific to Windows like parsing // Windows command lines. -package winlogbeat +package windows diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go b/libbeat/processors/script/javascript/module/windows/windows.go similarity index 87% rename from winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go rename to libbeat/processors/script/javascript/module/windows/windows.go index dc9439c5c67..2bbe7817fad 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go +++ b/libbeat/processors/script/javascript/module/windows/windows.go @@ -17,7 +17,7 @@ // +build windows -package winlogbeat +package windows import ( "syscall" @@ -60,11 +60,11 @@ func commandLineToArgvW(in string) ([]string, error) { return args, nil } -// Require registers the winlogbeat module that has utilities specific to -// Winlogbeat like parsing Windows command lines. It can be accessed using: +// Require registers the windows module that has utilities specific to +// Windows like parsing Windows command lines. It can be accessed using: // // // javascript -// var winlogbeat = require('winlogbeat'); +// var windows = require('windows'); // func Require(vm *goja.Runtime, module *goja.Object) { o := module.Get("exports").(*goja.Object) @@ -74,9 +74,11 @@ func Require(vm *goja.Runtime, module *goja.Object) { // Enable adds path to the given runtime. func Enable(runtime *goja.Runtime) { + runtime.Set("windows", require.Require(runtime, "windows")) runtime.Set("winlogbeat", require.Require(runtime, "winlogbeat")) } func init() { + require.RegisterNativeModule("windows", Require) require.RegisterNativeModule("winlogbeat", Require) } diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go b/libbeat/processors/script/javascript/module/windows/windows_test.go similarity index 99% rename from winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go rename to libbeat/processors/script/javascript/module/windows/windows_test.go index 45c339cc1f2..be213a79ba8 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go +++ b/libbeat/processors/script/javascript/module/windows/windows_test.go @@ -17,7 +17,7 @@ // +build windows -package winlogbeat +package windows import ( "testing" diff --git a/libbeat/processors/timestamp/docs/timestamp.asciidoc b/libbeat/processors/timestamp/docs/timestamp.asciidoc index 83421c584a7..eb5ba628995 100644 --- a/libbeat/processors/timestamp/docs/timestamp.asciidoc +++ b/libbeat/processors/timestamp/docs/timestamp.asciidoc @@ -50,7 +50,7 @@ If a layout does not contain a year then the current year in the specified Here is an example that parses the `start_time` field and writes the result to the `@timestamp` field then deletes the `start_time` field. When the -processor is loaded it will immediately validate that the two `test` timestamps +processor is loaded, it will immediately validate that the two `test` timestamps parse with this configuration. [source,yaml] @@ -61,9 +61,11 @@ processors: layouts: - '2006-01-02T15:04:05Z' - '2006-01-02T15:04:05.999Z' + - '2006-01-02T15:04:05.999-07:00' test: - '2019-06-22T16:33:51Z' - '2019-11-18T04:59:51.123Z' + - '2020-08-03T07:10:20.123456+02:00' - drop_fields: fields: [start_time] ---- diff --git a/libbeat/publisher/includes/includes.go b/libbeat/publisher/includes/includes.go index e6f3ded0bee..a14dd16d3ba 100644 --- a/libbeat/publisher/includes/includes.go +++ b/libbeat/publisher/includes/includes.go @@ -27,6 +27,7 @@ import ( _ "github.com/elastic/beats/v7/libbeat/outputs/kafka" _ "github.com/elastic/beats/v7/libbeat/outputs/logstash" _ "github.com/elastic/beats/v7/libbeat/outputs/redis" + _ "github.com/elastic/beats/v7/libbeat/publisher/queue/diskqueue" _ "github.com/elastic/beats/v7/libbeat/publisher/queue/memqueue" _ "github.com/elastic/beats/v7/libbeat/publisher/queue/spool" ) diff --git a/libbeat/publisher/pipeline/client.go b/libbeat/publisher/pipeline/client.go index 2ce792ed887..edb5a3f1eb3 100644 --- a/libbeat/publisher/pipeline/client.go +++ b/libbeat/publisher/pipeline/client.go @@ -24,6 +24,7 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common/atomic" "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/processors" "github.com/elastic/beats/v7/libbeat/publisher" "github.com/elastic/beats/v7/libbeat/publisher/queue" ) @@ -164,6 +165,15 @@ func (c *client) Close() error { log.Debug("client: unlink from queue") c.unlink() log.Debug("client: done unlink") + + if c.processors != nil { + log.Debug("client: closing processors") + err := processors.Close(c.processors) + if err != nil { + log.Errorf("client: error closing processors: %v", err) + } + log.Debug("client: done closing processors") + } }) return nil } diff --git a/libbeat/publisher/pipeline/controller_test.go b/libbeat/publisher/pipeline/controller_test.go index fba98018894..1e400476a30 100644 --- a/libbeat/publisher/pipeline/controller_test.go +++ b/libbeat/publisher/pipeline/controller_test.go @@ -31,7 +31,8 @@ import ( "github.com/elastic/beats/v7/libbeat/publisher" "github.com/elastic/beats/v7/libbeat/publisher/queue" "github.com/elastic/beats/v7/libbeat/publisher/queue/memqueue" - "github.com/elastic/beats/v7/libbeat/tests/resources" + + //"github.com/elastic/beats/v7/libbeat/tests/resources" "github.com/stretchr/testify/require" ) @@ -46,8 +47,9 @@ func TestOutputReload(t *testing.T) { t.Run(name, func(t *testing.T) { testutil.SeedPRNG(t) - goroutines := resources.NewGoroutinesChecker() - defer goroutines.Check(t) + // Flaky check: https://github.com/elastic/beats/issues/21656 + //goroutines := resources.NewGoroutinesChecker() + //defer goroutines.Check(t) err := quick.Check(func(q uint) bool { numEventsToPublish := 15000 + (q % 500) // 15000 to 19999 diff --git a/libbeat/publisher/pipeline/output_test.go b/libbeat/publisher/pipeline/output_test.go index 5be34fa9436..7bde6e137ab 100644 --- a/libbeat/publisher/pipeline/output_test.go +++ b/libbeat/publisher/pipeline/output_test.go @@ -95,6 +95,8 @@ func TestMakeClientWorker(t *testing.T) { } func TestReplaceClientWorker(t *testing.T) { + t.Skip("Flaky test: https://github.com/elastic/beats/issues/17965") + tests := map[string]func(mockPublishFn) outputs.Client{ "client": newMockClient, "network_client": newMockNetworkClient, diff --git a/libbeat/publisher/processing/default.go b/libbeat/publisher/processing/default.go index b2a65642e17..f9eab88fe48 100644 --- a/libbeat/publisher/processing/default.go +++ b/libbeat/publisher/processing/default.go @@ -338,7 +338,10 @@ func (b *builder) Create(cfg beat.ProcessingConfig, drop bool) (beat.Processor, } // setup 8: pipeline processors list - processors.add(b.processors) + if b.processors != nil { + // Add the global pipeline as a function processor, so clients cannot close it + processors.add(newProcessor(b.processors.title, b.processors.Run)) + } // setup 9: time series metadata if b.timeSeries { @@ -358,6 +361,13 @@ func (b *builder) Create(cfg beat.ProcessingConfig, drop bool) (beat.Processor, return processors, nil } +func (b *builder) Close() error { + if b.processors != nil { + return b.processors.Close() + } + return nil +} + func makeClientProcessors( log *logp.Logger, cfg beat.ProcessingConfig, diff --git a/libbeat/publisher/processing/default_test.go b/libbeat/publisher/processing/default_test.go index 56dfa75bdd2..637b38cf44d 100644 --- a/libbeat/publisher/processing/default_test.go +++ b/libbeat/publisher/processing/default_test.go @@ -29,6 +29,7 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/processors" "github.com/elastic/beats/v7/libbeat/processors/actions" "github.com/elastic/ecs/code/go/ecs" ) @@ -317,6 +318,9 @@ func TestNormalization(t *testing.T) { fields.DeepUpdate(test.mod) assert.Equal(t, test.want, actual.Fields) + + err = s.Close() + require.NoError(t, err) }) } } @@ -331,6 +335,9 @@ func TestAlwaysDrop(t *testing.T) { actual, err := prog.Run(&beat.Event{}) require.NoError(t, err) assert.Nil(t, actual) + + err = s.Close() + require.NoError(t, err) } func TestDynamicFields(t *testing.T) { @@ -351,6 +358,52 @@ func TestDynamicFields(t *testing.T) { actual, err = prog.Run(&beat.Event{Fields: common.MapStr{"hello": "world"}}) require.NoError(t, err) assert.Equal(t, common.MapStr{"hello": "world", "dyn": "field"}, actual.Fields) + + err = factory.Close() + require.NoError(t, err) +} + +func TestProcessingClose(t *testing.T) { + factory, err := MakeDefaultSupport(true)(beat.Info{}, logp.L(), common.NewConfig()) + require.NoError(t, err) + + // Inject a processor in the builder that we can check if has been closed. + factoryProcessor := &processorWithClose{} + b := factory.(*builder) + if b.processors == nil { + b.processors = newGroup("global", logp.L()) + } + b.processors.add(factoryProcessor) + + clientProcessor := &processorWithClose{} + g := newGroup("test", logp.L()) + g.add(clientProcessor) + + prog, err := factory.Create(beat.ProcessingConfig{ + Processor: g, + }, false) + require.NoError(t, err) + + // Check that both processors are called + assert.False(t, factoryProcessor.called) + assert.False(t, clientProcessor.called) + _, err = prog.Run(&beat.Event{Fields: common.MapStr{"hello": "world"}}) + require.NoError(t, err) + assert.True(t, factoryProcessor.called) + assert.True(t, clientProcessor.called) + + // Check that closing the client processing pipeline doesn't close the global pipeline + assert.False(t, factoryProcessor.closed) + assert.False(t, clientProcessor.closed) + err = processors.Close(prog) + require.NoError(t, err) + assert.False(t, factoryProcessor.closed) + assert.True(t, clientProcessor.closed) + + // Check that closing the factory closes the processor in the global pipeline + err = factory.Close() + require.NoError(t, err) + assert.True(t, factoryProcessor.closed) } func fromJSON(in string) common.MapStr { @@ -361,3 +414,22 @@ func fromJSON(in string) common.MapStr { } return tmp } + +type processorWithClose struct { + closed bool + called bool +} + +func (p *processorWithClose) Run(e *beat.Event) (*beat.Event, error) { + p.called = true + return e, nil +} + +func (p *processorWithClose) Close() error { + p.closed = true + return nil +} + +func (p *processorWithClose) String() string { + return "processorWithClose" +} diff --git a/libbeat/publisher/processing/processing.go b/libbeat/publisher/processing/processing.go index 4f615fb1422..88feb62c7b2 100644 --- a/libbeat/publisher/processing/processing.go +++ b/libbeat/publisher/processing/processing.go @@ -33,6 +33,8 @@ type SupportFactory func(info beat.Info, log *logp.Logger, cfg *common.Config) ( // will merge the global and local configurations into a common event // processor. // If `drop` is set, then the processor generated must always drop all events. +// A Supporter needs to be closed with `Close()` to release its global resources. type Supporter interface { Create(cfg beat.ProcessingConfig, drop bool) (beat.Processor, error) + Close() error } diff --git a/libbeat/publisher/processing/processors.go b/libbeat/publisher/processing/processors.go index e994eef48cc..3a400d36dad 100644 --- a/libbeat/publisher/processing/processors.go +++ b/libbeat/publisher/processing/processors.go @@ -22,6 +22,8 @@ import ( "strings" "sync" + "github.com/joeshaw/multierror" + "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" @@ -77,6 +79,20 @@ func (p *group) add(processor processors.Processor) { } } +func (p *group) Close() error { + if p == nil { + return nil + } + var errs multierror.Errors + for _, processor := range p.list { + err := processors.Close(processor) + if err != nil { + errs = append(errs, err) + } + } + return errs.Err() +} + func (p *group) String() string { var s []string for _, p := range p.list { diff --git a/libbeat/publisher/queue/diskqueue/acks.go b/libbeat/publisher/queue/diskqueue/acks.go new file mode 100644 index 00000000000..ed9d7589db2 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/acks.go @@ -0,0 +1,146 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "os" + "sync" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// queuePosition represents a logical position within the queue buffer. +type queuePosition struct { + segmentID segmentID + offset segmentOffset +} + +type diskQueueACKs struct { + logger *logp.Logger + + // This lock must be held to access diskQueueACKs fields (except for + // diskQueueACKs.done, which is always safe). + lock sync.Mutex + + // The id and position of the first unacknowledged frame. + nextFrameID frameID + nextPosition queuePosition + + // If a frame has been ACKed, then frameSize[frameID] contains its size on + // disk. The size is used to track the queuePosition of the oldest + // remaining frame, which is written to disk as ACKs are received. (We do + // this to avoid duplicating events if the beat terminates without a clean + // shutdown.) + frameSize map[frameID]uint64 + + // segmentBoundaries maps the first frameID of each segment to its + // corresponding segment ID. + segmentBoundaries map[frameID]segmentID + + // When a segment has been completely acknowledged by a consumer, it sends + // the segment ID to this channel, where it is read by the core loop and + // scheduled for deletion. + segmentACKChan chan segmentID + + // An open writable file handle to the file that stores the queue position. + // This position is advanced as we receive ACKs, confirming it is safe + // to move forward, so the acking code is responsible for updating this + // file. + positionFile *os.File + + // When the queue is closed, diskQueueACKs.done is closed to signal that + // the core loop will not accept any more acked segments and any future + // ACKs should be ignored. + done chan struct{} +} + +func newDiskQueueACKs( + logger *logp.Logger, position queuePosition, positionFile *os.File, +) *diskQueueACKs { + return &diskQueueACKs{ + logger: logger, + nextFrameID: 0, + nextPosition: position, + frameSize: make(map[frameID]uint64), + segmentBoundaries: make(map[frameID]segmentID), + segmentACKChan: make(chan segmentID), + positionFile: positionFile, + done: make(chan struct{}), + } +} + +func (dqa *diskQueueACKs) addFrames(frames []*readFrame) { + dqa.lock.Lock() + defer dqa.lock.Unlock() + select { + case <-dqa.done: + // We are already done and should ignore any leftover ACKs we receive. + return + default: + } + for _, frame := range frames { + segment := frame.segment + if frame.id != 0 && frame.id == segment.firstFrameID { + // This is the first frame in its segment, mark it so we know when + // we're starting a new segment. + // + // Subtlety: we don't count the very first frame as a "boundary" even + // though it is the first frame we read from its segment. This prevents + // us from resetting our segment offset to zero, in case the initial + // offset was restored from a previous session instead of starting at + // the beginning of the first file. + dqa.segmentBoundaries[frame.id] = segment.id + } + dqa.frameSize[frame.id] = frame.bytesOnDisk + } + oldSegmentID := dqa.nextPosition.segmentID + if dqa.frameSize[dqa.nextFrameID] != 0 { + for ; dqa.frameSize[dqa.nextFrameID] != 0; dqa.nextFrameID++ { + newSegment, ok := dqa.segmentBoundaries[dqa.nextFrameID] + if ok { + // This is the start of a new segment. Remove this frame from the + // segment boundary list and set the position to the start of the + // new segment. + delete(dqa.segmentBoundaries, dqa.nextFrameID) + dqa.nextPosition = queuePosition{ + segmentID: newSegment, + offset: 0, + } + } + dqa.nextPosition.offset += segmentOffset(dqa.frameSize[dqa.nextFrameID]) + delete(dqa.frameSize, dqa.nextFrameID) + } + // We advanced the ACK position at least somewhat, so write its + // new value. + err := writeQueuePositionToHandle(dqa.positionFile, dqa.nextPosition) + if err != nil { + // TODO: Don't spam this warning on every ACK if it's a permanent error. + dqa.logger.Warnf("Couldn't save queue position: %v", err) + } + } + if oldSegmentID != dqa.nextPosition.segmentID { + // We crossed at least one segment boundary, inform the listener that + // everything before the current segment has been acknowledged (but bail + // out if our done channel has been closed, since that means there is no + // listener on the other end.) + select { + case dqa.segmentACKChan <- dqa.nextPosition.segmentID - 1: + case <-dqa.done: + } + } +} diff --git a/libbeat/publisher/queue/diskqueue/checksum.go b/libbeat/publisher/queue/diskqueue/checksum.go new file mode 100644 index 00000000000..87cdb7b1aef --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/checksum.go @@ -0,0 +1,33 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "encoding/binary" + "hash/crc32" +) + +// Computes the checksum that should be written / read in a frame footer +// based on the raw content of that frame (excluding header / footer). +func computeChecksum(data []byte) uint32 { + hash := crc32.NewIEEE() + frameLength := uint32(len(data) + frameMetadataSize) + binary.Write(hash, binary.LittleEndian, &frameLength) + hash.Write(data) + return hash.Sum32() +} diff --git a/libbeat/publisher/queue/diskqueue/config.go b/libbeat/publisher/queue/diskqueue/config.go new file mode 100644 index 00000000000..b8ef456d03d --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/config.go @@ -0,0 +1,208 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "errors" + "fmt" + "path/filepath" + "time" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgtype" + "github.com/elastic/beats/v7/libbeat/paths" + "github.com/elastic/beats/v7/libbeat/publisher/queue" +) + +// Settings contains the configuration fields to create a new disk queue +// or open an existing one. +type Settings struct { + // The path on disk of the queue's containing directory, which will be + // created if it doesn't exist. Within the directory, the queue's state + // is stored in state.dat and each segment's data is stored in + // {segmentIndex}.seg + // If blank, the default directory is "diskqueue" within the beat's data + // directory. + Path string + + // MaxBufferSize is the maximum number of bytes that the queue should + // ever occupy on disk. A value of 0 means the queue can grow until the + // disk is full (this is not recommended on a primary system disk). + MaxBufferSize uint64 + + // MaxSegmentSize is the maximum number of bytes that should be written + // to a single segment file before creating a new one. + MaxSegmentSize uint64 + + // How many events will be read from disk while waiting for a consumer + // request. + ReadAheadLimit int + + // How many events will be queued in memory waiting to be written to disk. + // This setting should rarely matter in practice, but if data is coming + // in faster than it can be written to disk for an extended period, + // this limit can keep it from overflowing memory. + WriteAheadLimit int + + // A listener that should be sent ACKs when an event is successfully + // written to disk. + WriteToDiskListener queue.ACKListener + + // RetryInterval specifies how long to wait before retrying a fatal error + // writing to disk. If MaxRetryInterval is nonzero, subsequent retries will + // use exponential backoff up to the specified limit. + RetryInterval time.Duration + MaxRetryInterval time.Duration +} + +// userConfig holds the parameters for a disk queue that are configurable +// by the end user in the beats yml file. +type userConfig struct { + Path string `config:"path"` + MaxSize cfgtype.ByteSize `config:"max_size" validate:"required"` + SegmentSize *cfgtype.ByteSize `config:"segment_size"` + + ReadAheadLimit *int `config:"read_ahead"` + WriteAheadLimit *int `config:"write_ahead"` + + RetryInterval *time.Duration `config:"retry_interval" validate:"positive"` + MaxRetryInterval *time.Duration `config:"max_retry_interval" validate:"positive"` +} + +func (c *userConfig) Validate() error { + // If the segment size is explicitly specified, the total queue size must + // be at least twice as large. + if c.SegmentSize != nil && c.MaxSize != 0 && c.MaxSize < *c.SegmentSize*2 { + return errors.New( + "Disk queue max_size must be at least twice as big as segment_size") + } + + // We require a total queue size of at least 10MB, and a segment size of + // at least 1MB. The queue can support lower thresholds, but it will perform + // terribly, so we give an explicit error in that case. + // These bounds are still extremely low for Beats ingestion, but if all you + // need is for a low-volume stream on a tiny device to persist between + // restarts, it will work fine. + if c.MaxSize != 0 && c.MaxSize < 10*1000*1000 { + return fmt.Errorf( + "Disk queue max_size (%d) cannot be less than 10MB", c.MaxSize) + } + if c.SegmentSize != nil && *c.SegmentSize < 1000*1000 { + return fmt.Errorf( + "Disk queue segment_size (%d) cannot be less than 1MB", *c.SegmentSize) + } + + if c.RetryInterval != nil && c.MaxRetryInterval != nil && + *c.MaxRetryInterval < *c.RetryInterval { + return fmt.Errorf( + "Disk queue max_retry_interval (%v) can't be less than retry_interval (%v)", + *c.MaxRetryInterval, *c.RetryInterval) + } + + return nil +} + +// DefaultSettings returns a Settings object with reasonable default values +// for all important fields. +func DefaultSettings() Settings { + return Settings{ + MaxSegmentSize: 100 * (1 << 20), // 100MiB + MaxBufferSize: (1 << 30), // 1GiB + + ReadAheadLimit: 512, + WriteAheadLimit: 2048, + + RetryInterval: 1 * time.Second, + MaxRetryInterval: 30 * time.Second, + } +} + +// SettingsForUserConfig returns a Settings struct initialized with the +// end-user-configurable settings in the given config tree. +func SettingsForUserConfig(config *common.Config) (Settings, error) { + userConfig := userConfig{} + if err := config.Unpack(&userConfig); err != nil { + return Settings{}, fmt.Errorf("parsing user config: %w", err) + } + settings := DefaultSettings() + settings.Path = userConfig.Path + + settings.MaxBufferSize = uint64(userConfig.MaxSize) + if userConfig.SegmentSize != nil { + settings.MaxSegmentSize = uint64(*userConfig.SegmentSize) + } else { + // If no value is specified, default segment size is total queue size + // divided by 10. + settings.MaxSegmentSize = uint64(userConfig.MaxSize) / 10 + } + + if userConfig.ReadAheadLimit != nil { + settings.ReadAheadLimit = *userConfig.ReadAheadLimit + } + if userConfig.WriteAheadLimit != nil { + settings.WriteAheadLimit = *userConfig.WriteAheadLimit + } + + if userConfig.RetryInterval != nil { + settings.RetryInterval = *userConfig.RetryInterval + } + if userConfig.MaxRetryInterval != nil { + settings.MaxRetryInterval = *userConfig.RetryInterval + } + + return settings, nil +} + +// +// bookkeeping helpers +// + +func (settings Settings) directoryPath() string { + if settings.Path == "" { + return paths.Resolve(paths.Data, "diskqueue") + } + return settings.Path +} + +func (settings Settings) stateFilePath() string { + return filepath.Join(settings.directoryPath(), "state.dat") +} + +func (settings Settings) segmentPath(segmentID segmentID) string { + return filepath.Join( + settings.directoryPath(), + fmt.Sprintf("%v.seg", segmentID)) +} + +func (settings Settings) maxSegmentOffset() segmentOffset { + return segmentOffset(settings.MaxSegmentSize - segmentHeaderSize) +} + +// Given a retry interval, nextRetryInterval returns the next higher level +// of backoff. +func (settings Settings) nextRetryInterval( + currentInterval time.Duration, +) time.Duration { + if settings.MaxRetryInterval > 0 { + currentInterval *= 2 + if currentInterval > settings.MaxRetryInterval { + currentInterval = settings.MaxRetryInterval + } + } + return currentInterval +} diff --git a/libbeat/publisher/queue/diskqueue/consumer.go b/libbeat/publisher/queue/diskqueue/consumer.go new file mode 100644 index 00000000000..b2922778ea5 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/consumer.go @@ -0,0 +1,114 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "fmt" + + "github.com/elastic/beats/v7/libbeat/publisher" + "github.com/elastic/beats/v7/libbeat/publisher/queue" +) + +type diskQueueConsumer struct { + queue *diskQueue + closed bool +} + +type diskQueueBatch struct { + queue *diskQueue + frames []*readFrame +} + +// +// diskQueueConsumer implementation of the queue.Consumer interface +// + +func (consumer *diskQueueConsumer) Get(eventCount int) (queue.Batch, error) { + if consumer.closed { + return nil, fmt.Errorf("Tried to read from a closed disk queue consumer") + } + + // Read at least one frame. This is guaranteed to eventually + // succeed unless the queue is closed. + frame, ok := <-consumer.queue.readerLoop.output + if !ok { + return nil, fmt.Errorf("Tried to read from a closed disk queue") + } + frames := []*readFrame{frame} +eventLoop: + for eventCount <= 0 || len(frames) < eventCount { + select { + case frame, ok := <-consumer.queue.readerLoop.output: + if !ok { + // The queue was closed while we were reading it, just send back + // what we have so far. + break eventLoop + } + frames = append(frames, frame) + default: + // We can't read any more frames without blocking, so send back + // what we have now. + break eventLoop + } + } + + // There is a mild race condition here based on queue closure: events + // written to readerLoop.output may have been buffered before the + // queue was closed, and we may be reading its leftovers afterwards. + // We could try to detect this case here by checking the + // consumer.queue.done channel, and return nothing if it's been closed. + // But this gives rise to another race: maybe the queue was + // closed _after_ we read those frames, and we _ought_ to return them + // to the reader. The queue interface doesn't specify the proper + // behavior in this case. + // + // Lacking formal requirements, we elect to be permissive: if we have + // managed to read frames, then the queue already knows and considers them + // "read," so we lose no consistency by returning them. If someone closes + // the queue while we are draining the channel, nothing changes functionally + // except that any ACKs after that point will be ignored. A well-behaved + // Beats shutdown will always ACK / close its consumers before closing the + // queue itself, so we expect this corner case not to arise in practice, but + // if it does it is innocuous. + + return &diskQueueBatch{ + queue: consumer.queue, + frames: frames, + }, nil +} + +func (consumer *diskQueueConsumer) Close() error { + consumer.closed = true + return nil +} + +// +// diskQueueBatch implementation of the queue.Batch interface +// + +func (batch *diskQueueBatch) Events() []publisher.Event { + events := make([]publisher.Event, len(batch.frames)) + for i, frame := range batch.frames { + events[i] = frame.event + } + return events +} + +func (batch *diskQueueBatch) ACK() { + batch.queue.acks.addFrames(batch.frames) +} diff --git a/libbeat/publisher/queue/diskqueue/core_loop.go b/libbeat/publisher/queue/diskqueue/core_loop.go new file mode 100644 index 00000000000..638d9da2f40 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/core_loop.go @@ -0,0 +1,457 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import "fmt" + +// This file contains the queue's "core loop" -- the central goroutine +// that owns all queue state that is not encapsulated in one of the +// self-contained helper loops. This is the only file that is allowed to +// modify the queue state after its creation, and it contains the full +// logical "state transition diagram" for queue operation. + +func (dq *diskQueue) run() { + // Wake up the reader and deleter loops if there are segments to process + // from a previous instantiation of the queue. + dq.maybeReadPending() + dq.maybeDeleteACKed() + + for { + select { + // Endpoints used by the producer / consumer API implementation. + case producerWriteRequest := <-dq.producerWriteRequestChan: + dq.handleProducerWriteRequest(producerWriteRequest) + + // After a write request, there may be data ready to send to the + // writer loop. + dq.maybeWritePending() + + case ackedSegmentID := <-dq.acks.segmentACKChan: + dq.handleSegmentACK(ackedSegmentID) + + // After receiving new ACKs, a segment might be ready to delete. + dq.maybeDeleteACKed() + + case <-dq.done: + dq.handleShutdown() + return + + // Writer loop handling + case writerLoopResponse := <-dq.writerLoop.responseChan: + dq.handleWriterLoopResponse(writerLoopResponse) + + // The writer loop completed a request, so check if there is more + // data to be sent. + dq.maybeWritePending() + + // The data that was just written is now available for reading, so check + // if we should start a new read request. + dq.maybeReadPending() + + // pendingFrames should now be empty. If any producers were blocked + // because pendingFrames hit settings.WriteAheadLimit, wake them up. + dq.maybeUnblockProducers() + + // Reader loop handling + case readerLoopResponse := <-dq.readerLoop.responseChan: + dq.handleReaderLoopResponse(readerLoopResponse) + + // If there is more data to read, start a new read request. + dq.maybeReadPending() + + // Deleter loop handling + case deleterLoopResponse := <-dq.deleterLoop.responseChan: + dq.handleDeleterLoopResponse(deleterLoopResponse) + + // If there are still files waiting to be deleted, send another request. + dq.maybeDeleteACKed() + + // If there were blocked producers waiting for more queue space, + // we might be able to unblock them now. + dq.maybeUnblockProducers() + } + } +} + +func (dq *diskQueue) handleProducerWriteRequest(request producerWriteRequest) { + // Pathological case checking: make sure the incoming frame isn't bigger + // than an entire segment all by itself (as long as it isn't, it is + // guaranteed to eventually enter the queue assuming no disk errors). + frameSize := request.frame.sizeOnDisk() + if dq.settings.MaxSegmentSize < frameSize { + dq.logger.Warnf( + "Rejecting event with size %v because the maximum segment size is %v", + frameSize, dq.settings.MaxSegmentSize) + request.responseChan <- false + return + } + + // If no one else is blocked waiting for queue capacity, and there is + // enough space, then we add the new frame and report success. + // Otherwise, we either add to the end of blockedProducers to wait for + // the requested space or report immediate failure, depending on the + // producer settings. + if len(dq.blockedProducers) == 0 && dq.canAcceptFrameOfSize(frameSize) { + // There is enough space for the new frame! Add it to the + // pending list and report success, then dispatch it to the + // writer loop if no other requests are outstanding. + dq.enqueueWriteFrame(request.frame) + request.responseChan <- true + } else { + // The queue is too full. Either add the request to blockedProducers, + // or send an immediate reject. + if request.shouldBlock { + dq.blockedProducers = append(dq.blockedProducers, request) + } else { + request.responseChan <- false + } + } +} + +func (dq *diskQueue) handleWriterLoopResponse(response writerLoopResponse) { + dq.writing = false + + // The writer loop response contains the number of bytes written to + // each segment that appeared in the request. Entries always appear in + // the same sequence as (the beginning of) segments.writing. + for index, bytesWritten := range response.bytesWritten { + // Update the segment with its new size. + dq.segments.writing[index].endOffset += segmentOffset(bytesWritten) + } + + // If there is more than one segment in the response, then all but the + // last have been closed and are ready to move to the reading list. + closedCount := len(response.bytesWritten) - 1 + if closedCount > 0 { + // Remove the prefix of the writing array and append to to reading. + closedSegments := dq.segments.writing[:closedCount] + dq.segments.writing = dq.segments.writing[closedCount:] + dq.segments.reading = + append(dq.segments.reading, closedSegments...) + } +} + +func (dq *diskQueue) handleReaderLoopResponse(response readerLoopResponse) { + dq.reading = false + + // Advance the frame / offset based on what was just completed. + dq.segments.nextReadFrameID += frameID(response.frameCount) + dq.segments.nextReadOffset += segmentOffset(response.byteCount) + + var segment *queueSegment + if len(dq.segments.reading) > 0 { + // A segment is finished if we have read all the data, or + // the read response reports an error. + // Segments in the reading list have been completely written, + // so we can rely on their endOffset field to determine their size. + segment = dq.segments.reading[0] + if dq.segments.nextReadOffset >= segment.endOffset || response.err != nil { + dq.segments.reading = dq.segments.reading[1:] + dq.segments.acking = append(dq.segments.acking, segment) + dq.segments.nextReadOffset = 0 + } + } else { + // A segment in the writing list can't be finished writing, + // so we don't check the endOffset. + segment = dq.segments.writing[0] + } + segment.framesRead = uint64(dq.segments.nextReadFrameID - segment.firstFrameID) + + // If there was an error, report it. + if response.err != nil { + dq.logger.Errorf( + "Error reading segment file %s: %v", + dq.settings.segmentPath(segment.id), response.err) + } +} + +func (dq *diskQueue) handleDeleterLoopResponse(response deleterLoopResponse) { + dq.deleting = false + newAckedSegments := []*queueSegment{} + errors := []error{} + for i, err := range response.results { + if err != nil { + // This segment had an error, so it stays in the acked list. + newAckedSegments = append(newAckedSegments, dq.segments.acked[i]) + errors = append(errors, + fmt.Errorf("Couldn't delete segment %d: %w", + dq.segments.acked[i].id, err)) + } + } + if len(dq.segments.acked) > len(response.results) { + // Preserve any new acked segments that were added during the deletion + // request. + tail := dq.segments.acked[len(response.results):] + newAckedSegments = append(newAckedSegments, tail...) + } + dq.segments.acked = newAckedSegments + if len(errors) > 0 { + dq.logger.Errorw("Deleting segment files", "errors", errors) + } +} + +func (dq *diskQueue) handleSegmentACK(ackedSegmentID segmentID) { + acking := dq.segments.acking + if len(acking) == 0 { + return + } + ackedSegmentCount := 0 + for ; ackedSegmentCount < len(acking); ackedSegmentCount++ { + if acking[ackedSegmentCount].id > ackedSegmentID { + // This segment has not been acked yet, we're done. + break + } + } + if ackedSegmentCount > 0 { + // Move fully acked segments to the acked list and remove them + // from the acking list. + dq.segments.acked = + append(dq.segments.acked, acking[:ackedSegmentCount]...) + dq.segments.acking = acking[ackedSegmentCount:] + } +} + +func (dq *diskQueue) handleShutdown() { + // Shutdown: first, we wait for any outstanding requests to complete, to + // make sure the helper loops are idle and all state is finalized, then + // we do final cleanup and write our position to disk. + + // Close the reader loop's request channel to signal an abort in case it's + // still processing a request (we don't need any more frames). + // We still wait for acknowledgement afterwards: if there is a request in + // progress, it's possible that a consumer already read and acknowledged + // some of its data, so we want the final metadata before we write our + // closing state. + close(dq.readerLoop.requestChan) + if dq.reading { + response := <-dq.readerLoop.responseChan + dq.handleReaderLoopResponse(response) + } + + // We are assured by our callers within Beats that we will not be sent a + // shutdown signal until all our producers have been finalized / + // shut down -- thus, there should be no writer requests outstanding, and + // writerLoop.requestChan should be idle. But just in case (and in + // particular to handle the case where a request is stuck retrying a fatal + // error), we signal abort by closing the request channel, and read the + // final state if there is any. + close(dq.writerLoop.requestChan) + if dq.writing { + response := <-dq.writerLoop.responseChan + dq.handleWriterLoopResponse(response) + } + + // We let the deleter loop finish its current request, but we don't send + // the abort signal yet, since we might want to do one last deletion + // after checking the final consumer ACK state. + if dq.deleting { + response := <-dq.deleterLoop.responseChan + dq.handleDeleterLoopResponse(response) + } + + // If there are any blocked producers still hoping for space to open up + // in the queue, send them the bad news. + for _, request := range dq.blockedProducers { + request.responseChan <- false + } + dq.blockedProducers = nil + + // The reader and writer loops are now shut down, and the deleter loop is + // idle. The remaining cleanup is in finalizing the read position in the + // queue (the first event that hasn't been acknowledged by consumers), and + // in deleting any older segment files that may be left. + // + // Events read by consumers have been accumulating their ACK data in + // dq.acks. During regular operation the core loop is not allowed to use + // this data, since it requires holding a mutex, but during shutdown we're + // allowed to block to acquire it. However, we still must close its done + // channel first, otherwise the lock may be held by a consumer that is + // blocked trying to send us a message we're no longer listening to... + close(dq.acks.done) + dq.acks.lock.Lock() + finalPosition := dq.acks.nextPosition + // We won't be updating the position anymore, so we can close the file. + dq.acks.positionFile.Sync() + dq.acks.positionFile.Close() + dq.acks.lock.Unlock() + + // First check for the rare and fortunate case that every single event we + // wrote to the queue was ACKed. In this case it is safe to delete + // everything up to and including the current segment. Otherwise, we only + // delete things before the current segment. + if len(dq.segments.writing) > 0 && + finalPosition.segmentID == dq.segments.writing[0].id && + finalPosition.offset >= dq.segments.writing[0].endOffset { + dq.handleSegmentACK(finalPosition.segmentID) + } else if finalPosition.segmentID > 0 { + dq.handleSegmentACK(finalPosition.segmentID - 1) + } + + // Do one last round of deletions, then shut down the deleter loop. + dq.maybeDeleteACKed() + if dq.deleting { + response := <-dq.deleterLoop.responseChan + dq.handleDeleterLoopResponse(response) + } + close(dq.deleterLoop.requestChan) +} + +// If the pendingFrames list is nonempty, and there are no outstanding +// requests to the writer loop, send the next batch of frames. +func (dq *diskQueue) maybeWritePending() { + if dq.writing || len(dq.pendingFrames) == 0 { + // Nothing to do right now + return + } + // Remove everything from pendingFrames and forward it to the writer loop. + frames := dq.pendingFrames + dq.pendingFrames = nil + + dq.writerLoop.requestChan <- writerLoopRequest{ + frames: frames, + } + dq.writing = true +} + +// Returns the active read segment, or nil if there is none. +func (segments *diskQueueSegments) readingSegment() *queueSegment { + if len(segments.reading) > 0 { + return segments.reading[0] + } + if len(segments.writing) > 0 { + return segments.writing[0] + } + return nil +} + +// If the reading list is nonempty, and there are no outstanding read +// requests, send one. +func (dq *diskQueue) maybeReadPending() { + if dq.reading { + // A read request is already pending + return + } + segment := dq.segments.readingSegment() + if segment == nil || + dq.segments.nextReadOffset >= segmentOffset(segment.endOffset) { + // Nothing to read + return + } + if dq.segments.nextReadOffset == 0 { + // If we're reading the beginning of this segment, assign its firstFrameID. + segment.firstFrameID = dq.segments.nextReadFrameID + } + request := readerLoopRequest{ + segment: segment, + startFrameID: dq.segments.nextReadFrameID, + startOffset: dq.segments.nextReadOffset, + endOffset: segment.endOffset, + } + dq.readerLoop.requestChan <- request + dq.reading = true +} + +// If the acked list is nonempty, and there are no outstanding deletion +// requests, send one. +func (dq *diskQueue) maybeDeleteACKed() { + if !dq.deleting && len(dq.segments.acked) > 0 { + dq.deleterLoop.requestChan <- deleterLoopRequest{ + segments: dq.segments.acked} + dq.deleting = true + } +} + +// maybeUnblockProducers checks whether the queue has enough free space +// to accept any of the requests in the blockedProducers list, and if so +// accepts them in order and updates the list. +func (dq *diskQueue) maybeUnblockProducers() { + unblockedCount := 0 + for _, request := range dq.blockedProducers { + if !dq.canAcceptFrameOfSize(request.frame.sizeOnDisk()) { + // Not enough space for this frame, we're done. + break + } + // Add the frame to pendingFrames and report success. + dq.enqueueWriteFrame(request.frame) + request.responseChan <- true + unblockedCount++ + } + if unblockedCount > 0 { + dq.blockedProducers = dq.blockedProducers[unblockedCount:] + } +} + +// enqueueWriteFrame determines which segment an incoming frame should be +// written to and adds the resulting segmentedFrame to pendingFrames. +func (dq *diskQueue) enqueueWriteFrame(frame *writeFrame) { + // Start with the most recent writing segment if there is one. + var segment *queueSegment + if len(dq.segments.writing) > 0 { + segment = dq.segments.writing[len(dq.segments.writing)-1] + } + frameLen := segmentOffset(frame.sizeOnDisk()) + // If segment is nil, or the new segment exceeds its bounds, + // we need to create a new writing segment. + if segment == nil || + dq.segments.nextWriteOffset+frameLen > dq.settings.maxSegmentOffset() { + segment = &queueSegment{id: dq.segments.nextID} + dq.segments.writing = append(dq.segments.writing, segment) + dq.segments.nextID++ + dq.segments.nextWriteOffset = 0 + } + + dq.segments.nextWriteOffset += frameLen + dq.pendingFrames = append(dq.pendingFrames, segmentedFrame{ + frame: frame, + segment: segment, + }) +} + +// canAcceptFrameOfSize checks whether there is enough free space in the queue +// (subject to settings.{MaxBufferSize, WriteAheadLimit}) to accept a new +// frame with the given size. Size includes both the serialized data and the +// frame header / footer; the easy way to do this for a writeFrame is to pass +// in frame.sizeOnDisk(). +// Capacity calculations do not include requests in the blockedProducers +// list (that data is owned by its callers and we can't touch it until +// we are ready to respond). That allows this helper to be used both while +// handling producer requests and while deciding whether to unblock +// producers after free capacity increases. +func (dq *diskQueue) canAcceptFrameOfSize(frameSize uint64) bool { + // If pendingFrames is already at the WriteAheadLimit, we can't accept + // any new frames right now. + if len(dq.pendingFrames) >= dq.settings.WriteAheadLimit { + return false + } + + // If the queue size is unbounded (max == 0), we accept. + if dq.settings.MaxBufferSize == 0 { + return true + } + + // Compute the current queue size. We accept if there is enough capacity + // left in the queue after accounting for the existing segments and the + // pending writes that were already accepted. + pendingBytes := uint64(0) + for _, request := range dq.pendingFrames { + pendingBytes += request.frame.sizeOnDisk() + } + currentSize := pendingBytes + dq.segments.sizeOnDisk() + + return currentSize+frameSize <= dq.settings.MaxBufferSize +} diff --git a/libbeat/publisher/queue/diskqueue/core_loop_test.go b/libbeat/publisher/queue/diskqueue/core_loop_test.go new file mode 100644 index 00000000000..b5f0d301d15 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/core_loop_test.go @@ -0,0 +1,94 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import "testing" + +func TestProducerWriteRequest(t *testing.T) { + dq := &diskQueue{settings: DefaultSettings()} + frame := &writeFrame{ + serialized: make([]byte, 100), + } + request := producerWriteRequest{ + frame: frame, + shouldBlock: true, + responseChan: make(chan bool, 1), + } + dq.handleProducerWriteRequest(request) + + // The request inserts 100 bytes into an empty queue, so it should succeed. + // We expect: + // - the response channel should contain the value true + // - the frame should be added to pendingFrames and assigned to + // segment 0. + success, ok := <-request.responseChan + if !ok { + t.Error("Expected a response from the producer write request.") + } + if !success { + t.Error("Expected write request to succeed") + } + + if len(dq.pendingFrames) != 1 { + t.Error("Expected 1 pending frame after a write request.") + } + if dq.pendingFrames[0].frame != frame { + t.Error("Expected pendingFrames to contain the new frame.") + } + if dq.pendingFrames[0].segment.id != 0 { + t.Error("Expected new frame to be assigned to segment 0.") + } +} + +func TestHandleWriterLoopResponse(t *testing.T) { + // Initialize the queue with two writing segments only. + dq := &diskQueue{ + settings: DefaultSettings(), + segments: diskQueueSegments{ + writing: []*queueSegment{ + {id: 1}, + {id: 2}, + }, + }, + } + // This response says that the writer loop wrote 200 bytes to the first + // segment and 100 bytes to the second. + dq.handleWriterLoopResponse(writerLoopResponse{ + bytesWritten: []int64{200, 100}, + }) + + // After the response is handled, we expect: + // - Each segment's endOffset should be incremented by the bytes written + // - Segment 1 should be moved to the reading list (because all but the + // last segment in a writer loop response has been closed) + // - Segment 2 should remain in the writing list + if len(dq.segments.reading) != 1 || dq.segments.reading[0].id != 1 { + t.Error("Expected segment 1 to move to the reading list") + } + if len(dq.segments.writing) != 1 || dq.segments.writing[0].id != 2 { + t.Error("Expected segment 2 to remain in the writing list") + } + if dq.segments.reading[0].endOffset != 200 { + t.Errorf("Expected segment 1 endOffset 200, got %d", + dq.segments.reading[0].endOffset) + } + if dq.segments.writing[0].endOffset != 100 { + t.Errorf("Expected segment 2 endOffset 100, got %d", + dq.segments.writing[0].endOffset) + } +} diff --git a/libbeat/publisher/queue/diskqueue/deleter_loop.go b/libbeat/publisher/queue/diskqueue/deleter_loop.go new file mode 100644 index 00000000000..3948d200cbc --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/deleter_loop.go @@ -0,0 +1,104 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "errors" + "os" + "time" +) + +type deleterLoop struct { + // The settings for the queue that created this loop. + settings Settings + + // When one or more segments are ready to delete, they are sent to + // requestChan. At most one deleteRequest may be outstanding at any time. + requestChan chan deleterLoopRequest + + // When a request has been completely processed, a response is sent on + // responseChan. If at least one deletion was successful, the response + // is sent immediately. Otherwise, the deleter loop delays for + // queueSettings.RetryWriteInterval before returning, so timed retries + // don't have to be handled by the core loop. + responseChan chan deleterLoopResponse +} + +type deleterLoopRequest struct { + segments []*queueSegment +} + +type deleterLoopResponse struct { + results []error +} + +func newDeleterLoop(settings Settings) *deleterLoop { + return &deleterLoop{ + settings: settings, + + requestChan: make(chan deleterLoopRequest, 1), + responseChan: make(chan deleterLoopResponse), + } +} + +func (dl *deleterLoop) run() { + currentRetryInterval := dl.settings.RetryInterval + for { + request, ok := <-dl.requestChan + if !ok { + // The channel has been closed, time to shut down. + return + } + results := []error{} + deletedCount := 0 + for _, segment := range request.segments { + path := dl.settings.segmentPath(segment.id) + err := os.Remove(path) + // We ignore errors caused by the file not existing: this shouldn't + // happen, but it is still safe to report it as successfully removed. + if err == nil || errors.Is(err, os.ErrNotExist) { + deletedCount++ + results = append(results, nil) + } else { + results = append(results, err) + } + } + if len(request.segments) > 0 && deletedCount == 0 { + // If we were asked to delete segments but could not delete + // _any_ of them, we haven't made progress. Returning an error + // will log the issue and retry, but in this situation we + // want to delay before retrying. The core loop itself can't + // delay (it can never sleep or block), so we handle the + // delay here, by waiting before sending the result. + // The delay can be interrupted if the request channel is closed, + // indicating queue shutdown. + select { + case <-time.After(currentRetryInterval): + case <-dl.requestChan: + } + currentRetryInterval = + dl.settings.nextRetryInterval(currentRetryInterval) + } else { + // If we made progress, reset the retry interval. + currentRetryInterval = dl.settings.RetryInterval + } + dl.responseChan <- deleterLoopResponse{ + results: results, + } + } +} diff --git a/libbeat/publisher/queue/diskqueue/frames.go b/libbeat/publisher/queue/diskqueue/frames.go new file mode 100644 index 00000000000..02571a65ce9 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/frames.go @@ -0,0 +1,72 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import "github.com/elastic/beats/v7/libbeat/publisher" + +// Every data frame read from the queue is assigned a unique sequential +// integer, which is used to keep track of which frames have been +// acknowledged. +// This id is not stable between restarts; the value 0 is always assigned +// to the oldest remaining frame on startup. +type frameID uint64 + +// A data frame created through the producer API and waiting to be +// written to disk. +type writeFrame struct { + // The event, serialized for writing to disk and wrapped in a frame + // header / footer. + serialized []byte + + // The producer that created this frame. This is included in the + // frame structure itself because we may need the producer and / or + // its config at any time up until it has been completely written: + // - While the core loop is tracking frames to send to the writer, + // it may receive a Cancel request, which requires us to know + // the producer / config each frame came from. + // - After the writer loop has finished writing the frame to disk, + // it needs to call the ACK function specified in ProducerConfig. + producer *diskQueueProducer +} + +// A frame that has been read from disk and is waiting to be read / +// acknowledged through the consumer API. +type readFrame struct { + // The segment containing this frame. + segment *queueSegment + + // The id of this frame. + id frameID + + // The event decoded from the data frame. + event publisher.Event + + // How much space this frame occupied on disk (before deserialization), + // including the frame header / footer. + bytesOnDisk uint64 +} + +// Each data frame has a 32-bit length in the header, and a 32-bit checksum +// and a duplicate 32-bit length in the footer. +const frameHeaderSize = 4 +const frameFooterSize = 8 +const frameMetadataSize = frameHeaderSize + frameFooterSize + +func (frame writeFrame) sizeOnDisk() uint64 { + return uint64(len(frame.serialized) + frameMetadataSize) +} diff --git a/libbeat/publisher/queue/diskqueue/producer.go b/libbeat/publisher/queue/diskqueue/producer.go new file mode 100644 index 00000000000..f4ff4ef2706 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/producer.go @@ -0,0 +1,109 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "github.com/elastic/beats/v7/libbeat/publisher" + "github.com/elastic/beats/v7/libbeat/publisher/queue" +) + +type diskQueueProducer struct { + // The disk queue that created this producer. + queue *diskQueue + + // The configuration this producer was created with. + config queue.ProducerConfig + + encoder *eventEncoder + + // When a producer is cancelled, cancelled is set to true and the done + // channel is closed. (We could get by with just a done channel, but we + // need to make sure that calling Cancel repeatedly doesn't close an + // already-closed channel, which would panic.) + cancelled bool + done chan struct{} +} + +// A request sent from a producer to the core loop to add a frame to the queue. +type producerWriteRequest struct { + frame *writeFrame + shouldBlock bool + responseChan chan bool +} + +// +// diskQueueProducer implementation of the queue.Producer interface +// + +func (producer *diskQueueProducer) Publish(event publisher.Event) bool { + return producer.publish(event, true) +} + +func (producer *diskQueueProducer) TryPublish(event publisher.Event) bool { + return producer.publish(event, false) +} + +func (producer *diskQueueProducer) publish( + event publisher.Event, shouldBlock bool, +) bool { + if producer.cancelled { + return false + } + serialized, err := producer.encoder.encode(&event) + if err != nil { + producer.queue.logger.Errorf( + "Couldn't serialize incoming event: %v", err) + return false + } + request := producerWriteRequest{ + frame: &writeFrame{ + serialized: serialized, + producer: producer, + }, + shouldBlock: shouldBlock, + // This response channel will be used by the core loop, so it must have + // buffer size 1 to guarantee that the core loop will not need to block. + responseChan: make(chan bool, 1), + } + + select { + case producer.queue.producerWriteRequestChan <- request: + // The request has been sent, and we are now guaranteed to get a result on + // the response channel, so we must read from it immediately to avoid + // blocking the core loop. + response := <-request.responseChan + return response + case <-producer.queue.done: + return false + case <-producer.done: + return false + } +} + +func (producer *diskQueueProducer) Cancel() int { + if producer.cancelled { + return 0 + } + producer.cancelled = true + close(producer.done) + + // TODO (possibly?): message the core loop to remove any pending events that + // were sent through this producer. If we do, return the number of cancelled + // events here instead of zero. + return 0 +} diff --git a/libbeat/publisher/queue/diskqueue/queue.go b/libbeat/publisher/queue/diskqueue/queue.go new file mode 100644 index 00000000000..5f756996e5f --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/queue.go @@ -0,0 +1,249 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "errors" + "fmt" + "os" + "sync" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/feature" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/publisher/queue" +) + +// diskQueue is the internal type representing a disk-based implementation +// of queue.Queue. +type diskQueue struct { + logger *logp.Logger + settings Settings + + // Metadata related to the segment files. + segments diskQueueSegments + + // Metadata related to consumer acks / positions of the oldest remaining + // frame. + acks *diskQueueACKs + + // The queue's helper loops, each of which is run in its own goroutine. + readerLoop *readerLoop + writerLoop *writerLoop + deleterLoop *deleterLoop + + // Wait group for shutdown of the goroutines associated with this queue: + // reader loop, writer loop, deleter loop, and core loop (diskQueue.run()). + waitGroup sync.WaitGroup + + // writing is true if the writer loop is processing a request, false + // otherwise. + writing bool + + // reading is true if the reader loop is processing a request, false + // otherwise. + reading bool + + // deleting is true if the deleter loop is processing a request, false + // otherwise. + deleting bool + + // The API channel used by diskQueueProducer to write events. + producerWriteRequestChan chan producerWriteRequest + + // pendingFrames is a list of all incoming data frames that have been + // accepted by the queue and are waiting to be sent to the writer loop. + // Segment ids in this list always appear in sorted order, even between + // requests (that is, a frame added to this list always has segment id + // at least as high as every previous frame that has ever been added). + pendingFrames []segmentedFrame + + // blockedProducers is a list of all producer write requests that are + // waiting for free space in the queue. + blockedProducers []producerWriteRequest + + // The channel to signal our goroutines to shut down. + done chan struct{} +} + +func init() { + queue.RegisterQueueType( + "disk", + queueFactory, + feature.MakeDetails( + "Disk queue", + "Buffer events on disk before sending to the output.", + feature.Beta)) +} + +// queueFactory matches the queue.Factory interface, and is used to add the +// disk queue to the registry. +func queueFactory( + ackListener queue.ACKListener, logger *logp.Logger, cfg *common.Config, +) (queue.Queue, error) { + settings, err := SettingsForUserConfig(cfg) + if err != nil { + return nil, fmt.Errorf("disk queue couldn't load user config: %w", err) + } + settings.WriteToDiskListener = ackListener + return NewQueue(logger, settings) +} + +// NewQueue returns a disk-based queue configured with the given logger +// and settings, creating it if it doesn't exist. +func NewQueue(logger *logp.Logger, settings Settings) (queue.Queue, error) { + logger = logger.Named("diskqueue") + logger.Debugf( + "Initializing disk queue at path %v", settings.directoryPath()) + + if settings.MaxBufferSize > 0 && + settings.MaxBufferSize < settings.MaxSegmentSize*2 { + return nil, fmt.Errorf( + "disk queue buffer size (%v) must be at least "+ + "twice the segment size (%v)", + settings.MaxBufferSize, settings.MaxSegmentSize) + } + + // Create the given directory path if it doesn't exist. + err := os.MkdirAll(settings.directoryPath(), os.ModePerm) + if err != nil { + return nil, fmt.Errorf("couldn't create disk queue directory: %w", err) + } + + // Load the previous queue position, if any. + nextReadPosition, err := queuePositionFromPath(settings.stateFilePath()) + if err != nil && !errors.Is(err, os.ErrNotExist) { + // Errors reading / writing the position are non-fatal -- we just log a + // warning and fall back on the oldest existing segment, if any. + logger.Warnf("Couldn't load most recent queue position: %v", err) + } + positionFile, err := os.OpenFile( + settings.stateFilePath(), os.O_WRONLY|os.O_CREATE, 0600) + if err != nil { + // This is not the _worst_ error: we could try operating even without a + // position file. But it indicates a problem with the queue permissions on + // disk, which keeps us from tracking our position within the segment files + // and could also prevent us from creating new ones, so we treat this as a + // fatal error on startup rather than quietly providing degraded + // performance. + return nil, fmt.Errorf("couldn't write to state file: %v", err) + } + + // Index any existing data segments to be placed in segments.reading. + initialSegments, err := scanExistingSegments(settings.directoryPath()) + if err != nil { + return nil, err + } + var nextSegmentID segmentID + if len(initialSegments) > 0 { + // Initialize nextSegmentID to the first ID after the existing segments. + lastID := initialSegments[len(initialSegments)-1].id + nextSegmentID = lastID + 1 + } + + // If any of the initial segments are older than the current queue + // position, move them directly to the acked list where they can be + // deleted. + ackedSegments := []*queueSegment{} + readSegmentID := nextReadPosition.segmentID + for len(initialSegments) > 0 && initialSegments[0].id < readSegmentID { + ackedSegments = append(ackedSegments, initialSegments[0]) + initialSegments = initialSegments[1:] + } + + // If the queue position is older than all existing segments, advance + // it to the beginning of the first one. + if len(initialSegments) > 0 && readSegmentID < initialSegments[0].id { + nextReadPosition = queuePosition{segmentID: initialSegments[0].id} + } + + queue := &diskQueue{ + logger: logger, + settings: settings, + + segments: diskQueueSegments{ + reading: initialSegments, + nextID: nextSegmentID, + nextReadOffset: nextReadPosition.offset, + }, + + acks: newDiskQueueACKs(logger, nextReadPosition, positionFile), + + readerLoop: newReaderLoop(settings), + writerLoop: newWriterLoop(logger, settings), + deleterLoop: newDeleterLoop(settings), + + producerWriteRequestChan: make(chan producerWriteRequest), + + done: make(chan struct{}), + } + + // We wait for four goroutines on shutdown: core loop, reader loop, + // writer loop, deleter loop. + queue.waitGroup.Add(4) + + // Start the goroutines and return the queue! + go func() { + queue.readerLoop.run() + queue.waitGroup.Done() + }() + go func() { + queue.writerLoop.run() + queue.waitGroup.Done() + }() + go func() { + queue.deleterLoop.run() + queue.waitGroup.Done() + }() + go func() { + queue.run() + queue.waitGroup.Done() + }() + + return queue, nil +} + +// +// diskQueue implementation of the queue.Queue interface +// + +func (dq *diskQueue) Close() error { + // Closing the done channel signals to the core loop that it should + // shut down the other helper goroutines and wrap everything up. + close(dq.done) + dq.waitGroup.Wait() + + return nil +} + +func (dq *diskQueue) BufferConfig() queue.BufferConfig { + return queue.BufferConfig{MaxEvents: 0} +} + +func (dq *diskQueue) Producer(cfg queue.ProducerConfig) queue.Producer { + return &diskQueueProducer{ + queue: dq, + config: cfg, + encoder: newEventEncoder(), + done: make(chan struct{}), + } +} + +func (dq *diskQueue) Consumer() queue.Consumer { + return &diskQueueConsumer{queue: dq} +} diff --git a/libbeat/publisher/queue/diskqueue/reader_loop.go b/libbeat/publisher/queue/diskqueue/reader_loop.go new file mode 100644 index 00000000000..dc2bb95777f --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/reader_loop.go @@ -0,0 +1,247 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "encoding/binary" + "fmt" + "os" +) + +type readerLoopRequest struct { + segment *queueSegment + startOffset segmentOffset + startFrameID frameID + endOffset segmentOffset +} + +type readerLoopResponse struct { + // The number of frames successfully read from the requested segment file. + frameCount uint64 + + // The number of bytes successfully read from the requested segment file. + byteCount uint64 + + // If there was an error in the segment file (i.e. inconsistent data), the + // err field is set. + err error +} + +type readerLoop struct { + // The settings for the queue that created this loop. + settings Settings + + // When there is a block available for reading, it will be sent to + // requestChan. When the reader loop has finished processing it, it + // sends the result to finishedReading. If there is more than one block + // available for reading, the core loop will wait until it gets a + // finishedReadingMessage before it + requestChan chan readerLoopRequest + responseChan chan readerLoopResponse + + // Frames that have been read from disk are sent to this channel. + // Unlike most of the queue's API channels, this one is buffered to allow + // the reader to read ahead and cache pending frames before a consumer + // explicitly requests them. + output chan *readFrame + + // The helper object to deserialize binary blobs from the queue into + // publisher.Event objects that can be returned in a readFrame. + decoder *eventDecoder +} + +func newReaderLoop(settings Settings) *readerLoop { + return &readerLoop{ + settings: settings, + + requestChan: make(chan readerLoopRequest, 1), + responseChan: make(chan readerLoopResponse), + output: make(chan *readFrame, settings.ReadAheadLimit), + decoder: newEventDecoder(), + } +} + +func (rl *readerLoop) run() { + for { + request, ok := <-rl.requestChan + if !ok { + // The channel is closed, we are shutting down. + close(rl.output) + return + } + response := rl.processRequest(request) + rl.responseChan <- response + } +} + +func (rl *readerLoop) processRequest(request readerLoopRequest) readerLoopResponse { + frameCount := uint64(0) + byteCount := uint64(0) + nextFrameID := request.startFrameID + + // Open the file and seek to the starting position. + handle, err := request.segment.getReader(rl.settings) + if err != nil { + return readerLoopResponse{err: err} + } + defer handle.Close() + _, err = handle.Seek(segmentHeaderSize+int64(request.startOffset), 0) + if err != nil { + return readerLoopResponse{err: err} + } + + targetLength := uint64(request.endOffset - request.startOffset) + for { + remainingLength := targetLength - byteCount + + // Try to read the next frame, clipping to the given bound. + // If the next frame extends past this boundary, nextFrame will return + // an error. + frame, err := rl.nextFrame(handle, remainingLength) + if frame != nil { + // Add the segment / frame ID, which nextFrame leaves blank. + frame.segment = request.segment + frame.id = nextFrameID + nextFrameID++ + // We've read the frame, try sending it to the output channel. + select { + case rl.output <- frame: + // Successfully sent! Increment the total for this request. + frameCount++ + byteCount += frame.bytesOnDisk + case <-rl.requestChan: + // Since we haven't sent a finishedReading message yet, we can only + // reach this case when the nextReadBlock channel is closed, indicating + // queue shutdown. In this case we immediately return. + return readerLoopResponse{ + frameCount: frameCount, + byteCount: byteCount, + err: nil, + } + } + } + + // We are done with this request if: + // - there was an error reading the frame, + // - there are no more frames to read, or + // - we have reached the end of the requested region + if err != nil || frame == nil || byteCount >= targetLength { + return readerLoopResponse{ + frameCount: frameCount, + byteCount: byteCount, + err: err, + } + } + + // If the output channel's buffer is not full, the previous select + // might not recognize when the queue is being closed, so check that + // again separately before we move on to the next data frame. + select { + case <-rl.requestChan: + return readerLoopResponse{ + frameCount: frameCount, + byteCount: byteCount, + err: nil, + } + default: + } + } +} + +// nextFrame reads and decodes one frame from the given file handle, as long +// it does not exceed the given length bound. The returned frame leaves the +// segment and frame IDs unset. +func (rl *readerLoop) nextFrame( + handle *os.File, maxLength uint64, +) (*readFrame, error) { + // Ensure we are allowed to read the frame header. + if maxLength < frameHeaderSize { + return nil, fmt.Errorf( + "Can't read next frame: remaining length %d is too low", maxLength) + } + // Wrap the handle to retry non-fatal errors and always return the full + // requested data length if possible. + reader := autoRetryReader{handle} + var frameLength uint32 + err := binary.Read(reader, binary.LittleEndian, &frameLength) + if err != nil { + return nil, fmt.Errorf("Couldn't read data frame header: %w", err) + } + + // If the frame extends past the area we were told to read, return an error. + // This should never happen unless the segment file is corrupted. + if maxLength < uint64(frameLength) { + return nil, fmt.Errorf( + "Can't read next frame: frame size is %d but remaining data is only %d", + frameLength, maxLength) + } + if frameLength <= frameMetadataSize { + // Valid enqueued data must have positive length + return nil, fmt.Errorf( + "Data frame with no data (length %d)", frameLength) + } + + // Read the actual frame data + dataLength := frameLength - frameMetadataSize + bytes := rl.decoder.Buffer(int(dataLength)) + _, err = reader.Read(bytes) + if err != nil { + return nil, fmt.Errorf("Couldn't read data frame content: %w", err) + } + + // Read the footer (checksum + duplicate length) + var checksum uint32 + err = binary.Read(reader, binary.LittleEndian, &checksum) + if err != nil { + return nil, fmt.Errorf("Couldn't read data frame checksum: %w", err) + } + expected := computeChecksum(bytes) + if checksum != expected { + return nil, fmt.Errorf( + "Data frame checksum mismatch (%x != %x)", checksum, expected) + } + + var duplicateLength uint32 + err = binary.Read(reader, binary.LittleEndian, &duplicateLength) + if err != nil { + return nil, fmt.Errorf("Couldn't read data frame footer: %w", err) + } + if duplicateLength != frameLength { + return nil, fmt.Errorf( + "Inconsistent data frame length (%d vs %d)", + frameLength, duplicateLength) + } + + event, err := rl.decoder.Decode() + if err != nil { + // Unlike errors in the segment or frame metadata, this is entirely + // a problem in the event [de]serialization which may be isolated (i.e. + // may not indicate data corruption in the segment). + // TODO: Rather than pass this error back to the read request, which + // discards the rest of the segment, we should just log the error and + // advance to the next frame, which is likely still valid. + return nil, fmt.Errorf("Couldn't decode data frame: %w", err) + } + + frame := &readFrame{ + event: event, + bytesOnDisk: uint64(frameLength), + } + + return frame, nil +} diff --git a/libbeat/publisher/queue/diskqueue/segments.go b/libbeat/publisher/queue/diskqueue/segments.go new file mode 100644 index 00000000000..617b089110e --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/segments.go @@ -0,0 +1,259 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "encoding/binary" + "fmt" + "io/ioutil" + "os" + "sort" + "strconv" + "strings" +) + +// diskQueueSegments encapsulates segment-related queue metadata. +type diskQueueSegments struct { + + // A list of the segments that have not yet been completely written, sorted + // by increasing segment ID. When the first entry has been completely + // written, it is removed from this list and appended to reading. + // + // If the reading list is empty, the queue may read from a segment that is + // still being written, but it will always be writing[0], since later + // entries do not yet exist on disk. + writing []*queueSegment + + // A list of the segments that have been completely written but have + // not yet been completely read, sorted by increasing segment ID. When the + // first entry has been completely read, it is removed from this list and + // appended to acking. + reading []*queueSegment + + // A list of the segments that have been completely read but have not yet + // been completely acknowledged, sorted by increasing segment ID. When the + // first entry has been completely acknowledged, it is removed from this + // list and appended to acked. + acking []*queueSegment + + // A list of the segments that have been completely read and acknowledged + // and are ready to be deleted. When a segment is successfully deleted, it + // is removed from this list and discarded. + acked []*queueSegment + + // The next sequential unused segment ID. This is what will be assigned + // to the next queueSegment we create. + nextID segmentID + + // nextWriteOffset is the segment offset at which the next new frame + // should be written. This offset always applies to the last entry of + // writing[]. This is distinct from the endOffset field within a segment: + // endOffset tracks how much data _has_ been written to a segment, while + // nextWriteOffset also includes everything that is _scheduled_ to be + // written. + nextWriteOffset segmentOffset + + // nextReadFrameID is the first frame ID in the current or pending + // read request. + nextReadFrameID frameID + + // nextReadOffset is the segment offset corresponding to the frame + // nextReadFrameID. This offset always applies to the first reading + // segment: either reading[0], or writing[0] if reading is empty. + nextReadOffset segmentOffset +} + +// segmentID is a unique persistent integer id assigned to each created +// segment in ascending order. +type segmentID uint64 + +// segmentOffset is a byte index into the segment's data region. +// An offset of 0 means the first byte after the segment file header. +type segmentOffset uint64 + +// The metadata for a single segment file. +type queueSegment struct { + // A segment id is globally unique within its originating queue. + id segmentID + + // The byte offset of the end of the segment's data region. This is + // updated when the segment is written to, and should always correspond + // to the end of a complete data frame. The total size of a segment file + // on disk is segmentHeaderSize + segment.endOffset. + endOffset segmentOffset + + // The ID of the first frame that was / will be read from this segment. + // This field is only valid after a read request has been sent for + // this segment. (Currently it is only used to handle consumer ACKs, + // which can only happen after reading has begun on the segment.) + firstFrameID frameID + + // The number of frames read from this segment during this session. This + // does not necessarily equal the number of frames in the segment, even + // after reading is complete, since the segment may have been partially + // read during a previous session. + // + // Used to count how many frames still need to be acknowledged by consumers. + framesRead uint64 +} + +type segmentHeader struct { + version uint32 +} + +// Segment headers are currently just a 32-bit version. +const segmentHeaderSize = 4 + +// Sort order: we store loaded segments in ascending order by their id. +type bySegmentID []*queueSegment + +func (s bySegmentID) Len() int { return len(s) } +func (s bySegmentID) Swap(i, j int) { s[i], s[j] = s[j], s[i] } +func (s bySegmentID) Less(i, j int) bool { return s[i].id < s[j].id } + +// Scan the given path for segment files, and return them in a list +// ordered by segment id. +func scanExistingSegments(path string) ([]*queueSegment, error) { + files, err := ioutil.ReadDir(path) + if err != nil { + return nil, fmt.Errorf("Couldn't read queue directory '%s': %w", path, err) + } + + segments := []*queueSegment{} + for _, file := range files { + if file.Size() <= segmentHeaderSize { + // Ignore segments that don't have at least some data beyond the + // header (this will always be true of segments we write unless there + // is an error). + continue + } + components := strings.Split(file.Name(), ".") + if len(components) == 2 && strings.ToLower(components[1]) == "seg" { + // Parse the id as base-10 64-bit unsigned int. We ignore file names that + // don't match the "[uint64].seg" pattern. + if id, err := strconv.ParseUint(components[0], 10, 64); err == nil { + segments = append(segments, + &queueSegment{ + id: segmentID(id), + endOffset: segmentOffset(file.Size() - segmentHeaderSize), + }) + } + } + } + sort.Sort(bySegmentID(segments)) + return segments, nil +} + +func (segment *queueSegment) sizeOnDisk() uint64 { + return uint64(segment.endOffset) + segmentHeaderSize +} + +// Should only be called from the reader loop. +func (segment *queueSegment) getReader( + queueSettings Settings, +) (*os.File, error) { + path := queueSettings.segmentPath(segment.id) + file, err := os.Open(path) + if err != nil { + return nil, fmt.Errorf( + "Couldn't open segment %d: %w", segment.id, err) + } + // Right now there is only one valid header (indicating schema version + // zero) so we don't need the value itself. + _, err = readSegmentHeader(file) + if err != nil { + file.Close() + return nil, fmt.Errorf("Couldn't read segment header: %w", err) + } + + return file, nil +} + +// Should only be called from the writer loop. +func (segment *queueSegment) getWriter( + queueSettings Settings, +) (*os.File, error) { + path := queueSettings.segmentPath(segment.id) + file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) + if err != nil { + return nil, err + } + header := &segmentHeader{version: 0} + err = writeSegmentHeader(file, header) + if err != nil { + return nil, fmt.Errorf("Couldn't write segment header: %w", err) + } + + return file, nil +} + +// getWriterWithRetry tries to create a file handle for writing via +// queueSegment.getWriter. On error, it retries as long as the given +// retry callback returns true. This is used for timed retries when +// creating a queue segment from the writer loop. +func (segment *queueSegment) getWriterWithRetry( + queueSettings Settings, retry func(err error, firstTime bool) bool, +) (*os.File, error) { + firstTime := true + file, err := segment.getWriter(queueSettings) + for err != nil && retry(err, firstTime) { + // Set firstTime to false so the retry callback can perform backoff + // etc if needed. + firstTime = false + + // Try again + file, err = segment.getWriter(queueSettings) + } + return file, err +} + +func readSegmentHeader(in *os.File) (*segmentHeader, error) { + header := &segmentHeader{} + err := binary.Read(in, binary.LittleEndian, &header.version) + if err != nil { + return nil, err + } + if header.version != 0 { + return nil, fmt.Errorf("Unrecognized schema version %d", header.version) + } + return header, nil +} + +func writeSegmentHeader(out *os.File, header *segmentHeader) error { + err := binary.Write(out, binary.LittleEndian, header.version) + return err +} + +// The number of bytes occupied by all the queue's segment files. This +// should only be called from the core loop. +func (segments *diskQueueSegments) sizeOnDisk() uint64 { + total := uint64(0) + for _, segment := range segments.writing { + total += segment.sizeOnDisk() + } + for _, segment := range segments.reading { + total += segment.sizeOnDisk() + } + for _, segment := range segments.acking { + total += segment.sizeOnDisk() + } + for _, segment := range segments.acked { + total += segment.sizeOnDisk() + } + return total +} diff --git a/libbeat/publisher/queue/diskqueue/serialize.go b/libbeat/publisher/queue/diskqueue/serialize.go new file mode 100644 index 00000000000..9db8e7b1bd9 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/serialize.go @@ -0,0 +1,154 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Encoding / decoding routines adapted from +// libbeat/publisher/queue/spool/codec.go. + +package diskqueue + +import ( + "bytes" + "time" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/outputs/codec" + "github.com/elastic/beats/v7/libbeat/publisher" + "github.com/elastic/go-structform/gotype" + "github.com/elastic/go-structform/json" +) + +type eventEncoder struct { + buf bytes.Buffer + folder *gotype.Iterator +} + +type eventDecoder struct { + buf []byte + + parser *json.Parser + unfolder *gotype.Unfolder +} + +type entry struct { + Timestamp int64 + Flags uint8 + Meta common.MapStr + Fields common.MapStr +} + +const ( + // If + flagGuaranteed uint8 = 1 << 0 +) + +func newEventEncoder() *eventEncoder { + e := &eventEncoder{} + e.reset() + return e +} + +func (e *eventEncoder) reset() { + e.folder = nil + + visitor := json.NewVisitor(&e.buf) + // This can't return an error: NewIterator is deterministic based on its + // input, and doesn't return an error when called with valid options. In + // this case the options are hard-coded to fixed values, so they are + // guaranteed to be valid and we can safely proceed. + folder, _ := gotype.NewIterator(visitor, + gotype.Folders( + codec.MakeTimestampEncoder(), + codec.MakeBCTimestampEncoder(), + ), + ) + + e.folder = folder +} + +func (e *eventEncoder) encode(event *publisher.Event) ([]byte, error) { + e.buf.Reset() + + err := e.folder.Fold(entry{ + Timestamp: event.Content.Timestamp.UTC().UnixNano(), + Flags: uint8(event.Flags), + Meta: event.Content.Meta, + Fields: event.Content.Fields, + }) + if err != nil { + e.reset() + return nil, err + } + + // Copy the encoded bytes to a new array owned by the caller. + bytes := e.buf.Bytes() + result := make([]byte, len(bytes)) + copy(result, bytes) + + return result, nil +} + +func newEventDecoder() *eventDecoder { + d := &eventDecoder{} + d.reset() + return d +} + +func (d *eventDecoder) reset() { + // When called on nil, NewUnfolder deterministically returns a nil error, + // so it's safe to ignore the error result. + unfolder, _ := gotype.NewUnfolder(nil) + + d.unfolder = unfolder + d.parser = json.NewParser(unfolder) +} + +// Buffer prepares the read buffer to hold the next event of n bytes. +func (d *eventDecoder) Buffer(n int) []byte { + if cap(d.buf) > n { + d.buf = d.buf[:n] + } else { + d.buf = make([]byte, n) + } + return d.buf +} + +func (d *eventDecoder) Decode() (publisher.Event, error) { + var ( + to entry + err error + ) + + d.unfolder.SetTarget(&to) + defer d.unfolder.Reset() + + err = d.parser.Parse(d.buf) + + if err != nil { + d.reset() // reset parser just in case + return publisher.Event{}, err + } + + return publisher.Event{ + Flags: publisher.EventFlags(to.Flags), + Content: beat.Event{ + Timestamp: time.Unix(0, to.Timestamp), + Fields: to.Fields, + Meta: to.Meta, + }, + }, nil +} diff --git a/libbeat/publisher/queue/diskqueue/state_file.go b/libbeat/publisher/queue/diskqueue/state_file.go new file mode 100644 index 00000000000..d8cbb5690ac --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/state_file.go @@ -0,0 +1,95 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "bufio" + "encoding/binary" + "fmt" + "os" +) + +// Given an open file handle to the queue state, decode the current position +// and return the result if successful, otherwise an error. +func queuePositionFromHandle( + file *os.File, +) (queuePosition, error) { + _, err := file.Seek(0, 0) + if err != nil { + return queuePosition{}, err + } + + reader := bufio.NewReader(file) + var version uint32 + err = binary.Read(reader, binary.LittleEndian, &version) + if err != nil { + return queuePosition{}, err + } + if version != 0 { + return queuePosition{}, + fmt.Errorf("Unsupported queue metadata version (%d)", version) + } + + position := queuePosition{} + err = binary.Read(reader, binary.LittleEndian, &position.segmentID) + if err != nil { + return queuePosition{}, err + } + + err = binary.Read( + reader, binary.LittleEndian, &position.offset) + if err != nil { + return queuePosition{}, err + } + + return position, nil +} + +func queuePositionFromPath(path string) (queuePosition, error) { + // Try to open an existing state file. + file, err := os.OpenFile(path, os.O_RDONLY, 0600) + if err != nil { + return queuePosition{}, err + } + defer file.Close() + return queuePositionFromHandle(file) +} + +// Given the queue position, encode and write it to the given file handle. +// Returns nil if successful, otherwise an error. +func writeQueuePositionToHandle( + file *os.File, + position queuePosition, +) error { + _, err := file.Seek(0, 0) + if err != nil { + return err + } + + // Want to write: version (0), segment id, segment offset. + err = binary.Write(file, binary.LittleEndian, uint32(0)) + if err != nil { + return err + } + err = binary.Write(file, binary.LittleEndian, position.segmentID) + if err != nil { + return err + } + err = binary.Write(file, binary.LittleEndian, position.offset) + return err +} diff --git a/libbeat/publisher/queue/diskqueue/util.go b/libbeat/publisher/queue/diskqueue/util.go new file mode 100644 index 00000000000..c54a26154e8 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/util.go @@ -0,0 +1,105 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "errors" + "io" + "syscall" +) + +// A wrapper for an io.Reader that tries to read the full number of bytes +// requested, retrying on EAGAIN and EINTR, and returns an error if +// and only if the number of bytes read is less than requested. +// This is similar to io.ReadFull but with retrying. +type autoRetryReader struct { + wrapped io.Reader +} + +func (r autoRetryReader) Read(p []byte) (int, error) { + bytesRead := 0 + reader := r.wrapped + n, err := reader.Read(p) + for n < len(p) { + if err != nil && !readErrorIsRetriable(err) { + return bytesRead + n, err + } + // If there is an error, it is retriable, so advance p and try again. + bytesRead += n + p = p[n:] + n, err = reader.Read(p) + } + return bytesRead + n, nil +} + +func readErrorIsRetriable(err error) bool { + return errors.Is(err, syscall.EINTR) || errors.Is(err, syscall.EAGAIN) +} + +// writeErrorIsRetriable returns true if the given IO error can be +// immediately retried. +func writeErrorIsRetriable(err error) bool { + return errors.Is(err, syscall.EINTR) || errors.Is(err, syscall.EAGAIN) +} + +// callbackRetryWriter is an io.Writer that wraps another writer and enables +// write-with-retry. When a Write encounters an error, it is passed to the +// retry callback. If the callback returns true, the the writer retries +// any unwritten portion of the input, otherwise it passes the error back +// to the caller. +// This helper is specifically for working with the writer loop, which needs +// to be able to retry forever at configurable intervals, but also cancel +// immediately if the queue is closed. +// This writer is unbuffered. In particular, it is safe to modify the +// "wrapped" field in-place as long as it isn't captured by the callback. +type callbackRetryWriter struct { + wrapped io.Writer + + // The retry callback is called with the error that was produced and whether + // this is the first (subsequent) error arising from this particular + // write call. + retry func(err error, firstTime bool) bool +} + +func (w callbackRetryWriter) Write(p []byte) (int, error) { + // firstTime tracks whether the current error is the first subsequent error + // being passed to the retry callback. This is so that the callback can + // reset its internal counters in case it is using exponential backoff or + // a retry limit. + firstTime := true + bytesWritten := 0 + writer := w.wrapped + n, err := writer.Write(p) + for n < len(p) { + if err != nil { + shouldRetry := w.retry(err, firstTime) + firstTime = false + if !shouldRetry { + return bytesWritten + n, err + } + } else { + // If we made progress without an error, reset firstTime. + firstTime = true + } + // Advance p and try again. + bytesWritten += n + p = p[n:] + n, err = writer.Write(p) + } + return bytesWritten + n, nil +} diff --git a/libbeat/publisher/queue/diskqueue/writer_loop.go b/libbeat/publisher/queue/diskqueue/writer_loop.go new file mode 100644 index 00000000000..ff1ff97616a --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/writer_loop.go @@ -0,0 +1,259 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "encoding/binary" + "os" + "time" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// A segmentedFrame is a data frame waiting to be written to disk along with +// the segment it has been assigned to. +type segmentedFrame struct { + // The frame to be written to disk. + frame *writeFrame + + // The segment to which this frame should be written. + segment *queueSegment +} + +// A writer loop request contains a list of writeFrames with the +// segment each should be written to. +// +// Input invariant (segment ids are sorted): If a frame f is included in a +// writerLoopRequest, then every subsequent frame in this and future +// requests must have segment id at least f.segment.id. +// +// That is: we must write all frames for segment 0 before we start writing +// to frame 1, etc. This assumption allows all file operations to happen +// safely in the writer loop without any knowledge of the broader queue state. +type writerLoopRequest struct { + frames []segmentedFrame +} + +// A writerLoopResponse reports the number of bytes written to each +// segment in the request. There is guaranteed to be one entry for each +// segment that appeared in the request, in the same order. If there is +// more than one entry, then all but the last segment have been closed. +type writerLoopResponse struct { + bytesWritten []int64 +} + +type writerLoop struct { + // The settings for the queue that created this loop. + settings Settings + + // The logger for the writer loop, assigned when the queue creates it. + logger *logp.Logger + + // The writer loop listens on requestChan for frames to write, and + // writes them to disk immediately (all queue capacity checking etc. is + // done by the core loop before sending it to the writer). + // When this channel is closed, any in-progress writes are aborted and + // the run loop terminates. + requestChan chan writerLoopRequest + + // The writer loop sends to responseChan when it has finished handling a + // request, to signal the core loop that it is ready for the next one. + responseChan chan writerLoopResponse + + // The most recent segment that has been written to, if there is one. + // This segment + currentSegment *queueSegment + + // The file handle corresponding to currentSegment. When currentSegment + // changes, this handle is closed and a new one is created. + outputFile *os.File + + currentRetryInterval time.Duration +} + +func newWriterLoop(logger *logp.Logger, settings Settings) *writerLoop { + return &writerLoop{ + logger: logger, + settings: settings, + + requestChan: make(chan writerLoopRequest, 1), + responseChan: make(chan writerLoopResponse), + + currentRetryInterval: settings.RetryInterval, + } +} + +func (wl *writerLoop) run() { + for { + block, ok := <-wl.requestChan + if !ok { + // The request channel is closed, we are done + return + } + bytesWritten := wl.processRequest(block) + wl.responseChan <- writerLoopResponse{bytesWritten: bytesWritten} + } +} + +// processRequest writes the frames in the given request to disk and returns +// the number of bytes written to each segment, in the order they were +// encountered. +func (wl *writerLoop) processRequest(request writerLoopRequest) []int64 { + // retryWriter wraps the file handle with timed retries. + // retryWriter.Write is guaranteed to return only if the write + // completely succeeded or the queue is being closed. + retryWriter := callbackRetryWriter{retry: wl.retryCallback} + + // We keep track of how many frames are written during this request, + // and send the associated ACKs to the queue / producer listeners + // in a batch at the end (since each ACK call can involve a round-trip + // to the registry). + totalACKCount := 0 + producerACKCounts := make(map[*diskQueueProducer]int) + + var bytesWritten []int64 // Bytes written to all segments. + curBytesWritten := int64(0) // Bytes written to the current segment. +outerLoop: + for _, frameRequest := range request.frames { + // If the new segment doesn't match the last one, we need to open a new + // file handle and possibly clean up the old one. + if wl.currentSegment != frameRequest.segment { + wl.logger.Debugf( + "Creating new segment file with id %v\n", frameRequest.segment.id) + if wl.outputFile != nil { + // Try to sync to disk, then close the file. + wl.outputFile.Sync() + wl.outputFile.Close() + wl.outputFile = nil + // We are done with this segment, add the byte count to the list and + // reset the current counter. + bytesWritten = append(bytesWritten, curBytesWritten) + curBytesWritten = 0 + } + wl.currentSegment = frameRequest.segment + file, err := wl.currentSegment.getWriterWithRetry( + wl.settings, wl.retryCallback) + if err != nil { + // This can only happen if the queue is being closed; abort. + break + } + wl.outputFile = file + } + // Make sure our writer points to the current file handle. + retryWriter.wrapped = wl.outputFile + + // We have the data and a file to write it to. We are now committed + // to writing this block unless the queue is closed in the meantime. + frameSize := uint32(frameRequest.frame.sizeOnDisk()) + + // The Write calls below all pass through retryWriter, so they can + // only return an error if the write should be aborted. Thus, all we + // need to do when we see an error is break out of the request loop. + err := binary.Write(retryWriter, binary.LittleEndian, frameSize) + if err != nil { + break + } + _, err = retryWriter.Write(frameRequest.frame.serialized) + if err != nil { + break + } + // Compute / write the frame's checksum + checksum := computeChecksum(frameRequest.frame.serialized) + err = binary.Write(wl.outputFile, binary.LittleEndian, checksum) + if err != nil { + break + } + // Write the frame footer's (duplicate) length + err = binary.Write(wl.outputFile, binary.LittleEndian, frameSize) + if err != nil { + break + } + // Update the byte count as the last step: that way if we abort while + // a frame is partially written, we only report up to the last + // complete frame. (This almost never matters, but it allows for + // more controlled recovery after a bad shutdown.) + curBytesWritten += int64(frameSize) + + // Update the ACKs that will be sent at the end of the request. + totalACKCount++ + if frameRequest.frame.producer.config.ACK != nil { + producerACKCounts[frameRequest.frame.producer]++ + } + + // Explicitly check if we should abort before starting the next frame. + select { + case <-wl.requestChan: + break outerLoop + default: + } + } + // Try to sync the written data to disk. + wl.outputFile.Sync() + + // If the queue has an ACK listener, notify it the frames were written. + if wl.settings.WriteToDiskListener != nil { + wl.settings.WriteToDiskListener.OnACK(totalACKCount) + } + + // Notify any producers with ACK listeners that their frames were written. + for producer, ackCount := range producerACKCounts { + producer.config.ACK(ackCount) + } + + // Return the total byte counts, including the final segment. + return append(bytesWritten, curBytesWritten) +} + +func (wl *writerLoop) applyRetryBackoff() { + wl.currentRetryInterval = + wl.settings.nextRetryInterval(wl.currentRetryInterval) +} + +func (wl *writerLoop) resetRetryBackoff() { + wl.currentRetryInterval = wl.settings.RetryInterval +} + +// retryCallback is called (by way of callbackRetryWriter) when there is +// an error writing to a segment file. It pauses for a configurable +// interval and returns true if the operation should be retried (which +// it always should, unless the queue is being closed). +func (wl *writerLoop) retryCallback(err error, firstTime bool) bool { + if firstTime { + // Reset any exponential backoff in the retry interval. + wl.resetRetryBackoff() + } + if writeErrorIsRetriable(err) { + return true + } + // If this error isn't immediately retriable, increase the exponential + // backoff afterwards. + defer wl.applyRetryBackoff() + + // If the error is not immediately retriable, log the error + // and wait for the retry interval before trying again, but + // abort if the queue is closed (indicated by the request channel + // becoming unblocked). + wl.logger.Errorf("Writing to segment %v: %v", + wl.currentSegment.id, err) + select { + case <-time.After(wl.currentRetryInterval): + return true + case <-wl.requestChan: + return false + } +} diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py index 89a80d83d27..8e0a7c77c32 100644 --- a/libbeat/scripts/generate_fields_docs.py +++ b/libbeat/scripts/generate_fields_docs.py @@ -1,6 +1,7 @@ import argparse from collections import OrderedDict import os +import re import yaml @@ -20,11 +21,24 @@ def document_fields(output, section, sections, path): output.write("[float]\n") if "description" in section: - if "anchor" in section: + if "anchor" in section and section["name"] == "ECS": output.write("== {} fields\n\n".format(section["name"])) + output.write(""" +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. +""") + elif "anchor" in section: + output.write("== {} fields\n\n".format(section["name"])) + output.write("{}\n\n".format(section["description"])) else: output.write("=== {}\n\n".format(section["name"])) - output.write("{}\n\n".format(section["description"])) + output.write("{}\n\n".format(section["description"])) if "fields" not in section or not section["fields"]: return @@ -70,6 +84,14 @@ def document_field(output, field, field_path): if "path" in field: output.write("alias to: {}\n\n".format(field["path"])) + # For Apm-Server docs only + # Assign an ECS badge for fields containing "overwrite" + if beat_title == "Apm-Server": + if "overwrite" in field: + # And it's not a Kubernetes field + if re.match("^kubernetes.*", field["field_path"]) is None: + output.write("{yes-icon} {ecs-ref}[ECS] field.\n\n") + if "index" in field: if not field["index"]: output.write("{}\n\n".format("Field is not indexed.")) diff --git a/libbeat/tests/docker/docker.go b/libbeat/tests/docker/docker.go index b81ffa285ea..888347c5cc7 100644 --- a/libbeat/tests/docker/docker.go +++ b/libbeat/tests/docker/docker.go @@ -77,8 +77,28 @@ func (c Client) ContainerWait(ID string) error { return nil } +// ContainerInspect recovers information of the container +func (c Client) ContainerInspect(ID string) (types.ContainerJSON, error) { + ctx := context.Background() + return c.cli.ContainerInspect(ctx, ID) +} + // ContainerKill kills the given container func (c Client) ContainerKill(ID string) error { ctx := context.Background() return c.cli.ContainerKill(ctx, ID, "KILL") } + +// ContainerRemove kills and removed the given container +func (c Client) ContainerRemove(ID string) error { + ctx := context.Background() + return c.cli.ContainerRemove(ctx, ID, types.ContainerRemoveOptions{ + RemoveVolumes: true, + Force: true, + }) +} + +// Close closes the underlying client +func (c *Client) Close() error { + return c.cli.Close() +} diff --git a/libbeat/tests/system/beat/common_tests.py b/libbeat/tests/system/beat/common_tests.py index c9cdbc52cc0..920ee35e72e 100644 --- a/libbeat/tests/system/beat/common_tests.py +++ b/libbeat/tests/system/beat/common_tests.py @@ -4,6 +4,12 @@ from beat.beat import INTEGRATION_TESTS +# Fail if the exported index pattern is larger than 10MiB +# This is to avoid problems with Kibana when the payload +# of the request to install the index pattern exceeds the +# default limit. +index_pattern_size_limit = 10 * 1024 * 1024 + class TestExportsMixin: @@ -56,7 +62,7 @@ def test_export_index_pattern(self): js = json.loads(output) assert "objects" in js size = len(output.encode('utf-8')) - assert size < 1024 * 1024, "Kibana index pattern must be less than 1MiB " \ + assert size < index_pattern_size_limit, "Kibana index pattern must be less than 10MiB " \ "to keep the Beat setup request size below " \ "Kibana's server.maxPayloadBytes." @@ -68,7 +74,7 @@ def test_export_index_pattern_migration(self): js = json.loads(output) assert "objects" in js size = len(output.encode('utf-8')) - assert size < 1024 * 1024, "Kibana index pattern must be less than 1MiB " \ + assert size < index_pattern_size_limit, "Kibana index pattern must be less than 10MiB " \ "to keep the Beat setup request size below " \ "Kibana's server.maxPayloadBytes." diff --git a/libbeat/tests/system/requirements.txt b/libbeat/tests/system/requirements.txt index 08843d6144d..86071d5dd65 100644 --- a/libbeat/tests/system/requirements.txt +++ b/libbeat/tests/system/requirements.txt @@ -37,6 +37,7 @@ PyYAML==5.3.1 redis==2.10.6 requests==2.20.0 semver==2.8.1 +setuptools==47.3.2 six==1.15.0 stomp.py==4.1.22 termcolor==1.1.0 diff --git a/libbeat/tests/system/test_cmd_completion.py b/libbeat/tests/system/test_cmd_completion.py index 2e523c0831d..a06259a5046 100644 --- a/libbeat/tests/system/test_cmd_completion.py +++ b/libbeat/tests/system/test_cmd_completion.py @@ -17,7 +17,7 @@ def test_bash_completion(self): def test_zsh_completion(self): exit_code = self.run_beat(extra_args=["completion", "zsh"]) assert exit_code == 0 - assert self.log_contains("#compdef mockbeat") + assert self.log_contains("#compdef _mockbeat mockbeat") def test_unknown_completion(self): exit_code = self.run_beat(extra_args=["completion", "awesomeshell"]) diff --git a/metricbeat/Jenkinsfile.yml b/metricbeat/Jenkinsfile.yml index 0424be69a84..9860919d006 100644 --- a/metricbeat/Jenkinsfile.yml +++ b/metricbeat/Jenkinsfile.yml @@ -27,15 +27,27 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test metricbeat for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test metricbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index ae34419db2e..7f1d0f69ab9 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -4665,6 +4665,16 @@ type: keyword The subscription ID +type: keyword + +-- + +*`azure.application_id`*:: ++ +-- +The application ID + + type: keyword -- @@ -4696,17 +4706,44 @@ application insights -*`azure.app_insights.application_id`*:: +*`azure.app_insights.start_date`*:: + -- -The application ID +The start date -type: keyword +type: date -- -*`azure.app_insights.start_date`*:: +*`azure.app_insights.end_date`*:: ++ +-- +The end date + + +type: date + +-- + +*`azure.app_insights.metrics.*.*`*:: ++ +-- +The metrics + + +type: object + +-- + +[float] +=== app_state + +application state + + + +*`azure.app_state.start_date`*:: + -- The start date @@ -4716,7 +4753,7 @@ type: date -- -*`azure.app_insights.end_date`*:: +*`azure.app_state.end_date`*:: + -- The end date @@ -4726,13 +4763,183 @@ type: date -- -*`azure.app_insights.metrics.*.*`*:: +*`azure.app_state.requests_count.sum`*:: + -- -The metrics +Request count -type: object +type: float + +-- + +*`azure.app_state.requests_failed.sum`*:: ++ +-- +Request failed count + + +type: float + +-- + +*`azure.app_state.users_count.unique`*:: ++ +-- +User count + + +type: float + +-- + +*`azure.app_state.sessions_count.unique`*:: ++ +-- +Session count + + +type: float + +-- + +*`azure.app_state.users_authenticated.unique`*:: ++ +-- +Authenticated users count + + +type: float + +-- + +*`azure.app_state.browser_timings_network_duration.avg`*:: ++ +-- +Browser timings network duration + + +type: float + +-- + +*`azure.app_state.browser_timings_send_duration.avg`*:: ++ +-- +Browser timings send duration + + +type: float + +-- + +*`azure.app_state.browser_timings_receive_uration.avg`*:: ++ +-- +Browser timings receive duration + + +type: float + +-- + +*`azure.app_state.browser_timings_processing_duration.avg`*:: ++ +-- +Browser timings processing duration + + +type: float + +-- + +*`azure.app_state.browser_timings_total_duration.avg`*:: ++ +-- +Browser timings total duration + + +type: float + +-- + +*`azure.app_state.exceptions_count.sum`*:: ++ +-- +Exception count + + +type: float + +-- + +*`azure.app_state.exceptions_browser.sum`*:: ++ +-- +Exception count at browser level + + +type: float + +-- + +*`azure.app_state.exceptions_server.sum`*:: ++ +-- +Exception count at server level + + +type: float + +-- + +*`azure.app_state.performance_counters_memory_available_bytes.avg`*:: ++ +-- +Performance counters memory available bytes + + +type: float + +-- + +*`azure.app_state.performance_counters_process_private_bytes.avg`*:: ++ +-- +Performance counters process private bytes + + +type: float + +-- + +*`azure.app_state.performance_counters_process_cpu_percentage_total.avg`*:: ++ +-- +Performance counters process cpu percentage total + + +type: float + +-- + +*`azure.app_state.performance_counters_process_cpu_percentage.avg`*:: ++ +-- +Performance counters process cpu percentage + + +type: float + +-- + +*`azure.app_state.performance_counters_processiobytes_per_second.avg`*:: ++ +-- +Performance counters process IO bytes per second + + +type: float -- @@ -9164,8 +9371,15 @@ Stats collected from Dropwizard. [[exported-fields-ecs]] == ECS fields -ECS Fields. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. *`@timestamp`*:: + @@ -28953,6 +29167,7 @@ linux module [float] === linux +linux system metrics @@ -29050,6 +29265,147 @@ type: long -- +[float] +=== iostat + +iostat + + + +*`linux.iostat.read.request.merges_per_sec`*:: ++ +-- +The number of read requests merged per second that were queued to the device. + + +type: float + +-- + +*`linux.iostat.write.request.merges_per_sec`*:: ++ +-- +The number of write requests merged per second that were queued to the device. + + +type: float + +-- + +*`linux.iostat.read.request.per_sec`*:: ++ +-- +The number of read requests that were issued to the device per second + + +type: float + +-- + +*`linux.iostat.write.request.per_sec`*:: ++ +-- +The number of write requests that were issued to the device per second + + +type: float + +-- + +*`linux.iostat.read.per_sec.bytes`*:: ++ +-- +The number of Bytes read from the device per second. + + +type: float + +format: bytes + +-- + +*`linux.iostat.read.await`*:: ++ +-- +The average time spent for read requests issued to the device to be served. + + +type: float + +-- + +*`linux.iostat.write.per_sec.bytes`*:: ++ +-- +The number of Bytes write from the device per second. + + +type: float + +format: bytes + +-- + +*`linux.iostat.write.await`*:: ++ +-- +The average time spent for write requests issued to the device to be served. + + +type: float + +-- + +*`linux.iostat.request.avg_size`*:: ++ +-- +The average size (in bytes) of the requests that were issued to the device. + + +type: float + +-- + +*`linux.iostat.queue.avg_size`*:: ++ +-- +The average queue length of the requests that were issued to the device. + + +type: float + +-- + +*`linux.iostat.await`*:: ++ +-- +The average time spent for requests issued to the device to be served. + + +type: float + +-- + +*`linux.iostat.service_time`*:: ++ +-- +The average service time (in milliseconds) for I/O requests that were issued to the device. + + +type: float + +-- + +*`linux.iostat.busy`*:: ++ +-- +Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. + + +type: float + +-- + [float] === ksm @@ -29124,6 +29480,186 @@ type: long -- +[float] +=== memory + +Linux memory data + + + +[float] +=== page_stats + +memory page statistics + + +*`linux.memory.page_stats.pgscan_kswapd.pages`*:: ++ +-- +pages scanned by kswapd + +type: long + +format: number + +-- + +*`linux.memory.page_stats.pgscan_direct.pages`*:: ++ +-- +pages scanned directly + +type: long + +format: number + +-- + +*`linux.memory.page_stats.pgfree.pages`*:: ++ +-- +pages freed by the system + +type: long + +format: number + +-- + +*`linux.memory.page_stats.pgsteal_kswapd.pages`*:: ++ +-- +number of pages reclaimed by kswapd + +type: long + +format: number + +-- + +*`linux.memory.page_stats.pgsteal_direct.pages`*:: ++ +-- +number of pages reclaimed directly + +type: long + +format: number + +-- + +*`linux.memory.page_stats.direct_efficiency.pct`*:: ++ +-- +direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. + +type: scaled_float + +format: percent + +-- + +*`linux.memory.page_stats.kswapd_efficiency.pct`*:: ++ +-- +kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. + +type: scaled_float + +format: percent + +-- + +[float] +=== hugepages + +This group contains statistics related to huge pages usage on the system. + + +*`linux.memory.hugepages.total`*:: ++ +-- +Number of huge pages in the pool. + + +type: long + +format: number + +-- + +*`linux.memory.hugepages.used.bytes`*:: ++ +-- +Memory used in allocated huge pages. + + +type: long + +format: bytes + +-- + +*`linux.memory.hugepages.used.pct`*:: ++ +-- +Percentage of huge pages used. + + +type: long + +format: percent + +-- + +*`linux.memory.hugepages.free`*:: ++ +-- +Number of available huge pages in the pool. + + +type: long + +format: number + +-- + +*`linux.memory.hugepages.reserved`*:: ++ +-- +Number of reserved but not allocated huge pages in the pool. + + +type: long + +format: number + +-- + +*`linux.memory.hugepages.surplus`*:: ++ +-- +Number of overcommited huge pages. + + +type: long + +format: number + +-- + +*`linux.memory.hugepages.default_size`*:: ++ +-- +Default size for huge pages. + + +type: long + +format: bytes + +-- + [float] === pageinfo @@ -40495,7 +41031,7 @@ type: long *`system.fsstat.total_files`*:: + -- -Total number of files. +Total number of files. Not on Windows. type: long @@ -41357,7 +41893,7 @@ format: bytes *`system.process.memory.rss.bytes`*:: + -- -The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. +The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. Not available on Windows. type: long @@ -41369,7 +41905,31 @@ format: bytes *`system.process.memory.rss.pct`*:: + -- -The percentage of memory the process occupied in main memory (RAM). +The percentage of memory the process occupied in main memory (RAM). Not available on Windows. + + +type: scaled_float + +format: percent + +-- + +*`system.process.memory.wss.bytes`*:: ++ +-- +The Working Set Size. The amount of memory the process occupied in main memory (RAM). Windows only. + + +type: long + +format: bytes + +-- + +*`system.process.memory.wss.pct`*:: ++ +-- +The percentage of memory the process occupied in main memory (RAM). Windows only. type: scaled_float @@ -41381,7 +41941,7 @@ format: percent *`system.process.memory.share`*:: + -- -The shared memory the process uses. +The shared memory the process uses. Not available on Windows. type: long diff --git a/metricbeat/docs/images/metricbeat-azure-app-state-overview.png b/metricbeat/docs/images/metricbeat-azure-app-state-overview.png new file mode 100644 index 00000000000..cffc6e4ef03 Binary files /dev/null and b/metricbeat/docs/images/metricbeat-azure-app-state-overview.png differ diff --git a/metricbeat/docs/images/metricbeat-googlecloud-pubsub-overview.png b/metricbeat/docs/images/metricbeat-googlecloud-pubsub-overview.png index 5d0ffd588fe..b1bfdd4531f 100644 Binary files a/metricbeat/docs/images/metricbeat-googlecloud-pubsub-overview.png and b/metricbeat/docs/images/metricbeat-googlecloud-pubsub-overview.png differ diff --git a/metricbeat/docs/images/metricbeat-istio-overview.png b/metricbeat/docs/images/metricbeat-istio-overview.png new file mode 100644 index 00000000000..139fe9260d4 Binary files /dev/null and b/metricbeat/docs/images/metricbeat-istio-overview.png differ diff --git a/metricbeat/docs/modules/aws.asciidoc b/metricbeat/docs/modules/aws.asciidoc index 42d24c65ccd..e02a7a81460 100644 --- a/metricbeat/docs/modules/aws.asciidoc +++ b/metricbeat/docs/modules/aws.asciidoc @@ -19,16 +19,27 @@ module. Please see <> for more details. [float] == Module-specific configuration notes +* *AWS Credentials* + The `aws` module requires AWS credentials configuration in order to make AWS API calls. Users can either use `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN`, or use shared AWS credentials file. Please see <> for more details. +* *regions* + This module also accepts optional configuration `regions` to specify which AWS regions to query metrics from. If the `regions` parameter is not set in the config file, then by default, the `aws` module will query metrics from all available AWS regions. +* *latency* + +Some AWS services send monitoring metrics to CloudWatch with a latency to +process larger than Metricbeat collection period. This case, please specify a +`latency` parameter so collection start time and end time will be shifted by the +given latency amount. + The aws module comes with a predefined dashboard. For example: image::./images/metricbeat-aws-overview.png[] diff --git a/metricbeat/docs/modules/azure.asciidoc b/metricbeat/docs/modules/azure.asciidoc index 4db38120041..42d4d619c02 100644 --- a/metricbeat/docs/modules/azure.asciidoc +++ b/metricbeat/docs/modules/azure.asciidoc @@ -45,6 +45,10 @@ The Azure billing dashboards show relevant usage and forecast information: image::./images/metricbeat-azure-billing-overview.png[] +The Azure app_state dashboard shows relevant application insights information: + +image::./images/metricbeat-azure-app-state-overview.png[] + [float] === Module-specific configuration notes @@ -120,6 +124,10 @@ so the `period` for `billing` metricset should be `24h` or multiples of `24h`. === `app_insights` This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`. +[float] +=== `app_state` +This metricset concentrate on the most relevant application insights metrics and provides a dashboard for visualization, the `period` (interval) for the `app_state` metricset is set by default at `300s`. + [float] [[azure-api-cost]] == Additional notes about metrics and costs @@ -242,6 +250,14 @@ metricbeat.modules: api_key: '' metrics: - id: ["requests/count", "requests/duration"] + +- module: azure + metricsets: + - app_state + enabled: true + period: 300s + application_id: '' + api_key: '' ---- [float] @@ -251,6 +267,8 @@ The following metricsets are available: * <> +* <> + * <> * <> @@ -271,6 +289,8 @@ The following metricsets are available: include::azure/app_insights.asciidoc[] +include::azure/app_state.asciidoc[] + include::azure/billing.asciidoc[] include::azure/compute_vm.asciidoc[] diff --git a/metricbeat/docs/modules/azure/app_state.asciidoc b/metricbeat/docs/modules/azure/app_state.asciidoc new file mode 100644 index 00000000000..10485dc818e --- /dev/null +++ b/metricbeat/docs/modules/azure/app_state.asciidoc @@ -0,0 +1,24 @@ +//// +This file is generated! See scripts/mage/docs_collector.go +//// + +[[metricbeat-metricset-azure-app_state]] +[role="xpack"] +=== Azure app_state metricset + +beta[] + +include::../../../../x-pack/metricbeat/module/azure/app_state/_meta/docs.asciidoc[] + + +==== Fields + +For a description of each field in the metricset, see the +<> section. + +Here is an example document generated by this metricset: + +[source,json] +---- +include::../../../../x-pack/metricbeat/module/azure/app_state/_meta/data.json[] +---- diff --git a/metricbeat/docs/modules/istio.asciidoc b/metricbeat/docs/modules/istio.asciidoc index 52be7886e04..bfda2a9588d 100644 --- a/metricbeat/docs/modules/istio.asciidoc +++ b/metricbeat/docs/modules/istio.asciidoc @@ -8,15 +8,28 @@ This file is generated! See scripts/mage/docs_collector.go beta[] -This is the Istio module. The Istio module collects metrics from the +This is the Istio module. +This module is compatible with versions before `1.5` of Istio where microservices architecture is used. If using +versions priot to `1.5` then `mesh`, `mixer`, `pilot`, `galley`, `citadel` metricsets should be used. +wehre the Istio module collects metrics from the Istio https://istio.io/v1.4/docs/tasks/observability/metrics/querying-metrics/#about-the-prometheus-add-on[prometheus exporters endpoints]. +For versions after `1.5`, `istiod` metricset can be used which collects metrics directly from Istio Daemon. The default metricsets are `mesh`, `mixer`, `pilot`, `galley`, `citadel`. [float] === Compatibility -The Istio module is tested with Istio `1.4`. +The Istio module is tested with Istio `1.4` for `mesh`, `mixer`, `pilot`, `galley`, `citadel`. +The Istio module is tested with Istio `1.7` for `istiod`. + +[float] +=== Dashboard + +The Istio module includes a predefined dashboard with overview information about Istio Daemon. +This dashboard is only compatible with versions of Istio after `1.5` which should be monitored with `istiod` metricset. + +image::./images/metricbeat-istio-overview.png[] [float] @@ -62,6 +75,13 @@ metricbeat.modules: period: 10s # use istio-pilot.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset hosts: ["localhost:15014"] + +# Istio istiod to monitor the Istio Daemon for versions after 1.5 of Istio. +- module: istio + metricsets: ['istiod'] + period: 10s + # use istiod.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset + hosts: ['localhost:15014'] ---- [float] diff --git a/metricbeat/docs/modules/linux.asciidoc b/metricbeat/docs/modules/linux.asciidoc index d63528730cb..ab911885afd 100644 --- a/metricbeat/docs/modules/linux.asciidoc +++ b/metricbeat/docs/modules/linux.asciidoc @@ -22,8 +22,10 @@ metricbeat.modules: period: 10s metricsets: - "pageinfo" + - "memory" # - ksm # - conntrack + # - iostat enabled: true #hostfs: /hostfs @@ -36,13 +38,21 @@ The following metricsets are available: * <> +* <> + * <> +* <> + * <> include::linux/conntrack.asciidoc[] +include::linux/iostat.asciidoc[] + include::linux/ksm.asciidoc[] +include::linux/memory.asciidoc[] + include::linux/pageinfo.asciidoc[] diff --git a/metricbeat/docs/modules/linux/iostat.asciidoc b/metricbeat/docs/modules/linux/iostat.asciidoc new file mode 100644 index 00000000000..7a41297b819 --- /dev/null +++ b/metricbeat/docs/modules/linux/iostat.asciidoc @@ -0,0 +1,23 @@ +//// +This file is generated! See scripts/mage/docs_collector.go +//// + +[[metricbeat-metricset-linux-iostat]] +=== linux iostat metricset + +beta[] + +include::../../../module/linux/iostat/_meta/docs.asciidoc[] + + +==== Fields + +For a description of each field in the metricset, see the +<> section. + +Here is an example document generated by this metricset: + +[source,json] +---- +include::../../../module/linux/iostat/_meta/data.json[] +---- diff --git a/metricbeat/docs/modules/linux/memory.asciidoc b/metricbeat/docs/modules/linux/memory.asciidoc new file mode 100644 index 00000000000..9ea3d482e57 --- /dev/null +++ b/metricbeat/docs/modules/linux/memory.asciidoc @@ -0,0 +1,24 @@ +//// +This file is generated! See scripts/mage/docs_collector.go +//// + +[[metricbeat-metricset-linux-memory]] +=== linux memory metricset + +beta[] + +include::../../../module/linux/memory/_meta/docs.asciidoc[] + +This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. + +==== Fields + +For a description of each field in the metricset, see the +<> section. + +Here is an example document generated by this metricset: + +[source,json] +---- +include::../../../module/linux/memory/_meta/data.json[] +---- diff --git a/metricbeat/docs/modules/prometheus/query.asciidoc b/metricbeat/docs/modules/prometheus/query.asciidoc index 72c0fde9278..ff746df44a7 100644 --- a/metricbeat/docs/modules/prometheus/query.asciidoc +++ b/metricbeat/docs/modules/prometheus/query.asciidoc @@ -5,8 +5,6 @@ This file is generated! See scripts/mage/docs_collector.go [[metricbeat-metricset-prometheus-query]] === Prometheus query metricset -beta[] - include::../../../module/prometheus/query/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/prometheus/remote_write.asciidoc b/metricbeat/docs/modules/prometheus/remote_write.asciidoc index 9d871805344..535fdec82e6 100644 --- a/metricbeat/docs/modules/prometheus/remote_write.asciidoc +++ b/metricbeat/docs/modules/prometheus/remote_write.asciidoc @@ -5,8 +5,6 @@ This file is generated! See scripts/mage/docs_collector.go [[metricbeat-metricset-prometheus-remote_write]] === Prometheus remote_write metricset -beta[] - include::../../../module/prometheus/remote_write/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/sql.asciidoc b/metricbeat/docs/modules/sql.asciidoc index 69726a1fe7d..6e944cf5c13 100644 --- a/metricbeat/docs/modules/sql.asciidoc +++ b/metricbeat/docs/modules/sql.asciidoc @@ -8,24 +8,45 @@ This file is generated! See scripts/mage/docs_collector.go beta[] -The SQL module allows to execute custom queries against an SQL database and store the results to Elasticsearch. +The SQL module allows you to execute custom queries against an SQL database and +store the results in {es}. -The currently supported databases are the ones already included in Metricbeat, which are: -- PostgreSQL -- MySQL -- Oracle -- Microsoft SQL -- CockroachDB +This module supports the databases that you can monitor with {metricbeat}, +including: -== Quickstart +* PostgreSQL +* MySQL +* Oracle +* Microsoft SQL +* CockroachDB -You can setup the module by activating it first running +To enable the module, run: - metricbeat module enable sql +[source,shell] +---- +metricbeat module enable sql +---- + +After enabling the module, open `modules.d/sql.yml` and set the required +fields: + +`driver`:: The driver can be any driver that has a {metricbeat} module, such as +`mssql` or `postgres`. +`sql_query`:: The single query you want to run. +`sql_response_format`:: Either `variables` or `table`: +`variables`::: Expects a two-column table that looks like a key/value result. +The left column is considered a key and the right column the value. This mode +generates a single event on each fetch operation. +`table`::: Expects any number of columns. This mode generates a single event for +each row. + +[float] +=== Example: capture Innodb-related metrics -Once it is activated, open `modules.d/sql.yml` and fill the required fields. This is an example that captures Innodb related metrics from the result of the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL database: +This `sql.yml` configuration shows how to capture Innodb-related metrics that +result from the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL +database: -.sql.yml [source,yaml] ---- - module: sql @@ -39,7 +60,8 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi sql_response_format: variables ---- -.SHOW GLOBAL STATUS LIKE 'Innodb_system%' +The `SHOW GLOBAL STATUS` query results in this table: + |==== |Variable_name|Value @@ -49,18 +71,11 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi |Innodb_system_rows_updated|315 |==== +Results are grouped by type in the result event for convenient mapping in +{es}. For example, `strings` values are grouped into `sql.strings`, `numeric` +into `sql.numeric`, and so on. -Keys in the YAML are defined as follow: - -- `driver`: The drivers currently supported are those which already have a Metricbeat module like `mssql` or `postgres`. -- `sql_query`: Is the single query you want to run -- `sql_response_format`: You have 2 options here: - - `variables`: Expects a table which looks like a key/value result. With 2 columns, left column will be considered a key and the right column the value. This mode generates a single event on each fetch operation. - - `table`: Table mode can contain any number of columns and a single event will be generated for each row. - -Results will be grouped by type in the result event for convenient mapping in Elasticsearch. So `strings` values will be grouped into `sql.strings`, `numeric` into `sql.numeric` and so on and so forth. - -The event generated with the example above looks like this: +The example shown earlier generates this event: [source,json] ---- @@ -112,9 +127,13 @@ The event generated with the example above looks like this: } ---- -In this example, we are querying PostgreSQL and generate a "table" result, hence a single event for each row returned +[float] +=== Example: query PostgreSQL and generate a "table" result + +This `sql.yml` configuration shows how to query PostgreSQL and generate +a "table" result. This configuration generates a single event for each row +returned: -.sql.yml [source,yaml] ---- - module: sql @@ -128,7 +147,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence sql_response_format: table ---- -.SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database +The SELECT query results in this table: + |==== |datid|datname|blks_read|blks_hit|tup_returned|tup_fetched|stats_reset @@ -137,7 +157,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence |13407|template0|0|0|0|0| |==== -With 3 rows on the table, three events will be generated with the contents of each row. As an example, below you can see the event created for the first row: +Because the table contains three rows, three events are generated, one event +for each row. For example, this event is created for the first row: [source,json] ---- @@ -194,14 +215,11 @@ With 3 rows on the table, three events will be generated with the contents of ea } ---- +[float] +=== Example: get the buffer catch hit ratio in Oracle -== More examples - -=== Oracle: - -Get the buffer cache hit ratio: +This `sql.yml` configuration shows how to get the buffer cache hit ratio: -.sql.yml [source,yaml] ---- - module: sql @@ -215,6 +233,7 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: [source,json] ---- @@ -269,11 +288,11 @@ Get the buffer cache hit ratio: } ---- -=== MSSQL +[float] +=== Example: get the buffer cache hit ratio for MSSQL -Get the buffer cache hit ratio: +This `sql.yml` configuration gets the buffer cache hit ratio: -.sql.yml [source,yaml] ---- - module: sql @@ -287,6 +306,8 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: + [source,json] ---- { @@ -338,11 +359,12 @@ Get the buffer cache hit ratio: } ---- -=== Two or more queries +[float] +=== Example: launch two or more queries -If you want to launch two or more queries, you need to specify them with their full configuration for each query. For example: +To launch two or more queries, specify the full configuration for each query. +For example: -.sql.yml [source,yaml] ---- - module: sql diff --git a/metricbeat/docs/modules_list.asciidoc b/metricbeat/docs/modules_list.asciidoc index 2232cf3b070..1bc81071e76 100644 --- a/metricbeat/docs/modules_list.asciidoc +++ b/metricbeat/docs/modules_list.asciidoc @@ -33,7 +33,8 @@ This file is generated! See scripts/mage/docs_collector.go |<> beta[] |<> beta[] |<> |image:./images/icon-yes.png[Prebuilt dashboards are available] | -.10+| .10+| |<> beta[] +.11+| .11+| |<> beta[] +|<> beta[] |<> beta[] |<> |<> @@ -131,7 +132,7 @@ This file is generated! See scripts/mage/docs_collector.go .3+| .3+| |<> beta[] |<> beta[] |<> beta[] -|<> beta[] |image:./images/icon-no.png[No prebuilt dashboards] | +|<> beta[] |image:./images/icon-yes.png[Prebuilt dashboards are available] | .5+| .5+| |<> beta[] |<> beta[] |<> beta[] @@ -175,8 +176,10 @@ This file is generated! See scripts/mage/docs_collector.go .2+| .2+| |<> beta[] |<> beta[] |<> beta[] |image:./images/icon-no.png[No prebuilt dashboards] | -.3+| .3+| |<> beta[] +.5+| .5+| |<> beta[] +|<> beta[] |<> beta[] +|<> beta[] |<> beta[] |<> |image:./images/icon-no.png[No prebuilt dashboards] | .2+| .2+| |<> @@ -221,8 +224,8 @@ This file is generated! See scripts/mage/docs_collector.go |<> |<> |image:./images/icon-yes.png[Prebuilt dashboards are available] | .3+| .3+| |<> -|<> beta[] -|<> beta[] +|<> +|<> |<> |image:./images/icon-yes.png[Prebuilt dashboards are available] | .4+| .4+| |<> |<> diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc index 786977cb294..f852c153e5e 100644 --- a/metricbeat/docs/running-on-kubernetes.asciidoc +++ b/metricbeat/docs/running-on-kubernetes.asciidoc @@ -192,11 +192,6 @@ $ kubectl --namespace=kube-system get ds/metricbeat NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE-SELECTOR AGE metricbeat 32 32 0 32 0 1m - -$ kubectl --namespace=kube-system get deploy/metricbeat - -NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE -metricbeat 1 1 1 1 1m ------------------------------------------------ Metrics should start flowing to Elasticsearch. diff --git a/metricbeat/include/list_common.go b/metricbeat/include/list_common.go index 39fadeea0e0..b77bb57f9a6 100644 --- a/metricbeat/include/list_common.go +++ b/metricbeat/include/list_common.go @@ -95,7 +95,9 @@ import ( _ "github.com/elastic/beats/v7/metricbeat/module/kvm/status" _ "github.com/elastic/beats/v7/metricbeat/module/linux" _ "github.com/elastic/beats/v7/metricbeat/module/linux/conntrack" + _ "github.com/elastic/beats/v7/metricbeat/module/linux/iostat" _ "github.com/elastic/beats/v7/metricbeat/module/linux/ksm" + _ "github.com/elastic/beats/v7/metricbeat/module/linux/memory" _ "github.com/elastic/beats/v7/metricbeat/module/linux/pageinfo" _ "github.com/elastic/beats/v7/metricbeat/module/logstash" _ "github.com/elastic/beats/v7/metricbeat/module/logstash/node" diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 9b6f37eb447..9df18e4d7f9 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -572,8 +572,10 @@ metricbeat.modules: period: 10s metricsets: - "pageinfo" + - "memory" # - ksm # - conntrack + # - iostat enabled: true #hostfs: /hostfs diff --git a/metricbeat/module/kafka/broker.go b/metricbeat/module/kafka/broker.go index b9e78c7dacc..2e558d7944a 100644 --- a/metricbeat/module/kafka/broker.go +++ b/metricbeat/module/kafka/broker.go @@ -119,7 +119,7 @@ func (b *Broker) Connect() error { c, err := getClusterWideClient(b.Addr(), b.cfg) if err != nil { closeBroker(b.broker) - return fmt.Errorf("Could not get cluster client for advertised broker with address %v", b.Addr()) + return fmt.Errorf("getting cluster client for advertised broker with address %v: %w", b.Addr(), err) } b.client = c diff --git a/metricbeat/module/linux/_meta/config.yml b/metricbeat/module/linux/_meta/config.yml index e00fe571846..490d3245c19 100644 --- a/metricbeat/module/linux/_meta/config.yml +++ b/metricbeat/module/linux/_meta/config.yml @@ -2,8 +2,10 @@ period: 10s metricsets: - "pageinfo" + - "memory" # - ksm # - conntrack + # - iostat enabled: true #hostfs: /hostfs diff --git a/metricbeat/module/linux/_meta/fields.yml b/metricbeat/module/linux/_meta/fields.yml index c3fe9657e89..44236f625e9 100644 --- a/metricbeat/module/linux/_meta/fields.yml +++ b/metricbeat/module/linux/_meta/fields.yml @@ -7,4 +7,5 @@ - name: linux type: group description: > + linux system metrics fields: diff --git a/metricbeat/module/linux/fields.go b/metricbeat/module/linux/fields.go index e4935eb2d7f..90e7e3ed940 100644 --- a/metricbeat/module/linux/fields.go +++ b/metricbeat/module/linux/fields.go @@ -32,5 +32,5 @@ func init() { // AssetLinux returns asset data. // This is the base64 encoded gzipped contents of module/linux. func AssetLinux() string { - return "eJy8l0tv4zYQx+/+FIMcF91Hsm8fCgTdRVEUKYIGe+mhwogcWawpUuWQybqfviBl2YoiOUpTiZcgIfWfn/6ch/IStrRbg1YmfF8BeOU1reEs/X62AnCkCZnWkJPHFYAkFk7VXlmzhh9XANA8C5WVQdMKoFCkJa/T1kswWNFRPi6/q2kNG2dDvf/LgOZ9ma6UsMZ4h2J72BmSjKuP3q7BcM0aEu+DdGE4VBW63b29MZxHQse1lwNbgCmyAwywR6/YK8E/pDMkAYWzzPDT9TcQ1hH3tIagu+DS2T7bkVxbsxnYfAQ+rhrFljwn+ZokyEDg7dFWKFBpFRyNghE6vctmwjtykPFO0RHUW6hwS+CsraCwDgzdgTUPfO2ANgozULZsyoAvqQPtMdfjzhU2GDkDDgchiLkIWu+ACZ0oSY6+fkujNsYOXPP/l2JMZAC1I5S75BEJ31wk9u65X54dSMPkfBaTkuaw7rdQ5eRiObd3eleSI9CK/T54+6NhgBOot6jVMyEfyj9w1JfoQaAx1kNOkFwc8ObQAFM+ZI7Yo/MzWJhyHrS121BH+5QoocR0zznBPu6x0zTHHbH6p5OcLe2Wqzmmxn3Zk/PCo+/XzH+eFr/eXHUmwxMHQI0b4oxLdLNk/k0SbqLERhaYXk1gUYPxng2jPDHs9Ztoj8EEM5s134z6O9AJjAoPGLdWo1cDTf/5GNfpakSJZhNd8dZCgez3hdW8/bhLcRpkLNDMMQCPbdOrihgqcptU1006lXhLkMdmFQHMKUxO/SAzVlImSlSz4DZOpsaZ0BxhGpEVfs8icZvZ0zBlqOf1VIZaK4GxacYO0svDbhkoU9g5+uWA9qmmmQcpd1nvgXGgCYZ8QY9QOFvB69pZ8TpFiAEasVgPgQ/tK9+BdZLcEzvsl6vL0XscYp7AndivLhNXeomBE2NYXbSzN2eD+4+k2UTCROGIQJTBbDnm3MWfb15cX/78Nbv55Y+vp9HOF0c7n4p2sTjaxVS0t4ujvZ2K9m5xtHdT0d4vjvZ+KtqHxdE+TEX7uDjax6lonxZH+zQV7fPiaJ8nt9zlx8H52DxooeK3EL96MTjxbf4Xif4/mxNIfsc7QK2twHgK0sDvfAXEqRoD3PvSWP0bAAD//4Pi/m8=" + return "eJzEmd9v2zgSx9/zVwwCHNAWVzfp7/rhgNylOBR3uQu27csudoUxObK5pkiVP+y6f/2CpBXLtmQrcaT6pWgkz3z4neHMkH4Oc1qNQQrlv58BOOEkjeE8/v/8DMCQJLQ0hgk5PAPgZJkRpRNajeEfZwCQvguF5l7SGUAuSHI7jo+eg8KCNubDx61KGsPUaF+u/9Jgc2PXrqyjAgpyRjC7flj3UffDtFLOIJvfPWnyFz6766o+LSzh02R8F6QOY31RoFltPWvDOeI6fNbmQOeg8uwOBqxDJ6wTzP49vkMckBltLfzr9iswbcju2GqCroNzo3fZNuRSq2nDwyPw4VMim5Oz0XxJHLgncHojK+QopPCGWsEIjVxlPeFtOEg5I2gD6jQUOCcwWheQawOKlqDVnq410GShB8qKTShwM6pBO5zIduVy7RXvAcd6xsja3Eu5Akto2Ix46/IrGjFVuiHMj5dilkgBSkPIV1EjYi4FEnfivLs9a5DKknFZSErqQ7r/+WJCJmznKqbLGRkCKaxbO6/+SQxwAHWBUpwIuW9+T1E3QwcMldIOJgRRxQZt7gpgzIfMkHVoXA8SxpwHqfXcl0E+wWYwwxjnCcHa76bSpNcNWfGjlpx3IupQSftoHHuWD3WNkLMjQ988WTcqyEzJZiWZzBJr7CS51Lir7VHpvswI1F3+BZewdmkh+uRQkgFLTCuewr4MufnNk0/7KBQfTgvBaNS4jKURjgZeR/T52AvZiseggdjQCmv3aGvr6hCAYZU/jTwqvgYeTVZur5E8GvY/g/Gkem500cw42p2etCnQjWGfbGsBuESxi3ciOC7I4JTAiYLAlqRcnEa2s6ZR8VQQLZkF8UP7dUDVU8o8puxpCcPpvpP0DxS+2qG4mGahMfWDHizDE6GSfE9DGAJlxx3bTB5raM/c0QdIUlM3exToIbflaYkRnglGWTDbU1IkDwk8JEchpBRp+9mncRGfXvz/NL0n3jafgB9Ef0uGkXIBXufxfBvZuTdCTdcD4BZyexN6MkHFl4K7GXgnpPiBwW1c9OatpyO4Tq9bdN6kVzRj3sRpPUzEwsICpQ9egEltY2gvLy7+ttFjb9Sc26KPOXPb7MGrCYeuub4/4GLiP59vapcQ97xrKDEMhnaGppdD1udoOHkJZ2ZvabexNLGIRn8nw4jQ+Nb2k7djMF71Js1XJb55OoBR4B3GQkt0ouF+4XSM2xgaNkM1Dao4rSFH66oCGVffrlLupcwsQ9XHXcvmhB6qTDpQxCNkSqcZLggm4VwcANQhTBuPnpnSnDI2Q9ELblIyFumIZgjjbUyB37NAXGV2N0zuy3415b6UgmE4n4cKspOHFVJBhd66pHm0avnfdG0d7QPHra8dqp1JyocX0LXHMnbgB5fNaci5bG6XWPJR1O6+waoG6jSYH4tmSvl1osNkBcn1MUAuDDE3PGDyK9tv98ppboiGAwveom5huEi/aRzSzhHKAaO7OZwlWkNMoii6RjrSDhfqdtqjYU8vZJTngglSbDUqWfvNpGUoiWdNo2qdukxT6THs5LuihQ1DZQCnNIIrkHpJpvY3EIrHQmlryRPGTeuMn05lapt3dlN9aS/yKZw/R4Lk+6dIUC1/5qfUlKPt1bs0lIvvYzj/Larw+/mh6v4lHAiiFWBaudDqa1U+9Clc/xIRQNYJ7G080aja4vauP440BKcdyn633bGGXlvQ+tepUmvZnojeEm+8aerM3fblDtg3qQsHhkCLUuo0i2xWcYT80K45wt1xt7SMeVtn4K0sOjgpG7r3+P64+YELFDLOz/fNFEPpouTn8lcUMPEOlHaNSdNtQdabUvqe2+Sx9egFGaaLQnRNe045eumarvs6o5+wZa+T+3SXmWvTyFyf0oXKdR8nhwbbhw4ME8/5Ktv5QjtQBzWu0WG6On9RGs1eRA/BQTIWumEsbCkjJyvQhu/ly7GOcn1z1RrkJuYO3JH95iqdfa63j1zHsOpo5xe7PXgbryUHOxJGCkMEbObV3Iat8vKPi2e3V//+mH3+9OvHw2iXg6NddkV7OTjay65orwZHe9UV7fXgaK+7or0ZHO1NV7S3g6O97Yr2bnC0d13R3g+O9r4r2ofB0T50LrnDt4PLtn5QQSnNyY6eNXZ8PfmT9g4PHUh+wWU1cwqtIDb82hQQumpwsDVpnP0VAAD//2DzKvg=" } diff --git a/metricbeat/module/linux/iostat/_meta/data.json b/metricbeat/module/linux/iostat/_meta/data.json new file mode 100644 index 00000000000..99f23d8cc95 --- /dev/null +++ b/metricbeat/module/linux/iostat/_meta/data.json @@ -0,0 +1,49 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "event": { + "dataset": "linux.iostat", + "duration": 115000, + "module": "linux" + }, + "linux": { + "iostat": { + "await": 0, + "busy": 0, + "name": "sr0", + "queue": { + "avg_size": 0 + }, + "read": { + "await": 0, + "per_sec": { + "bytes": 0 + }, + "request": { + "merges_per_sec": 0, + "per_sec": 0 + } + }, + "request": { + "avg_size": 0 + }, + "service_time": 0, + "write": { + "await": 0, + "per_sec": { + "bytes": 0 + }, + "request": { + "merges_per_sec": 0, + "per_sec": 0 + } + } + } + }, + "metricset": { + "name": "iostat", + "period": 10000 + }, + "service": { + "type": "linux" + } +} \ No newline at end of file diff --git a/metricbeat/module/linux/iostat/_meta/docs.asciidoc b/metricbeat/module/linux/iostat/_meta/docs.asciidoc new file mode 100644 index 00000000000..ec4c4de1618 --- /dev/null +++ b/metricbeat/module/linux/iostat/_meta/docs.asciidoc @@ -0,0 +1,3 @@ +The iostat module reports per-disk IO statistics that emulate `iostat -x` on linux. + +NOTE: as of now, this data is part of system/diskio on Metricbeat, but can only be found in the Linux integration in Fleet. In the future, this data will be removed from system/memory. \ No newline at end of file diff --git a/metricbeat/module/linux/iostat/_meta/fields.yml b/metricbeat/module/linux/iostat/_meta/fields.yml new file mode 100644 index 00000000000..a7ded63f8fc --- /dev/null +++ b/metricbeat/module/linux/iostat/_meta/fields.yml @@ -0,0 +1,61 @@ +- name: iostat + type: group + release: beta + description: > + iostat + fields: + - name: read.request.merges_per_sec + type: float + description: > + The number of read requests merged per second that were queued to the device. + - name: write.request.merges_per_sec + type: float + description: > + The number of write requests merged per second that were queued to the device. + - name: read.request.per_sec + type: float + description: > + The number of read requests that were issued to the device per second + - name: write.request.per_sec + type: float + description: > + The number of write requests that were issued to the device per second + - name: read.per_sec.bytes + type: float + description: > + The number of Bytes read from the device per second. + format: bytes + - name: read.await + type: float + description: > + The average time spent for read requests issued to the device to be served. + - name: write.per_sec.bytes + type: float + description: > + The number of Bytes write from the device per second. + format: bytes + - name: write.await + type: float + description: > + The average time spent for write requests issued to the device to be served. + - name: request.avg_size + type: float + description: > + The average size (in bytes) of the requests that were issued to the device. + - name: queue.avg_size + type: float + description: > + The average queue length of the requests that were issued to the device. + - name: await + type: float + description: > + The average time spent for requests issued to the device to be served. + - name: service_time + type: float + description: > + The average service time (in milliseconds) for I/O requests that were issued to the device. + - name: busy + type: float + description: > + Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. + diff --git a/metricbeat/module/linux/iostat/data.go b/metricbeat/module/linux/iostat/data.go new file mode 100644 index 00000000000..4e546deaa34 --- /dev/null +++ b/metricbeat/module/linux/iostat/data.go @@ -0,0 +1,58 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package iostat + +import ( + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/metric/system/diskio" +) + +// AddLinuxIOStat adds the linux iostat data to the provided map +func AddLinuxIOStat(extraMetrics diskio.IOMetric) common.MapStr { + return common.MapStr{ + "read": common.MapStr{ + "request": common.MapStr{ + "merges_per_sec": extraMetrics.ReadRequestMergeCountPerSec, + "per_sec": extraMetrics.ReadRequestCountPerSec, + }, + "per_sec": common.MapStr{ + "bytes": extraMetrics.ReadBytesPerSec, + }, + "await": extraMetrics.AvgReadAwaitTime, + }, + "write": common.MapStr{ + "request": common.MapStr{ + "merges_per_sec": extraMetrics.WriteRequestMergeCountPerSec, + "per_sec": extraMetrics.WriteRequestCountPerSec, + }, + "per_sec": common.MapStr{ + "bytes": extraMetrics.WriteBytesPerSec, + }, + "await": extraMetrics.AvgWriteAwaitTime, + }, + "queue": common.MapStr{ + "avg_size": extraMetrics.AvgQueueSize, + }, + "request": common.MapStr{ + "avg_size": extraMetrics.AvgRequestSize, + }, + "await": extraMetrics.AvgAwaitTime, + "service_time": extraMetrics.AvgServiceTime, + "busy": extraMetrics.BusyPct, + } +} diff --git a/metricbeat/module/linux/iostat/iostat.go b/metricbeat/module/linux/iostat/iostat.go new file mode 100644 index 00000000000..049b4daadf7 --- /dev/null +++ b/metricbeat/module/linux/iostat/iostat.go @@ -0,0 +1,104 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package iostat + +import ( + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" + "github.com/elastic/beats/v7/libbeat/metric/system/diskio" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +// init registers the MetricSet with the central registry as soon as the program +// starts. The New function will be called later to instantiate an instance of +// the MetricSet for each host defined in the module's configuration. After the +// MetricSet has been created then Fetch will begin to be called periodically. +func init() { + mb.Registry.MustAddMetricSet("linux", "iostat", New) +} + +// MetricSet holds any configuration or state information. It must implement +// the mb.MetricSet interface. And this is best achieved by embedding +// mb.BaseMetricSet because it implements all of the required mb.MetricSet +// interface methods except for Fetch. +type MetricSet struct { + mb.BaseMetricSet + stats *diskio.IOStat + includeDevices []string +} + +// New creates a new instance of the MetricSet. New is responsible for unpacking +// any MetricSet specific configuration options if there are any. +func New(base mb.BaseMetricSet) (mb.MetricSet, error) { + cfgwarn.Beta("The linux iostat metricset is beta.") + + config := struct { + IncludeDevices []string `config:"iostat.include_devices"` + }{IncludeDevices: []string{}} + if err := base.Module().UnpackConfig(&config); err != nil { + return nil, err + } + + return &MetricSet{ + BaseMetricSet: base, + includeDevices: config.IncludeDevices, + stats: diskio.NewDiskIOStat(), + }, nil +} + +// Fetch methods implements the data gathering and data conversion to the right +// format. It publishes the event which is then forwarded to the output. In case +// of an error set the Error field of mb.Event or simply call report.Error(). +func (m *MetricSet) Fetch(report mb.ReporterV2) error { + + IOstats, err := diskio.IOCounters(m.includeDevices...) + if err != nil { + return errors.Wrap(err, "disk io counters") + } + + // Sample the current cpu counter + m.stats.OpenSampling() + + // Store the last cpu counter when finished + defer m.stats.CloseSampling() + + for _, counters := range IOstats { + event := common.MapStr{ + "name": counters.Name, + } + if counters.SerialNumber != "" { + event["serial_number"] = counters.SerialNumber + } + result, err := m.stats.CalcIOStatistics(counters) + if err != nil { + return errors.Wrap(err, "error calculating iostat") + } + IOstats := AddLinuxIOStat(result) + event.DeepUpdate(IOstats) + + isOpen := report.Event(mb.Event{ + MetricSetFields: event, + }) + if !isOpen { + return nil + } + } + return nil +} diff --git a/metricbeat/module/linux/iostat/iostat_test.go b/metricbeat/module/linux/iostat/iostat_test.go new file mode 100644 index 00000000000..6a607fc66d4 --- /dev/null +++ b/metricbeat/module/linux/iostat/iostat_test.go @@ -0,0 +1,55 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build linux + +package iostat + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" +) + +func TestFetch(t *testing.T) { + f := mbtest.NewReportingMetricSetV2Error(t, getConfig()) + events, errs := mbtest.ReportingFetchV2Error(f) + + assert.Empty(t, errs) + if !assert.NotEmpty(t, events) { + t.FailNow() + } + t.Logf("%s/%s event: %+v", f.Module().Name(), f.Name(), + events[0].BeatEvent("linux", "iostat").Fields.StringToPrint()) +} + +func TestData(t *testing.T) { + f := mbtest.NewReportingMetricSetV2Error(t, getConfig()) + err := mbtest.WriteEventsReporterV2Error(f, t, ".") + if err != nil { + t.Fatal("write", err) + } +} + +func getConfig() map[string]interface{} { + return map[string]interface{}{ + "module": "linux", + "metricsets": []string{"iostat"}, + } +} diff --git a/metricbeat/module/linux/memory/_meta/data.json b/metricbeat/module/linux/memory/_meta/data.json new file mode 100644 index 00000000000..79a3d431869 --- /dev/null +++ b/metricbeat/module/linux/memory/_meta/data.json @@ -0,0 +1,59 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "event": { + "dataset": "linux.memory", + "duration": 115000, + "module": "linux" + }, + "linux": { + "memory": { + "hugepages": { + "default_size": 2097152, + "free": 0, + "reserved": 0, + "surplus": 0, + "swap": { + "out": { + "fallback": 0, + "pages": 0 + } + }, + "total": 0, + "used": { + "bytes": 0, + "pct": 0 + } + }, + "page_stats": { + "direct_efficiency": { + "pct": 0.9228 + }, + "kswapd_efficiency": { + "pct": 0.7523 + }, + "pgfree": { + "pages": 16061818710 + }, + "pgscan_direct": { + "pages": 1198580 + }, + "pgscan_kswapd": { + "pages": 50222460 + }, + "pgsteal_direct": { + "pages": 1106083 + }, + "pgsteal_kswapd": { + "pages": 37782783 + } + } + } + }, + "metricset": { + "name": "memory", + "period": 10000 + }, + "service": { + "type": "linux" + } +} \ No newline at end of file diff --git a/metricbeat/module/linux/memory/_meta/docs.asciidoc b/metricbeat/module/linux/memory/_meta/docs.asciidoc new file mode 100644 index 00000000000..8b0bbaed750 --- /dev/null +++ b/metricbeat/module/linux/memory/_meta/docs.asciidoc @@ -0,0 +1,3 @@ +The memory metricset extends system/memory and adds linux-specific memory metrics, including Huge Pages and overall paging statistics. + +NOTE: as of now, this data is part of system/memory on Metricbeat, but can only be found in the Linux integration in Fleet. In the future, this data will be removed from system/memory. \ No newline at end of file diff --git a/metricbeat/module/linux/memory/_meta/fields.yml b/metricbeat/module/linux/memory/_meta/fields.yml new file mode 100644 index 00000000000..2490e69aa21 --- /dev/null +++ b/metricbeat/module/linux/memory/_meta/fields.yml @@ -0,0 +1,78 @@ +- name: memory + type: group + release: beta + description: > + Linux memory data + fields: + - name: page_stats + type: group + description: memory page statistics + fields: + - name: pgscan_kswapd.pages + type: long + format: number + description: pages scanned by kswapd + - name: pgscan_direct.pages + type: long + format: number + description: pages scanned directly + - name: pgfree.pages + type: long + format: number + description: pages freed by the system + - name: pgsteal_kswapd.pages + type: long + format: number + description: number of pages reclaimed by kswapd + - name: pgsteal_direct.pages + type: long + format: number + description: number of pages reclaimed directly + - name: direct_efficiency.pct + type: scaled_float + format: percent + description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. + - name: kswapd_efficiency.pct + type: scaled_float + format: percent + description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. + - name: hugepages + type: group + prefix: "[float]" + description: This group contains statistics related to huge pages usage on the system. + fields: + - name: total + type: long + format: number + description: > + Number of huge pages in the pool. + - name: used.bytes + type: long + format: bytes + description: > + Memory used in allocated huge pages. + - name: used.pct + type: long + format: percent + description: > + Percentage of huge pages used. + - name: free + type: long + format: number + description: > + Number of available huge pages in the pool. + - name: reserved + type: long + format: number + description: > + Number of reserved but not allocated huge pages in the pool. + - name: surplus + type: long + format: number + description: > + Number of overcommited huge pages. + - name: default_size + type: long + format: bytes + description: > + Default size for huge pages. diff --git a/metricbeat/module/linux/memory/data.go b/metricbeat/module/linux/memory/data.go new file mode 100644 index 00000000000..d3f1a5ef2f8 --- /dev/null +++ b/metricbeat/module/linux/memory/data.go @@ -0,0 +1,99 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build darwin freebsd linux openbsd windows + +package memory + +import ( + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/common" + mem "github.com/elastic/beats/v7/libbeat/metric/system/memory" +) + +// FetchLinuxMemStats gets page_stat and huge pages data for linux +func FetchLinuxMemStats(baseMap common.MapStr) error { + + vmstat, err := mem.GetVMStat() + if err != nil { + return errors.Wrap(err, "VMStat") + } + + if vmstat != nil { + pageStats := common.MapStr{ + "pgscan_kswapd": common.MapStr{ + "pages": vmstat.PgscanKswapd, + }, + "pgscan_direct": common.MapStr{ + "pages": vmstat.PgscanDirect, + }, + "pgfree": common.MapStr{ + "pages": vmstat.Pgfree, + }, + "pgsteal_kswapd": common.MapStr{ + "pages": vmstat.PgstealKswapd, + }, + "pgsteal_direct": common.MapStr{ + "pages": vmstat.PgstealDirect, + }, + } + // This is similar to the vmeff stat gathered by sar + // these ratios calculate thhe efficiency of page reclaim + if vmstat.PgscanDirect != 0 { + pageStats["direct_efficiency"] = common.MapStr{ + "pct": common.Round(float64(vmstat.PgstealDirect)/float64(vmstat.PgscanDirect), common.DefaultDecimalPlacesCount), + } + } + + if vmstat.PgscanKswapd != 0 { + pageStats["kswapd_efficiency"] = common.MapStr{ + "pct": common.Round(float64(vmstat.PgstealKswapd)/float64(vmstat.PgscanKswapd), common.DefaultDecimalPlacesCount), + } + } + baseMap["page_stats"] = pageStats + } + + hugePagesStat, err := mem.GetHugeTLBPages() + if err != nil { + return errors.Wrap(err, "hugepages") + } + if hugePagesStat != nil { + mem.AddHugeTLBPagesPercentage(hugePagesStat) + thp := common.MapStr{ + "total": hugePagesStat.Total, + "used": common.MapStr{ + "bytes": hugePagesStat.TotalAllocatedSize, + "pct": hugePagesStat.UsedPercent, + }, + "free": hugePagesStat.Free, + "reserved": hugePagesStat.Reserved, + "surplus": hugePagesStat.Surplus, + "default_size": hugePagesStat.DefaultSize, + } + if vmstat != nil { + thp["swap"] = common.MapStr{ + "out": common.MapStr{ + "pages": vmstat.ThpSwpout, + "fallback": vmstat.ThpSwpoutFallback, + }, + } + } + baseMap["hugepages"] = thp + } + return nil +} diff --git a/metricbeat/module/linux/memory/memory.go b/metricbeat/module/linux/memory/memory.go new file mode 100644 index 00000000000..163e3bea771 --- /dev/null +++ b/metricbeat/module/linux/memory/memory.go @@ -0,0 +1,62 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package memory + +import ( + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +// init registers the MetricSet with the central registry as soon as the program +// starts. The New function will be called later to instantiate an instance of +// the MetricSet for each host defined in the module's configuration. After the +// MetricSet has been created then Fetch will begin to be called periodically. +func init() { + mb.Registry.MustAddMetricSet("linux", "memory", New, mb.DefaultMetricSet()) +} + +// MetricSet holds any configuration or state information. It must implement +// the mb.MetricSet interface. And this is best achieved by embedding +// mb.BaseMetricSet because it implements all of the required mb.MetricSet +// interface methods except for Fetch. +type MetricSet struct { + mb.BaseMetricSet +} + +// New creates a new instance of the MetricSet. New is responsible for unpacking +// any MetricSet specific configuration options if there are any. +func New(base mb.BaseMetricSet) (mb.MetricSet, error) { + cfgwarn.Beta("The linux memory metricset is beta.") + + return &MetricSet{ + BaseMetricSet: base, + }, nil +} + +// Fetch methods implements the data gathering and data conversion to the right +// format. It publishes the event which is then forwarded to the output. In case +// of an error set the Error field of mb.Event or simply call report.Error(). +func (m *MetricSet) Fetch(report mb.ReporterV2) error { + rootEvent := common.MapStr{} + FetchLinuxMemStats(rootEvent) + report.Event(mb.Event{ + MetricSetFields: rootEvent, + }) + return nil +} diff --git a/metricbeat/module/linux/memory/memory_test.go b/metricbeat/module/linux/memory/memory_test.go new file mode 100644 index 00000000000..2980c94841e --- /dev/null +++ b/metricbeat/module/linux/memory/memory_test.go @@ -0,0 +1,55 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build darwin freebsd linux openbsd windows + +package memory + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" +) + +func TestFetch(t *testing.T) { + f := mbtest.NewReportingMetricSetV2Error(t, getConfig()) + events, errs := mbtest.ReportingFetchV2Error(f) + + assert.Empty(t, errs) + if !assert.NotEmpty(t, events) { + t.FailNow() + } + t.Logf("%s/%s event: %+v", f.Module().Name(), f.Name(), + events[0].BeatEvent("linux", "memory").Fields.StringToPrint()) +} + +func TestData(t *testing.T) { + f := mbtest.NewReportingMetricSetV2Error(t, getConfig()) + err := mbtest.WriteEventsReporterV2Error(f, t, ".") + if err != nil { + t.Fatal("write", err) + } +} + +func getConfig() map[string]interface{} { + return map[string]interface{}{ + "module": "linux", + "metricsets": []string{"memory"}, + } +} diff --git a/metricbeat/module/prometheus/fields.go b/metricbeat/module/prometheus/fields.go index e93b578c7b7..ff89ddf8ac7 100644 --- a/metricbeat/module/prometheus/fields.go +++ b/metricbeat/module/prometheus/fields.go @@ -32,5 +32,5 @@ func init() { // AssetPrometheus returns asset data. // This is the base64 encoded gzipped contents of module/prometheus. func AssetPrometheus() string { - return "eJzMkkGO2zAMRfc+xYe7G2TmAF70BAXaosuiCBT7O1ZHllSSniC3LxzHGU0yQJF2Uy75RfLxi4945rFBljTSBk5aAeYtsEH95ZKsK6CjtuKz+RQbfKwA4Js5U2grLrNDL2mEw2sVGLucfLSnCtAhiW3bFHu/b9C7oKwAYaBTNti7+Q3NfNxrg++1aqg3qAezXP+ogN4zdNqc5j4iupFX1HPYMc+9JE35nCnL5viAz9JR4BV+zEnMRcNA4QbB7RgUBx8CRmftgN6L2gY2EEI1OCG6NO0CL/1WlKX46eEirDBp95OtFeklsV3UZx4PSbpCfsfmNQpnR5r49jz1BmZR76e52u2Nuh1dzj7uz0/rh/ovoW9of02U4//G+uLCdPr1Kdh627P89VPB//Z639nqZqfyNP8Ac2qwfiVLHy5jdzRX5K9vfUURjsm4PYg3/gvR0genPivYqzNn45TyQrmD9ncAAAD//1baTA8=" + return "eJzMkk1u20AMhfc6xYO6C5wcQIueoEBbdFkUxlh6sqaZv5JUDN++kGU5im2gf5tyyTckP77hI555bFAkR9rAUSvAvAU2qD9dknUFdNRWfDGfU4P3FQB8MWcKbcUVduglRzi8VoGpK9kne6oAHbLYts2p9/sGvQvKChAGOmWDvZve0MynvTb4WquGeoN6MCv1twroPUOnzWnuI5KLvKKewo5l6iV5LOfMumyKd/goHQVe4WPJYi4ZBgo3CG7HoDj4EBCdtQN6L2ob2EAI1eCE6PK4C7z0W1Dm4qeHi7DA5N13trZKz4ntrD7zeMjSreQ7Ni+xcjbSxLfnqTcws/rnNFe7vVG30ZXi0/78tH6o/xL6hvbHSDn+b6wvLoynXx+DLbc9yZ8/rPjfXu+drW52Wp/mL2BODZav5NqHe2NvL30BEcZs3B7EG/+FZ+6DU58F69WXs21KeaH8NuvPAAAA///rUkpn" } diff --git a/metricbeat/module/prometheus/query/_meta/fields.yml b/metricbeat/module/prometheus/query/_meta/fields.yml index acbc35db449..31f29117385 100644 --- a/metricbeat/module/prometheus/query/_meta/fields.yml +++ b/metricbeat/module/prometheus/query/_meta/fields.yml @@ -2,5 +2,5 @@ type: group description: > query metricset - release: beta + release: ga fields: diff --git a/metricbeat/module/prometheus/remote_write/_meta/fields.yml b/metricbeat/module/prometheus/remote_write/_meta/fields.yml index e3b2f050a40..17f5f5fe801 100644 --- a/metricbeat/module/prometheus/remote_write/_meta/fields.yml +++ b/metricbeat/module/prometheus/remote_write/_meta/fields.yml @@ -2,5 +2,5 @@ type: group description: > remote write metrics from Prometheus server - release: beta + release: ga fields: diff --git a/metricbeat/module/system/cpu/_meta/data.json b/metricbeat/module/system/cpu/_meta/data.json index 4a5fd7c8ff7..cb9548ec6e4 100644 --- a/metricbeat/module/system/cpu/_meta/data.json +++ b/metricbeat/module/system/cpu/_meta/data.json @@ -7,7 +7,7 @@ }, "host": { "cpu": { - "pct": 0.0816 + "pct": 0.1629 } }, "metricset": { @@ -19,68 +19,68 @@ }, "system": { "cpu": { - "cores": 12, + "cores": 4, "idle": { "norm": { - "pct": 0.9184 + "pct": 0.8371 }, - "pct": 11.0208, - "ticks": 1964402 + "pct": 3.3484, + "ticks": 806327077 }, "iowait": { "norm": { "pct": 0 }, "pct": 0, - "ticks": 5083 + "ticks": 312229 }, "irq": { "norm": { - "pct": 0 + "pct": 0.0125 }, - "pct": 0, - "ticks": 0 + "pct": 0.0501, + "ticks": 6548016 }, "nice": { "norm": { "pct": 0 }, "pct": 0, - "ticks": 9752 + "ticks": 517231 }, "softirq": { "norm": { - "pct": 0.0058 + "pct": 0.0025 }, - "pct": 0.0699, - "ticks": 10386 + "pct": 0.01, + "ticks": 1561223 }, "steal": { "norm": { "pct": 0 }, "pct": 0, - "ticks": 0 + "ticks": 156646 }, "system": { "norm": { - "pct": 0.005 + "pct": 0.0551 }, - "pct": 0.06, - "ticks": 22274 + "pct": 0.2206, + "ticks": 31037256 }, "total": { "norm": { - "pct": 0.0816 + "pct": 0.1629 }, - "pct": 0.9792 + "pct": 0.6516 }, "user": { "norm": { - "pct": 0.0708 + "pct": 0.0927 }, - "pct": 0.8493, - "ticks": 123767 + "pct": 0.3709, + "ticks": 139619320 } } } diff --git a/metricbeat/module/system/cpu/cpu.go b/metricbeat/module/system/cpu/cpu.go index 7333df6dec7..7650b65cd80 100644 --- a/metricbeat/module/system/cpu/cpu.go +++ b/metricbeat/module/system/cpu/cpu.go @@ -20,11 +20,8 @@ package cpu import ( - "strings" - "github.com/pkg/errors" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/metric/system/cpu" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" @@ -69,50 +66,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { return errors.Wrap(err, "failed to fetch CPU times") } - event := common.MapStr{"cores": cpu.NumCores} - hostFields := common.MapStr{} - for _, metric := range m.config.Metrics { - switch strings.ToLower(metric) { - case percentages: - pct := sample.Percentages() - event.Put("user.pct", pct.User) - event.Put("system.pct", pct.System) - event.Put("idle.pct", pct.Idle) - event.Put("iowait.pct", pct.IOWait) - event.Put("irq.pct", pct.IRQ) - event.Put("nice.pct", pct.Nice) - event.Put("softirq.pct", pct.SoftIRQ) - event.Put("steal.pct", pct.Steal) - event.Put("total.pct", pct.Total) - case normalizedPercentages: - normalizedPct := sample.NormalizedPercentages() - event.Put("user.norm.pct", normalizedPct.User) - event.Put("system.norm.pct", normalizedPct.System) - event.Put("idle.norm.pct", normalizedPct.Idle) - event.Put("iowait.norm.pct", normalizedPct.IOWait) - event.Put("irq.norm.pct", normalizedPct.IRQ) - event.Put("nice.norm.pct", normalizedPct.Nice) - event.Put("softirq.norm.pct", normalizedPct.SoftIRQ) - event.Put("steal.norm.pct", normalizedPct.Steal) - event.Put("total.norm.pct", normalizedPct.Total) - hostFields.Put("host.cpu.pct", normalizedPct.Total) - case ticks: - ticks := sample.Ticks() - event.Put("user.ticks", ticks.User) - event.Put("system.ticks", ticks.System) - event.Put("idle.ticks", ticks.Idle) - event.Put("iowait.ticks", ticks.IOWait) - event.Put("irq.ticks", ticks.IRQ) - event.Put("nice.ticks", ticks.Nice) - event.Put("softirq.ticks", ticks.SoftIRQ) - event.Put("steal.ticks", ticks.Steal) - } - } - - r.Event(mb.Event{ - RootFields: hostFields, - MetricSetFields: event, - }) + r.Event(collectCPUMetrics(m.config.Metrics, sample)) return nil } diff --git a/metricbeat/module/system/cpu/data.go b/metricbeat/module/system/cpu/data.go new file mode 100644 index 00000000000..497a91a6173 --- /dev/null +++ b/metricbeat/module/system/cpu/data.go @@ -0,0 +1,112 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build darwin freebsd linux openbsd windows + +package cpu + +import ( + "runtime" + "strings" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/metric/system/cpu" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +// CPU metrics are highly OS-specific, so we need to build the event per-OS +func getPlatformCPUMetrics(sample *cpu.Metrics, selectors []string, event common.MapStr) { + for _, metric := range selectors { + switch strings.ToLower(metric) { + case percentages: + pct := sample.Percentages() + event.Put("user.pct", pct.User) + event.Put("system.pct", pct.System) + event.Put("idle.pct", pct.Idle) + event.Put("total.pct", pct.Total) + + if runtime.GOOS != "windows" { + event.Put("nice.pct", pct.Nice) + } + if runtime.GOOS == "linux" || runtime.GOOS == "openbsd" { + event.Put("irq.pct", pct.IRQ) + } + if runtime.GOOS == "linux" || runtime.GOOS == "aix" { + event.Put("iowait.pct", pct.IOWait) + } + if runtime.GOOS == "linux" { + event.Put("softirq.pct", pct.SoftIRQ) + event.Put("steal.pct", pct.Steal) + } + case normalizedPercentages: + normalizedPct := sample.NormalizedPercentages() + event.Put("user.norm.pct", normalizedPct.User) + event.Put("system.norm.pct", normalizedPct.System) + event.Put("idle.norm.pct", normalizedPct.Idle) + event.Put("total.norm.pct", normalizedPct.Total) + + if runtime.GOOS != "windows" { + event.Put("nice.norm.pct", normalizedPct.Nice) + } + if runtime.GOOS == "linux" || runtime.GOOS == "openbsd" { + event.Put("irq.norm.pct", normalizedPct.IRQ) + } + if runtime.GOOS == "linux" || runtime.GOOS == "aix" { + event.Put("iowait.norm.pct", normalizedPct.IOWait) + } + if runtime.GOOS == "linux" { + event.Put("softirq.norm.pct", normalizedPct.SoftIRQ) + event.Put("steal.norm.pct", normalizedPct.Steal) + } + case ticks: + ticks := sample.Ticks() + event.Put("user.ticks", ticks.User) + event.Put("system.ticks", ticks.System) + event.Put("idle.ticks", ticks.Idle) + + if runtime.GOOS != "windows" { + event.Put("nice.ticks", ticks.Nice) + } + if runtime.GOOS == "linux" || runtime.GOOS == "openbsd" { + event.Put("irq.ticks", ticks.IRQ) + } + if runtime.GOOS == "linux" || runtime.GOOS == "aix" { + event.Put("iowait.ticks", ticks.IOWait) + } + if runtime.GOOS == "linux" { + event.Put("softirq.ticks", ticks.SoftIRQ) + event.Put("steal.ticks", ticks.Steal) + } + } + } +} + +// gather CPU metrics +func collectCPUMetrics(selectors []string, sample *cpu.Metrics) mb.Event { + event := common.MapStr{"cores": cpu.NumCores} + getPlatformCPUMetrics(sample, selectors, event) + + //generate the host fields here, since we don't want users disabling it. + normalizedPct := sample.NormalizedPercentages() + hostFields := common.MapStr{} + hostFields.Put("host.cpu.pct", normalizedPct.Total) + + return mb.Event{ + RootFields: hostFields, + MetricSetFields: event, + } +} diff --git a/metricbeat/module/system/diskio/_meta/data.json b/metricbeat/module/system/diskio/_meta/data.json index b9c8533b0c8..a2301ef8888 100644 --- a/metricbeat/module/system/diskio/_meta/data.json +++ b/metricbeat/module/system/diskio/_meta/data.json @@ -15,7 +15,7 @@ "system": { "diskio": { "io": { - "time": 364 + "time": 601740 }, "iostat": { "await": 0, @@ -48,16 +48,16 @@ } } }, - "name": "loop1", + "name": "sdb1", "read": { - "bytes": 5267456, - "count": 4124, - "time": 557 + "bytes": 25128030208, + "count": 3146154, + "time": 833872 }, "write": { - "bytes": 0, - "count": 0, - "time": 0 + "bytes": 34401640448, + "count": 861040, + "time": 11224168 } } } diff --git a/metricbeat/module/system/diskio/diskio.go b/metricbeat/module/system/diskio/diskio.go index 9da3a3c2344..1359180cff6 100644 --- a/metricbeat/module/system/diskio/diskio.go +++ b/metricbeat/module/system/diskio/diskio.go @@ -20,9 +20,14 @@ package diskio import ( + "fmt" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/metric/system/diskio" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" + "github.com/elastic/beats/v7/metricbeat/module/linux/iostat" + "github.com/elastic/beats/v7/metricbeat/module/system" "github.com/pkg/errors" ) @@ -36,9 +41,10 @@ func init() { // MetricSet for fetching system disk IO metrics. type MetricSet struct { mb.BaseMetricSet - statistics *DiskIOStat + statistics *diskio.IOStat includeDevices []string prevCounters diskCounter + IsAgent bool } // diskCounter stores previous disk counter values for calculating gauges in next collection @@ -57,17 +63,23 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, err } + systemModule, ok := base.Module().(*system.Module) + if !ok { + return nil, fmt.Errorf("unexpected module type") + } + return &MetricSet{ BaseMetricSet: base, - statistics: NewDiskIOStat(), + statistics: diskio.NewDiskIOStat(), includeDevices: config.IncludeDevices, prevCounters: diskCounter{}, + IsAgent: systemModule.IsAgent, }, nil } // Fetch fetches disk IO metrics from the OS. func (m *MetricSet) Fetch(r mb.ReporterV2) error { - stats, err := IOCounters(m.includeDevices...) + stats, err := diskio.IOCounters(m.includeDevices...) if err != nil { return errors.Wrap(err, "disk io counters") } @@ -101,40 +113,13 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { diskReadBytes += counters.ReadBytes diskWriteBytes += counters.WriteBytes - var extraMetrics DiskIOMetric - err := m.statistics.CalIOStatistics(&extraMetrics, counters) - if err == nil { - event["iostat"] = common.MapStr{ - "read": common.MapStr{ - "request": common.MapStr{ - "merges_per_sec": extraMetrics.ReadRequestMergeCountPerSec, - "per_sec": extraMetrics.ReadRequestCountPerSec, - }, - "per_sec": common.MapStr{ - "bytes": extraMetrics.ReadBytesPerSec, - }, - "await": extraMetrics.AvgReadAwaitTime, - }, - "write": common.MapStr{ - "request": common.MapStr{ - "merges_per_sec": extraMetrics.WriteRequestMergeCountPerSec, - "per_sec": extraMetrics.WriteRequestCountPerSec, - }, - "per_sec": common.MapStr{ - "bytes": extraMetrics.WriteBytesPerSec, - }, - "await": extraMetrics.AvgWriteAwaitTime, - }, - "queue": common.MapStr{ - "avg_size": extraMetrics.AvgQueueSize, - }, - "request": common.MapStr{ - "avg_size": extraMetrics.AvgRequestSize, - }, - "await": extraMetrics.AvgAwaitTime, - "service_time": extraMetrics.AvgServiceTime, - "busy": extraMetrics.BusyPct, + //Add linux-only data if agent is off as not to make breaking changes. + if !m.IsAgent { + result, err := m.statistics.CalcIOStatistics(counters) + if err != nil { + return errors.Wrap(err, "error calculating iostat") } + event["iostat"] = iostat.AddLinuxIOStat(result) } if counters.SerialNumber != "" { diff --git a/metricbeat/module/system/diskio/diskio_test.go b/metricbeat/module/system/diskio/diskio_test.go index aabc44c374b..b5494ac4bfe 100644 --- a/metricbeat/module/system/diskio/diskio_test.go +++ b/metricbeat/module/system/diskio/diskio_test.go @@ -27,8 +27,48 @@ import ( "github.com/stretchr/testify/assert" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + "github.com/elastic/beats/v7/metricbeat/module/system" ) +func TestDataNameFilter(t *testing.T) { + oldFS := system.HostFS + newFS := "_meta/testdata" + system.HostFS = &newFS + defer func() { + system.HostFS = oldFS + }() + + conf := map[string]interface{}{ + "module": "system", + "metricsets": []string{"diskio"}, + "diskio.include_devices": []string{"sda", "sda1", "sda2"}, + } + + f := mbtest.NewReportingMetricSetV2Error(t, conf) + data, errs := mbtest.ReportingFetchV2Error(f) + assert.Empty(t, errs) + assert.Equal(t, 3, len(data)) +} + +func TestDataEmptyFilter(t *testing.T) { + oldFS := system.HostFS + newFS := "_meta/testdata" + system.HostFS = &newFS + defer func() { + system.HostFS = oldFS + }() + + conf := map[string]interface{}{ + "module": "system", + "metricsets": []string{"diskio"}, + } + + f := mbtest.NewReportingMetricSetV2Error(t, conf) + data, errs := mbtest.ReportingFetchV2Error(f) + assert.Empty(t, errs) + assert.Equal(t, 10, len(data)) +} + func TestFetch(t *testing.T) { f := mbtest.NewReportingMetricSetV2Error(t, getConfig()) events, errs := mbtest.ReportingFetchV2Error(f) diff --git a/metricbeat/module/system/fields.go b/metricbeat/module/system/fields.go index 28135f5fa95..d78002d2847 100644 --- a/metricbeat/module/system/fields.go +++ b/metricbeat/module/system/fields.go @@ -32,5 +32,5 @@ func init() { // AssetSystem returns asset data. // This is the base64 encoded gzipped contents of module/system. func AssetSystem() string { - return "eJzsff+PGzey5+/5KwgfFhm/m5E93mxe3vxwgON5uRvAWQ9sB+8Bh4NMdZck7rDJDsmWrPz1BxbZ39nqbqmlkYMMFtlkRiI/VSwW6xuLN+QJdndE77SB5DtCDDMc7siLT/iLF98REoOOFEsNk+KO/K/vCCHE/ZFoQ02mSQJGsUhfE86egLx7/I1QEZMEEql2JNN0BdfErKkhVAGJJOcQGYjJUsmEmDUQmYKihomVRzH7jhC9lsrMIymWbHVHjMrgO0IUcKAa7siKfkfIkgGP9R0CuiGCJlAhw/6YXWo/q2SW+t8ESLE/X9zXvpBICkOZ0ITLiHI/Wk7fzH++Om917kgqKH4Zmn0PggqKGztOBYrlp0dAllIRSjQTKw44H5FLQkmSccPwexUO5j91puU/TSKqhLC49uucFC7FqvGHPdTYHwv9nUUlsmQBqkRV++T/II+gIhCGrkAHAWUa1CyNTBCWjiiHeL7kkjY/sJQqoeaOpG78ceA/ryH/Il0hoy05hiVAdArCECYQGNEpjaCDthoFhkVPehrWWnA0kZkwRwLz8nKJzH0CJYCPoWJCBvdyeAQ6wSK4PA5LQbjc3qSKScXMjqRKRqA16CHUnI3Th6JkMb9AniOqAcDPJ8gDAMktZeYCeSmIBUaupCAx008vh9FxTh0xDp/6/fKYrEFtWGRNM2vSramIuf2PNVXx1lpzTBhQKktN735Uv5+P9ZOh1nJpvqV1sXgPo/C51+YA5AYov7yVYYIwsZE8E4aqnVMBix36ORumTEY5fmO7Zhzwt+tdalmipWpNtqW6xi9p1qDyI1CqWesLbzeUcbrgQKTgO3t4/ibY10GMPKdevFwGFb5cmh3lykVp1vImLVXWY9bHeWfWzZtyoZxvli8Ujk5SBdpbX7gCUpuZ+7AUN8LuH87+gKabSCo7Q5Mt45ys6Qasg0q/siRLyIbyDDfNl9vXr/9G/s1N9wXHbg1WzlMbl3IFNN4RQ5+sfDDtR2XCSEKjCMXO6ZZNe9AAFgvlT+2akg+iHSLQ161hdzIjERVu0aosL4I3KwXUgLK/EI5v5BepCHylScrhmrAl+XtrWCdS9uvUkB9f/81Cu7Zy5YTLhz1mUZrNcm5+cdKzAHL7U+fi/Llc2D+Xk/jtul9/Fm/nG7Ja/7LLAxT+Zd1OY90aaS6UkdYWBE0c2XiiPsQcUHAePvyX1UJdRsk/S8tokH1iLamLZMHYMPXFEjL2oL9MQo467S+TpOFH/oXiP+Dcv0xKJj/8vykyD7UALpPIb9UMuDRuDrECrvNAiIY4Z3IZs0HnOkB7w2L43IrufSuZ6UvO6X4bWdALTCZedBLuuVMhh5+Iz4380EPur9xDlSdWTpn8rsmKMekHO0Ql/2D/kzx8KMrIBtbg5T/jcxT2n8H1fILdVqpm4sDHj++Ijunt+OVG8uyUfcIGilE+d4fnCHgDIXyv/Qx5uRv5vGaaJHRHhDRkAVY4Nix2xzjlvGR6a0wfo+8hSAGNZ5jwmHDzoKVUsTDsJFZk7ApZkdFZZCV8mXG+68G3VczAyQHiLAciRA4udmZ4Ri03BUNfOgA8DoMw6rDJB0HeM5F9dSku1pyKNOxADZGRyo+EyZ6UMy9pglCts8RyBj9FNPsD7dB/3L4ZtILPzyCLw4CYhkf5YAPZ1Bq1n20oVvbcOaHYJ4xbnyCSItb+ePNqBXfsoIV9Nohuz/Yai6cGGMYYS3sOPrz60A/Qem8zXG0Fv2egzSwBtQI9T0HNNURB7CEPswd8M1WP29xPqQnOiVly4ihxGdstKCC/Z5BBTIzEzRDDhvX6Np4sJyLnpQvnPDVhtfU660KV6JnWLfQVOg9YoPOuzLSU4Ip4AvacNhOQ8XN53ha2bwtz03YPH2m9BFHrX0xLCN2Aoiuo+jRLqRpSFlwRI60Fah0WiMfs/zOuihOxUy6LI+l869LYNBMtTL7j6WY1tzbKaUhB6+eKCcfel3aZLOqBGmAYJajDT0wHzkE4iJVZn4SIc27zaQXJhS9g3mllHS9EbgZHiBWmqrn1Eol6ePVh2vVYZHo3HTWP4ch9nClrJG7XLFrXSeg+FK8WVMRbFps1yQzj7A9qp0UmlJ96OSP37uOamky5j8goyqzj4mrmypJHTSIuNS59vYoxZwkIo2S6OyaYVIat/HXI9pjjA0Q0H3S+YGbS0F+B1g5sl6wNt4Tx/KmgEq/HeW25SQ3bQC49qZS8cNl/eP0fP7ZWeck41G6+koOihuUwrdrl8k9TlDAXRJ8ppoABQszqVPhtpHX5M5EqtmEcrJ+Buan8xJsFobtNOh8Z4BwVxKyW1N6RL69i2Lyyf739EkRk5z0BFDtGEwp8NT+EQWDAfZ5K1hHpOxgLDmw1LY7d4k0YDUrrCcMGdnwiZAzaSovdo/ibduS8AknBs0r7fqm26OZTc63CLwVwCNOQ72fimlvjCu/2cyzTcN7AsZ1wJLznP90aoPfVKRSiqO0Bc9Q55kXKjVQ5yiqHWJ4Jo6uVghUtUmGUc6dyGpdbyq8efXvn0GTIP+vqx6MhS5k1PePa9jliW38OqL0OeXNTBZy4fVIfXtk24aBxfUqqSSwj3YoGBLhO9mvgvazoQ9/CGfIeiGciasDGHmgCtJvl2QDiTu0BGFLH50Po1N4VAk15ppGnL9suD5c0PkZ9WBfPjpH7sEdu+Be3L8YqYfsnJlbzJY2MVHfWtRuniN9X4BfuJafakISJzEB4D7/4xyUh/YfH2qFwXtxeFNrbANwwbixBfC6ZCMgCiVlRkzCstLBNznMtRVhgpqDo2aSrQ6qOpAk/FKbotJeGW9rZdQU7yrxzQ7RCFL7f2AThibO5HXiuOdz9/aPO5278Zo/YQbDO6NU6/6ys7EOLyq954Qu5iisXHI0laCy8YiLiWVx8OJLCVXksdrk5GdFoDZpQ0ba/FtlyCUqTKw2Fr+pZQyOTUT5rmCEX744NWlhH22H2ehvJWxyt7AgIMdaNWs71WfF7reXgjiBnsEg9QRV+VmTwwRAFXhlqF9lnVohAREAWYLbgb757kcaqhmqsxq9QsCmC/Wl+ksSQgoh1rnk/fHJxskQqIDEYyri+JimqQRKtIXoqfOSKDH/pEAny/D6UZ3d4yz8YzINQHmUcHfkFtctS4UW9TMxph7y/wK+QlAkODAG8SpWMXiWQMLGU121e2B+pqhPi16rg0D0plUqhRNiyProFbjVUsaBt38v+fBDkw6f/JgwJpURnSVMB5jLEBI0wdZCL0AdB/ouJWG71tf8+/N7e2H4VZSEW/utDxaJDvZEhKo70qjky0Ets51Zau7SvQHhLm5qtW+elCpbs6x158X+RrP/XNK/qoRQreThKabZYS4VpwyLtUj5lvtDiqPVPzaU5FCztj3w8s99eEjNUlJ5LraPhMw7vc2nEMik7Cq7MzCxtXRYfgLmGKcqNMBwKIaRW5WamHwETpwPARP/8CmhM11hvdjQM5H0xIKkPOAABHhGjY377IOCIZF3NqX9rWjsbtgmLFD5dwRydvsOs1fzIxmqVQiOP1LDpSkdUzJ8s7AMFK+dm8HZKC7WX+4gK4TwZN3UfwJgpiA7UAMcAdPPyZllOFR86A2cDZmcrgimt0okW7wxQfsbVLaMrDq2CiFOWDF1pRHu+pe5G27vs7gNzWC5ZxEBEuzPqIzd3jpaUGCr6aEbeEi63oKo6iomYRXhpuxQea1lro7LVCi9CGlmM21RiTRa45XweFri5z86CoB5fZysICevZDXALxEvyc9vew/Zf+GAt08UVgnzhRSolv3Rb/NdKsIgJQjmXES5RSc4UnmkPAUfZNvXS0ZpcdVbokol8i2lEp4w0HSxEClxF8vMSkqMgi8y4kEtAnkZSpjOV8uzEh2sfYXIDKpJJwkZvjRiWNOMmVLQxmIYj9ve9m94Vti6lGgfeHlyzqr/ZBB46MFrIKksf8mEr9HZoedJwREK8IH3MbMEagqiiJSjnCxo9TTL1u9yxrrAGa/KTTOMVdp1yZv9liZ1ktzStwiuu/4PZSlVFND7L58eopPn8b6qNDGrv4eR/x+YTy0Yly/l6GIBZj0z8YkK1CX5IQwOZmbPWIDZvZWsQXU0KK+Ge50SoIALWfx/GhcWiJ5j0LkLVMcKxBzLsdEhUgWQgY5iYgVJSnYYtbmjfbsUhYmI1YK3OhUmDiPsRMTGLlbTK+iSImIhkgiXwfu3KS1J+2gEcOyVAmZmV3A+wmphnmlC+pbv2Yfna+lr3VG2twS9i8vOne7KAiGYafPbKmm4KUqlMGb7pbl3TOI/mOksSOqD6pDgsFmDosPPqV38iucs7zv9dcbmgvFDtmJpjZjfw/GHp7N+CyyUX/4KWR9OzYA+PLmYOKtwFzkRTzvb5Xc90WTzldL/d908358zAxHO+Zwb2T8yiZNJVfPdrgNLCAHWtp46yuvwYFavL/8aaXDSmhl5XHyS8rr702HgmkUxrdVHOaFNjpNSsC7pnga8mbOVuUBZPSLZnxAaMIwy9IVU3nmc4dOPO0guVCcHE6kW4rjXteHyxn/z2N4dQnx4x4YEzrg6fsf3VITNGScyZmHiNlxnnxHreVMQ3dngXqjLSrroyLpDgcF/7EjQ8FgI1PVStsgSLhTSkVFF/tgWr8dlKSAVzupAbuCNvXv/wU1jjaVAHbCXXLfywfRRtD11WezoysfIpi3p56NDZQWyGq1n3y/mREgBiw5QUduXIhipGF9zH9oJS4B7QsSo01KmKVpoDkl8UwM+f7q9d2ZJTsh8+kf8Oq4z6W0Vkupj5u8ffbnQKEVuyqBosT8s+h2PD4Z3dZsmorHd3LjnQ+tFUNfK+NrRNsK5nMBqtJ0JbvEFkwbpsg2YiAic9Xl908boJ9PJS+Y3um95eL9YCKS2K3bM0xtPywVQcBc0SxqnyhVHBaf9mZykYWZ0gZjrldFd6CkamucrO22+2Oy2GmdvROfqb4jBsauGH+shV96zy8lbrvkFZ72+5yAxRVHQFPrEw8nW7O0WTxXtaPZMz64VwC+gmYCcTp8TraoP3Lu8eflrtEerqUqKL20bvGHQW0zZ/wStnInbEtVNDx4XU1uUPMrxOx+UDx55Hfedd33n1TMmRUgLytsTex6qye011tcDXVTc3Ks/fYWqIvFtTtQJyZQIXKYqRqTNXcm+OCroCZWchLsGEpc4YcPcuTI7kZfECn4+6uktMTPdLqtL62TLMlskfQbPYbq1PYMgn9gfMGtoiwHcZRVnKXFo6ofYf7jNXH9/++rJ3RaJMKTuhN3qJBpcDu+640d/k1uWdQaNZ1L3b1lQ913bDueMQMZnubJsR9ngOuCHzC+NQfEYqbwvmERV3PFtJQXa7SCPTFadhGWhQ7u482FPa+xNTK0eZgjjq+Gt0CanzQOP4g888zhJmZlouR9d6DBUQuTRulrwiqAd6YT0Fh6x5hZWxIyrIAki0tmZV3LToqCFU7PD87WPFmrac2qlYYYc+FSsqY1tWYKv8BRBF8/dPlJSmwxEObbyDt2Qe0bcbCPHosjWlmwnbomIDODxXqX5yF3QSwPbvrRH9t4reIwrKXEbLmLLnrhtIr1mKJVCtAYUUN5YdfmRkoIbaBMi/WnAB1cJYv70VdyM9EbQBDCZemh7u0cCwkiSxAYujRhOqtYwYhsO2zKzdcWrZHPZhHtD7w+Z74ntDaD7qw70LyvjW0/noOBrSnV8GC45KF3uStqRW/2HWp2OSHT2/HuTlqNknzv9aZwvnT32vXSsb1zlrFMtwtnMwrR27IuNKeLo5FqVZyQuiozXEGQeNPhXFLvLOTqX6qaj88vsoOOZb951cP0thlOTca7atLGK3xVRKX5N3v3xCBfLxc3hQ+3dtqIgdmPwNA74jS8pUOZTXM6mSVl8wKSgPlFUjd7BRgLf+c/cxv3WaL2NxRXILbLU2M/LxcwVGcFwFlHtftAFKg9GVd7WDnnbQHiXlO0b1BUAm+3vaeadNSlZsA8Lankzuq54cVq0VVGhkwH4lTQl8uM/jTk3p2QugQ10cBCG8CezP4yFqo3O0kDrZS2S01DO/YMFCSTK6QG0PqTgProV/Wi1hkZJ5a38sMZRbomCVcarsqdg5lGPJ9zrXE0aiLCvQMlMRaKLXMuMx2iVQVJKO4MnvmTT09Cz53HD1OxnjNjLl4YvBCClXk7S6R1Um8v0pBfi9Sa6oJjEsmTP7urlcFY6uDgoh7qGrdmrevRVYi7cC5aMbGCDx4SewCq/YSIinqvA6B611H82NxhpbZ5W8QD5Z7LVjNyfTzDPFmd95seYbYoWerdZVa3Qve5W54P1a7Mtu/nbsVwzDjN2oysxUJtDVugRmYBhfihVog9YHE5nMtN9znQMz0XBR6pt4TTfQxbWBbHINdxyMU7OprHv3qgbLZTeUa1Q6tQ1jN0VdxXQrN7u1kRXAabr/ckabdLNW0hgO8dmZYGVFd63qwrUZ8djIFRLJ9HXnuPm1iK1LYFvdnhffmTXsPIO+rmmG/RjxAbPlXr1UUXdWqmsr5OIBTBE8C4eq/ybHxcmP0CJinrd9dx3Zr5ggggpZa2Xvd1qxHj0GRmidhvlMNNoTBR7kN3kvKO+uHKjdyn/+sqaLn2e2pn0m+jxWY/WN4oqg19pnWRVQ9Z975H3UHnelSNPQWtBSBV8Ax1KQRMZdty3C+HzO+nwIr1xq+uUYqCmocISF7C+Qyn9qhVLHS1ZBZUt7FmRLQYBGa/xoQ8L2HN9M94vY3iQ0Gac9/eVUHxZ2NbB/KdATKdDxijKBZIYZtM7cMhmyQ/syiyMIr7Z69Mm9xa4z/FW+ujSa4IR+vRyi11BEBau9/6am3OW7LpHqMvTiDpl67zpLbV4XbP327uOTRmt46Us02vFqTPRULPdMDz0fLPeWlPHs9PGUeq7Xey6NmhOX9rtqrOlLsm0VEJc/CrCJ0nCC9fbSdMMa8p5+eXFITVFgN0FsiORaoPs91DnelHurYNal6pVWpY49jNvMqjFljyFxLLMuXhXlkSQvcE2m4WLvj5NMrYD09pJUUHOz4YJ2jnjVWnVUViOV0tOl2iu+GPZkZsvT5dstTRb0mi+do47nzMUrE7ls8GefguiOEh6iOJ4u03RprtuUtosde26i9CJVRU1H2EPm87vHsu9xq7J1DKGXqhqqOqFJcUBH9ATHDtOeyKZvQU94ZjX51FIYfVw62NIouHWZSqO5kN3JqvH2hQtYus7gcypkuCXLYAZMKCtvhRS7RGa6tEBdB1spiO9kzoFqc6MgAmH47gZ329X7j791M4gzbWpXbpN0qcmVXieQvAyV2Q9nnvXSz8y8XxiHmwWNnsri9JI57z/+VpB7AFXI6zPT82gPCJx46jVaM1BURWsWUT53rJpflmqsho0LTyyH7a2novFCRU843deduZ2EXXp7mdwqPbLBfOscss7Pw/iWv7Hw7WjS4lWIqrqo7bxuB7e5Iw/i1DOozW5OhRVqkEcHSEeCTfsui+JP/u1wR+2Ng0j8/+Gjnt2qeFqdg83ase/j2YtkrI6gxe2KundqFFutQEFsP7EvAIbQR8rDv6SafwN0I9AewsmLX+2nXrj/1GRtRUiUd1d8MMC9u8J3eIfFyH3ur3u2Bpti4OWamFVvdwyUKD3vDLucoPAMe2Laf2L1may81sTcpby8Q9MBdHT1+jw1ITKrOGnHkrLvTu8gUs5xLPrUm90higqdUsy7FE3IX14TIbvjvtMarkrruZ35Yrj2z0YXTbkktGBkkF/jSme2NL0YWj8VaY8DVy8TsGGRwee7LoWoXyvh2IgKIY27q+AfZhhEaU7lgj+xkA4fUS7zM5dRtW/vX1UyU1fJHFAk46oJL0Vim2/NO8WDumYJSrlon3s00j/Tv0Chiu3m65yc7EnWjGITk+epuiwZ8PDqQ97ZVAos87fcdhVylvzDCcc6bCiv1vvaY2zoITmLdu0GqvkN7UADVWY43JFHb19+GthhdQ9T/BC1Ht+Vi9Ggi/YjwYeGT/7gb19nuMY6lrARLtMtvJUbJ46wiZBUXj+o92sZhIXFrYKk44HYQUeh0BwgPQVL8oHHoTFTNlGugHHjjsLyh0wWbPoVcsOOQhIDnZ4lMT6oF0ZBHsz3mmxA7UgmOHsC7k0dZtytdOuWUoVvfTBBtEz8XTrKiWYm8yqVGZLQnXdiw6Rl4knIbdO5PJ66krDKtZG1e4AOWwrzWHzvbTajGGys3lfWJfOI2ipa0Zp1NFrtNr5/8vcS+nhFk6KfnzvqurYkNa3beUfMmzfpvnFLMQABhw2ED4+DO4vatXDj1gGEObAT0dzClmE5PQjFO1+IaAcnbvBrwhyWj28f7glViu7cvco4EzEVJtx7Pmb6KU+fTbSNqu8TuZitm2TP/Kc84HGGyiLhXQamjXWb92FCH3p6luCwcT9LlpTxyY6yyvxu3P75cX/pMc3Rj+/aSxKKTXsU3SIKp2/DrdvRvZhWciphFRy8KjRryWMMw5Pb129+uLHuTw5hHzy7P09gkHh83sD2EF0oWeGNMDtvD9pCP4Fq6K7JHl2ough5nxc3mz7DoYUVHpVjqk1o5ZCQNJ4f1Wn+M17/pjGpHUz75jx6uvwsHDFltjieSp0tbsYROcdGt8E5A31OWxNipsTQJM0nxG653hbDPmwz3ykph4LBcXf2UBHn/tW1s1Ht/4wmWdru0lZ0K/8K0TyS8VF8+vTwv9/9n/f3xI5TtibzCL/XrvFi+1GIismY3/QPouhtmeZ3XNFtrNWtK7xy/c3GojTzpX/B25XDO9iVXbXr9w07Z/YJkP0FlsPnrxVFtjLozcmxDG6GGZejZq1UnWFh3fCFab2Y04ljUNg3f/gml7PO2wWDYr/nrrVwEciOzGIFVfi1rtPhyh9Z6kHW/aTZYGjBafueI+x6k+6wWX3+qTJn276QFtgxru/nd49+FF0aOU69HxdXdA9adDlm3Q9j+I0z6/p+14MYQRBLmrBWr7ihCOznjpmcy4jyGQs35Wz9ungk5/Y/3sxez97MbolU5M3r17d3r+9//unu7c//eX/30z/+/uPd3e040/a9xUEeHgmNY+V7jbKimR8V5OFx84Od7OFx82PxoSG0pVI1N0SniBf0vXlzCHw7VQ8mBYk0cAEM/4hAJua4p+4sLPcEDOf5Wuowqp73Qv/9x5s3t7c3t7f/fvP3H2diO/N/mUWy9dp4D+bHzx+JgkiqOHjoq3xNZuQBX9OTC0OxS9uGUaJgA0q3j+eHR8KlfOpMmDXYAIbH85Rnei5HPblUvp96KPn4Js9yCZFPlKY3LoQWS7SEr+Dz+/uXuYnveWEXzVWYSgEkke1rSpwugNfe8LrGAexo//MWXc8XSylnC6pmK8mpWM2kWs1eWP6+qP6ilfQungOyY8RgQCVM5G++2OFJJBPwXYepIJAsII4hJpFMd0VgkJpWmyH8wtqY9O7VqzRbcBbpbLlkXxHHYFme40uYhzoobeH8Tzuc/9AiJ9O1lyrWBCXQixvxFzV6EHc/f9Z3xo1/OG0vAP+wzIEgAoGIw1BM/dbZL5V3zkht6L044Ouhz/hZ3zjDcppj+IHtg0aLRPhb4yfuDCv1TL3MOJ+PEIW6Ddydnv+EfydD3z8dkZ2XS9emP7efWZmT9wGCoyzodkvSg/u5v0U5FsJZ1M1F6I1J7HXLfafQPoc4XP1hgSEPu9FVe/trA4EigQmxFFOg8dP5XuyU6+IejD10bXo6OnUzZIKnQ36tXwyvupJ5wOe6bLddhmaKZqS+DhfLU11ALXXPwP0BM/JOKgU6xcZrRub9pjRgXvuV1Ziv9E6/EmBesXTzwysTpfMEkhn50NH2v7vML9z89+hO7P2rSwYGgKRK13R/nXf3Sg9Ei4jdXveL5KeF2Ip8vrTd/N1LQZcOmZqAXJ/0832YXjkBPgttn55pwgNtLQKm161k1wkAlnmwyrSjuBlxqWG+pZ2tQ06CtoHQ6oh5iWQeTAjVcRuWXAbsAsgQ1Hon5jr8oNVZQec4hmJWEDUfrX0WzBbHEMxLJnBNmqGgs4MugIxB3Yz/PBvqN0NQc6rNnEahDMxZQec4hmC2uuYsJ0i/ymNiFUJcOGnxpObrb/d/EvPVEvKM5msWX6L5un91yUDz9dzGXxfqPf9S7I608YjF6CjBFzfEl3o3A3+dQaxyUXGf8rGEI1NtvjH7LAlXMwRSA/n2yb/a+DMTaWbm+YcSxjkLlw8MKOj88CmnFV92KIdql0tlGpTu5f0BxVLv5WoF8U3x9jlozaRoBpD38bgjnHZwmWt5CcuDCc6qofV41BHzvhXV1AiXK2Y1V3OKPfe9jqT5/udM+0pG98raAA4EkrBHorBfz2euSkPHAoRqRY5Zg0L4hpam1NMTQSQLKTm04gO9SOzXCBMxi5xmonlmaC9HjilxC69I3vm1Ufi2B0Mkp5aKymo4BR0HZinL3mncOqwOrqleA77rSR6H6QS3RvORKdfeI/RtLS3oc9Jly9QGoPJf/n8AAAD//y766bE=" + return "eJzsff+PGzey5+/5KwgfFhm/m5E93mzevvnhAMfzcjeAEw9sB/uAw0GmuksS37DJDsmWrPz1BxbZ39nqbqmlkYMMFtlkRiI/9YXFqmKxeEOeYHdH9E4bSL4jxDDD4Y68+IS/ePEdITHoSLHUMCnuyP/6jhBC3B+JNtRkmiRgFIv0NeHsCci7x98IFTFJIJFqRzJNV3BNzJoaQhWQSHIOkYGYLJVMiFkDkSkoaphYeRSz7wjRa6nMPJJiyVZ3xKgMviNEAQeq4Y6s6HeELBnwWN8hoBsiaAIVMuyP2aX2s0pmqf9NgBT788V97QuJpDCUCU24jCj3o+X0zfznq/NW546kguKXodn3IKiguLHjVKBYfnoEZCkVoUQzseKA8xG5JJQkGTcMv1fhYP5TZ1r+0ySiSgiLa7/OSeFSrBp/2EON/bHQ31lUIksWoEpUtU/+D/IIKgJh6Ap0EFCmQc3SyARh6YhyiOdLLmnzA0upEmruSOrGHwf+8xryL9IVMtqSY1gCRKcgDGECgRGd0gg6aKtRYFj0pKdhrQVHE5kJcyQwry+XyNwnUAL4GComZHAvh0egEyyCy+OwFITL7U2qmFTM7EiqZARagx5Czdk4fShKFvML5DmiGgD8fIo8AJDcUmYukJeCWGDkSgoSM/30chgd57QR4/Cp3y+PyRrUhkXWNbMu3ZqKmNv/WFMVb603x4QBpbLU9K5H9fv5WD8Zai2X5luSi8V7GIXPLZsDkBug/PIkwwRhYiN5JgxVO2cCFjuMczZMmYxy/MZ2zTjgb9e71LJES9WabEt1jV/SrEHlW6BUs9YX3m4o43TBgUjBd3bz/E2wr4MYeU67eLkMKmK5NDsqlIvSrBVNWqpsxKyPi85smDeloFxslgsKRyepAu29L5SA1GbmPizFjbDrh7M/oBkmksrK0GTLOCdrugEboNKvLMkSsqE8w0Xz5fb167+Rf3PTfcGxW4OV89TGpVwBjXfE0CerH0z7UZkwktAoQrVztmXTHjSAxUL5U4em5INopwj0dWvYncxIRIUTWpXlRfJmpYAaUPYXwvGN/CwVga80STlcE7Ykf28N61TKfp0a8uPrv1lo11avnHL5tMcsSrNZzs0vTnsWQG7/2SmcP1cI++cKEr/d8OvPEu18Q17rX355gMK/vNtpvFsjzYUy0vqCoIkjG3fUh5gDKs7Dh39ZK9TllPxaekaD/BPrSV0kC8amqS+WkLEb/WUSctRuf5kkDd/yLxT/Afv+ZVIy+eb/TZF5qAdwmUR+q27ApXFziBdwnSdCNMQ5k8ucDQbXAdobHsPnVnbvWzmZvuQz3W/jFPQCDxMv+hDuuY9CDt8Rnxv5oZvcX2cPVZ5YPWXyuyYrxhw/2CEq5w/2P8nDh6KMbGANXv4z/ozC/jMozyfYbaVqHhz4/PEd0TG9HS9uJM9O2adsoBjlc7d5joA3EML32s+Ql7uRz2umSUJ3REhDFmCVY8Nit41Tzkumt8b0OfoeghTQeIYHHhMuHvSUKh6GncSqjJWQVRmdRVbDlxnnux58W8UMnBwgznIgQuTgYmeGn6jlrmDoSweAx2EQRh02+SDIeyayr+6IizWnIg0/UENkpPIj4WFPypnXNEGo1lliOYOfIpr9gX7oP27fDJLg8zPI4jAgpuFRPthANrVG7WcbqpXdd06o9gnjNiaIpIi13968WcEVO0iwzwbRrdleZ/HUAMMYY2n3wYdXH/oB2uhthtJW8HsG2swSUCvQ8xTUXEMUxB6KMHvAN4/qcZn7KTXBOfGUnDhK3IntFhSQ3zPIICZG4mKIYcN6YxtPllOR89KFc56asJq8ziqoEj3TuoW+QucBAjqvZKalBCXiCdiz20xAxk/lflv4vi3MTd89vKX1EkRtfDEtIXQDiq6gGtMspWpoWVAiRloP1AYsEI9Z/2eUilOxU4rFkXQ+uTQWzUSCyVc83azm1kc5DSno/Vwx4dj70orJoh5oAYZRgjb8xHTgHISDWJn1SYg45zKfVpFc+gLmnV7W8UrkZnCEWGWqulsvkaiHVx+mlcci07vpqHkMZ+7jTFkncbtm0bpOQvemeLWgIt6y2KxJZhhnf1A7LTKh/NTLGbl3H9fUZMp9REZRZgMXVzNXljxqEnGpUfT1KsacJSCMkunumGRSmbby1yHbY45PENF80PmCmUlTfwVaO7AVWRtuCeP5j4JKvB7nteUmNWwDufakUvIiZP/h9X/82JLyknGo3XwlB2UNy2Fatcvln6YoYS6IPlNOAROEeKpT4beRNuTPRKrYhnGwcQaeTeU73iwI3S3S+cgE56gkZrWk9o58eRXD5pX96+2XICI77wmg2DGaUOCr+SEMAhPu81SyjkzfwVhwYGtpcewWb8JoUFtPmDaw4xMhY9BWW+waxd+0M+cVSAqeVdv3a7VFN5+aaxV+KYBDmIZ8PxPXnIwrvNvPsUzDeRPHdsKR8J5/d2uA3lenUKiithvMUfuYVyk3UmUrq2xi+UkYXa0UrGhxFEY5dyancbml/OrRt3cOPQz5tW5+PBqylFkzMq4tnyOW9eeA2dMz8qvEgoR/MRHLbYf+uakDQd2+VRCWdJsRoFFeJRdILCPdyg4EpED2W+S9rOlD38IZiiaIZypaxMaaaAK0i+fZAOLK7QEYMs/nQ+jM4BUCTXmmkacv2yEQlzQ+xpzYkM+Okce0RxqAF7cvxhpl+ycmVvMljYxUdzbUG2eY31fgF+Emp9qQhInMQHgNv/jHJSH9h8faYXBe3F4U2tsA3DBuLEl8Lp0I6AKJWVGjMKzUsE3Oc4kirDBTUPRs2tWhVUfShB8KU3TaS8Qt6+y6hB3l7rkhWikL339sgnTF2cIQ3Ncc7v5+UucLP36zW+wgWGeMcl28Vlb6oUflZV7ERq4CyyVLYwkaC7GYiHgWFx+OpHBVH4td7k5GNFqDJlS0/a9FtlyC0uRKQxG7etbQyGSUzxpuyMWHZ4ME62g7zF9vI3mLo5UdAiHGOlLLuT4vfq+3HFwR5AweqSeows+KDj4YosAbQ+0y/cwqEYgIyALMFvxNeK/SWOVQzd14CQWbJNif5idJDCmIWOeW98MnlzdLpAISg6GM62uSohkk0RqipyJmrujwlw6VIM8fQ3l2h5f8g8FzEcqjjGNgv6BWLBVe1MvGnHXI+w38Akl54IEpgVepktGrBBImlvK6zQv7I1V1QvxaFRyGJ6VRKYwIW9ZHt8CthSoE2o697M8HQT58+i/CkFBKdJY0DWCuQ0zQCI8SchX6UMTt1/778Ht7YXspykIt/NeHqkWHeSNDTBzpNXNkYJTYPmtprdK+guEtbVq2bpuXKliyr3fkxf9Fsv5f072qp1as5uEopdtiPRWmDYu0OwIqzw8tjlo/1VybQ8nT/szHM8ftJTFDVem5zDo6PuPwPpdFLA9pR8GVmZmlrcvjAzDXMEW5E4ZDIYTUmtzM9CNg4nQAmOifXwGN6Rrrz46GgbwvBiT1AQcgwC1idM5vHwQckayrZ+zfmtXOhi3C4kifrmCOQd9h3mq+ZWP1SmGRR1rYdKUjKuZPFvaBipVzM3hbpYXa631EhXCRjJu6D2DMFEQHWoBjALp5ebNMp4oPg4GzAbOzFcmUVilFi3cGKD+jdMvsikOrIOKUJUMljWjPJ+putL1idx+Yw3LJIgYi2p3RHrm5c7SkxFCxRzPylnC5BVW1UUzELMJL3KXyWM9aG5WtVngx0shi3KYRa7LAifN5WODmPjsLgnZ8na0gpKxnd8AtEK/Jz+17D1t/4Y21PD6uEOQLMVIp+aX74r9UkkVMEMq5jFBEJTlTRKY9BBzl29RLSWt61VmxSyaKLaZRnTLTdLASKXAVys9LSI6CLDLjUi4BfRpJmc5UyrMTb659hMkNqEgmCRu9NGJY0oybUNHGYBqOWN/3bnpX6LqUahx4u3HNqvFmE3how2ghq4g+FMNW6O2w8qQRiIR4QfqY2YI1BFHFSlDOFzR6mmTqd3lgXWEN1ugnmcYr7TrlzP7LEjvLbmlahVe0AwCzlaqKaPwpnx+jcsznf1NtbFB7Hyf/OzajWDYqWc7X0wDMeuTBLx6oNsEPaXAgM3PWmsTmLW0NoqtpYSXd85wIFUTA+u/HuLRY9AST3k2oBkY49kCGnQ6JKpAMZAwTM1BKqtOwxQ3t2684REysBsjqXJg0iLgfEROzWElrrE+CiIlIJlgS72VXXpry0w7g2CkBysys5H6A1YN5pgnlW7prb5avbax1T9XWOvwiJj99uicLiGimwZ9eWddNQSqVKdM33a1sGvvRXGdJQgdUnxSbxQIMHbZf/eJ3JHeZx8W/Ky4XlBemHY/mmNkN3H9YOvu3oLjk4r+hFdH0COzh0eXMQYW7wploytk+v+uZLounnO63+/7p5pwZmHjO98zA/olZlEwqxXe/BCgtHFDXiuoor8uPUfG6/G+sy0Vjauh19YHC6+rLj41nE8m0XhfljDYtRkrNuqB7FvhqwlbuRmXxpGR7RmzIOMLRG1J143mGQzfuML1QmRBMrF6E61rTjscY+8lvf3MI9ekREx444+rwGdtfHTJjlMSciYllvMw4JzbypiK+scO7VJWRVurKuESCw33tS9BwWwjU9FC1yhIsFtKQUkX93hasxmcrIRXM6UJu4I68ef3DP8MWT4M6YCm57uGHraNoe6hY7e7IxMofWdTLQ4fODmIz3My6X86P1AAQG6aksJIjG6oYXXCf2wtqgXtQx5rQUOcqWmkWSH5WAD99ur92ZUvOyH74RP4rbDLqbxeR6XLm7x5/u9EpRGzJomqyPC37Ho5Nh3d2nyWjTr27z5IDrSBN1SLva0vbBOt6CKPTeiK0xZtEFqw7bdBMROC0x9uLLl43gV7eUX6jG6f31wtZIKVFsXuWxrhbPphKoKBZwjhVvjAqOO3f7CwFI6sTxEynnO7KSMHINDfZeTvOdufFMHM7Okl/UxyGTS39UB+5Gp5VXuJq3Tco6/0tF5khioquxCcWRr5ud6tosnhP62dyZrsQbgndBOx04pR4XW3wXvHu4ae1HqEuLyW6uO30jkFnMW3zF71yJmKHXDs1dFxQbV3+IMPrdNx54Nj9qG+/69uvnulwpNSAvE2xj7Gq7F5TXS3wddXNjcrzd3g0RN6tqVoBuTKBixTFyNS5K3k0RwVdgbKzEHfAhKXOmHD3IUyO5GXxIp/PurpLTEz3a6rS+tlOmC2TP4JmsV1an8CQT+wPmDWsRYDvMoqylLlj6YTaf7jPXH18+8vLXolEmVJ2Qu/0Eg3uDOy6UtL+a7UmvPPudZOPl7c7jWfeeMq3z6hBjuZ/eUlOp0K5/kjB91QObS9A5tNIfRi9ek3VcxljnDsOkZbp4Su2OLINR8oH3Kz6mXEoPiOVjyHyTJxz66yFQbG4DDXTFaTLQKN7d1fGenc+Dp16U5UpiKPcpka3mToPNI4/2FfiLGFmpuVydI3QUNWRS+NmySvJeqAXXndwyFo2oTJ2RAVZAInW1h2Pm5EANYSKHfptfaxY01YyZCpW2KFPxYrK2JYV+OTCAoii+Ts6SkrTkUAJLbyDl2R+EmQXEOLRZYtTNxO218VGguiPUf3kLnYlgM8ItEb03yp62Cgoz8BaTrj119xAes1SLJ1rDSikuLHs8CMjAzXUJkD+1SwamoWx+Z5Wvpb0ZF4HMJh4bXq4R8fUapLERj6OGk2o1jJimEbdMrN2bphlczj2fcCsATZxFN8bQvNRH+5dMs+3MM9Hx9GQ7vwSYXBUuthz2E9qdUNmfTom2dHza2Vej5r9Bv2vdbZwcfj32rVEch3YRrEMZzsH09o5TzKu9KubY1GalbwgOlpDnHHQGItTfI3AxTdUPxUVg34dBcd8676T22cpjJKce8u2lUXOv5hK6Wvy7udPaEA+fg4Pav+uDRWxA5O/hcF3ZEmZKofydiZV0toLJgXlgXJ85A42mPBRY552yG8r52IsrtZuga3WZkY+fq7ACI6rgHKfw2iA0mB05X32YIYm6LmS8j2sugCQyf5+f96xlZIV24CwPiqT+6puh1X5BQ0aGbBeSVMDH+7zfGVTe/YC6DAXB0Ho8ukJeTzEbHSOFjIne4mMlnrmBRYssCWjCxv3kIrzoCz8E30Ji5TMn4jA0lS5JQpWGafK7oqdQzmWfK9zO2Ek6rICLTMVgSZ6LTMeo18CRQXyCJ78nklDT8+Sz40UUSdj3EKmPHyhHCHlZpJW16jKRL4+pQC/NskV1SSGJXNuXzeXq8rR1XkjxD0M4k7Nu7cCazhXoHxWDBNrPm0J1uAVCwnxVA1e56C1Lra501hj66xynpRPFnvr2M3JNPNMce53XuT7hlilZ6t11Rvdy15lLni9Fuuym78d6xXTd2MXqjIzlQkMtS6BGXj8I8UKtEHvg4lMZtqvuc6BmWiEKPVFvKYb6OLaQDa5Rk0OxqnZVN6X8KYGy6w3lGs0OrUFYxdF3cR0Gze7tJEVwGm6/1JPm3SzVtIYDvHZmWB1RXdJdeHa03hs5AqJZPq6c9z8Os3WFT5Y254XbZo17DyDvq5phn088SG85V67VDF3VqtrEnL5AKYI7oVDzX+T4+LkW2hx0pI/H+A6+18xQQQVsvYkgl9phTx6HIyQnIbFTDTaky8eFDf5KCjv0h2o+ct//vKmi59n9qZ9BcN5vMbqW9cVRa+1XbMmoBo/9+j7qDXuStimobWgpQq+AI4lRImMu27phPH5WofzIbxyJQ0vx0BNQYUzLGR/YV3+UyuwO16zCipb1rMgWwoCNFrjRxsatmf7ZrpfxfYWL5Bx1tNfavZpYVc7/ZcBPZEBHW8oE0hmeILWeaJMhqzQvjPHEYRXW4T6w73FrjP9Vb7eNZrghH69HKLXUGQFqz0jp6bcnXddItVl6sVtMvWeh5bavJ7cxu3d2yeN1vDSl/a089V40FPx3DM9dH+w3FtSxrPT51PqZ70+cmnUKrljv6uGTF+SbavwvPxRgM23hhOst5dmG9aQ94LMi4pqhgK7UGIjLdc636+hzvGmXFsFsy7VrrTKc+xm3GZWjSl7HIljmXXxpijPJHmFazINhb0/TzK1AdLbSzJBzcWGAu0c8aoldTRWI43S06X6K76I+mRuy9Pl+y1NFvS6L52jjufMxRsTuWzwZ5+B6M4SHmI4ni7TdWnKbUrfxY49N1F6kaaiZiPsJvP53WPZL7v15tkYQi/VNFRtQpPigI3oSY4dZj2RTd+CnfDMavKpZTD6uHSwp1Fw6zKNRlOQ3YdV4/0Ll7B0HeXnVMhwK5/BDJhQV94KKXaJzHTpgbrOx1IQ3wGfA9XmRkEEwvDdDa62q/cff+tmEGfa1K5qJ+lSkyu9TiB5eT3WGNWYZ6P0MzPvZ8bhZkGjp7JsvWTO+4+/FeQeQBXy+sz0PNoNAieeWkZrBoqqaM0iyueOVfPLMo3VtHERieWwvfdUNOyo2Aln+7pPbidhl95eJrfKiGww3zqHrPPzML7lb3N8O5a0eE2kai5qK687wG2uyIM49Qxms5tTYYMa5NEB2pFgs8fLoviTf4PeUXvjIBL/f/g4bLcpntbmYJN/7Bd69iIZayNocbuiHp0axVYrUBDbT+xLgCH0kfrw31LNvwG6EWgP4eTFL/ZTL9x/arK2KiTKuys+GeDe6+E7vMNi5L7w1z13hM1U8HJNzKq3OwZqlJ53pl1OUHiGvVTtP7H6TFZe+WLuUl7e2esAOrp6xJ6aEJlVgrRjSdl3F3wQKefYFv3Rm10higqdUjx3KZrXv7wmQnbnfad1XJXWczvzxXDt10b3VbkktGBkkF/jSme2NL0YWj8Vxx4HSi8TsGGRwWffLoWoXyrp2IgKIY27q+Af9BhEaU7lgj+xkA0fUS7zE5dRtd/zX1UyU1fJHFAk46oJL0VjXRa52fYZbc0SlHLZPvfYqEywLGyBShXbxdc5OdlzWDOKTUyep+qyZMDDqw95R1wpsMzfcttVyFnyDycc67ChvFrva4+xEYzkLNq1G+/mN7QDjXeZ4XBHHr1/+WlgZ949TPFD1HrDVy5Ggy7a1gQfqD75Q9F9HQUbcixhI1ymW3grN04cYRMhqbyaUe/zMwgLi1sFSccDsYOOQqE5QHoKluQDj0Njpmy+XQHjxh2F5Q+ZLNj0EnLDjkISA52eJTE+xBhGQR7M95psQO1IJjh7Au5dHWbcrXQbllKFb8QwQbRM/F06yolmJvMmlRmS0J0PYsOkZeJJyG0zuDyeupKwyrWRtXu4EFtR81h87302oxhsrN1XNiTziNomWtGadzTa7Da+f/J3Nvp4RZOiD6Tb6rqWJDWt23lHzJs3d79xohiAgMMGwpvHwR1prSzcuHUAYQ7sRDS3sGVYTw9C8c4XItrBiRv8mjCH5ePbh3tClaI7d68yzkRMhQm/WRAz/ZQfn020jKrvWrmcrZtkz/yn3OBxhoqQ8C4D08aGzfswYQw9PUtw2LifJUvK+GRbWWV+N27//Li+9Jim+sd3eyYJxaY9im4RhbO34Zb/GF5MqzmVtAoOXlWateQxpuHJ7es3P9zY8CeHsA+eXZ8ncEg8Pu9ge4gulazwRpidtwdtYZ9ANWzXZI91VEOEvM+Lm02fYdPCCo/KNtUmtLJJSBrPj3qh4DNe/6YxqW1M++Y8erp8LxwxZbY4nkqdLW7GETnHBsnBOQP9cVsT4kmJoUmaT4hdlr0vhn3YZr5TUg4Fk+Nu76EizuOra+ej2v8ZTbK03aWt6HL/FaJ5JOOj+PTp4X+/+z/v74kdp2xN5hF+r12DxvZjIhWXMb/pH0TR2zLNr7ii21irW1dYcv3NxqI086V/wduVwzvYld3Y6/cNO2f2ByD7CyyHz18rimydoDcnxzK4GZ64HDVrpeoMC+uGC6b10lInjkFp3/zBpFzPOm8XDMr9nrvWwmUgO04WK6jCr7ydDlf+OFcPsu6n8AZDC07b94xl11uGh83qz58qc7b9C2mBHRP6fn736EfRpZPjzPtxeUX3EEpXYNb9oIpfOLOu73c9pBIEsaQJa/WKG4rAfu6YybmMKJ+xcFPO1q+Lx5Vu/+PN7PXszeyWSEXevH59e/f6/qd/3r396T/v7/75j7//eHd3O861fW9xkIdHQuNY+V6jrGjmRwV5eNz8YCd7eNz8WHxoCG2pVM0F0aniBX1v3hwC307Vg0lBIg1cAMM/IpCJOe6pOwvLPQHDeb6WOoyq553Zf//x5s3t7c3t7b/f/P3HmdjO/F9mkWy9Ut+D+fHzR6IgkioObvoql8mMPOArjHJhKHZp2zBKFGxA6fb2/PBIuJRPnQdmDTaA4fE85Zmey1FPdZXv7h5KPr7ltFxC5A9K0xuXQoslesJX8Pn9/cvcxfe8sEJzFaZSAElk+5oSpwvgtbffrnEAO9r/vMXQ88VSytmCqtlKcipWM6lWsxeWvy+qv2gdehfPSNkxYjCgEibyt4Ls8CSSCfiuw1QQSBYQxxCTSKa7IjFITavNEH5hbUx69+pVmi04i3S2XLKviGOwLs/xBdVDA5S2cv6nHc5/aJGT6dpLFTJBDfTqRvxFjR7E3c/m9e1x4x/c2wvAP0h0IIhAIuIwFFO/kfdz5X08Uht6Lw74eujzjzY2zrCc5hh+YPug0SoR/tb4iTvTSj1TLzPO5yNUoe4Ddx/Pf8K/k6Hv5o44nZdL16Y/959ZeSbvEwRHedDtlqQH93N/i3oshPOom0LozUnsDct9p9C+gDhc/WGBIQ+70VV7+2sDgSKBCbEUU6Dz0/nO8JRycQ8NHyqbno5O3QyZ4FGRX+oXw6uhZJ7wuS7bbZepmaIZqa/DxfJUl1BL3fOBf8CMvJNKgU6x8ZqReb8pDXiu/cpazFd6p18JMK9YuvnhlYnSeQLJjHzoaPvfXeYXbv57dCf2fumSgQkgqdI13V/n3S3pgWgRsVvrXkh+Woityuei7ebvXgq6bMjUBOT2pJ/vw+zKCfBZaPvsTBMeaOsRML1uHXadAGB5DlaZdhQ3Iy41zLe0s3XISdA2EFobMS+RzIMHQnXchiWXAbsAMgS13om5Dj99dVbQOY6hmBVEzceOnwWzxTEE85IJlEkzFXR20AWQMaib+Z9nQ/1mCGpOtZnTKHQCc1bQOY4hmK2tOcsO0m/ymFiFEBdBWjyp+/rb/Z/EfbWEPKP7msWX6L7uly4Z6L6e2/nrQr3nX4rVkTYesRidJfjihvhS72bgrzOIVa4q7lM+l3DkUZtvzD5LwtUMgaOBfPnkX238mYk0M/P8QwnjnIXLBwYUdH74lNOKLzuUQ7XLpTINSvfy/oBiqfdytYL4pngzH7RmUjQTyPt43JFOO7jMtbyE5cEEZ9XQejzqiHnfiurRCJcrZi1Xc4o9972OpPn+p0z7Skb3ytoADgQOYY9EYb+ez1zVhg4BhGpFjpFBoXxDS1PqxxNBJAspObTyA71I7NcIEzGLnGWi+cnQXo4cU+IWlkje+bVR+LYHQySn1oqKNJyBjgOzlGXvNG5tVgfXVK8B3/Ukj8NsgpPRfOSRa+8W+rZ2LOjPpMuWqQ1A5b/8/wAAAP//AKSNsw==" } diff --git a/metricbeat/module/system/filesystem/_meta/data.json b/metricbeat/module/system/filesystem/_meta/data.json index 2cb9f0897ac..4f13fff0465 100644 --- a/metricbeat/module/system/filesystem/_meta/data.json +++ b/metricbeat/module/system/filesystem/_meta/data.json @@ -1,33 +1,30 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "agent": { - "hostname": "host.example.com", - "name": "host.example.com" - }, "event": { "dataset": "system.filesystem", "duration": 115000, "module": "system" }, "metricset": { - "name": "filesystem" + "name": "filesystem", + "period": 10000 }, "service": { "type": "system" }, "system": { "filesystem": { - "available": 53067177984, - "device_name": "/dev/dm-5", - "files": 0, - "free": 54342492160, - "free_files": 0, - "mount_point": "/var/lib/lxd/storage-pools/default", - "total": 86301999104, - "type": "btrfs", + "available": 148708327424, + "device_name": "/dev/mapper/fedora-root", + "files": 105089024, + "free": 148708327424, + "free_files": 103974920, + "mount_point": "/", + "total": 215211835392, + "type": "xfs", "used": { - "bytes": 31959506944, - "pct": 0.3759 + "bytes": 66503507968, + "pct": 0.309 } } } diff --git a/metricbeat/module/system/filesystem/helper.go b/metricbeat/module/system/filesystem/helper.go index d64ef95f562..4d53ddf2a79 100644 --- a/metricbeat/module/system/filesystem/helper.go +++ b/metricbeat/module/system/filesystem/helper.go @@ -145,20 +145,23 @@ func AddFileSystemUsedPercentage(f *FSStat) { // GetFilesystemEvent turns a stat struct into a MapStr func GetFilesystemEvent(fsStat *FSStat) common.MapStr { - return common.MapStr{ + evt := common.MapStr{ "type": fsStat.SysTypeName, "device_name": fsStat.DevName, "mount_point": fsStat.Mount, "total": fsStat.Total, - "free": fsStat.Free, "available": fsStat.Avail, "files": fsStat.Files, - "free_files": fsStat.FreeFiles, "used": common.MapStr{ "pct": fsStat.UsedPercent, "bytes": fsStat.Used, }, } + if runtime.GOOS != "windows" { + evt.Put("free", fsStat.Free) + evt.Put("free_files", fsStat.FreeFiles) + } + return evt } // Predicate is a function predicate for use with filesystems. It returns true diff --git a/metricbeat/module/system/fsstat/_meta/fields.yml b/metricbeat/module/system/fsstat/_meta/fields.yml index d9d2b0e7ce1..d9bd3acd7f3 100644 --- a/metricbeat/module/system/fsstat/_meta/fields.yml +++ b/metricbeat/module/system/fsstat/_meta/fields.yml @@ -10,7 +10,7 @@ description: Number of file systems found. - name: total_files type: long - description: Total number of files. + description: Total number of files. Not on Windows. - name: total_size format: bytes type: group diff --git a/metricbeat/module/system/fsstat/fsstat.go b/metricbeat/module/system/fsstat/fsstat.go index a8a1eaa0c94..0f43cf4af55 100644 --- a/metricbeat/module/system/fsstat/fsstat.go +++ b/metricbeat/module/system/fsstat/fsstat.go @@ -20,6 +20,7 @@ package fsstat import ( + "runtime" "strings" "github.com/elastic/beats/v7/libbeat/common" @@ -91,16 +92,23 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { totalSizeUsed += stat.Used } - r.Event(mb.Event{ - MetricSetFields: common.MapStr{ - "total_size": common.MapStr{ - "free": totalSizeFree, - "used": totalSizeUsed, - "total": totalSize, - }, - "count": len(fss), - "total_files": totalFiles, + event := common.MapStr{ + "total_size": common.MapStr{ + "free": totalSizeFree, + "used": totalSizeUsed, + "total": totalSize, }, + "count": len(fss), + "total_files": totalFiles, + } + + //We don't get the `Files` field on Windows + if runtime.GOOS == "windows" { + event["total_files"] = totalFiles + } + + r.Event(mb.Event{ + MetricSetFields: event, }) return nil diff --git a/metricbeat/module/system/memory/_meta/data.json b/metricbeat/module/system/memory/_meta/data.json index 01231bede4c..06abee40a35 100644 --- a/metricbeat/module/system/memory/_meta/data.json +++ b/metricbeat/module/system/memory/_meta/data.json @@ -15,13 +15,13 @@ "system": { "memory": { "actual": { - "free": 14247317504, + "free": 8461623296, "used": { - "bytes": 1407057920, - "pct": 0.0899 + "bytes": 7159164928, + "pct": 0.4583 } }, - "free": 4859097088, + "free": 1299234816, "hugepages": { "default_size": 2097152, "free": 0, @@ -41,49 +41,49 @@ }, "page_stats": { "direct_efficiency": { - "pct": 0.9976 + "pct": 0.9242 }, "kswapd_efficiency": { - "pct": 0.6213 + "pct": 0.7518 }, "pgfree": { - "pages": 4382105954 + "pages": 15924304810 }, "pgscan_direct": { - "pages": 485820 + "pages": 1185751 }, "pgscan_kswapd": { - "pages": 77390925 + "pages": 50008148 }, "pgsteal_direct": { - "pages": 484631 + "pages": 1095884 }, "pgsteal_kswapd": { - "pages": 48081976 + "pages": 37594071 } }, "swap": { - "free": 7846490112, + "free": 7823421440, "in": { - "pages": 1111 + "pages": 2702 }, "out": { - "pages": 20255 + "pages": 23582 }, "readahead": { - "cached": 28, - "pages": 65 + "cached": 554, + "pages": 986 }, "total": 7897870336, "used": { - "bytes": 51380224, - "pct": 0.0065 + "bytes": 74448896, + "pct": 0.0094 } }, - "total": 15654375424, + "total": 15620788224, "used": { - "bytes": 10795278336, - "pct": 0.6896 + "bytes": 14321553408, + "pct": 0.9168 } } } diff --git a/metricbeat/module/system/memory/memory.go b/metricbeat/module/system/memory/memory.go index 90283f801be..27e76b85489 100644 --- a/metricbeat/module/system/memory/memory.go +++ b/metricbeat/module/system/memory/memory.go @@ -20,12 +20,16 @@ package memory import ( + "fmt" + + "github.com/pkg/errors" + "github.com/elastic/beats/v7/libbeat/common" mem "github.com/elastic/beats/v7/libbeat/metric/system/memory" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" - - "github.com/pkg/errors" + linux "github.com/elastic/beats/v7/metricbeat/module/linux/memory" + "github.com/elastic/beats/v7/metricbeat/module/system" ) func init() { @@ -38,11 +42,18 @@ func init() { // MetricSet for fetching system memory metrics. type MetricSet struct { mb.BaseMetricSet + IsFleet bool } // New is a mb.MetricSetFactory that returns a memory.MetricSet. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { - return &MetricSet{base}, nil + + systemModule, ok := base.Module().(*system.Module) + if !ok { + return nil, fmt.Errorf("unexpected module type") + } + + return &MetricSet{BaseMetricSet: base, IsFleet: systemModule.IsAgent}, nil } // Fetch fetches memory metrics from the OS. @@ -103,70 +114,18 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { "pages": vmstat.SwapRa, "cached": vmstat.SwapRaHit, } - pageStats := common.MapStr{ - "pgscan_kswapd": common.MapStr{ - "pages": vmstat.PgscanKswapd, - }, - "pgscan_direct": common.MapStr{ - "pages": vmstat.PgscanDirect, - }, - "pgfree": common.MapStr{ - "pages": vmstat.Pgfree, - }, - "pgsteal_kswapd": common.MapStr{ - "pages": vmstat.PgstealKswapd, - }, - "pgsteal_direct": common.MapStr{ - "pages": vmstat.PgstealDirect, - }, - } - // This is similar to the vmeff stat gathered by sar - // these ratios calculate thhe efficiency of page reclaim - if vmstat.PgscanDirect != 0 { - pageStats["direct_efficiency"] = common.MapStr{ - "pct": common.Round(float64(vmstat.PgstealDirect)/float64(vmstat.PgscanDirect), common.DefaultDecimalPlacesCount), - } - } + } - if vmstat.PgscanKswapd != 0 { - pageStats["kswapd_efficiency"] = common.MapStr{ - "pct": common.Round(float64(vmstat.PgstealKswapd)/float64(vmstat.PgscanKswapd), common.DefaultDecimalPlacesCount), - } + // for backwards compatibility, only report if we're not in fleet mode + if !m.IsFleet { + err := linux.FetchLinuxMemStats(memory) + if err != nil { + return errors.Wrap(err, "error getting page stats") } - - memory["page_stats"] = pageStats } memory["swap"] = swap - hugePagesStat, err := mem.GetHugeTLBPages() - if err != nil { - return errors.Wrap(err, "hugepages") - } - if hugePagesStat != nil { - mem.AddHugeTLBPagesPercentage(hugePagesStat) - thp := common.MapStr{ - "total": hugePagesStat.Total, - "used": common.MapStr{ - "bytes": hugePagesStat.TotalAllocatedSize, - "pct": hugePagesStat.UsedPercent, - }, - "free": hugePagesStat.Free, - "reserved": hugePagesStat.Reserved, - "surplus": hugePagesStat.Surplus, - "default_size": hugePagesStat.DefaultSize, - } - if vmstat != nil { - thp["swap"] = common.MapStr{ - "out": common.MapStr{ - "pages": vmstat.ThpSwpout, - "fallback": vmstat.ThpSwpoutFallback, - }, - } - } - memory["hugepages"] = thp - } - r.Event(mb.Event{ MetricSetFields: memory, }) diff --git a/metricbeat/module/system/process/_meta/data.json b/metricbeat/module/system/process/_meta/data.json index 78ece4aa114..84b74110683 100644 --- a/metricbeat/module/system/process/_meta/data.json +++ b/metricbeat/module/system/process/_meta/data.json @@ -1,29 +1,26 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "agent": { - "hostname": "host.example.com", - "name": "host.example.com" - }, "event": { "dataset": "system.process", "duration": 115000, "module": "system" }, "metricset": { - "name": "process" + "name": "process", + "period": 10000 }, "process": { "args": [ - "/usr/bin/dockerd", - "-H", - "unix://" + "/usr/lib/systemd/systemd", + "--switched-root", + "--system", + "--deserialize", + "28" ], - "executable": "/usr/bin/dockerd-ce", - "name": "dockerd", - "pgid": 2080, - "pid": 2080, - "ppid": 1, - "working_directory": "/" + "name": "systemd", + "pgid": 1, + "pid": 1, + "ppid": 0 }, "service": { "type": "system" @@ -32,11 +29,11 @@ "process": { "cgroup": { "blkio": { - "id": "docker.service", - "path": "/system.slice/docker.service", + "id": "init.scope", + "path": "/init.scope", "total": { - "bytes": 844576104448, - "ios": 54869430 + "bytes": 7453696, + "ios": 548 } }, "cpu": { @@ -49,8 +46,8 @@ }, "shares": 1024 }, - "id": "docker.service", - "path": "/system.slice/docker.service", + "id": "init.scope", + "path": "/init.scope", "rt": { "period": { "us": 0 @@ -68,38 +65,38 @@ } }, "cpuacct": { - "id": "docker.service", - "path": "/system.slice/docker.service", + "id": "init.scope", + "path": "/init.scope", "percpu": { - "1": 7058282754012, - "2": 7053634662537, - "3": 7069386293853, - "4": 7050055153087 + "1": 3930656993407, + "2": 4025787490535, + "3": 4064460082910, + "4": 3387847262532 }, "stats": { "system": { - "ns": 7202920000000 + "ns": 4996000000000 }, "user": { - "ns": 19573240000000 + "ns": 10329380000000 } }, "total": { - "ns": 28231358863489 + "ns": 15408751829384 } }, - "id": "docker.service", + "id": "init.scope", "memory": { - "id": "docker.service", + "id": "init.scope", "kmem": { "failures": 0, "limit": { "bytes": 9223372036854771712 }, "usage": { - "bytes": 21139456, + "bytes": 9404416, "max": { - "bytes": 480030720 + "bytes": 14987264 } } }, @@ -121,95 +118,88 @@ "bytes": 9223372036854771712 }, "usage": { - "bytes": 3337703424, + "bytes": 29437952, "max": { - "bytes": 5245300736 + "bytes": 70705152 } } }, "memsw": { "failures": 0, "limit": { - "bytes": 0 + "bytes": 9223372036854771712 }, "usage": { - "bytes": 0, + "bytes": 30392320, "max": { - "bytes": 0 + "bytes": 70705152 } } }, - "path": "/system.slice/docker.service", + "path": "/init.scope", "stats": { "active_anon": { - "bytes": 779677696 + "bytes": 3444736 }, "active_file": { - "bytes": 1753378816 + "bytes": 10563584 }, "cache": { - "bytes": 2127810560 + "bytes": 10752000 }, "hierarchical_memory_limit": { "bytes": 9223372036854771712 }, "hierarchical_memsw_limit": { - "bytes": 0 + "bytes": 9223372036854771712 }, "inactive_anon": { - "bytes": 409075712 + "bytes": 6197248 }, "inactive_file": { - "bytes": 374431744 + "bytes": 327680 }, - "major_page_faults": 53164, + "major_page_faults": 198, "mapped_file": { - "bytes": 7491584 + "bytes": 9867264 }, - "page_faults": 21923702, - "pages_in": 57261049, - "pages_out": 56521859, + "page_faults": 3626304, + "pages_in": 1095732, + "pages_out": 1090806, "rss": { - "bytes": 1188753408 + "bytes": 9592832 }, "rss_huge": { - "bytes": 56623104 + "bytes": 0 }, "swap": { - "bytes": 0 + "bytes": 675840 }, "unevictable": { "bytes": 0 } } }, - "path": "/system.slice/docker.service" + "path": "/init.scope" }, - "cmdline": "/usr/bin/dockerd -H unix://", + "cmdline": "/usr/lib/systemd/systemd --switched-root --system --deserialize 28", "cpu": { - "start_time": "2019-01-08T17:06:39.000Z", + "start_time": "2020-08-27T01:05:16.000Z", "total": { "norm": { - "pct": 0.0049 + "pct": 0.0056 }, - "pct": 0.0195, - "value": 27827810 + "pct": 0.0222, + "value": 15389060 } }, - "fd": { - "limit": { - "hard": 1048576, - "soft": 1048576 - }, - "open": 68 - }, "memory": { "rss": { - "bytes": 1187336192, - "pct": 0.0716 + "bytes": 12853248, + "pct": 0.0008 }, - "share": 8253440, - "size": 4438523904 + "share": 7118848, + "size": 176881664 }, "state": "sleeping" } @@ -217,4 +207,4 @@ "user": { "name": "root" } -} +} \ No newline at end of file diff --git a/metricbeat/module/system/process/_meta/fields.yml b/metricbeat/module/system/process/_meta/fields.yml index 51ab8b81e09..fe941031551 100644 --- a/metricbeat/module/system/process/_meta/fields.yml +++ b/metricbeat/module/system/process/_meta/fields.yml @@ -96,17 +96,27 @@ type: long format: bytes description: > - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. + The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. Not available on Windows. - name: rss.pct type: scaled_float format: percent description: > - The percentage of memory the process occupied in main memory (RAM). + The percentage of memory the process occupied in main memory (RAM). Not available on Windows. + - name: wss.bytes + type: long + format: bytes + description: > + The Working Set Size. The amount of memory the process occupied in main memory (RAM). Windows only. + - name: wss.pct + type: scaled_float + format: percent + description: > + The percentage of memory the process occupied in main memory (RAM). Windows only. - name: share type: long format: bytes description: > - The shared memory the process uses. + The shared memory the process uses. Not available on Windows. - name: fd type: group description: > diff --git a/metricbeat/module/system/process/process.go b/metricbeat/module/system/process/process.go index 9c754177372..804c62d06d6 100644 --- a/metricbeat/module/system/process/process.go +++ b/metricbeat/module/system/process/process.go @@ -46,9 +46,10 @@ func init() { // MetricSet that fetches process metrics. type MetricSet struct { mb.BaseMetricSet - stats *process.Stats - cgroup *cgroup.Reader - perCPU bool + stats *process.Stats + cgroup *cgroup.Reader + perCPU bool + IsAgent bool } // New creates and returns a new MetricSet. @@ -58,6 +59,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, err } + systemModule, ok := base.Module().(*system.Module) + if !ok { + return nil, fmt.Errorf("unexpected module type") + } + m := &MetricSet{ BaseMetricSet: base, stats: &process.Stats{ @@ -67,7 +73,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { CacheCmdLine: config.CacheCmdLine, IncludeTop: config.IncludeTop, }, - perCPU: config.IncludePerCPU, + perCPU: config.IncludePerCPU, + IsAgent: systemModule.IsAgent, } err := m.stats.Init() if err != nil { @@ -75,11 +82,6 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { } if runtime.GOOS == "linux" { - systemModule, ok := base.Module().(*system.Module) - if !ok { - return nil, fmt.Errorf("unexpected module type") - } - if config.Cgroups == nil || *config.Cgroups { debugf("process cgroup data collection is enabled, using hostfs='%v'", systemModule.HostFS) m.cgroup, err = cgroup.NewReader(systemModule.HostFS, true) @@ -148,6 +150,22 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { rootFields.Put("process.args", args) } + // This is a temporary fix until we make these changes global across libbeat + // This logic should happen in libbeat getProcessEvent() + + // There's some more Windows memory quirks we need to deal with. + // "rss" is a linux concept, but "wss" is a direct match on Windows. + // "share" is also unavailable on Windows. + + if m.IsAgent { + if runtime.GOOS == "windows" { + proc.Delete("memory.share") + if setSize := getAndRemove(proc, "memory.rss"); setSize != nil { + proc.Put("memory.wss", setSize) + } + } + } + e := mb.Event{ RootFields: rootFields, MetricSetFields: proc, diff --git a/metricbeat/module/system/process_summary/_meta/data.json b/metricbeat/module/system/process_summary/_meta/data.json index 363e5f77a0d..159defcb769 100644 --- a/metricbeat/module/system/process_summary/_meta/data.json +++ b/metricbeat/module/system/process_summary/_meta/data.json @@ -1,16 +1,13 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "agent": { - "hostname": "host.example.com", - "name": "host.example.com" - }, "event": { "dataset": "system.process.summary", "duration": 115000, "module": "system" }, "metricset": { - "name": "process_summary" + "name": "process_summary", + "period": 10000 }, "service": { "type": "system" @@ -19,13 +16,13 @@ "process": { "summary": { "dead": 0, - "idle": 112, - "running": 0, - "sleeping": 288, + "idle": 63, + "running": 3, + "sleeping": 117, "stopped": 0, - "total": 401, - "unknown": 0, - "zombie": 1 + "total": 185, + "unknown": 2, + "zombie": 0 } } } diff --git a/metricbeat/module/system/process_summary/process_summary.go b/metricbeat/module/system/process_summary/process_summary.go index 071a7b2a660..5edb31f9182 100644 --- a/metricbeat/module/system/process_summary/process_summary.go +++ b/metricbeat/module/system/process_summary/process_summary.go @@ -20,6 +20,8 @@ package process_summary import ( + "runtime" + "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" @@ -79,7 +81,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { state := sigar.ProcState{} err = state.Get(pid) if err != nil { - summary.unknown += 1 + summary.unknown++ continue } @@ -104,15 +106,25 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { } } - event := common.MapStr{ - "total": len(pids), - "sleeping": summary.sleeping, - "running": summary.running, - "idle": summary.idle, - "stopped": summary.stopped, - "zombie": summary.zombie, - "unknown": summary.unknown, - "dead": summary.dead, + event := common.MapStr{} + if runtime.GOOS == "windows" { + event = common.MapStr{ + "total": len(pids), + "sleeping": summary.sleeping, + "running": summary.running, + "unknown": summary.unknown, + } + } else { + event = common.MapStr{ + "total": len(pids), + "sleeping": summary.sleeping, + "running": summary.running, + "idle": summary.idle, + "stopped": summary.stopped, + "zombie": summary.zombie, + "unknown": summary.unknown, + "dead": summary.dead, + } } r.Event(mb.Event{ diff --git a/metricbeat/module/system/process_summary/process_summary_test.go b/metricbeat/module/system/process_summary/process_summary_test.go index 55afce8f190..c95e361224c 100644 --- a/metricbeat/module/system/process_summary/process_summary_test.go +++ b/metricbeat/module/system/process_summary/process_summary_test.go @@ -20,6 +20,7 @@ package process_summary import ( + "runtime" "testing" "github.com/stretchr/testify/assert" @@ -53,18 +54,26 @@ func TestFetch(t *testing.T) { event, ok := summary.(common.MapStr) require.True(t, ok) - assert.Contains(t, event, "total") - assert.Contains(t, event, "sleeping") - assert.Contains(t, event, "running") - assert.Contains(t, event, "idle") - assert.Contains(t, event, "stopped") - assert.Contains(t, event, "zombie") - assert.Contains(t, event, "unknown") + if runtime.GOOS == "windows" { + assert.Contains(t, event, "total") + assert.Contains(t, event, "sleeping") + assert.Contains(t, event, "running") + assert.Contains(t, event, "unknown") + total := event["sleeping"].(int) + event["running"].(int) + event["unknown"].(int) + assert.Equal(t, event["total"].(int), total) + } else { + assert.Contains(t, event, "total") + assert.Contains(t, event, "sleeping") + assert.Contains(t, event, "running") + assert.Contains(t, event, "idle") + assert.Contains(t, event, "stopped") + assert.Contains(t, event, "zombie") + assert.Contains(t, event, "unknown") + total := event["sleeping"].(int) + event["running"].(int) + event["idle"].(int) + + event["stopped"].(int) + event["zombie"].(int) + event["unknown"].(int) - total := event["sleeping"].(int) + event["running"].(int) + event["idle"].(int) + - event["stopped"].(int) + event["zombie"].(int) + event["unknown"].(int) - - assert.Equal(t, event["total"].(int), total) + assert.Equal(t, event["total"].(int), total) + } } func getConfig() map[string]interface{} { diff --git a/metricbeat/module/system/system.go b/metricbeat/module/system/system.go index edb9f55bf6b..f1f060a90bc 100644 --- a/metricbeat/module/system/system.go +++ b/metricbeat/module/system/system.go @@ -21,10 +21,12 @@ import ( "flag" "sync" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/metricbeat/mb" ) var ( + // HostFS is an alternate mountpoint for the filesytem root, for when metricbeat is running inside a container. HostFS = flag.String("system.hostfs", "", "mountpoint of the host's filesystem for use in monitoring a host from within a container") ) @@ -37,16 +39,48 @@ func init() { } } +// Module represents the system module type Module struct { mb.BaseModule - HostFS string // Mountpoint of the host's filesystem for use in monitoring inside a container. + HostFS string // Mountpoint of the host's filesystem for use in monitoring inside a container. + IsAgent bool // Looks to see if metricbeat is running under agent. Useful if we have breaking changes in one but not the other. } +// NewModule instatiates the system module func NewModule(base mb.BaseModule) (mb.Module, error) { // This only needs to be configured once for all system modules. once.Do(func() { initModule() }) - return &Module{BaseModule: base, HostFS: *HostFS}, nil + return &Module{BaseModule: base, HostFS: *HostFS, IsAgent: checkMgmtFlags()}, nil +} + +// checkMgmtFlags checks to see if metricbeat is running under Agent +// The management setting is stored in the main Beat runtime object, but we can't see that from a module +// So instead we check the CLI flags, since Agent starts metricbeat with "-E", "management.mode=x-pack-fleet", "-E", "management.enabled=true" +func checkMgmtFlags() bool { + type management struct { + Mode string `config:"management.mode"` + Enabled bool `config:"management.enabled"` + } + var managementSettings management + + cfgFlag := flag.Lookup("E") + if cfgFlag == nil { + return false + } + + CfgObject, _ := cfgFlag.Value.(*common.SettingsFlag) + cliCfg := CfgObject.Config() + + err := cliCfg.Unpack(&managementSettings) + if err != nil { + return false + } + + if managementSettings.Enabled == true && managementSettings.Mode == "x-pack-fleet" { + return true + } + return false } diff --git a/metricbeat/module/system/test_system.py b/metricbeat/module/system/test_system.py index f689b99fb4c..0cfb820c18a 100644 --- a/metricbeat/module/system/test_system.py +++ b/metricbeat/module/system/test_system.py @@ -7,13 +7,23 @@ import unittest -SYSTEM_CPU_FIELDS = ["cores", "idle.pct", "iowait.pct", "irq.pct", "nice.pct", - "softirq.pct", "steal.pct", "system.pct", "user.pct", "total.pct"] +SYSTEM_CPU_FIELDS_LINUX = ["cores", "idle.pct", "iowait.pct", "irq.pct", "nice.pct", + "softirq.pct", "steal.pct", "system.pct", "user.pct", "total.pct"] -SYSTEM_CPU_FIELDS_ALL = ["cores", "idle.pct", "idle.ticks", "iowait.pct", "iowait.ticks", "irq.pct", "irq.ticks", "nice.pct", "nice.ticks", - "softirq.pct", "softirq.ticks", "steal.pct", "steal.ticks", "system.pct", "system.ticks", "user.pct", "user.ticks", - "idle.norm.pct", "iowait.norm.pct", "irq.norm.pct", "nice.norm.pct", "softirq.norm.pct", - "steal.norm.pct", "system.norm.pct", "user.norm.pct", "total.norm.pct", "total.value"] +SYSTEM_CPU_FIELDS_WINDOWS = ["cores", "idle.pct", "system.pct", "user.pct", "total.pct"] + +SYSTEM_CPU_FIELDS_DARWIN = ["cores", "idle.pct", "system.pct", "user.pct", "total.pct", "nice.pct"] + +SYSTEM_CPU_FIELDS_LINUX_ALL = ["cores", "idle.pct", "idle.ticks", "iowait.pct", "iowait.ticks", "irq.pct", "irq.ticks", "nice.pct", "nice.ticks", + "softirq.pct", "softirq.ticks", "steal.pct", "steal.ticks", "system.pct", "system.ticks", "user.pct", "user.ticks", + "idle.norm.pct", "iowait.norm.pct", "irq.norm.pct", "nice.norm.pct", "softirq.norm.pct", + "steal.norm.pct", "system.norm.pct", "user.norm.pct", "total.norm.pct", "total.value"] + +SYSTEM_CPU_FIELDS_WINDOWS_ALL = ["cores", "idle.pct", "idle.ticks", "system.pct", "system.ticks", "user.pct", "user.ticks", + "idle.norm.pct", "system.norm.pct", "user.norm.pct", "total.norm.pct", "total.value"] + +SYSTEM_CPU_FIELDS_DARWIN_ALL = ["cores", "idle.pct", "idle.ticks", "nice.pct", "nice.ticks", "system.pct", "system.ticks", "user.pct", "user.ticks", + "idle.norm.pct", "nice.norm.pct", "system.norm.pct", "user.norm.pct", "total.norm.pct", "total.value"] SYSTEM_LOAD_FIELDS = ["cores", "1", "5", "15", "norm.1", "norm.5", "norm.15"] @@ -37,6 +47,10 @@ "free_files", "mount_point", "total", "used.bytes", "used.pct"] +SYSTEM_FILESYSTEM_FIELDS_WINDOWS = ["available", "device_name", "type", "files", + "mount_point", "total", "used.bytes", + "used.pct"] + SYSTEM_FSSTAT_FIELDS = ["count", "total_files", "total_size"] SYSTEM_MEMORY_FIELDS = ["swap", "actual.free", "free", "total", "used.bytes", "used.pct", "actual.used.bytes", @@ -82,7 +96,12 @@ def test_cpu(self): if "system" in evt: cpu = evt["system"]["cpu"] - self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS), cpu.keys()) + if sys.platform.startswith("linux"): + self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS_LINUX), cpu.keys()) + elif sys.platform.startswith("darwin"): + self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS_DARWIN), cpu.keys()) + elif sys.platform.startswith("win"): + self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS_WINDOWS), cpu.keys()) else: host_cpu = evt["host"]["cpu"] self.assertCountEqual(self.de_dot(SYSTEM_CPU_HOST_FIELDS), host_cpu.keys()) @@ -111,7 +130,12 @@ def test_cpu_ticks_option(self): for evt in output: self.assert_fields_are_documented(evt) cpuStats = evt["system"]["cpu"] - self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS_ALL), cpuStats.keys()) + if sys.platform.startswith("linux"): + self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS_LINUX_ALL), cpuStats.keys()) + elif sys.platform.startswith("win"): + self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS_WINDOWS_ALL), cpuStats.keys()) + elif sys.platform.startswith("darwin"): + self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS_DARWIN_ALL), cpuStats.keys()) @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd|openbsd", sys.platform), "os") def test_core(self): @@ -261,7 +285,10 @@ def test_filesystem(self): for evt in output: self.assert_fields_are_documented(evt) filesystem = evt["system"]["filesystem"] - self.assertCountEqual(self.de_dot(SYSTEM_FILESYSTEM_FIELDS), filesystem.keys()) + if sys.platform.startswith("win"): + self.assertCountEqual(self.de_dot(SYSTEM_FILESYSTEM_FIELDS_WINDOWS), filesystem.keys()) + else: + self.assertCountEqual(self.de_dot(SYSTEM_FILESYSTEM_FIELDS), filesystem.keys()) @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd|openbsd", sys.platform), "os") def test_fsstat(self): @@ -378,13 +405,17 @@ def test_process_summary(self): assert isinstance(summary["total"], int) assert isinstance(summary["sleeping"], int) assert isinstance(summary["running"], int) - assert isinstance(summary["idle"], int) - assert isinstance(summary["stopped"], int) - assert isinstance(summary["zombie"], int) assert isinstance(summary["unknown"], int) - assert summary["total"] == summary["sleeping"] + summary["running"] + \ - summary["idle"] + summary["stopped"] + summary["zombie"] + summary["unknown"] + if not sys.platform.startswith("win"): + assert isinstance(summary["idle"], int) + assert isinstance(summary["stopped"], int) + assert isinstance(summary["zombie"], int) + assert summary["total"] == summary["sleeping"] + summary["running"] + \ + summary["idle"] + summary["stopped"] + summary["zombie"] + summary["unknown"] + + if sys.platform.startswith("windows"): + assert summary["total"] == summary["sleeping"] + summary["running"] + summary["unknown"] @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd", sys.platform), "os") def test_process(self): diff --git a/metricbeat/modules.d/linux.yml.disabled b/metricbeat/modules.d/linux.yml.disabled index a01989aa0c9..22e675cafff 100644 --- a/metricbeat/modules.d/linux.yml.disabled +++ b/metricbeat/modules.d/linux.yml.disabled @@ -5,8 +5,10 @@ period: 10s metricsets: - "pageinfo" + - "memory" # - ksm # - conntrack + # - iostat enabled: true #hostfs: /hostfs diff --git a/metricbeat/tests/system/test_processors.py b/metricbeat/tests/system/test_processors.py index 2f7d131d119..a680c049d67 100644 --- a/metricbeat/tests/system/test_processors.py +++ b/metricbeat/tests/system/test_processors.py @@ -12,13 +12,13 @@ def test_drop_fields(self): self.render_config_template( modules=[{ "name": "system", - "metricsets": ["cpu"], + "metricsets": ["network"], "period": "1s" }], processors=[{ "drop_fields": { "when": "range.system.cpu.system.pct.lt: 0.1", - "fields": ["system.cpu.load"], + "fields": ["system.network.in"], }, }] ) @@ -27,7 +27,7 @@ def test_drop_fields(self): proc.check_kill_and_wait() output = self.read_output_json() - self.assertEqual(len(output), 1) + self.assertGreater(len(output), 1) evt = output[0] self.assert_fields_are_documented(evt) @@ -37,12 +37,9 @@ def test_drop_fields(self): 'agent', '@timestamp', 'system', 'metricset.module', 'metricset.rtt', 'metricset.name', 'host', 'service', 'ecs', 'event' ]), evt.keys()) - cpu = evt["system"]["cpu"] - print(list(cpu.keys())) - self.assertCountEqual(self.de_dot([ - "system", "cores", "user", "softirq", "iowait", - "idle", "irq", "steal", "nice", "total" - ]), cpu.keys()) + network = evt["system"]["network"] + print(list(network.keys())) + self.assertCountEqual(self.de_dot(["name", "out", "in"]), network.keys()) def test_dropfields_with_condition(self): """ diff --git a/packetbeat/Jenkinsfile.yml b/packetbeat/Jenkinsfile.yml index 3397ccd21f5..f755f322477 100644 --- a/packetbeat/Jenkinsfile.yml +++ b/packetbeat/Jenkinsfile.yml @@ -19,15 +19,27 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test packetbeat for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test packetbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/packetbeat/_meta/config/beat.docker.yml.tmpl b/packetbeat/_meta/config/beat.docker.yml.tmpl index f4f0db1f7e6..f9b573edfeb 100644 --- a/packetbeat/_meta/config/beat.docker.yml.tmpl +++ b/packetbeat/_meta/config/beat.docker.yml.tmpl @@ -36,3 +36,6 @@ packetbeat.protocols.cassandra: packetbeat.protocols.tls: ports: [443, 993, 995, 5223, 8443, 8883, 9243] + +packetbeat.protocols.sip: + ports: [5060] diff --git a/packetbeat/_meta/config/beat.reference.yml.tmpl b/packetbeat/_meta/config/beat.reference.yml.tmpl index 1a3aab315d7..722c47102dc 100644 --- a/packetbeat/_meta/config/beat.reference.yml.tmpl +++ b/packetbeat/_meta/config/beat.reference.yml.tmpl @@ -531,6 +531,19 @@ packetbeat.protocols: # Set to true to publish fields with null values in events. #keep_null: false +- type: sip + # Configure the ports where to listen for SIP traffic. You can disable the SIP protocol by commenting out the list of ports. + ports: [5060] + + # Parse the authorization headers + parse_authorization: true + + # Parse body contents (only when body is SDP) + parse_body: true + + # Preserve original contents in event.original + keep_original: true + {{header "Monitored processes"}} # Packetbeat can enrich events with information about the process associated diff --git a/packetbeat/_meta/config/beat.yml.tmpl b/packetbeat/_meta/config/beat.yml.tmpl index fb221cba3c9..c5f9cfc0c23 100644 --- a/packetbeat/_meta/config/beat.yml.tmpl +++ b/packetbeat/_meta/config/beat.yml.tmpl @@ -101,6 +101,10 @@ packetbeat.protocols: - 8883 # Secure MQTT - 9243 # Elasticsearch +- type: sip + # Configure the ports where to listen for SIP traffic. You can disable the SIP protocol by commenting out the list of ports. + ports: [5060] + {{header "Elasticsearch template setting"}} setup.template.settings: diff --git a/packetbeat/_meta/sample_outputs/sip.json b/packetbeat/_meta/sample_outputs/sip.json new file mode 100644 index 00000000000..4a57d85908f --- /dev/null +++ b/packetbeat/_meta/sample_outputs/sip.json @@ -0,0 +1,77 @@ +{ + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "192.168.1.2", + "client.port": 5060, + "destination.ip": "212.242.33.35", + "destination.port": 5060, + "event.action": "sip_register", + "event.category": [ + "network", + "protocol", + "authentication" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "REGISTER sip:sip.cybercity.dk SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport\r\nFrom: ;tag=6bac55c\r\nTo: \r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nContact: ;expires=1200;q=0.500\r\nExpires: 1200\r\nCSeq: 75 REGISTER\r\nContent-Length: 0\r\nAuthorization: Digest username=\"voi18062\",realm=\"sip.cybercity.dk\",uri=\"sip:192.168.1.2\",nonce=\"1701b22972b90f440c3e4eb250842bb\",opaque=\"1701a1351f70795\",nc=\"00000001\",response=\"79a0543188495d288c9ebbe0c881abdc\"\r\nMax-Forwards: 70\r\nUser-Agent: Nero SIPPS IP Phone Version 2.0.51.16\r\n\r\n", + "event.sequence": 75, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "sip.cybercity.dk" + ], + "related.ip": [ + "192.168.1.2", + "212.242.33.35" + ], + "related.user": [ + "voi18062" + ], + "server.ip": "212.242.33.35", + "server.port": 5060, + "sip.auth.realm": "sip.cybercity.dk", + "sip.auth.scheme": "Digest", + "sip.auth.uri.host": "192.168.1.2", + "sip.auth.uri.original": "sip:192.168.1.2", + "sip.auth.uri.scheme": "sip", + "sip.call_id": "578222729-4665d775@578222732-4665d772", + "sip.contact.uri.host": "sip.cybercity.dk", + "sip.contact.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.contact.uri.scheme": "sip", + "sip.contact.uri.username": "voi18062", + "sip.cseq.code": 75, + "sip.cseq.method": "REGISTER", + "sip.from.tag": "6bac55c", + "sip.from.uri.host": "sip.cybercity.dk", + "sip.from.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "voi18062", + "sip.max_forwards": 70, + "sip.method": "REGISTER", + "sip.to.uri.host": "sip.cybercity.dk", + "sip.to.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "voi18062", + "sip.type": "request", + "sip.uri.host": "sip.cybercity.dk", + "sip.uri.original": "sip:sip.cybercity.dk", + "sip.uri.scheme": "sip", + "sip.user_agent.original": "Nero SIPPS IP Phone Version 2.0.51.16", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport" + ], + "source.ip": "192.168.1.2", + "source.port": 5060, + "status": "OK", + "type": "sip", + "user.name": "voi18062" +} diff --git a/packetbeat/cmd/root.go b/packetbeat/cmd/root.go index 82ab41da374..0a22e98a1a0 100644 --- a/packetbeat/cmd/root.go +++ b/packetbeat/cmd/root.go @@ -37,7 +37,7 @@ const ( Name = "packetbeat" // ecsVersion specifies the version of ECS that Packetbeat is implementing. - ecsVersion = "1.5.0" + ecsVersion = "1.6.0" ) // withECSVersion is a modifier that adds ecs.version to events. diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index 2c73f3dd277..22d2b406bf9 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -35,6 +35,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -2127,8 +2128,15 @@ type: object [[exported-fields-ecs]] == ECS fields -ECS Fields. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. *`@timestamp`*:: + @@ -11680,6 +11688,667 @@ The return value of the Redis command in a human readable format. If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. +-- + +[[exported-fields-sip]] +== SIP fields + +SIP-specific event fields. + + +[float] +=== sip + +Information about SIP traffic. + + +*`sip.timestamp`*:: ++ +-- +Timestamp with nano second precision. + +type: date_nanos + +-- + +*`sip.code`*:: ++ +-- +Response status code. + +type: keyword + +-- + +*`sip.method`*:: ++ +-- +Request method. + +type: keyword + +-- + +*`sip.status`*:: ++ +-- +Response status phrase. + +type: keyword + +-- + +*`sip.type`*:: ++ +-- +Either request or response. + +type: keyword + +-- + +*`sip.version`*:: ++ +-- +SIP protocol version. + +type: keyword + +-- + +*`sip.uri.original`*:: ++ +-- +The original URI. + +type: keyword + +-- + +*`sip.uri.original.text`*:: ++ +-- +type: text + +-- + +*`sip.uri.scheme`*:: ++ +-- +The URI scheme. + +type: keyword + +-- + +*`sip.uri.username`*:: ++ +-- +The URI user name. + +type: keyword + +-- + +*`sip.uri.host`*:: ++ +-- +The URI host. + +type: keyword + +-- + +*`sip.uri.port`*:: ++ +-- +The URI port. + +type: keyword + +-- + +*`sip.accept`*:: ++ +-- +Accept header value. + +type: keyword + +-- + +*`sip.allow`*:: ++ +-- +Allowed methods. + +type: keyword + +-- + +*`sip.call_id`*:: ++ +-- +Call ID. + +type: keyword + +-- + +*`sip.content_length`*:: ++ +-- +type: long + +-- + +*`sip.content_type`*:: ++ +-- +type: keyword + +-- + +*`sip.max_forwards`*:: ++ +-- +type: long + +-- + +*`sip.supported`*:: ++ +-- +Supported methods. + +type: keyword + +-- + +*`sip.user_agent.original`*:: ++ +-- +type: keyword + +-- + +*`sip.user_agent.original.text`*:: ++ +-- +type: text + +-- + +*`sip.private.uri.original`*:: ++ +-- +Private original URI. + +type: keyword + +-- + +*`sip.private.uri.original.text`*:: ++ +-- +type: text + +-- + +*`sip.private.uri.scheme`*:: ++ +-- +Private URI scheme. + +type: keyword + +-- + +*`sip.private.uri.username`*:: ++ +-- +Private URI user name. + +type: keyword + +-- + +*`sip.private.uri.host`*:: ++ +-- +Private URI host. + +type: keyword + +-- + +*`sip.private.uri.port`*:: ++ +-- +Private URI port. + +type: keyword + +-- + +*`sip.cseq.code`*:: ++ +-- +Sequence code. + +type: keyword + +-- + +*`sip.cseq.method`*:: ++ +-- +Sequence method. + +type: keyword + +-- + +*`sip.via.original`*:: ++ +-- +The original Via value. + +type: keyword + +-- + +*`sip.via.original.text`*:: ++ +-- +type: text + +-- + +*`sip.to.display_info`*:: ++ +-- +To display info + +type: keyword + +-- + +*`sip.to.uri.original`*:: ++ +-- +To original URI + +type: keyword + +-- + +*`sip.to.uri.original.text`*:: ++ +-- +type: text + +-- + +*`sip.to.uri.scheme`*:: ++ +-- +To URI scheme + +type: keyword + +-- + +*`sip.to.uri.username`*:: ++ +-- +To URI user name + +type: keyword + +-- + +*`sip.to.uri.host`*:: ++ +-- +To URI host + +type: keyword + +-- + +*`sip.to.uri.port`*:: ++ +-- +To URI port + +type: keyword + +-- + +*`sip.to.tag`*:: ++ +-- +To tag + +type: keyword + +-- + +*`sip.from.display_info`*:: ++ +-- +From display info + +type: keyword + +-- + +*`sip.from.uri.original`*:: ++ +-- +From original URI + +type: keyword + +-- + +*`sip.from.uri.original.text`*:: ++ +-- +type: text + +-- + +*`sip.from.uri.scheme`*:: ++ +-- +From URI scheme + +type: keyword + +-- + +*`sip.from.uri.username`*:: ++ +-- +From URI user name + +type: keyword + +-- + +*`sip.from.uri.host`*:: ++ +-- +From URI host + +type: keyword + +-- + +*`sip.from.uri.port`*:: ++ +-- +From URI port + +type: keyword + +-- + +*`sip.from.tag`*:: ++ +-- +From tag + +type: keyword + +-- + +*`sip.contact.display_info`*:: ++ +-- +Contact display info + +type: keyword + +-- + +*`sip.contact.uri.original`*:: ++ +-- +Contact original URI + +type: keyword + +-- + +*`sip.contact.uri.original.text`*:: ++ +-- +type: text + +-- + +*`sip.contact.uri.scheme`*:: ++ +-- +Contat URI scheme + +type: keyword + +-- + +*`sip.contact.uri.username`*:: ++ +-- +Contact URI user name + +type: keyword + +-- + +*`sip.contact.uri.host`*:: ++ +-- +Contact URI host + +type: keyword + +-- + +*`sip.contact.uri.port`*:: ++ +-- +Contact URI port + +type: keyword + +-- + +*`sip.contact.transport`*:: ++ +-- +Contact transport + +type: keyword + +-- + +*`sip.contact.line`*:: ++ +-- +Contact line + +type: keyword + +-- + +*`sip.contact.expires`*:: ++ +-- +Contact expires + +type: keyword + +-- + +*`sip.contact.q`*:: ++ +-- +Contact Q + +type: keyword + +-- + +*`sip.auth.scheme`*:: ++ +-- +Auth scheme + +type: keyword + +-- + +*`sip.auth.realm`*:: ++ +-- +Auth realm + +type: keyword + +-- + +*`sip.auth.uri.original`*:: ++ +-- +Auth original URI + +type: keyword + +-- + +*`sip.auth.uri.original.text`*:: ++ +-- +type: text + +-- + +*`sip.auth.uri.scheme`*:: ++ +-- +Auth URI scheme + +type: keyword + +-- + +*`sip.auth.uri.host`*:: ++ +-- +Auth URI host + +type: keyword + +-- + +*`sip.auth.uri.port`*:: ++ +-- +Auth URI port + +type: keyword + +-- + +*`sip.sdp.version`*:: ++ +-- +SDP version + +type: keyword + +-- + +*`sip.sdp.owner.username`*:: ++ +-- +SDP owner user name + +type: keyword + +-- + +*`sip.sdp.owner.session_id`*:: ++ +-- +SDP owner session ID + +type: keyword + +-- + +*`sip.sdp.owner.version`*:: ++ +-- +SDP owner version + +type: keyword + +-- + +*`sip.sdp.owner.ip`*:: ++ +-- +SDP owner IP + +type: ip + +-- + +*`sip.sdp.session.name`*:: ++ +-- +SDP session name + +type: keyword + +-- + +*`sip.sdp.connection.info`*:: ++ +-- +SDP connection info + +type: keyword + +-- + +*`sip.sdp.connection.address`*:: ++ +-- +SDP connection address + +type: keyword + +-- + +*`sip.sdp.body.original`*:: ++ +-- +SDP original body + +type: keyword + +-- + +*`sip.sdp.body.original.text`*:: ++ +-- +type: text + -- [[exported-fields-thrift]] diff --git a/packetbeat/docs/shared-protocol-list.asciidoc b/packetbeat/docs/shared-protocol-list.asciidoc index 3e18fc35eb8..fdac127050a 100644 --- a/packetbeat/docs/shared-protocol-list.asciidoc +++ b/packetbeat/docs/shared-protocol-list.asciidoc @@ -18,3 +18,4 @@ - Memcache - NFS - TLS + - SIP/SDP (beta) diff --git a/packetbeat/include/list.go b/packetbeat/include/list.go index 0dc1f0bd053..748d525eb2f 100644 --- a/packetbeat/include/list.go +++ b/packetbeat/include/list.go @@ -33,6 +33,7 @@ import ( _ "github.com/elastic/beats/v7/packetbeat/protos/nfs" _ "github.com/elastic/beats/v7/packetbeat/protos/pgsql" _ "github.com/elastic/beats/v7/packetbeat/protos/redis" + _ "github.com/elastic/beats/v7/packetbeat/protos/sip" _ "github.com/elastic/beats/v7/packetbeat/protos/thrift" _ "github.com/elastic/beats/v7/packetbeat/protos/tls" ) diff --git a/packetbeat/packetbeat.docker.yml b/packetbeat/packetbeat.docker.yml index edffce72694..4cf9016a926 100644 --- a/packetbeat/packetbeat.docker.yml +++ b/packetbeat/packetbeat.docker.yml @@ -37,6 +37,9 @@ packetbeat.protocols.cassandra: packetbeat.protocols.tls: ports: [443, 993, 995, 5223, 8443, 8883, 9243] +packetbeat.protocols.sip: + ports: [5060] + processors: - add_cloud_metadata: ~ - add_docker_metadata: ~ diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 0dc551698e9..6b936240bbb 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml @@ -531,6 +531,19 @@ packetbeat.protocols: # Set to true to publish fields with null values in events. #keep_null: false +- type: sip + # Configure the ports where to listen for SIP traffic. You can disable the SIP protocol by commenting out the list of ports. + ports: [5060] + + # Parse the authorization headers + parse_authorization: true + + # Parse body contents (only when body is SDP) + parse_body: true + + # Preserve original contents in event.original + keep_original: true + # ============================ Monitored processes ============================= # Packetbeat can enrich events with information about the process associated diff --git a/packetbeat/packetbeat.yml b/packetbeat/packetbeat.yml index 53f87d73003..31c229b1ef7 100644 --- a/packetbeat/packetbeat.yml +++ b/packetbeat/packetbeat.yml @@ -101,6 +101,10 @@ packetbeat.protocols: - 8883 # Secure MQTT - 9243 # Elasticsearch +- type: sip + # Configure the ports where to listen for SIP traffic. You can disable the SIP protocol by commenting out the list of ports. + ports: [5060] + # ======================= Elasticsearch template setting ======================= setup.template.settings: diff --git a/packetbeat/pb/ecs.go b/packetbeat/pb/ecs.go index b7722c2c22a..4594f7cd8c4 100644 --- a/packetbeat/pb/ecs.go +++ b/packetbeat/pb/ecs.go @@ -54,7 +54,11 @@ type ecsRelated struct { User []string `ecs:"user"` // overridden because this needs to be an array Hash []string `ecs:"hash"` + // overridden because this needs to be an array + Hosts []string `ecs:"hosts"` // for de-dup - ipSet map[string]struct{} + ipSet map[string]struct{} + userSet map[string]struct{} + hostSet map[string]struct{} } diff --git a/packetbeat/pb/event.go b/packetbeat/pb/event.go index f0287665c0d..cd652756f3e 100644 --- a/packetbeat/pb/event.go +++ b/packetbeat/pb/event.go @@ -147,10 +147,15 @@ func (f *Fields) SetDestination(endpoint *common.Endpoint) { func (f *Fields) AddIP(ip ...string) { if f.Related == nil { f.Related = &ecsRelated{ - ipSet: make(map[string]struct{}), + ipSet: make(map[string]struct{}), + userSet: make(map[string]struct{}), + hostSet: make(map[string]struct{}), } } for _, ipAddress := range ip { + if ipAddress == "" { + continue + } if _, ok := f.Related.ipSet[ipAddress]; !ok { f.Related.ipSet[ipAddress] = struct{}{} f.Related.IP = append(f.Related.IP, ipAddress) @@ -158,6 +163,46 @@ func (f *Fields) AddIP(ip ...string) { } } +// AddUser adds the given user names to the related ECS User field +func (f *Fields) AddUser(u ...string) { + if f.Related == nil { + f.Related = &ecsRelated{ + ipSet: make(map[string]struct{}), + userSet: make(map[string]struct{}), + hostSet: make(map[string]struct{}), + } + } + for _, user := range u { + if user == "" { + continue + } + if _, ok := f.Related.userSet[user]; !ok { + f.Related.userSet[user] = struct{}{} + f.Related.User = append(f.Related.User, user) + } + } +} + +// AddHost adds the given hosts to the related ECS Hosts field +func (f *Fields) AddHost(h ...string) { + if f.Related == nil { + f.Related = &ecsRelated{ + ipSet: make(map[string]struct{}), + userSet: make(map[string]struct{}), + hostSet: make(map[string]struct{}), + } + } + for _, host := range h { + if host == "" { + continue + } + if _, ok := f.Related.hostSet[host]; !ok { + f.Related.hostSet[host] = struct{}{} + f.Related.Hosts = append(f.Related.Hosts, host) + } + } +} + func makeProcess(p *common.Process) *ecs.Process { return &ecs.Process{ Name: p.Name, diff --git a/packetbeat/protos/sip/README.md b/packetbeat/protos/sip/README.md new file mode 100644 index 00000000000..5e5962675a1 --- /dev/null +++ b/packetbeat/protos/sip/README.md @@ -0,0 +1,123 @@ +# SIP (Session Initiation Protocol) for packetbeat + +The SIP (Session Initiation Protocol) is a communications protocol for signaling and controlling multimedia communication sessions. SIP is used by many VoIP applications, not only for enterprise uses but also telecom carriers. + +SIP is a text-based protocol like HTTP. But SIP has various unique features like : +- SIP is server-client model, but its role may change in a per call basis. +- SIP is request-response model, but server may (usually) reply with many responses to a single request. +- There are many requests and responses in one call. +- It is not known when the call will end. + +## Implementation + +### Published for each SIP message (request or response) + +- SIP is not a one to one message with request and response. Also order to each message is not determined (a response may be sent after previous response). +- Therefore the SIP responses and requests are published when packetbeat receives them immediately. +- If you need all SIP messages in throughout of SIP dialog, you need to retrieve from Elasticsearch using the SIP Call ID field etc. + +### Notes +* ``transport=tcp`` is not supported yet. +* ``content-encoding`` is not supported yet. +* Default timestamp field(@timestamp) precision is not sufficient(the sip response is often send immediately when request received eg. 100 Trying). You can sort to keep the message correct order using the ``sip.timestamp``(`date_nanos`) field. +* Body parsing is partially supported for ``application/sdp`` content type only. + +## Configuration + +```yaml +- type: sip + # Configure the ports where to listen for SIP traffic. You can disable the SIP protocol by commenting out the list of ports. + ports: [5060] + + # Parse the authorization headers + parse_authorization: true + + # Parse body contents (only when body is SDP) + parse_body: true + + # Preserve original contents in event.original + keep_original: true +``` + +### Sample Full JSON Output + +```json +{ + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "192.168.1.2", + "client.port": 5060, + "destination.ip": "212.242.33.35", + "destination.port": 5060, + "event.action": "sip_register", + "event.category": [ + "network", + "protocol", + "authentication" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "REGISTER sip:sip.cybercity.dk SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport\r\nFrom: ;tag=6bac55c\r\nTo: \r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nContact: ;expires=1200;q=0.500\r\nExpires: 1200\r\nCSeq: 75 REGISTER\r\nContent-Length: 0\r\nAuthorization: Digest username=\"voi18062\",realm=\"sip.cybercity.dk\",uri=\"sip:192.168.1.2\",nonce=\"1701b22972b90f440c3e4eb250842bb\",opaque=\"1701a1351f70795\",nc=\"00000001\",response=\"79a0543188495d288c9ebbe0c881abdc\"\r\nMax-Forwards: 70\r\nUser-Agent: Nero SIPPS IP Phone Version 2.0.51.16\r\n\r\n", + "event.sequence": 75, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "sip.cybercity.dk" + ], + "related.ip": [ + "192.168.1.2", + "212.242.33.35" + ], + "related.user": [ + "voi18062" + ], + "server.ip": "212.242.33.35", + "server.port": 5060, + "sip.auth.realm": "sip.cybercity.dk", + "sip.auth.scheme": "Digest", + "sip.auth.uri.host": "192.168.1.2", + "sip.auth.uri.original": "sip:192.168.1.2", + "sip.auth.uri.scheme": "sip", + "sip.call_id": "578222729-4665d775@578222732-4665d772", + "sip.contact.uri.host": "sip.cybercity.dk", + "sip.contact.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.contact.uri.scheme": "sip", + "sip.contact.uri.username": "voi18062", + "sip.cseq.code": 75, + "sip.cseq.method": "REGISTER", + "sip.from.tag": "6bac55c", + "sip.from.uri.host": "sip.cybercity.dk", + "sip.from.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "voi18062", + "sip.max_forwards": 70, + "sip.method": "REGISTER", + "sip.to.uri.host": "sip.cybercity.dk", + "sip.to.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "voi18062", + "sip.type": "request", + "sip.uri.host": "sip.cybercity.dk", + "sip.uri.original": "sip:sip.cybercity.dk", + "sip.uri.scheme": "sip", + "sip.user_agent.original": "Nero SIPPS IP Phone Version 2.0.51.16", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport" + ], + "source.ip": "192.168.1.2", + "source.port": 5060, + "status": "OK", + "type": "sip", + "user.name": "voi18062" +} +``` + diff --git a/packetbeat/protos/sip/_meta/fields.yml b/packetbeat/protos/sip/_meta/fields.yml new file mode 100644 index 00000000000..fcbb1349dd1 --- /dev/null +++ b/packetbeat/protos/sip/_meta/fields.yml @@ -0,0 +1,238 @@ +- key: sip + title: "SIP" + description: SIP-specific event fields. + fields: + - name: sip + type: group + description: Information about SIP traffic. + fields: + - name: timestamp + type: date_nanos + description: Timestamp with nano second precision. + - name: code + type: keyword + description: Response status code. + - name: method + type: keyword + description: Request method. + - name: status + type: keyword + description: Response status phrase. + - name: type + type: keyword + description: Either request or response. + - name: version + type: keyword + description: SIP protocol version. + - name: uri.original + type: keyword + description: The original URI. + multi_fields: + - name: text + type: text + analyzer: simple + - name: uri.scheme + type: keyword + description: The URI scheme. + - name: uri.username + type: keyword + description: The URI user name. + - name: uri.host + type: keyword + description: The URI host. + - name: uri.port + type: keyword + description: The URI port. + - name: accept + type: keyword + description: Accept header value. + - name: allow + type: keyword + description: Allowed methods. + - name: call_id + type: keyword + description: Call ID. + - name: content_length + type: long + - name: content_type + type: keyword + - name: max_forwards + type: long + - name: supported + type: keyword + description: Supported methods. + - name: user_agent.original + type: keyword + multi_fields: + - name: text + type: text + analyzer: simple + - name: private.uri.original + type: keyword + description: Private original URI. + multi_fields: + - name: text + type: text + analyzer: simple + - name: private.uri.scheme + type: keyword + description: Private URI scheme. + - name: private.uri.username + type: keyword + description: Private URI user name. + - name: private.uri.host + type: keyword + description: Private URI host. + - name: private.uri.port + type: keyword + description: Private URI port. + - name: cseq.code + type: keyword + description: Sequence code. + - name: cseq.method + type: keyword + description: Sequence method. + - name: via.original + type: keyword + description: The original Via value. + multi_fields: + - name: text + type: text + analyzer: simple + - name: to.display_info + type: keyword + description: "To display info" + - name: to.uri.original + type: keyword + description: "To original URI" + multi_fields: + - name: text + type: text + analyzer: simple + - name: to.uri.scheme + type: keyword + description: "To URI scheme" + - name: to.uri.username + type: keyword + description: "To URI user name" + - name: to.uri.host + type: keyword + description: "To URI host" + - name: to.uri.port + type: keyword + description: "To URI port" + - name: to.tag + type: keyword + description: "To tag" + - name: from.display_info + type: keyword + description: "From display info" + - name: from.uri.original + type: keyword + description: "From original URI" + multi_fields: + - name: text + type: text + analyzer: simple + - name: from.uri.scheme + type: keyword + description: "From URI scheme" + - name: from.uri.username + type: keyword + description: "From URI user name" + - name: from.uri.host + type: keyword + description: "From URI host" + - name: from.uri.port + type: keyword + description: "From URI port" + - name: from.tag + type: keyword + description: "From tag" + - name: contact.display_info + type: keyword + description: "Contact display info" + - name: contact.uri.original + type: keyword + description: "Contact original URI" + multi_fields: + - name: text + type: text + analyzer: simple + - name: contact.uri.scheme + type: keyword + description: "Contat URI scheme" + - name: contact.uri.username + type: keyword + description: "Contact URI user name" + - name: contact.uri.host + type: keyword + description: "Contact URI host" + - name: contact.uri.port + type: keyword + description: "Contact URI port" + - name: contact.transport + type: keyword + description: "Contact transport" + - name: contact.line + type: keyword + description: "Contact line" + - name: contact.expires + type: keyword + description: "Contact expires" + - name: contact.q + type: keyword + description: "Contact Q" + - name: auth.scheme + type: keyword + description: "Auth scheme" + - name: auth.realm + type: keyword + description: "Auth realm" + - name: auth.uri.original + type: keyword + description: "Auth original URI" + multi_fields: + - name: text + type: text + analyzer: simple + - name: auth.uri.scheme + type: keyword + description: "Auth URI scheme" + - name: auth.uri.host + type: keyword + description: "Auth URI host" + - name: auth.uri.port + type: keyword + description: "Auth URI port" + - name: sdp.version + type: keyword + description: "SDP version" + - name: sdp.owner.username + type: keyword + description: "SDP owner user name" + - name: sdp.owner.session_id + type: keyword + description: "SDP owner session ID" + - name: sdp.owner.version + type: keyword + description: "SDP owner version" + - name: sdp.owner.ip + type: ip + description: "SDP owner IP" + - name: sdp.session.name + type: keyword + description: "SDP session name" + - name: sdp.connection.info + type: keyword + description: "SDP connection info" + - name: sdp.connection.address + type: keyword + description: "SDP connection address" + - name: sdp.body.original + type: keyword + description: "SDP original body" + multi_fields: + - name: text + type: text + analyzer: simple diff --git a/packetbeat/protos/sip/config.go b/packetbeat/protos/sip/config.go new file mode 100644 index 00000000000..58a92606e80 --- /dev/null +++ b/packetbeat/protos/sip/config.go @@ -0,0 +1,41 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package sip + +import ( + cfg "github.com/elastic/beats/v7/packetbeat/config" + "github.com/elastic/beats/v7/packetbeat/protos" +) + +type config struct { + cfg.ProtocolCommon `config:",inline"` + ParseAuthorization bool `config:"parse_authorization"` + ParseBody bool `config:"parse_body"` + KeepOriginal bool `config:"keep_original"` +} + +var ( + defaultConfig = config{ + ProtocolCommon: cfg.ProtocolCommon{ + TransactionTimeout: protos.DefaultTransactionExpiration, + }, + ParseAuthorization: true, + ParseBody: true, + KeepOriginal: true, + } +) diff --git a/packetbeat/protos/sip/event.go b/packetbeat/protos/sip/event.go new file mode 100644 index 00000000000..fcb9112fe93 --- /dev/null +++ b/packetbeat/protos/sip/event.go @@ -0,0 +1,102 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package sip + +import ( + "github.com/elastic/beats/v7/libbeat/common" +) + +// ProtocolFields contains SIP fields. +type ProtocolFields struct { + Timestamp int64 `ecs:"timestamp"` + Code int `ecs:"code"` + Method common.NetString `ecs:"method"` + Status common.NetString `ecs:"status"` + Type string `ecs:"type"` + Version string `ecs:"version"` + + URIOriginal common.NetString `ecs:"uri.original"` + URIScheme common.NetString `ecs:"uri.scheme"` + URIUsername common.NetString `ecs:"uri.username"` + URIHost common.NetString `ecs:"uri.host"` + URIPort int `ecs:"uri.port"` + + Accept common.NetString `ecs:"accept"` + Allow []string `ecs:"allow"` + CallID common.NetString `ecs:"call_id"` + ContentLength int `ecs:"content_length"` + ContentType common.NetString `ecs:"content_type"` + MaxForwards int `ecs:"max_forwards"` + Supported []string `ecs:"supported"` + UserAgentOriginal common.NetString `ecs:"user_agent.original"` + + PrivateURIOriginal common.NetString `ecs:"private.uri.original"` + PrivateURIScheme common.NetString `ecs:"private.uri.scheme"` + PrivateURIUsername common.NetString `ecs:"private.uri.username"` + PrivateURIHost common.NetString `ecs:"private.uri.host"` + PrivateURIPort int `ecs:"private.uri.port"` + + CseqCode int `ecs:"cseq.code"` + CseqMethod common.NetString `ecs:"cseq.method"` + + ViaOriginal []common.NetString `ecs:"via.original"` + + ToDisplayInfo common.NetString `ecs:"to.display_info"` + ToURIOriginal common.NetString `ecs:"to.uri.original"` + ToURIScheme common.NetString `ecs:"to.uri.scheme"` + ToURIUsername common.NetString `ecs:"to.uri.username"` + ToURIHost common.NetString `ecs:"to.uri.host"` + ToURIPort int `ecs:"to.uri.port"` + ToTag common.NetString `ecs:"to.tag"` + + FromDisplayInfo common.NetString `ecs:"from.display_info"` + FromURIOriginal common.NetString `ecs:"from.uri.original"` + FromURIScheme common.NetString `ecs:"from.uri.scheme"` + FromURIUsername common.NetString `ecs:"from.uri.username"` + FromURIHost common.NetString `ecs:"from.uri.host"` + FromURIPort int `ecs:"from.uri.port"` + FromTag common.NetString `ecs:"from.tag"` + + ContactDisplayInfo common.NetString `ecs:"contact.display_info"` + ContactURIOriginal common.NetString `ecs:"contact.uri.original"` + ContactURIScheme common.NetString `ecs:"contact.uri.scheme"` + ContactURIUsername common.NetString `ecs:"contact.uri.username"` + ContactURIHost common.NetString `ecs:"contact.uri.host"` + ContactURIPort int `ecs:"contact.uri.port"` + ContactTransport common.NetString `ecs:"contact.transport"` + ContactLine common.NetString `ecs:"contact.line"` + ContactExpires int `ecs:"contact.expires"` + ContactQ float64 `ecs:"contact.q"` + + AuthScheme common.NetString `ecs:"auth.scheme"` + AuthRealm common.NetString `ecs:"auth.realm"` + AuthURIOriginal common.NetString `ecs:"auth.uri.original"` + AuthURIScheme common.NetString `ecs:"auth.uri.scheme"` + AuthURIHost common.NetString `ecs:"auth.uri.host"` + AuthURIPort int `ecs:"auth.uri.port"` + + SDPVersion string `ecs:"sdp.version"` + SDPOwnerUsername common.NetString `ecs:"sdp.owner.username"` + SDPOwnerSessID common.NetString `ecs:"sdp.owner.session_id"` + SDPOwnerVersion common.NetString `ecs:"sdp.owner.version"` + SDPOwnerIP common.NetString `ecs:"sdp.owner.ip"` + SDPSessName common.NetString `ecs:"sdp.session.name"` + SDPConnInfo common.NetString `ecs:"sdp.connection.info"` + SDPConnAddr common.NetString `ecs:"sdp.connection.address"` + SDPBodyOriginal common.NetString `ecs:"sdp.body.original"` +} diff --git a/packetbeat/protos/sip/fields.go b/packetbeat/protos/sip/fields.go new file mode 100644 index 00000000000..87c93ab0cad --- /dev/null +++ b/packetbeat/protos/sip/fields.go @@ -0,0 +1,36 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package sip + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("packetbeat", "sip", asset.ModuleFieldsPri, AssetSip); err != nil { + panic(err) + } +} + +// AssetSip returns asset data. +// This is the base64 encoded gzipped contents of protos/sip. +func AssetSip() string { + return "eJzEmcFy4jgQhu95ii7u8QNwm5rsVnHLhsxeKY3dxqqRJUdqQ9in35KxFGEkZqRUhZzAcX+/1Pz9ozKP8AtPazB8eAAgTgLXsNpunlcPAA2aWvOBuJJr2G6eH82ANW95DXhASdByFI2pHmB+tX4AAHgEyXp0SPtHpwHXsNdqdFcuyBvZKt0z+wbYTzWS1QLSrG15Xc0VocKHBvEeDbHecZ1Wwwh3kkll/D8uJF9dHRw5dWDvBIO1kg0MGmtuuJLVQqtWDS5kfuHpqHQT13hBMyhpEAwxGs1Uv2T2SJ1q8qhvIxqaK5e8s9RnVjl0mpmrdVpQDvUvTh1q0PNilX151lmSD6hts3Pg1h2DVqRqJVz9EjtqXinN91wykcN+7RBcHfx42VT+tn4UxHeXNrxoEb5TcNmpXV1mkonTf6jtgPSDwMjCTd1hn9Vvu+wfLxs4V8aaMRrU9l0J1dZOqBi4U4ZKoLYuxhuULuLZuiWP1TUOWbRvUwV0yBrUcGBivNo0E0Ids5i2AJt5ZM1VrjAhdjwrBL4zIWDzdJ1QklDSTqDcU7cACiX3ift/O90+rtj7rlX6yHSzDJkI3oyD/VAwa2tbV5RqlzXjju1R0p8O+BdN7qD5gRFWpdHzfK6/b/yEm8iPIbeFdBSF/JJIChWSsRSK5MZTKBCLqJCdG1UhOxZXtcG3KveYsbXfsbLG6PliIuYfMjwzfso4cPb5L9d/ObvM1y/zOKmq4WYQ7LTjslU5O1i9KphrwdaurtGl42/R4eiv7tCWsqm3K/+Y+ERLSobdgf2gJ9i5M+64ti6BzB1th7R1ESSxfS6N2H4JarXqy637t1b9TfNO+GL7Tvi7Gtivv8DC0+rTJvboIht7eNLInp9tZc+Omdljs+3ssTFDT9hcS0/EiKntIZTVVO7r72fATWs7kWJ3O5G7GjzcRYHHpz3QDZeH/CKjuy7d9Hqokm33UCHm+BCebfoQHvO9g5Nm0hTTfXUKL7gsa7stTEHxfeAasx4Nee5cm0K/FUH/WeLYSF2Jrb+N1CUMPSE1MtHnE6eyKLA4RCbuXRPEr7+0z+nw8Ojsmfbg2EB7bPa8eWxs1kwzVAWPHlfbp2f3yDGGVEeJuiw7LXkqTyfnh4JBY5eQ+dgo0JgBsHlKi5T256zw2y7x5UP74EIKev5dYsmbN1MV9dx1ItXwWkmJtS2oso8mlv9RHz2ZLCRY02g0eTG9UJkRMaGfqjmVRdf0EbjkspgviK7/AwAA///sesAq" +} diff --git a/packetbeat/protos/sip/parser.go b/packetbeat/protos/sip/parser.go new file mode 100644 index 00000000000..55e66045e95 --- /dev/null +++ b/packetbeat/protos/sip/parser.go @@ -0,0 +1,469 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package sip + +import ( + "bytes" + "errors" + "fmt" + "time" + "unicode" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/streambuf" + "github.com/elastic/beats/v7/packetbeat/procs" + "github.com/elastic/beats/v7/packetbeat/protos" +) + +// Http Message +type message struct { + ts time.Time + hasContentLength bool + headerOffset int + + isRequest bool + ipPortTuple common.IPPortTuple + cmdlineTuple *common.ProcessTuple + + // Info + requestURI common.NetString + method common.NetString + statusCode uint16 + statusPhrase common.NetString + version version + + // Headers + contentLength int + contentType common.NetString + userAgent common.NetString + to common.NetString + from common.NetString + cseq common.NetString + callID common.NetString + maxForwards int + via []common.NetString + allow []string + supported []string + + headers map[string][]common.NetString + size uint64 + + firstLine []byte + rawHeaders []byte + body []byte + rawData []byte +} + +type version struct { + major uint8 + minor uint8 +} + +func (v version) String() string { + return fmt.Sprintf("%d.%d", v.major, v.minor) +} + +type parserState uint8 + +const ( + stateStart parserState = iota + stateHeaders + stateBody +) + +type parser struct { +} + +type parsingInfo struct { + tuple *common.IPPortTuple + + data []byte + + parseOffset int + state parserState + bodyReceived int + + pkt *protos.Packet +} + +var ( + constCRLF = []byte("\r\n") + constSIPVersion = []byte("SIP/") + nameContentLength = []byte("content-length") + nameContentType = []byte("content-type") + nameUserAgent = []byte("user-agent") + nameTo = []byte("to") + nameFrom = []byte("from") + nameCseq = []byte("cseq") + nameCallID = []byte("call-id") + nameMaxForwards = []byte("max-forwards") + nameAllow = []byte("allow") + nameSupported = []byte("supported") + nameVia = []byte("via") +) + +func newParser() *parser { + return &parser{} +} + +func (parser *parser) parse(pi *parsingInfo) (*message, error) { + m := &message{ + ts: pi.pkt.Ts, + ipPortTuple: pi.pkt.Tuple, + cmdlineTuple: procs.ProcWatcher.FindProcessesTupleTCP(&pi.pkt.Tuple), + rawData: pi.data, + } + for pi.parseOffset < len(pi.data) { + switch pi.state { + case stateStart: + if err := parser.parseSIPLine(pi, m); err != nil { + return m, err + } + case stateHeaders: + if err := parser.parseHeaders(pi, m); err != nil { + return m, err + } + case stateBody: + parser.parseBody(pi, m) + } + } + return m, nil +} + +func (*parser) parseSIPLine(pi *parsingInfo, m *message) error { + // ignore any CRLF appearing before the start-line (RFC3261 7.5) + pi.data = bytes.TrimLeft(pi.data[pi.parseOffset:], string(constCRLF)) + + i := bytes.Index(pi.data[pi.parseOffset:], constCRLF) + if i == -1 { + return errors.New("not found expected CRLF") + } + + // Very basic tests on the first line. Just to check that + // we have what looks as a SIP message + var ( + version []byte + err error + ) + + fline := pi.data[pi.parseOffset:i] + if len(fline) < 16 { // minimum line will be "SIP/2.0 XXX OK\r\n" + if isDebug { + debugf("First line too small") + } + return errors.New("first line too small") + } + + m.firstLine = fline + + if bytes.Equal(fline[0:4], constSIPVersion) { + // RESPONSE + m.isRequest = false + version = fline[4:7] + m.statusCode, m.statusPhrase, err = parseResponseStatus(fline[8:]) + if err != nil { + if isDebug { + debugf("Failed to understand SIP response status: %s", fline[8:]) + } + return errors.New("failed to parse response status") + } + + if isDebug { + debugf("SIP status_code=%d, status_phrase=%s", m.statusCode, m.statusPhrase) + } + } else { + // REQUEST + afterMethodIdx := bytes.IndexFunc(fline, unicode.IsSpace) + afterRequestURIIdx := bytes.LastIndexFunc(fline, unicode.IsSpace) + + // Make sure we have the VERB + URI + SIP_VERSION + if afterMethodIdx == -1 || afterRequestURIIdx == -1 || afterMethodIdx == afterRequestURIIdx { + if isDebug { + debugf("Couldn't understand SIP request: %s", fline) + } + return errors.New("failed to parse SIP request") + } + + m.method = common.NetString(fline[:afterMethodIdx]) + m.requestURI = common.NetString(fline[afterMethodIdx+1 : afterRequestURIIdx]) + + versionIdx := afterRequestURIIdx + len(constSIPVersion) + 1 + if len(fline) > versionIdx && bytes.Equal(fline[afterRequestURIIdx+1:versionIdx], constSIPVersion) { + m.isRequest = true + version = fline[versionIdx:] + } else { + if isDebug { + debugf("Couldn't understand SIP version: %s", fline) + } + return errors.New("failed to parse SIP version") + } + } + + m.version.major, m.version.minor, err = parseVersion(version) + if err != nil { + if isDebug { + debugf(err.Error(), version) + } + return err + } + if isDebug { + debugf("SIP version %d.%d", m.version.major, m.version.minor) + } + + // ok so far + pi.parseOffset = i + 2 + m.headerOffset = pi.parseOffset + pi.state = stateHeaders + + return nil +} + +func parseResponseStatus(s []byte) (uint16, []byte, error) { + if isDebug { + debugf("parseResponseStatus: %s", s) + } + + var phrase []byte + p := bytes.IndexByte(s, ' ') + if p == -1 { + p = len(s) + } else { + phrase = s[p+1:] + } + statusCode, err := parseInt(s[0:p]) + if err != nil { + return 0, nil, fmt.Errorf("Unable to parse status code from [%s]", s) + } + return uint16(statusCode), phrase, nil +} + +func parseVersion(s []byte) (uint8, uint8, error) { + if len(s) < 3 { + return 0, 0, errors.New("Invalid version") + } + + major := s[0] - '0' + minor := s[2] - '0' + + return uint8(major), uint8(minor), nil +} + +func (parser *parser) parseHeaders(pi *parsingInfo, m *message) error { + // check if it isn't headers end yet with /r/n/r/n + if !(len(pi.data)-pi.parseOffset >= 2 && + bytes.Equal(pi.data[pi.parseOffset:pi.parseOffset+2], constCRLF)) { + offset, err := parser.parseHeader(m, pi.data[pi.parseOffset:]) + if err != nil { + return err + } + + pi.parseOffset += offset + + return nil + } + + m.size = uint64(pi.parseOffset + 2) + m.rawHeaders = pi.data[:m.size] + pi.data = pi.data[m.size:] + pi.parseOffset = 0 + + if m.contentLength == 0 && (m.isRequest || m.hasContentLength) { + if isDebug { + debugf("Empty content length, ignore body") + } + return nil + } + + if isDebug { + debugf("Read body") + } + + pi.state = stateBody + + return nil +} + +func (parser *parser) parseHeader(m *message, data []byte) (int, error) { + if m.headers == nil { + m.headers = make(map[string][]common.NetString) + } + + i := bytes.Index(data, []byte(":")) + if i == -1 { + // Expected \":\" in headers. Assuming incomplete + if isDebug { + debugf("ignoring incomplete header %s", data) + } + return len(data), nil + } + + // enabled if required. Allocs for parameters slow down parser big times + if isDetailed { + detailedf("Data: %s", data) + detailedf("Header: %s", data[:i]) + } + + // skip folding line + for p := i + 1; p < len(data); { + q := bytes.Index(data[p:], constCRLF) + if q == -1 { + if isDebug { + debugf("ignoring incomplete header %s", data) + } + return len(data), nil + } + + p += q + if len(data) > p && (data[p+1] == ' ' || data[p+1] == '\t') { + p = p + 2 + continue + } + + headerName := getExpandedHeaderName(bytes.ToLower(data[:i])) + headerVal := bytes.TrimSpace(data[i+1 : p]) + if isDebug { + debugf("Header: '%s' Value: '%s'\n", data[:i], headerVal) + } + + // Headers we need for parsing. Make sure we always + // capture their value + switch { + case bytes.Equal(headerName, nameMaxForwards): + m.maxForwards, _ = parseInt(headerVal) + case bytes.Equal(headerName, nameContentLength): + m.contentLength, _ = parseInt(headerVal) + m.hasContentLength = true + case bytes.Equal(headerName, nameContentType): + m.contentType = headerVal + case bytes.Equal(headerName, nameUserAgent): + m.userAgent = headerVal + case bytes.Equal(headerName, nameTo): + m.to = headerVal + case bytes.Equal(headerName, nameFrom): + m.from = headerVal + case bytes.Equal(headerName, nameCseq): + m.cseq = headerVal + case bytes.Equal(headerName, nameCallID): + m.callID = headerVal + case bytes.Equal(headerName, nameAllow): + m.allow = parseCommaSeparatedList(headerVal) + case bytes.Equal(headerName, nameSupported): + m.supported = parseCommaSeparatedList(headerVal) + case bytes.Equal(headerName, nameVia): + m.via = append(m.via, headerVal) + } + + m.headers[string(headerName)] = append( + m.headers[string(headerName)], + headerVal, + ) + + return p + 2, nil + } + + return len(data), nil +} + +func parseCommaSeparatedList(s common.NetString) (list []string) { + values := bytes.Split(s, []byte(",")) + list = make([]string, len(values)) + for idx := range values { + list[idx] = string(bytes.ToLower(bytes.Trim(values[idx], " "))) + } + return list +} + +func (*parser) parseBody(pi *parsingInfo, m *message) { + nbytes := len(pi.data) + if nbytes >= m.contentLength-pi.bodyReceived { + wanted := m.contentLength - pi.bodyReceived + m.body = append(m.body, pi.data[:wanted]...) + pi.bodyReceived = m.contentLength + m.size += uint64(wanted) + pi.data = pi.data[wanted:] + } else { + m.body = append(m.body, pi.data...) + pi.data = nil + pi.bodyReceived += nbytes + m.size += uint64(nbytes) + if isDebug { + debugf("bodyReceived: %d", pi.bodyReceived) + } + } +} + +func (m *message) getEndpoints() (src *common.Endpoint, dst *common.Endpoint) { + source, destination := common.MakeEndpointPair(m.ipPortTuple.BaseTuple, m.cmdlineTuple) + src, dst = &source, &destination + return src, dst +} + +func parseInt(line []byte) (int, error) { + buf := streambuf.NewFixed(line) + i, err := buf.IntASCII(false) + return int(i), err + // TODO: is it an error if 'buf.Len() != 0 {}' ? +} + +func getExpandedHeaderName(n []byte) []byte { + if len(n) > 1 { + return n + } + switch string(n) { + // referfenced by https://www.iana.org/assignments/sip-parameters/sip-parameters.xhtml + case "a": + return []byte("accept-contact") //[RFC3841] + case "b": + return []byte("referred-by") //[RFC3892] + case "c": + return []byte("content-type") //[RFC3261] + case "d": + return []byte("request-disposition") //[RFC3841] + case "e": + return []byte("content-encoding") //[RFC3261] + case "f": + return []byte("from") //[RFC3261] + case "i": + return []byte("call-id") //[RFC3261] + case "j": + return []byte("reject-contact") //[RFC3841] + case "k": + return []byte("supported") //[RFC3261] + case "l": + return []byte("content-length") //[RFC3261] + case "m": + return []byte("contact") //[RFC3261] + case "o": + return []byte("event") //[RFC666)5] [RFC6446] + case "r": + return []byte("refer-to") //[RFC3515] + case "s": + return []byte("subject") //[RFC3261] + case "t": + return []byte("to") //[RFC3261] + case "u": + return []byte("allow-events") //[RFC6665] + case "v": + return []byte("via") //[RFC326)1] [RFC7118] + case "x": + return []byte("session-expires") //[RFC4028] + case "y": + return []byte("identity") //[RFC8224] + } + return n +} diff --git a/packetbeat/protos/sip/plugin.go b/packetbeat/protos/sip/plugin.go new file mode 100644 index 00000000000..14b56aeda45 --- /dev/null +++ b/packetbeat/protos/sip/plugin.go @@ -0,0 +1,636 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package sip + +import ( + "bytes" + "fmt" + "strconv" + "strings" + "time" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/packetbeat/pb" + "github.com/elastic/beats/v7/packetbeat/protos" +) + +var ( + debugf = logp.MakeDebug("sip") + detailedf = logp.MakeDebug("sipdetailed") +) + +// SIP application level protocol analyser plugin. +type plugin struct { + // config + ports []int + parseAuthorization bool + parseBody bool + keepOriginal bool + + results protos.Reporter +} + +var ( + isDebug = false + isDetailed = false +) + +func init() { + protos.Register("sip", New) +} + +func New( + testMode bool, + results protos.Reporter, + cfg *common.Config, +) (protos.Plugin, error) { + cfgwarn.Beta("packetbeat SIP protocol is used") + + p := &plugin{} + config := defaultConfig + if !testMode { + if err := cfg.Unpack(&config); err != nil { + return nil, err + } + } + + if err := p.init(results, &config); err != nil { + return nil, err + } + return p, nil +} + +// Init initializes the HTTP protocol analyser. +func (p *plugin) init(results protos.Reporter, config *config) error { + p.setFromConfig(config) + + isDebug = logp.IsDebug("sip") + isDetailed = logp.IsDebug("sipdetailed") + p.results = results + return nil +} + +func (p *plugin) setFromConfig(config *config) { + p.ports = config.Ports + p.keepOriginal = config.KeepOriginal + p.parseAuthorization = config.ParseAuthorization + p.parseBody = config.ParseBody +} + +func (p *plugin) GetPorts() []int { + return p.ports +} + +func (p *plugin) ParseUDP(pkt *protos.Packet) { + defer logp.Recover("SIP ParseUDP exception") + + if err := p.doParse(pkt); err != nil { + debugf("error: %s", err) + } +} + +func (p *plugin) doParse(pkt *protos.Packet) error { + if isDetailed { + detailedf("Payload received: [%s]", pkt.Payload) + } + + parser := newParser() + + pi := newParsingInfo(pkt) + m, err := parser.parse(pi) + if err != nil { + return err + } + + evt, err := p.buildEvent(m, pkt) + if err != nil { + return err + } + + p.publish(*evt) + + return nil +} + +func (p *plugin) publish(evt beat.Event) { + if p.results != nil { + p.results(evt) + } +} + +func newParsingInfo(pkt *protos.Packet) *parsingInfo { + return &parsingInfo{ + tuple: &pkt.Tuple, + data: pkt.Payload, + pkt: pkt, + } +} + +func (p *plugin) buildEvent(m *message, pkt *protos.Packet) (*beat.Event, error) { + status := common.OK_STATUS + if m.statusCode >= 400 { + status = common.ERROR_STATUS + } + + evt, pbf := pb.NewBeatEvent(m.ts) + fields := evt.Fields + fields["type"] = "sip" + fields["status"] = status + + var sipFields ProtocolFields + sipFields.Timestamp = time.Now().UnixNano() + if m.isRequest { + populateRequestFields(m, pbf, &sipFields) + } else { + populateResponseFields(m, &sipFields) + } + + p.populateHeadersFields(m, evt, pbf, &sipFields) + + if p.parseBody { + populateBodyFields(m, pbf, &sipFields) + } + + pbf.Network.IANANumber = "17" + pbf.Network.Application = "sip" + pbf.Network.Protocol = "sip" + pbf.Network.Transport = "udp" + + src, dst := m.getEndpoints() + pbf.SetSource(src) + pbf.SetDestination(dst) + + p.populateEventFields(m, pbf, sipFields) + + if err := pb.MarshalStruct(evt.Fields, "sip", sipFields); err != nil { + return nil, err + } + + return &evt, nil +} + +func populateRequestFields(m *message, pbf *pb.Fields, fields *ProtocolFields) { + fields.Type = "request" + fields.Method = bytes.ToUpper(m.method) + fields.URIOriginal = m.requestURI + scheme, username, host, port, _ := parseURI(fields.URIOriginal) + fields.URIScheme = scheme + fields.URIHost = host + if !bytes.Equal(username, []byte(" ")) && !bytes.Equal(username, []byte("-")) { + fields.URIUsername = username + pbf.AddUser(string(username)) + } + fields.URIPort = port + fields.Version = m.version.String() + pbf.AddHost(string(host)) +} + +func populateResponseFields(m *message, fields *ProtocolFields) { + fields.Type = "response" + fields.Code = int(m.statusCode) + fields.Status = m.statusPhrase + fields.Version = m.version.String() +} + +func (p *plugin) populateHeadersFields(m *message, evt beat.Event, pbf *pb.Fields, fields *ProtocolFields) { + fields.Allow = m.allow + fields.CallID = m.callID + fields.ContentLength = m.contentLength + fields.ContentType = bytes.ToLower(m.contentType) + fields.MaxForwards = m.maxForwards + fields.Supported = m.supported + fields.UserAgentOriginal = m.userAgent + fields.ViaOriginal = m.via + + privateURI, found := m.headers["p-associated-uri"] + if found && len(privateURI) > 0 { + scheme, username, host, port, _ := parseURI(privateURI[0]) + fields.PrivateURIOriginal = privateURI[0] + fields.PrivateURIScheme = scheme + fields.PrivateURIHost = host + if !bytes.Equal(username, []byte(" ")) && !bytes.Equal(username, []byte("-")) { + fields.PrivateURIUsername = username + pbf.AddUser(string(username)) + } + fields.PrivateURIPort = port + pbf.AddHost(string(host)) + } + + if accept, found := m.headers["accept"]; found && len(accept) > 0 { + fields.Accept = bytes.ToLower(accept[0]) + } + + cseqParts := bytes.Split(m.cseq, []byte(" ")) + if len(cseqParts) == 2 { + fields.CseqCode, _ = strconv.Atoi(string(cseqParts[0])) + fields.CseqMethod = bytes.ToUpper(cseqParts[1]) + } + + populateFromFields(m, pbf, fields) + + populateToFields(m, pbf, fields) + + populateContactFields(m, pbf, fields) + + if p.parseAuthorization { + populateAuthFields(m, evt, pbf, fields) + } +} + +func populateFromFields(m *message, pbf *pb.Fields, fields *ProtocolFields) { + if len(m.from) > 0 { + displayInfo, uri, params := parseFromToContact(m.from) + fields.FromDisplayInfo = displayInfo + fields.FromTag = params["tag"] + scheme, username, host, port, _ := parseURI(uri) + fields.FromURIOriginal = uri + fields.FromURIScheme = scheme + fields.FromURIHost = host + if !bytes.Equal(username, []byte(" ")) && !bytes.Equal(username, []byte("-")) { + fields.FromURIUsername = username + pbf.AddUser(string(username)) + } + fields.FromURIPort = port + pbf.AddHost(string(host)) + } +} + +func populateToFields(m *message, pbf *pb.Fields, fields *ProtocolFields) { + if len(m.to) > 0 { + displayInfo, uri, params := parseFromToContact(m.to) + fields.ToDisplayInfo = displayInfo + fields.ToTag = params["tag"] + scheme, username, host, port, _ := parseURI(uri) + fields.ToURIOriginal = uri + fields.ToURIScheme = scheme + fields.ToURIHost = host + if !bytes.Equal(username, []byte(" ")) && !bytes.Equal(username, []byte("-")) { + fields.ToURIUsername = username + pbf.AddUser(string(username)) + } + fields.ToURIPort = port + pbf.AddHost(string(host)) + } +} + +func populateContactFields(m *message, pbf *pb.Fields, fields *ProtocolFields) { + if contact, found := m.headers["contact"]; found && len(contact) > 0 { + displayInfo, uri, params := parseFromToContact(m.to) + fields.ContactDisplayInfo = displayInfo + fields.ContactExpires, _ = strconv.Atoi(string(params["expires"])) + fields.ContactQ, _ = strconv.ParseFloat(string(params["q"]), 64) + scheme, username, host, port, urlparams := parseURI(uri) + fields.ContactURIOriginal = uri + fields.ContactURIScheme = scheme + fields.ContactURIHost = host + if !bytes.Equal(username, []byte(" ")) && !bytes.Equal(username, []byte("-")) { + fields.ContactURIUsername = username + pbf.AddUser(string(username)) + } + fields.ContactURIPort = port + fields.ContactLine = urlparams["line"] + fields.ContactTransport = bytes.ToLower(urlparams["transport"]) + pbf.AddHost(string(host)) + } +} + +func (p *plugin) populateEventFields(m *message, pbf *pb.Fields, fields ProtocolFields) { + pbf.Event.Kind = "event" + pbf.Event.Type = []string{"info"} + pbf.Event.Dataset = "sip" + pbf.Event.Sequence = int64(fields.CseqCode) + + // TODO: Get these values from body + pbf.Event.Start = m.ts + pbf.Event.End = m.ts + // + + if p.keepOriginal { + pbf.Event.Original = string(m.rawData) + } + + pbf.Event.Category = []string{"network", "protocol"} + if _, found := m.headers["authorization"]; found { + pbf.Event.Category = append(pbf.Event.Category, "authentication") + } + + pbf.Event.Action = func() string { + if m.isRequest { + return fmt.Sprintf("sip-%s", strings.ToLower(string(m.method))) + } + return fmt.Sprintf("sip-%s", strings.ToLower(string(fields.CseqMethod))) + }() + + pbf.Event.Outcome = func() string { + switch { + case m.statusCode < 200: + return "" + case m.statusCode > 299: + return "failure" + } + return "success" + }() + + pbf.Event.Reason = string(fields.Status) +} + +func populateAuthFields(m *message, evt beat.Event, pbf *pb.Fields, fields *ProtocolFields) { + auths, found := m.headers["authorization"] + if !found || len(auths) == 0 { + if isDetailed { + detailedf("sip packet without authorization header") + } + return + } + + if isDetailed { + detailedf("sip packet with authorization header") + } + + auth := bytes.TrimSpace(auths[0]) + pos := bytes.IndexByte(auth, ' ') + if pos == -1 { + if isDebug { + debugf("malformed authorization header: missing scheme") + } + return + } + + fields.AuthScheme = auth[:pos] + + pos += 1 + for _, param := range bytes.Split(auth[pos:], []byte(",")) { + kv := bytes.SplitN(param, []byte("="), 2) + if len(kv) != 2 { + continue + } + kv[1] = bytes.Trim(kv[1], "'\" \t") + switch string(bytes.ToLower(bytes.TrimSpace(kv[0]))) { + case "realm": + fields.AuthRealm = kv[1] + case "username": + username := string(kv[1]) + if username != "" && username != "-" { + _, _ = evt.Fields.Put("user.name", username) + pbf.AddUser(username) + } + case "uri": + scheme, _, host, port, _ := parseURI(kv[1]) + fields.AuthURIOriginal = kv[1] + fields.AuthURIScheme = scheme + fields.AuthURIHost = host + fields.AuthURIPort = port + } + } +} + +var constSDPContentType = []byte("application/sdp") + +func populateBodyFields(m *message, pbf *pb.Fields, fields *ProtocolFields) { + if !m.hasContentLength { + return + } + + if !bytes.Equal(m.contentType, constSDPContentType) { + if isDebug { + debugf("body content-type: %s is not supported", m.contentType) + } + return + } + + if _, found := m.headers["content-encoding"]; found { + if isDebug { + debugf("body decoding is not supported yet if content-endcoding is present") + } + return + } + + fields.SDPBodyOriginal = m.body + + var isInMedia bool + for _, line := range bytes.Split(m.body, []byte("\r\n")) { + kv := bytes.SplitN(line, []byte("="), 2) + if len(kv) != 2 { + continue + } + + kv[1] = bytes.TrimSpace(kv[1]) + ch := string(bytes.ToLower(bytes.TrimSpace(kv[0]))) + switch ch { + case "v": + fields.SDPVersion = string(kv[1]) + case "o": + var pos int + if kv[1][pos] == '"' { + endUserPos := bytes.IndexByte(kv[1][pos+1:], '"') + if !bytes.Equal(kv[1][pos+1:endUserPos], []byte("-")) { + fields.SDPOwnerUsername = kv[1][pos+1 : endUserPos] + } + pos = endUserPos + 1 + } + nParts := func() int { + if pos == 0 { + return 4 + } + return 3 // already have user + }() + parts := bytes.SplitN(kv[1][pos:], []byte(" "), nParts) + if len(parts) != nParts { + if isDebug { + debugf("malformed owner SDP line") + } + continue + } + if nParts == 4 { + if !bytes.Equal(parts[0], []byte("-")) { + fields.SDPOwnerUsername = parts[0] + } + parts = parts[1:] + } + fields.SDPOwnerSessID = parts[0] + fields.SDPOwnerVersion = parts[1] + fields.SDPOwnerIP = func() common.NetString { + p := bytes.Split(parts[2], []byte(" ")) + return p[len(p)-1] + }() + pbf.AddUser(string(fields.SDPOwnerUsername)) + pbf.AddIP(string(fields.SDPOwnerIP)) + case "s": + if !bytes.Equal(kv[1], []byte("-")) { + fields.SDPSessName = kv[1] + } + case "c": + if isInMedia { + continue + } + fields.SDPConnInfo = kv[1] + fields.SDPConnAddr = func() common.NetString { + p := bytes.Split(kv[1], []byte(" ")) + return p[len(p)-1] + }() + pbf.AddHost(string(fields.SDPConnAddr)) + case "m": + isInMedia = true + // TODO + case "i", "u", "e", "p", "b", "t", "r", "z", "k", "a": + // TODO + } + } +} + +func parseFromToContact(fromTo common.NetString) (displayInfo, uri common.NetString, params map[string]common.NetString) { + params = make(map[string]common.NetString) + + fromTo = bytes.TrimSpace(fromTo) + + var uriIsWrapped bool + pos := func() int { + // look for the beginning of a url wrapped in <...> + if pos := bytes.IndexByte(fromTo, '<'); pos > -1 { + uriIsWrapped = true + return pos + } + // if there is no < char, it means there is no display info, and + // that the url starts from the beginning + // https://tools.ietf.org/html/rfc3261#section-20.10 + return 0 + }() + + displayInfo = bytes.Trim(fromTo[:pos], "'\"\t ") + + endURIPos := func() int { + if uriIsWrapped { + return bytes.IndexByte(fromTo, '>') + } + return bytes.IndexByte(fromTo, ';') + }() + + // not wrapped and no header params + if endURIPos == -1 { + uri = fromTo[pos:] + return displayInfo, uri, params + } + + // if wrapped, we want to get over the < char + if uriIsWrapped { + pos += 1 + } + + // if wrapped, we will get the string between <...> + // if not wrapped, we will get the value before the header params (until ;) + uri = fromTo[pos:endURIPos] + + // parse the header params + pos = endURIPos + 1 + for _, param := range bytes.Split(fromTo[pos:], []byte(";")) { + kv := bytes.SplitN(param, []byte("="), 2) + if len(kv) != 2 { + continue + } + params[string(bytes.ToLower(bytes.TrimSpace(kv[0])))] = kv[1] + } + + return displayInfo, uri, params +} + +func parseURI(uri common.NetString) (scheme, username, host common.NetString, port int, params map[string]common.NetString) { + var ( + prevChar rune + inIPv6 bool + idx int + hasParams bool + ) + uri = bytes.TrimSpace(uri) + prevChar = ' ' + pos := -1 + ppos := -1 + epos := len(uri) + + params = make(map[string]common.NetString) +loop: + for idx = 0; idx < len(uri); idx++ { + curChar := rune(uri[idx]) + + switch { + case idx == 0: + colonIdx := bytes.Index(uri, []byte(":")) + if colonIdx == -1 { + break loop + } + scheme = uri[:colonIdx] + idx += colonIdx + pos = idx + 1 + + case curChar == '[' && prevChar != '\\': + inIPv6 = true + + case curChar == ']' && prevChar != '\\': + inIPv6 = false + + case curChar == ';' && prevChar != '\\': + // we found end of URI + hasParams = true + epos = idx + break loop + + default: + // select wich part + switch curChar { + case '@': + if len(host) > 0 { + pos = ppos + host = nil + } + username = uri[pos:idx] + ppos = pos + pos = idx + 1 + case ':': + if !inIPv6 { + host = uri[pos:idx] + ppos = pos + pos = idx + 1 + } + } + } + + prevChar = curChar + } + + if pos > 0 && epos <= len(uri) && pos <= epos { + if len(host) == 0 { + host = bytes.TrimSpace(uri[pos:epos]) + } else { + port, _ = strconv.Atoi(string(bytes.TrimSpace(uri[pos:epos]))) + } + } + + if hasParams { + for _, param := range bytes.Split(uri[epos+1:], []byte(";")) { + kv := bytes.Split(param, []byte("=")) + if len(kv) != 2 { + continue + } + params[string(bytes.ToLower(bytes.TrimSpace(kv[0])))] = kv[1] + } + } + + return scheme, username, host, port, params +} diff --git a/packetbeat/protos/sip/plugin_test.go b/packetbeat/protos/sip/plugin_test.go new file mode 100644 index 00000000000..d8c09f5b307 --- /dev/null +++ b/packetbeat/protos/sip/plugin_test.go @@ -0,0 +1,174 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !integration + +package sip + +import ( + "testing" + "time" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/packetbeat/protos" +) + +func TestParseURI(t *testing.T) { + scheme, username, host, port, params := parseURI(common.NetString("sip:test@10.0.2.15:5060")) + assert.Equal(t, common.NetString("sip"), scheme) + assert.Equal(t, common.NetString("test"), username) + assert.Equal(t, common.NetString("10.0.2.15"), host) + assert.Equal(t, map[string]common.NetString{}, params) + assert.Equal(t, 5060, port) + + scheme, username, host, port, params = parseURI(common.NetString("sips:test@10.0.2.15:5061 ; transport=udp")) + assert.Equal(t, common.NetString("sips"), scheme) + assert.Equal(t, common.NetString("test"), username) + assert.Equal(t, common.NetString("10.0.2.15"), host) + assert.Equal(t, common.NetString("udp"), params["transport"]) + assert.Equal(t, 5061, port) + + scheme, username, host, port, params = parseURI(common.NetString("mailto:192.168.0.2")) + assert.Equal(t, common.NetString("mailto"), scheme) + assert.Equal(t, common.NetString(nil), username) + assert.Equal(t, common.NetString("192.168.0.2"), host) + assert.Equal(t, map[string]common.NetString{}, params) + assert.Equal(t, 0, port) +} + +func TestParseFromTo(t *testing.T) { + // To + displayInfo, uri, params := parseFromToContact(common.NetString("test ;tag=QvN921")) + assert.Equal(t, common.NetString("test"), displayInfo) + assert.Equal(t, common.NetString("sip:test@10.0.2.15:5060"), uri) + assert.Equal(t, common.NetString("QvN921"), params["tag"]) + displayInfo, uri, params = parseFromToContact(common.NetString("test ")) + assert.Equal(t, common.NetString("test"), displayInfo) + assert.Equal(t, common.NetString("sip:test@10.0.2.15:5060"), uri) + assert.Equal(t, common.NetString(nil), params["tag"]) + + // From + displayInfo, uri, params = parseFromToContact(common.NetString("\"PCMU/8000\" ;tag=1")) + assert.Equal(t, common.NetString("PCMU/8000"), displayInfo) + assert.Equal(t, common.NetString("sip:sipp@10.0.2.15:5060"), uri) + assert.Equal(t, common.NetString("1"), params["tag"]) + displayInfo, uri, params = parseFromToContact(common.NetString(" \"Matthew Hodgson\" ;tag=5c7cdb68")) + assert.Equal(t, common.NetString("Matthew Hodgson"), displayInfo) + assert.Equal(t, common.NetString("sip:matthew@mxtelecom.com"), uri) + assert.Equal(t, common.NetString("5c7cdb68"), params["tag"]) + displayInfo, uri, params = parseFromToContact(common.NetString(";tag=5c7cdb68")) + assert.Equal(t, common.NetString(nil), displayInfo) + assert.Equal(t, common.NetString("sip:matthew@mxtelecom.com"), uri) + assert.Equal(t, common.NetString("5c7cdb68"), params["tag"]) + displayInfo, uri, params = parseFromToContact(common.NetString("")) + assert.Equal(t, common.NetString(nil), displayInfo) + assert.Equal(t, common.NetString("sip:matthew@mxtelecom.com"), uri) + assert.Equal(t, common.NetString(nil), params["tag"]) + + // Contact + displayInfo, uri, _ = parseFromToContact(common.NetString(" ")) + assert.Equal(t, common.NetString(nil), displayInfo) + assert.Equal(t, common.NetString("sip:test@10.0.2.15:5060;transport=udp"), uri) + displayInfo, uri, params = parseFromToContact(common.NetString(";expires=1200;q=0.500")) + assert.Equal(t, common.NetString(nil), displayInfo) + assert.Equal(t, common.NetString("sip:voi18062@192.168.1.2:5060;line=aca6b97ca3f5e51a"), uri) + assert.Equal(t, common.NetString("1200"), params["expires"]) + assert.Equal(t, common.NetString("0.500"), params["q"]) + displayInfo, uri, params = parseFromToContact(common.NetString(" \"Mr. Watson\" ;q=0.7; expires=3600")) + assert.Equal(t, common.NetString("Mr. Watson"), displayInfo) + assert.Equal(t, common.NetString("sip:watson@worcester.bell-telephone.com"), uri) + assert.Equal(t, common.NetString("3600"), params["expires"]) + assert.Equal(t, common.NetString("0.7"), params["q"]) + displayInfo, uri, params = parseFromToContact(common.NetString(" \"Mr. Watson\" ;q=0.1")) + assert.Equal(t, common.NetString("Mr. Watson"), displayInfo) + assert.Equal(t, common.NetString("mailto:watson@bell-telephone.com"), uri) + assert.Equal(t, common.NetString("0.1"), params["q"]) + + // url is not bounded by <...> + displayInfo, uri, params = parseFromToContact(common.NetString(" sip:test@10.0.2.15:5060;transport=udp")) + assert.Equal(t, common.NetString(nil), displayInfo) + assert.Equal(t, common.NetString("sip:test@10.0.2.15:5060"), uri) + assert.Equal(t, common.NetString("udp"), params["transport"]) +} + +func TestParseUDP(t *testing.T) { + gotEvent := new(beat.Event) + reporter := func(evt beat.Event) { + gotEvent = &evt + } + const data = "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" ;tag=1\r\nTo: test \r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" + p, _ := New(true, reporter, nil) + plugin := p.(*plugin) + plugin.ParseUDP(&protos.Packet{ + Ts: time.Now(), + Tuple: common.IPPortTuple{}, + Payload: []byte(data), + }) + fields := *gotEvent + + assert.Equal(t, common.NetString("1-2187@10.0.2.20"), getVal(fields, "sip.call_id")) + assert.Equal(t, common.NetString("test"), getVal(fields, "sip.contact.display_info")) + assert.Equal(t, common.NetString("10.0.2.15"), getVal(fields, "sip.contact.uri.host")) + assert.Equal(t, common.NetString("sip:test@10.0.2.15:5060"), getVal(fields, "sip.contact.uri.original")) + assert.Equal(t, 5060, getVal(fields, "sip.contact.uri.port")) + assert.Equal(t, common.NetString("sip"), getVal(fields, "sip.contact.uri.scheme")) + assert.Equal(t, common.NetString("test"), getVal(fields, "sip.contact.uri.username")) + assert.Equal(t, 123, getVal(fields, "sip.content_length")) + assert.Equal(t, common.NetString("application/sdp"), getVal(fields, "sip.content_type")) + assert.Equal(t, 1, getVal(fields, "sip.cseq.code")) + assert.Equal(t, common.NetString("INVITE"), getVal(fields, "sip.cseq.method")) + assert.Equal(t, common.NetString("DVI4/8000"), getVal(fields, "sip.from.display_info")) + assert.Equal(t, common.NetString("1"), getVal(fields, "sip.from.tag")) + assert.Equal(t, common.NetString("10.0.2.20"), getVal(fields, "sip.from.uri.host")) + assert.Equal(t, common.NetString("sip:sipp@10.0.2.20:5060"), getVal(fields, "sip.from.uri.original")) + assert.Equal(t, 5060, getVal(fields, "sip.from.uri.port")) + assert.Equal(t, common.NetString("sip"), getVal(fields, "sip.from.uri.scheme")) + assert.Equal(t, common.NetString("sipp"), getVal(fields, "sip.from.uri.username")) + assert.Equal(t, 70, getVal(fields, "sip.max_forwards")) + assert.Equal(t, common.NetString("INVITE"), getVal(fields, "sip.method")) + assert.Equal(t, common.NetString("10.0.2.20"), getVal(fields, "sip.sdp.connection.address")) + assert.Equal(t, common.NetString("IN IP4 10.0.2.20"), getVal(fields, "sip.sdp.connection.info")) + assert.Equal(t, common.NetString("10.0.2.20"), getVal(fields, "sip.sdp.owner.ip")) + assert.Equal(t, common.NetString("42"), getVal(fields, "sip.sdp.owner.session_id")) + assert.Equal(t, common.NetString("42"), getVal(fields, "sip.sdp.owner.version")) + assert.Equal(t, nil, getVal(fields, "sip.sdp.owner.username")) + assert.Equal(t, nil, getVal(fields, "sip.sdp.session.name")) + assert.Equal(t, "0", getVal(fields, "sip.sdp.version")) + assert.Equal(t, common.NetString("test"), getVal(fields, "sip.to.display_info")) + assert.Equal(t, nil, getVal(fields, "sip.to.tag")) + assert.Equal(t, common.NetString("10.0.2.15"), getVal(fields, "sip.to.uri.host")) + assert.Equal(t, common.NetString("sip:test@10.0.2.15:5060"), getVal(fields, "sip.to.uri.original")) + assert.Equal(t, 5060, getVal(fields, "sip.to.uri.port")) + assert.Equal(t, common.NetString("sip"), getVal(fields, "sip.to.uri.scheme")) + assert.Equal(t, common.NetString("test"), getVal(fields, "sip.to.uri.username")) + assert.Equal(t, "request", getVal(fields, "sip.type")) + assert.Equal(t, common.NetString("10.0.2.15"), getVal(fields, "sip.uri.host")) + assert.Equal(t, common.NetString("sip:test@10.0.2.15:5060"), getVal(fields, "sip.uri.original")) + assert.Equal(t, 5060, getVal(fields, "sip.uri.port")) + assert.Equal(t, common.NetString("sip"), getVal(fields, "sip.uri.scheme")) + assert.Equal(t, common.NetString("test"), getVal(fields, "sip.uri.username")) + assert.Equal(t, "2.0", getVal(fields, "sip.version")) + assert.EqualValues(t, []common.NetString{common.NetString("SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0")}, getVal(fields, "sip.via.original")) +} + +func getVal(f beat.Event, k string) interface{} { + v, _ := f.GetValue(k) + return v +} diff --git a/packetbeat/tests/system/config/golden-tests.yml b/packetbeat/tests/system/config/golden-tests.yml index 6d49ce9c221..42ad0c746d2 100644 --- a/packetbeat/tests/system/config/golden-tests.yml +++ b/packetbeat/tests/system/config/golden-tests.yml @@ -27,3 +27,11 @@ test_cases: - name: TLS 1.3 pcap: pcaps/tls-version-13.pcap config: {} + + - name: SIP + pcap: pcaps/sip.pcap + config: {} + + - name: SIP Authenticated Register + pcap: pcaps/sip_authenticated_register.pcap + config: {} diff --git a/packetbeat/tests/system/config/packetbeat.yml.j2 b/packetbeat/tests/system/config/packetbeat.yml.j2 index b687f6f0402..7b253d8ec2c 100644 --- a/packetbeat/tests/system/config/packetbeat.yml.j2 +++ b/packetbeat/tests/system/config/packetbeat.yml.j2 @@ -148,6 +148,9 @@ packetbeat.protocols: {% if mongodb_max_docs is not none %} max_docs: {{mongodb_max_docs}}{% endif %} {% if mongodb_max_doc_length is not none %} max_doc_length: {{mongodb_max_doc_length}}{% endif %} +- type: sip + ports: [{{ sip_ports|default([5060])|join(", ") }}] + {% if procs_enabled %} #=========================== Monitored processes ============================== diff --git a/packetbeat/tests/system/golden/sip-expected.json b/packetbeat/tests/system/golden/sip-expected.json new file mode 100644 index 00000000000..37d95d715a7 --- /dev/null +++ b/packetbeat/tests/system/golden/sip-expected.json @@ -0,0 +1,668 @@ +[ + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "10.0.2.20", + "client.port": 5060, + "destination.ip": "10.0.2.15", + "destination.port": 5060, + "event.action": "sip-invite", + "event.category": [ + "network", + "protocol" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" ;tag=1\r\nTo: test \r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", + "event.sequence": 1, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "10.0.2.15", + "10.0.2.20" + ], + "related.ip": [ + "10.0.2.20", + "10.0.2.15" + ], + "related.user": [ + "test", + "sipp" + ], + "server.ip": "10.0.2.15", + "server.port": 5060, + "sip.call_id": "1-2187@10.0.2.20", + "sip.contact.display_info": "test", + "sip.contact.uri.host": "10.0.2.15", + "sip.contact.uri.original": "sip:test@10.0.2.15:5060", + "sip.contact.uri.port": 5060, + "sip.contact.uri.scheme": "sip", + "sip.contact.uri.username": "test", + "sip.content_length": 123, + "sip.content_type": "application/sdp", + "sip.cseq.code": 1, + "sip.cseq.method": "INVITE", + "sip.from.display_info": "DVI4/8000", + "sip.from.tag": "1", + "sip.from.uri.host": "10.0.2.20", + "sip.from.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.from.uri.port": 5060, + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "sipp", + "sip.max_forwards": 70, + "sip.method": "INVITE", + "sip.sdp.body.original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", + "sip.sdp.connection.address": "10.0.2.20", + "sip.sdp.connection.info": "IN IP4 10.0.2.20", + "sip.sdp.owner.ip": "10.0.2.20", + "sip.sdp.owner.session_id": "42", + "sip.sdp.owner.version": "42", + "sip.sdp.version": "0", + "sip.to.display_info": "test", + "sip.to.uri.host": "10.0.2.15", + "sip.to.uri.original": "sip:test@10.0.2.15:5060", + "sip.to.uri.port": 5060, + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "test", + "sip.type": "request", + "sip.uri.host": "10.0.2.15", + "sip.uri.original": "sip:test@10.0.2.15:5060", + "sip.uri.port": 5060, + "sip.uri.scheme": "sip", + "sip.uri.username": "test", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" + ], + "source.ip": "10.0.2.20", + "source.port": 5060, + "status": "OK", + "type": "sip" + }, + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "10.0.2.15", + "client.port": 5060, + "destination.ip": "10.0.2.20", + "destination.port": 5060, + "event.action": "sip-invite", + "event.category": [ + "network", + "protocol" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" ;tag=1\r\nTo: test \r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit\r\nContent-Length: 0\r\n\r\n", + "event.reason": "Trying", + "event.sequence": 1, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "10.0.2.20", + "10.0.2.15" + ], + "related.ip": [ + "10.0.2.15", + "10.0.2.20" + ], + "related.user": [ + "sipp", + "test" + ], + "server.ip": "10.0.2.20", + "server.port": 5060, + "sip.call_id": "1-2187@10.0.2.20", + "sip.code": 100, + "sip.cseq.code": 1, + "sip.cseq.method": "INVITE", + "sip.from.display_info": "DVI4/8000", + "sip.from.tag": "1", + "sip.from.uri.host": "10.0.2.20", + "sip.from.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.from.uri.port": 5060, + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "sipp", + "sip.status": "Trying", + "sip.to.display_info": "test", + "sip.to.uri.host": "10.0.2.15", + "sip.to.uri.original": "sip:test@10.0.2.15:5060", + "sip.to.uri.port": 5060, + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "test", + "sip.type": "response", + "sip.user_agent.original": "FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" + ], + "source.ip": "10.0.2.15", + "source.port": 5060, + "status": "OK", + "type": "sip" + }, + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "10.0.2.20", + "client.port": 5060, + "destination.ip": "10.0.2.15", + "destination.port": 5060, + "event.action": "sip-ack", + "event.category": [ + "network", + "protocol" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "ACK sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-5\r\nFrom: \"DVI4/8000\" ;tag=1\r\nTo: test ;tag=e2jv529vDZ3eQ\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 ACK\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n", + "event.sequence": 1, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "10.0.2.15", + "10.0.2.20" + ], + "related.ip": [ + "10.0.2.20", + "10.0.2.15" + ], + "related.user": [ + "test", + "sipp" + ], + "server.ip": "10.0.2.15", + "server.port": 5060, + "sip.call_id": "1-2187@10.0.2.20", + "sip.contact.display_info": "test", + "sip.contact.uri.host": "10.0.2.15", + "sip.contact.uri.original": "sip:test@10.0.2.15:5060", + "sip.contact.uri.port": 5060, + "sip.contact.uri.scheme": "sip", + "sip.contact.uri.username": "test", + "sip.cseq.code": 1, + "sip.cseq.method": "ACK", + "sip.from.display_info": "DVI4/8000", + "sip.from.tag": "1", + "sip.from.uri.host": "10.0.2.20", + "sip.from.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.from.uri.port": 5060, + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "sipp", + "sip.max_forwards": 70, + "sip.method": "ACK", + "sip.to.display_info": "test", + "sip.to.tag": "e2jv529vDZ3eQ", + "sip.to.uri.host": "10.0.2.15", + "sip.to.uri.original": "sip:test@10.0.2.15:5060", + "sip.to.uri.port": 5060, + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "test", + "sip.type": "request", + "sip.uri.host": "10.0.2.15", + "sip.uri.original": "sip:test@10.0.2.15:5060", + "sip.uri.port": 5060, + "sip.uri.scheme": "sip", + "sip.uri.username": "test", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-5" + ], + "source.ip": "10.0.2.20", + "source.port": 5060, + "status": "OK", + "type": "sip" + }, + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "10.0.2.15", + "client.port": 5060, + "destination.ip": "10.0.2.20", + "destination.port": 5060, + "event.action": "sip-bye", + "event.category": [ + "network", + "protocol" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "BYE sip:sipp@10.0.2.20:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKDQ7XK6BBH57ya\r\nMax-Forwards: 70\r\nFrom: test ;tag=e2jv529vDZ3eQ\r\nTo: \"DVI4/8000\" ;tag=1\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 99750433 BYE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE\r\nSupported: timer, path, replaces\r\nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\"\r\nContent-Length: 0\r\n\r\n", + "event.sequence": 99750433, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "10.0.2.20", + "10.0.2.15" + ], + "related.ip": [ + "10.0.2.15", + "10.0.2.20" + ], + "related.user": [ + "sipp", + "test" + ], + "server.ip": "10.0.2.20", + "server.port": 5060, + "sip.allow": [ + "invite", + "ack", + "bye", + "cancel", + "options", + "message", + "info", + "update", + "register", + "refer", + "notify", + "publish", + "subscribe" + ], + "sip.call_id": "1-2187@10.0.2.20", + "sip.cseq.code": 99750433, + "sip.cseq.method": "BYE", + "sip.from.display_info": "test", + "sip.from.tag": "e2jv529vDZ3eQ", + "sip.from.uri.host": "10.0.2.15", + "sip.from.uri.original": "sip:test@10.0.2.15:5060", + "sip.from.uri.port": 5060, + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "test", + "sip.max_forwards": 70, + "sip.method": "BYE", + "sip.supported": [ + "timer", + "path", + "replaces" + ], + "sip.to.display_info": "DVI4/8000", + "sip.to.tag": "1", + "sip.to.uri.host": "10.0.2.20", + "sip.to.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.to.uri.port": 5060, + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "sipp", + "sip.type": "request", + "sip.uri.host": "10.0.2.20", + "sip.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.uri.port": 5060, + "sip.uri.scheme": "sip", + "sip.uri.username": "sipp", + "sip.user_agent.original": "FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKDQ7XK6BBH57ya" + ], + "source.ip": "10.0.2.15", + "source.port": 5060, + "status": "OK", + "type": "sip" + }, + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "10.0.2.20", + "client.port": 5060, + "destination.ip": "10.0.2.15", + "destination.port": 5060, + "event.action": "sip-invite", + "event.category": [ + "network", + "protocol" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-0\r\nFrom: \"DVI4/16000\" ;tag=1\r\nTo: test \r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 124\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 6\r\na=rtpmap:6 DVI4/16000\r\na=recvonly\r\n", + "event.sequence": 1, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "10.0.2.15", + "10.0.2.20" + ], + "related.ip": [ + "10.0.2.20", + "10.0.2.15" + ], + "related.user": [ + "test", + "sipp" + ], + "server.ip": "10.0.2.15", + "server.port": 5060, + "sip.call_id": "1-2189@10.0.2.20", + "sip.contact.display_info": "test", + "sip.contact.uri.host": "10.0.2.15", + "sip.contact.uri.original": "sip:test@10.0.2.15:5060", + "sip.contact.uri.port": 5060, + "sip.contact.uri.scheme": "sip", + "sip.contact.uri.username": "test", + "sip.content_length": 124, + "sip.content_type": "application/sdp", + "sip.cseq.code": 1, + "sip.cseq.method": "INVITE", + "sip.from.display_info": "DVI4/16000", + "sip.from.tag": "1", + "sip.from.uri.host": "10.0.2.20", + "sip.from.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.from.uri.port": 5060, + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "sipp", + "sip.max_forwards": 70, + "sip.method": "INVITE", + "sip.sdp.body.original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 6\r\na=rtpmap:6 DVI4/16000\r\na=recvonly\r\n", + "sip.sdp.connection.address": "10.0.2.20", + "sip.sdp.connection.info": "IN IP4 10.0.2.20", + "sip.sdp.owner.ip": "10.0.2.20", + "sip.sdp.owner.session_id": "42", + "sip.sdp.owner.version": "42", + "sip.sdp.version": "0", + "sip.to.display_info": "test", + "sip.to.uri.host": "10.0.2.15", + "sip.to.uri.original": "sip:test@10.0.2.15:5060", + "sip.to.uri.port": 5060, + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "test", + "sip.type": "request", + "sip.uri.host": "10.0.2.15", + "sip.uri.original": "sip:test@10.0.2.15:5060", + "sip.uri.port": 5060, + "sip.uri.scheme": "sip", + "sip.uri.username": "test", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-0" + ], + "source.ip": "10.0.2.20", + "source.port": 5060, + "status": "OK", + "type": "sip" + }, + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "10.0.2.15", + "client.port": 5060, + "destination.ip": "10.0.2.20", + "destination.port": 5060, + "event.action": "sip-invite", + "event.category": [ + "network", + "protocol" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-0\r\nFrom: \"DVI4/16000\" ;tag=1\r\nTo: test \r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 1 INVITE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit\r\nContent-Length: 0\r\n\r\n", + "event.reason": "Trying", + "event.sequence": 1, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "10.0.2.20", + "10.0.2.15" + ], + "related.ip": [ + "10.0.2.15", + "10.0.2.20" + ], + "related.user": [ + "sipp", + "test" + ], + "server.ip": "10.0.2.20", + "server.port": 5060, + "sip.call_id": "1-2189@10.0.2.20", + "sip.code": 100, + "sip.cseq.code": 1, + "sip.cseq.method": "INVITE", + "sip.from.display_info": "DVI4/16000", + "sip.from.tag": "1", + "sip.from.uri.host": "10.0.2.20", + "sip.from.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.from.uri.port": 5060, + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "sipp", + "sip.status": "Trying", + "sip.to.display_info": "test", + "sip.to.uri.host": "10.0.2.15", + "sip.to.uri.original": "sip:test@10.0.2.15:5060", + "sip.to.uri.port": 5060, + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "test", + "sip.type": "response", + "sip.user_agent.original": "FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-0" + ], + "source.ip": "10.0.2.15", + "source.port": 5060, + "status": "OK", + "type": "sip" + }, + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "10.0.2.20", + "client.port": 5060, + "destination.ip": "10.0.2.15", + "destination.port": 5060, + "event.action": "sip-ack", + "event.category": [ + "network", + "protocol" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "ACK sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-5\r\nFrom: \"DVI4/16000\" ;tag=1\r\nTo: test ;tag=FBcN7Xt0a8S1j\r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 1 ACK\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n", + "event.sequence": 1, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "10.0.2.15", + "10.0.2.20" + ], + "related.ip": [ + "10.0.2.20", + "10.0.2.15" + ], + "related.user": [ + "test", + "sipp" + ], + "server.ip": "10.0.2.15", + "server.port": 5060, + "sip.call_id": "1-2189@10.0.2.20", + "sip.contact.display_info": "test", + "sip.contact.uri.host": "10.0.2.15", + "sip.contact.uri.original": "sip:test@10.0.2.15:5060", + "sip.contact.uri.port": 5060, + "sip.contact.uri.scheme": "sip", + "sip.contact.uri.username": "test", + "sip.cseq.code": 1, + "sip.cseq.method": "ACK", + "sip.from.display_info": "DVI4/16000", + "sip.from.tag": "1", + "sip.from.uri.host": "10.0.2.20", + "sip.from.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.from.uri.port": 5060, + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "sipp", + "sip.max_forwards": 70, + "sip.method": "ACK", + "sip.to.display_info": "test", + "sip.to.tag": "FBcN7Xt0a8S1j", + "sip.to.uri.host": "10.0.2.15", + "sip.to.uri.original": "sip:test@10.0.2.15:5060", + "sip.to.uri.port": 5060, + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "test", + "sip.type": "request", + "sip.uri.host": "10.0.2.15", + "sip.uri.original": "sip:test@10.0.2.15:5060", + "sip.uri.port": 5060, + "sip.uri.scheme": "sip", + "sip.uri.username": "test", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-5" + ], + "source.ip": "10.0.2.20", + "source.port": 5060, + "status": "OK", + "type": "sip" + }, + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "10.0.2.15", + "client.port": 5060, + "destination.ip": "10.0.2.20", + "destination.port": 5060, + "event.action": "sip-bye", + "event.category": [ + "network", + "protocol" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "BYE sip:sipp@10.0.2.20:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKe00pN1veeeyHp\r\nMax-Forwards: 70\r\nFrom: test ;tag=FBcN7Xt0a8S1j\r\nTo: \"DVI4/16000\" ;tag=1\r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 99750437 BYE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE\r\nSupported: timer, path, replaces\r\nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\"\r\nContent-Length: 0\r\n\r\n", + "event.sequence": 99750437, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "10.0.2.20", + "10.0.2.15" + ], + "related.ip": [ + "10.0.2.15", + "10.0.2.20" + ], + "related.user": [ + "sipp", + "test" + ], + "server.ip": "10.0.2.20", + "server.port": 5060, + "sip.allow": [ + "invite", + "ack", + "bye", + "cancel", + "options", + "message", + "info", + "update", + "register", + "refer", + "notify", + "publish", + "subscribe" + ], + "sip.call_id": "1-2189@10.0.2.20", + "sip.cseq.code": 99750437, + "sip.cseq.method": "BYE", + "sip.from.display_info": "test", + "sip.from.tag": "FBcN7Xt0a8S1j", + "sip.from.uri.host": "10.0.2.15", + "sip.from.uri.original": "sip:test@10.0.2.15:5060", + "sip.from.uri.port": 5060, + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "test", + "sip.max_forwards": 70, + "sip.method": "BYE", + "sip.supported": [ + "timer", + "path", + "replaces" + ], + "sip.to.display_info": "DVI4/16000", + "sip.to.tag": "1", + "sip.to.uri.host": "10.0.2.20", + "sip.to.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.to.uri.port": 5060, + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "sipp", + "sip.type": "request", + "sip.uri.host": "10.0.2.20", + "sip.uri.original": "sip:sipp@10.0.2.20:5060", + "sip.uri.port": 5060, + "sip.uri.scheme": "sip", + "sip.uri.username": "sipp", + "sip.user_agent.original": "FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKe00pN1veeeyHp" + ], + "source.ip": "10.0.2.15", + "source.port": 5060, + "status": "OK", + "type": "sip" + } +] \ No newline at end of file diff --git a/packetbeat/tests/system/golden/sip_authenticated_register-expected.json b/packetbeat/tests/system/golden/sip_authenticated_register-expected.json new file mode 100644 index 00000000000..133792cc157 --- /dev/null +++ b/packetbeat/tests/system/golden/sip_authenticated_register-expected.json @@ -0,0 +1,142 @@ +[ + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "192.168.1.2", + "client.port": 5060, + "destination.ip": "212.242.33.35", + "destination.port": 5060, + "event.action": "sip-register", + "event.category": [ + "network", + "protocol", + "authentication" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "REGISTER sip:sip.cybercity.dk SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport\r\nFrom: ;tag=6bac55c\r\nTo: \r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nContact: ;expires=1200;q=0.500\r\nExpires: 1200\r\nCSeq: 75 REGISTER\r\nContent-Length: 0\r\nAuthorization: Digest username=\"voi18062\",realm=\"sip.cybercity.dk\",uri=\"sip:192.168.1.2\",nonce=\"1701b22972b90f440c3e4eb250842bb\",opaque=\"1701a1351f70795\",nc=\"00000001\",response=\"79a0543188495d288c9ebbe0c881abdc\"\r\nMax-Forwards: 70\r\nUser-Agent: Nero SIPPS IP Phone Version 2.0.51.16\r\n\r\n", + "event.sequence": 75, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "sip.cybercity.dk" + ], + "related.ip": [ + "192.168.1.2", + "212.242.33.35" + ], + "related.user": [ + "voi18062" + ], + "server.ip": "212.242.33.35", + "server.port": 5060, + "sip.auth.realm": "sip.cybercity.dk", + "sip.auth.scheme": "Digest", + "sip.auth.uri.host": "192.168.1.2", + "sip.auth.uri.original": "sip:192.168.1.2", + "sip.auth.uri.scheme": "sip", + "sip.call_id": "578222729-4665d775@578222732-4665d772", + "sip.contact.uri.host": "sip.cybercity.dk", + "sip.contact.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.contact.uri.scheme": "sip", + "sip.contact.uri.username": "voi18062", + "sip.cseq.code": 75, + "sip.cseq.method": "REGISTER", + "sip.from.tag": "6bac55c", + "sip.from.uri.host": "sip.cybercity.dk", + "sip.from.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "voi18062", + "sip.max_forwards": 70, + "sip.method": "REGISTER", + "sip.to.uri.host": "sip.cybercity.dk", + "sip.to.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "voi18062", + "sip.type": "request", + "sip.uri.host": "sip.cybercity.dk", + "sip.uri.original": "sip:sip.cybercity.dk", + "sip.uri.scheme": "sip", + "sip.user_agent.original": "Nero SIPPS IP Phone Version 2.0.51.16", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport" + ], + "source.ip": "192.168.1.2", + "source.port": 5060, + "status": "OK", + "type": "sip", + "user.name": "voi18062" + }, + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.ip": "212.242.33.35", + "client.port": 5060, + "destination.ip": "192.168.1.2", + "destination.port": 5060, + "event.action": "sip-register", + "event.category": [ + "network", + "protocol" + ], + "event.dataset": "sip", + "event.duration": 0, + "event.kind": "event", + "event.original": "SIP/2.0 100 Trying\r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nCSeq: 75 REGISTER\r\nFrom: ;tag=6bac55c\r\nTo: \r\nVia: SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060;branch=z9hG4bKnp112903503-43a64480192.168.1.2\r\nContent-Length: 0\r\n\r\n", + "event.reason": "Trying", + "event.sequence": 75, + "event.type": [ + "info" + ], + "network.application": "sip", + "network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=", + "network.iana_number": "17", + "network.protocol": "sip", + "network.transport": "udp", + "network.type": "ipv4", + "related.hosts": [ + "sip.cybercity.dk" + ], + "related.ip": [ + "212.242.33.35", + "192.168.1.2" + ], + "related.user": [ + "voi18062" + ], + "server.ip": "192.168.1.2", + "server.port": 5060, + "sip.call_id": "578222729-4665d775@578222732-4665d772", + "sip.code": 100, + "sip.cseq.code": 75, + "sip.cseq.method": "REGISTER", + "sip.from.tag": "6bac55c", + "sip.from.uri.host": "sip.cybercity.dk", + "sip.from.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.from.uri.scheme": "sip", + "sip.from.uri.username": "voi18062", + "sip.status": "Trying", + "sip.to.uri.host": "sip.cybercity.dk", + "sip.to.uri.original": "sip:voi18062@sip.cybercity.dk", + "sip.to.uri.scheme": "sip", + "sip.to.uri.username": "voi18062", + "sip.type": "response", + "sip.version": "2.0", + "sip.via.original": [ + "SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060;branch=z9hG4bKnp112903503-43a64480192.168.1.2" + ], + "source.ip": "212.242.33.35", + "source.port": 5060, + "status": "OK", + "type": "sip" + } +] \ No newline at end of file diff --git a/packetbeat/tests/system/pcaps/sip.pcap b/packetbeat/tests/system/pcaps/sip.pcap new file mode 100644 index 00000000000..7ec19fb525b Binary files /dev/null and b/packetbeat/tests/system/pcaps/sip.pcap differ diff --git a/packetbeat/tests/system/pcaps/sip_authenticated_register.pcap b/packetbeat/tests/system/pcaps/sip_authenticated_register.pcap new file mode 100644 index 00000000000..25f10e5cf88 Binary files /dev/null and b/packetbeat/tests/system/pcaps/sip_authenticated_register.pcap differ diff --git a/packetbeat/tests/system/test_0099_golden_files.py b/packetbeat/tests/system/test_0099_golden_files.py index 0acc7ca8ad1..e01bc955600 100644 --- a/packetbeat/tests/system/test_0099_golden_files.py +++ b/packetbeat/tests/system/test_0099_golden_files.py @@ -79,6 +79,9 @@ def clean_keys(obj): # Network direction is populated based on local-IPs which is misleading # when reading from a pcap and leads to inconsistent results. "network.direction", + + # module specific + "sip.timestamp", ] for key in keys: if key in obj: diff --git a/winlogbeat/Jenkinsfile.yml b/winlogbeat/Jenkinsfile.yml index 9801a232674..82ce7912d3b 100644 --- a/winlogbeat/Jenkinsfile.yml +++ b/winlogbeat/Jenkinsfile.yml @@ -19,4 +19,14 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test winlogbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/winlogbeat/cmd/root.go b/winlogbeat/cmd/root.go index 7e25e717813..988ac6f9f6c 100644 --- a/winlogbeat/cmd/root.go +++ b/winlogbeat/cmd/root.go @@ -30,7 +30,6 @@ import ( // Import processors and supporting modules. _ "github.com/elastic/beats/v7/libbeat/processors/script" _ "github.com/elastic/beats/v7/libbeat/processors/timestamp" - _ "github.com/elastic/beats/v7/winlogbeat/processors/script/javascript/module/winlogbeat" ) const ( @@ -38,7 +37,7 @@ const ( Name = "winlogbeat" // ecsVersion specifies the version of ECS that Winlogbeat is implementing. - ecsVersion = "1.5.0" + ecsVersion = "1.6.0" ) // withECSVersion is a modifier that adds ecs.version to events. diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index d0b1a0a1473..cc84c0fad8a 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -220,8 +220,15 @@ type: object [[exported-fields-ecs]] == ECS fields -ECS Fields. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. *`@timestamp`*:: + diff --git a/winlogbeat/eventlog/eventlogging.go b/winlogbeat/eventlog/eventlogging.go index 963797264b2..01465d933fc 100644 --- a/winlogbeat/eventlog/eventlogging.go +++ b/winlogbeat/eventlog/eventlogging.go @@ -40,9 +40,6 @@ const ( eventLoggingAPIName = "eventlogging" ) -var eventLoggingConfigKeys = common.MakeStringSet(append(commonConfigKeys, - "ignore_older", "read_buffer_size", "format_buffer_size")...) - type eventLoggingConfig struct { ConfigCommon `config:",inline"` IgnoreOlder time.Duration `config:"ignore_older"` @@ -284,7 +281,7 @@ func newEventLogging(options *common.Config) (EventLog, error) { ReadBufferSize: win.MaxEventBufferSize, FormatBufferSize: win.MaxFormatMessageBufferSize, } - if err := readConfig(options, &c, eventLoggingConfigKeys); err != nil { + if err := readConfig(options, &c); err != nil { return nil, err } diff --git a/winlogbeat/eventlog/factory.go b/winlogbeat/eventlog/factory.go index f66c158b2f2..9ee8e0d144f 100644 --- a/winlogbeat/eventlog/factory.go +++ b/winlogbeat/eventlog/factory.go @@ -22,14 +22,9 @@ import ( "sort" "strings" - "github.com/joeshaw/multierror" - "github.com/elastic/beats/v7/libbeat/common" ) -var commonConfigKeys = []string{"type", "api", "name", "fields", "fields_under_root", - "tags", "processors", "index", "id", "meta", "revision"} - // ConfigCommon is the common configuration data used to instantiate a new // EventLog. Each implementation is free to support additional configuration // options. @@ -42,33 +37,18 @@ type validator interface { Validate() error } -func readConfig( - c *common.Config, - config interface{}, - validKeys common.StringSet, -) error { +func readConfig(c *common.Config, config interface{}) error { if err := c.Unpack(config); err != nil { return fmt.Errorf("failed unpacking config. %v", err) } - var errs multierror.Errors - if len(validKeys) > 0 { - // Check for invalid keys. - for _, k := range c.GetFields() { - if !validKeys.Has(k) { - errs = append(errs, fmt.Errorf("invalid event log key '%s' "+ - "found. Valid keys are %s", k, strings.Join(validKeys.ToSlice(), ", "))) - } - } - } - if v, ok := config.(validator); ok { if err := v.Validate(); err != nil { - errs = append(errs, err) + return err } } - return errs.Err() + return nil } // Producer produces a new event log instance for reading event log records. @@ -114,7 +94,7 @@ func New(options *common.Config) (EventLog, error) { } var config ConfigCommon - if err := readConfig(options, &config, nil); err != nil { + if err := readConfig(options, &config); err != nil { return nil, err } diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go index db00f239974..7ee6c62cf18 100644 --- a/winlogbeat/eventlog/wineventlog.go +++ b/winlogbeat/eventlog/wineventlog.go @@ -47,10 +47,6 @@ const ( winEventLogAPIName = "wineventlog" ) -var winEventLogConfigKeys = common.MakeStringSet(append(commonConfigKeys, - "batch_read_size", "ignore_older", "include_xml", "event_id", "forwarded", - "level", "provider", "no_more_events")...) - type winEventLogConfig struct { ConfigCommon `config:",inline"` BatchReadSize int `config:"batch_read_size"` // Maximum number of events that Read will return. @@ -366,7 +362,7 @@ func (l *winEventLog) buildRecordFromXML(x []byte, recoveredErr error) (Record, // using the Windows Event Log. func newWinEventLog(options *common.Config) (EventLog, error) { c := defaultWinEventLogConfig - if err := readConfig(options, &c, winEventLogConfigKeys); err != nil { + if err := readConfig(options, &c); err != nil { return nil, err } diff --git a/winlogbeat/eventlog/wineventlog_expirimental.go b/winlogbeat/eventlog/wineventlog_expirimental.go index 5952aad0f5a..301b2cf4f0b 100644 --- a/winlogbeat/eventlog/wineventlog_expirimental.go +++ b/winlogbeat/eventlog/wineventlog_expirimental.go @@ -243,7 +243,7 @@ func newWinEventLogExp(options *common.Config) (EventLog, error) { cfgwarn.Experimental("The %s event log reader is experimental.", winEventLogExpAPIName) c := winEventLogConfig{BatchReadSize: 512} - if err := readConfig(options, &c, winEventLogConfigKeys); err != nil { + if err := readConfig(options, &c); err != nil { return nil, err } diff --git a/winlogbeat/tests/system/test_eventlogging.py b/winlogbeat/tests/system/test_eventlogging.py index dd763104fa5..0d486656054 100644 --- a/winlogbeat/tests/system/test_eventlogging.py +++ b/winlogbeat/tests/system/test_eventlogging.py @@ -156,25 +156,6 @@ def test_ignore_older(self): self.assertEqual(evts[0]["winlog.event_id"], 10) self.assertEqual(evts[0]["event.code"], 10) - def test_unknown_eventlog_config(self): - """ - eventlogging - Unknown config parameter - """ - self.render_config_template( - event_logs=[ - { - "name": self.providerName, - "api": self.api, - "event_id": "10, 12", - "level": "info", - "provider": ["me"], - "include_xml": True, - } - ] - ) - self.start_beat().check_wait(exit_code=1) - assert self.log_contains("4 errors: invalid event log key") - def test_utf16_characters(self): """ eventlogging - UTF-16 characters diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py index ea390475279..363e90edbd2 100644 --- a/winlogbeat/tests/system/test_wineventlog.py +++ b/winlogbeat/tests/system/test_wineventlog.py @@ -311,23 +311,6 @@ def test_query_multi_param(self): self.assertTrue(len(evts), 1) self.assertEqual(evts[0]["message"], "selected") - def test_unknown_eventlog_config(self): - """ - wineventlog - Unknown config parameter - """ - self.render_config_template( - event_logs=[ - { - "name": self.providerName, - "api": self.api, - "forwarded": False, - "invalid": "garbage"} - ] - ) - self.start_beat().check_wait(exit_code=1) - assert self.log_contains( - "1 error: invalid event log key 'invalid' found.") - def test_utf16_characters(self): """ wineventlog - UTF-16 characters diff --git a/x-pack/auditbeat/Jenkinsfile.yml b/x-pack/auditbeat/Jenkinsfile.yml index 7944892f8c5..969aa0a8e08 100644 --- a/x-pack/auditbeat/Jenkinsfile.yml +++ b/x-pack/auditbeat/Jenkinsfile.yml @@ -5,11 +5,11 @@ when: - "@ci" ## special token regarding the changeset for the ci - "@xpack" ## special token regarding the changeset for the xpack comments: ## when PR comment contains any of those entries - - "/test auditbeat" + - "/test x-pack/auditbeat" labels: ## when PR labels matches any of those entries - - "auditbeat" + - "x-pack-auditbeat" parameters: ## when parameter was selected in the UI. - - "auditbeat" + - "x-pack-auditbeat" tags: true ## for all the tags platform: "linux && ubuntu-18" ## default label for all the stages stages: @@ -20,15 +20,27 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - - "/test auditbeat for macos" + - "/test x-pack/auditbeat for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test auditbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/x-pack/auditbeat/module/system/socket/events.go b/x-pack/auditbeat/module/system/socket/events.go index 76d91a8db24..c1937cb0302 100644 --- a/x-pack/auditbeat/module/system/socket/events.go +++ b/x-pack/auditbeat/module/system/socket/events.go @@ -872,8 +872,8 @@ type execveCall struct { creds *commitCreds } -func (e *execveCall) getProcess() process { - p := process{ +func (e *execveCall) getProcess() *process { + p := &process{ pid: e.Meta.PID, path: readCString(e.Path[:]), created: kernelTime(e.Meta.Timestamp), diff --git a/x-pack/auditbeat/module/system/socket/socket_linux.go b/x-pack/auditbeat/module/system/socket/socket_linux.go index 78fdd8ae4ca..11f8a22289e 100644 --- a/x-pack/auditbeat/module/system/socket/socket_linux.go +++ b/x-pack/auditbeat/module/system/socket/socket_linux.go @@ -158,7 +158,7 @@ func (m *MetricSet) Run(r mb.PushReporterV2) { } else { for _, p := range procs { if i, err := p.Info(); err == nil { - process := process{ + process := &process{ name: i.Name, pid: uint32(i.PID), args: i.Args, diff --git a/x-pack/auditbeat/module/system/socket/state.go b/x-pack/auditbeat/module/system/socket/state.go index c7b3ac761a7..fa612b56e1a 100644 --- a/x-pack/auditbeat/module/system/socket/state.go +++ b/x-pack/auditbeat/module/system/socket/state.go @@ -214,6 +214,9 @@ func (f *flow) Timestamp() time.Time { } type process struct { + // RWMutex is used to arbitrate reads and writes to resolvedDomains. + sync.RWMutex + pid uint32 name, path string args []string @@ -229,6 +232,8 @@ type process struct { } func (p *process) addTransaction(tr dns.Transaction) { + p.Lock() + defer p.Unlock() if p.resolvedDomains == nil { p.resolvedDomains = make(map[string]string) } @@ -239,6 +244,8 @@ func (p *process) addTransaction(tr dns.Transaction) { // ResolveIP returns the domain associated with the given IP. func (p *process) ResolveIP(ip net.IP) (domain string, found bool) { + p.RLock() + defer p.RUnlock() domain, found = p.resolvedDomains[ip.String()] return } @@ -542,13 +549,13 @@ func (s *state) ExpireOlder() { s.dns.CleanUp() } -func (s *state) CreateProcess(p process) error { +func (s *state) CreateProcess(p *process) error { if p.pid == 0 { return errors.New("can't create process with PID 0") } s.Lock() defer s.Unlock() - s.processes[p.pid] = &p + s.processes[p.pid] = p if p.createdTime == (time.Time{}) { p.createdTime = s.kernTimestampToTime(p.created) } diff --git a/x-pack/auditbeat/module/system/socket/state_test.go b/x-pack/auditbeat/module/system/socket/state_test.go index 75b73a374d1..89ba0cde9db 100644 --- a/x-pack/auditbeat/module/system/socket/state_test.go +++ b/x-pack/auditbeat/module/system/socket/state_test.go @@ -11,6 +11,7 @@ import ( "fmt" "net" "os" + "sync" "testing" "time" @@ -835,3 +836,28 @@ func TestSocketReuse(t *testing.T) { } assert.Len(t, flows, 1) } + +func TestProcessDNSRace(t *testing.T) { + p := new(process) + var wg sync.WaitGroup + wg.Add(2) + address := func(i byte) net.IP { return net.IPv4(172, 16, 0, i) } + go func() { + for i := byte(255); i > 0; i-- { + p.addTransaction(dns.Transaction{ + Client: net.UDPAddr{IP: net.IPv4(10, 20, 30, 40)}, + Server: net.UDPAddr{IP: net.IPv4(10, 20, 30, 41)}, + Domain: "example.net", + Addresses: []net.IP{address(i)}, + }) + } + wg.Done() + }() + go func() { + for i := byte(255); i > 0; i-- { + p.ResolveIP(address(i)) + } + wg.Done() + }() + wg.Wait() +} diff --git a/x-pack/auditbeat/tests/system/test_metricsets.py b/x-pack/auditbeat/tests/system/test_metricsets.py index 26bddcef785..d60c1b82ef8 100644 --- a/x-pack/auditbeat/tests/system/test_metricsets.py +++ b/x-pack/auditbeat/tests/system/test_metricsets.py @@ -1,6 +1,7 @@ import jinja2 import os import platform +import pytest import sys import time import unittest @@ -42,6 +43,8 @@ def test_metricset_login(self): # Metricset is beta and that generates a warning, TODO: remove later self.check_metricset("system", "login", COMMON_FIELDS + fields, config, warnings_allowed=True) + # 1/20 build fails https://github.com/elastic/beats/issues/21308 + @pytest.mark.flaky(reruns=1, reruns_delay=10) @unittest.skipIf(sys.platform == "win32", "Not implemented for Windows") @unittest.skipIf(sys.platform.startswith('linux') and not (os.path.isdir("/var/lib/dpkg") or os.path.isdir("/var/lib/rpm")), "Only implemented for dpkg and rpm") diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc index 3963dda9a12..eb98ef39ded 100644 --- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc @@ -10,9 +10,11 @@ - Docker container is not run as root by default. {pull}21213[21213] ==== Bugfixes +- Fix rename *ConfigChange to *PolicyChange to align on changes in the UI. {pull}20779[20779] - Thread safe sorted set {pull}21290[21290] - Copy Action store on upgrade {pull}21298[21298] - Include inputs in action store actions {pull}21298[21298] +- Fix issue where inputs without processors defined would panic {pull}21628[21628] ==== New features @@ -26,3 +28,10 @@ - Add support for dynamic inputs with providers and `{{variable|"default"}}` substitution. {pull}20839[20839] - Add support for EQL based condition on inputs {pull}20994[20994] - Send `fleet.host.id` to Endpoint Security {pull}21042[21042] +- Add `install` and `uninstall` subcommands {pull}21206[21206] +- Use new form of fleet API paths {pull}21478[21478] +- Add `kubernetes` composable dynamic provider. {pull}21480[21480] +- Send updating state {pull}21461[21461] +- Add `elastic.agent.id` and `elastic.agent.version` to published events from filebeat and metricbeat {pull}21543[21543] +- Add `upgrade` subcommand to perform upgrade of installed Elastic Agent {pull}21425[21425] +- Update `fleet.yml` and Kibana hosts when a policy change updates the Kibana hosts {pull}21599[21599] diff --git a/x-pack/elastic-agent/Jenkinsfile.yml b/x-pack/elastic-agent/Jenkinsfile.yml index b25d83a9092..04a6b227721 100644 --- a/x-pack/elastic-agent/Jenkinsfile.yml +++ b/x-pack/elastic-agent/Jenkinsfile.yml @@ -19,15 +19,27 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test x-pack/elastic-agent for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test x-pack/elastic-agent for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json index 327b79ed347..f08e98942ea 100644 --- a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json +++ b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json @@ -2,9 +2,9 @@ "action": "checkin", "actions": [ { - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "data": { - "config": { + "policy": { "id": "default", "outputs": { "default": { diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go index 7296e8189be..4fa067f8f8b 100644 --- a/x-pack/elastic-agent/magefile.go +++ b/x-pack/elastic-agent/magefile.go @@ -658,6 +658,7 @@ func buildVars() map[string]string { if isDevFlag, devFound := os.LookupEnv(devEnv); devFound { if isDev, err := strconv.ParseBool(isDevFlag); err == nil && isDev { vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.allowEmptyPgp"] = "true" + vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.allowUpgrade"] = "true" } } diff --git a/x-pack/elastic-agent/pkg/agent/application/action_store.go b/x-pack/elastic-agent/pkg/agent/application/action_store.go index 25dbf7a5b82..ce4ea785cf7 100644 --- a/x-pack/elastic-agent/pkg/agent/application/action_store.go +++ b/x-pack/elastic-agent/pkg/agent/application/action_store.go @@ -35,7 +35,7 @@ func newActionStore(log *logger.Logger, store storeLoad) (*actionStore, error) { } defer reader.Close() - var action actionConfigChangeSerializer + var action ActionPolicyChangeSerializer dec := yaml.NewDecoder(reader) err = dec.Decode(&action) @@ -49,7 +49,7 @@ func newActionStore(log *logger.Logger, store storeLoad) (*actionStore, error) { return nil, err } - apc := fleetapi.ActionConfigChange(action) + apc := fleetapi.ActionPolicyChange(action) return &actionStore{ log: log, @@ -62,7 +62,7 @@ func newActionStore(log *logger.Logger, store storeLoad) (*actionStore, error) { // any other type of action will be silently ignored. func (s *actionStore) Add(a action) { switch v := a.(type) { - case *fleetapi.ActionConfigChange, *fleetapi.ActionUnenroll: + case *fleetapi.ActionPolicyChange, *fleetapi.ActionUnenroll: // Only persist the action if the action is different. if s.action != nil && s.action.ID() == v.ID() { return @@ -79,8 +79,8 @@ func (s *actionStore) Save() error { } var reader io.Reader - if apc, ok := s.action.(*fleetapi.ActionConfigChange); ok { - serialize := actionConfigChangeSerializer(*apc) + if apc, ok := s.action.(*fleetapi.ActionPolicyChange); ok { + serialize := ActionPolicyChangeSerializer(*apc) r, err := yamlToReader(&serialize) if err != nil { @@ -120,7 +120,7 @@ func (s *actionStore) Actions() []action { return []action{s.action} } -// actionConfigChangeSerializer is a struct that adds a YAML serialization, I don't think serialization +// ActionPolicyChangeSerializer is a struct that adds a YAML serialization, I don't think serialization // is a concern of the fleetapi package. I went this route so I don't have to do much refactoring. // // There are four ways to achieve the same results: @@ -130,14 +130,14 @@ func (s *actionStore) Actions() []action { // 4. We have two sets of type. // // This could be done in a refactoring. -type actionConfigChangeSerializer struct { +type ActionPolicyChangeSerializer struct { ActionID string `yaml:"action_id"` ActionType string `yaml:"action_type"` - Config map[string]interface{} `yaml:"config"` + Policy map[string]interface{} `yaml:"policy"` } // Add a guards between the serializer structs and the original struct. -var _ actionConfigChangeSerializer = actionConfigChangeSerializer(fleetapi.ActionConfigChange{}) +var _ ActionPolicyChangeSerializer = ActionPolicyChangeSerializer(fleetapi.ActionPolicyChange{}) // actionUnenrollSerializer is a struct that adds a YAML serialization, type actionUnenrollSerializer struct { diff --git a/x-pack/elastic-agent/pkg/agent/application/action_store_test.go b/x-pack/elastic-agent/pkg/agent/application/action_store_test.go index 4205deda8b6..f2691d66db6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/action_store_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/action_store_test.go @@ -57,10 +57,10 @@ func TestActionStore(t *testing.T) { t.Run("can save to disk known action type", withFile(func(t *testing.T, file string) { - actionConfigChange := &fleetapi.ActionConfigChange{ + ActionPolicyChange := &fleetapi.ActionPolicyChange{ ActionID: "abc123", - ActionType: "CONFIG_CHANGE", - Config: map[string]interface{}{ + ActionType: "POLICY_CHANGE", + Policy: map[string]interface{}{ "hello": "world", }, } @@ -70,7 +70,7 @@ func TestActionStore(t *testing.T) { require.NoError(t, err) require.Equal(t, 0, len(store.Actions())) - store.Add(actionConfigChange) + store.Add(ActionPolicyChange) err = store.Save() require.NoError(t, err) require.Equal(t, 1, len(store.Actions())) @@ -82,12 +82,12 @@ func TestActionStore(t *testing.T) { actions := store1.Actions() require.Equal(t, 1, len(actions)) - require.Equal(t, actionConfigChange, actions[0]) + require.Equal(t, ActionPolicyChange, actions[0]) })) t.Run("when we ACK we save to disk", withFile(func(t *testing.T, file string) { - actionConfigChange := &fleetapi.ActionConfigChange{ + ActionPolicyChange := &fleetapi.ActionPolicyChange{ ActionID: "abc123", } @@ -98,7 +98,7 @@ func TestActionStore(t *testing.T) { acker := newActionStoreAcker(&testAcker{}, store) require.Equal(t, 0, len(store.Actions())) - require.NoError(t, acker.Ack(context.Background(), actionConfigChange)) + require.NoError(t, acker.Ack(context.Background(), ActionPolicyChange)) require.Equal(t, 1, len(store.Actions())) })) } diff --git a/x-pack/elastic-agent/pkg/agent/application/application.go b/x-pack/elastic-agent/pkg/agent/application/application.go index e003eed61a6..d721a8aa148 100644 --- a/x-pack/elastic-agent/pkg/agent/application/application.go +++ b/x-pack/elastic-agent/pkg/agent/application/application.go @@ -8,6 +8,7 @@ import ( "context" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/warn" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" @@ -25,8 +26,12 @@ type reexecManager interface { ReExec(argOverrides ...string) } +type upgraderControl interface { + SetUpgrader(upgrader *upgrade.Upgrader) +} + // New creates a new Agent and bootstrap the required subsystem. -func New(log *logger.Logger, pathConfigFile string, reexec reexecManager) (Application, error) { +func New(log *logger.Logger, pathConfigFile string, reexec reexecManager, uc upgraderControl) (Application, error) { // Load configuration from disk to understand in which mode of operation // we must start the elastic-agent, the mode of operation cannot be changed without restarting the // elastic-agent. @@ -39,7 +44,7 @@ func New(log *logger.Logger, pathConfigFile string, reexec reexecManager) (Appli return nil, err } - return createApplication(log, pathConfigFile, rawConfig, reexec) + return createApplication(log, pathConfigFile, rawConfig, reexec, uc) } func createApplication( @@ -47,6 +52,7 @@ func createApplication( pathConfigFile string, rawConfig *config.Config, reexec reexecManager, + uc upgraderControl, ) (Application, error) { warn.LogNotGA(log) log.Info("Detecting execution mode") @@ -59,7 +65,7 @@ func createApplication( if isStandalone(cfg.Fleet) { log.Info("Agent is managed locally") - return newLocal(ctx, log, pathConfigFile, rawConfig) + return newLocal(ctx, log, pathConfigFile, rawConfig, reexec, uc) } log.Info("Agent is managed by Fleet") diff --git a/x-pack/elastic-agent/pkg/agent/application/emitter.go b/x-pack/elastic-agent/pkg/agent/application/emitter.go index d8a19492e2b..07f8e1f460b 100644 --- a/x-pack/elastic-agent/pkg/agent/application/emitter.go +++ b/x-pack/elastic-agent/pkg/agent/application/emitter.go @@ -10,6 +10,7 @@ import ( "strings" "sync" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" @@ -18,7 +19,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" ) -type decoratorFunc = func(string, *transpiler.AST, []program.Program) ([]program.Program, error) +type decoratorFunc = func(*info.AgentInfo, string, *transpiler.AST, []program.Program) ([]program.Program, error) type filterFunc = func(*logger.Logger, *transpiler.AST) error type reloadable interface { @@ -36,16 +37,18 @@ type programsDispatcher interface { type emitterController struct { logger *logger.Logger + agentInfo *info.AgentInfo controller composable.Controller router programsDispatcher modifiers *configModifiers reloadables []reloadable // state - lock sync.RWMutex - config *config.Config - ast *transpiler.AST - vars []*transpiler.Vars + lock sync.RWMutex + updateLock sync.Mutex + config *config.Config + ast *transpiler.AST + vars []*transpiler.Vars } func (e *emitterController) Update(c *config.Config) error { @@ -91,6 +94,10 @@ func (e *emitterController) Set(vars []*transpiler.Vars) { } func (e *emitterController) update() error { + // locking whole update because it can be called concurrently via Set and Update method + e.updateLock.Lock() + defer e.updateLock.Unlock() + e.lock.RLock() cfg := e.config rawAst := e.ast @@ -112,14 +119,14 @@ func (e *emitterController) update() error { e.logger.Debug("Converting single configuration into specific programs configuration") - programsToRun, err := program.Programs(ast) + programsToRun, err := program.Programs(e.agentInfo, ast) if err != nil { return err } for _, decorator := range e.modifiers.Decorators { for outputType, ptr := range programsToRun { - programsToRun[outputType], err = decorator(outputType, ast, ptr) + programsToRun[outputType], err = decorator(e.agentInfo, outputType, ast, ptr) if err != nil { return err } @@ -135,12 +142,13 @@ func (e *emitterController) update() error { return e.router.Dispatch(ast.HashStr(), programsToRun) } -func emitter(ctx context.Context, log *logger.Logger, controller composable.Controller, router programsDispatcher, modifiers *configModifiers, reloadables ...reloadable) (emitterFunc, error) { +func emitter(ctx context.Context, log *logger.Logger, agentInfo *info.AgentInfo, controller composable.Controller, router programsDispatcher, modifiers *configModifiers, reloadables ...reloadable) (emitterFunc, error) { log.Debugf("Supported programs: %s", strings.Join(program.KnownProgramNames(), ", ")) init, _ := transpiler.NewVars(map[string]interface{}{}) ctrl := &emitterController{ logger: log, + agentInfo: agentInfo, controller: controller, router: router, modifiers: modifiers, @@ -211,17 +219,20 @@ func promoteProcessors(dict *transpiler.Dict) *transpiler.Dict { if p == nil { return dict } + var currentList *transpiler.List current, ok := dict.Find("processors") - currentList, isList := current.Value().(*transpiler.List) - if !isList { - return dict + if ok { + currentList, ok = current.Value().(*transpiler.List) + if !ok { + return dict + } } ast, _ := transpiler.NewAST(map[string]interface{}{ "processors": p, }) procs, _ := transpiler.Lookup(ast, "processors") nodes := nodesFromList(procs.Value().(*transpiler.List)) - if ok { + if ok && currentList != nil { nodes = append(nodes, nodesFromList(currentList)...) } dictNodes := dict.Value().([]transpiler.Node) diff --git a/x-pack/elastic-agent/pkg/agent/application/emitter_test.go b/x-pack/elastic-agent/pkg/agent/application/emitter_test.go index 32770eaa5df..b2286552f9f 100644 --- a/x-pack/elastic-agent/pkg/agent/application/emitter_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/emitter_test.go @@ -479,6 +479,181 @@ func TestRenderInputs(t *testing.T) { }), }, }, + "inputs without processors and vars with processors": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/${var1.name}.log"), + })), + }), + })), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value1.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("custom", transpiler.NewStrVal("value1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("dynamic")), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value2.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("custom", transpiler.NewStrVal("value2")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("dynamic")), + })), + }), + })), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVarsP(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }, + "var1", + []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": map[string]interface{}{ + "custom": "value1", + }, + "to": "dynamic", + }, + }, + }), + mustMakeVarsP(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value2", + }, + }, + "var1", + []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": map[string]interface{}{ + "custom": "value2", + }, + "to": "dynamic", + }, + }, + }), + }, + }, + "processors incorrectly a map": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/${var1.name}.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("invalid", transpiler.NewStrVal("value")), + })), + })), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value1.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("invalid", transpiler.NewStrVal("value")), + })), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value2.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("invalid", transpiler.NewStrVal("value")), + })), + })), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVarsP(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }, + "var1", + []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": map[string]interface{}{ + "custom": "value1", + }, + "to": "dynamic", + }, + }, + }), + mustMakeVarsP(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value2", + }, + }, + "var1", + []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": map[string]interface{}{ + "custom": "value2", + }, + "to": "dynamic", + }, + }, + }), + }, + }, } for name, test := range testcases { diff --git a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go index beab1b253d6..080b5efcb69 100644 --- a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go @@ -49,7 +49,7 @@ func TestEnroll(t *testing.T) { t.Run("fail to save is propagated", withTLSServer( func(t *testing.T) *http.ServeMux { mux := http.NewServeMux() - mux.HandleFunc("/api/ingest_manager/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/api/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) w.Write([]byte(` { @@ -102,7 +102,7 @@ func TestEnroll(t *testing.T) { t.Run("successfully enroll with TLS and save access api key in the store", withTLSServer( func(t *testing.T) *http.ServeMux { mux := http.NewServeMux() - mux.HandleFunc("/api/ingest_manager/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/api/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) w.Write([]byte(` { @@ -163,7 +163,7 @@ func TestEnroll(t *testing.T) { t.Run("successfully enroll when a slash is defined at the end of host", withServer( func(t *testing.T) *http.ServeMux { mux := http.NewServeMux() - mux.HandleFunc("/api/ingest_manager/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/api/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) w.Write([]byte(` { @@ -223,7 +223,7 @@ func TestEnroll(t *testing.T) { t.Run("successfully enroll without TLS and save access api key in the store", withServer( func(t *testing.T) *http.ServeMux { mux := http.NewServeMux() - mux.HandleFunc("/api/ingest_manager/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/api/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) w.Write([]byte(` { @@ -283,7 +283,7 @@ func TestEnroll(t *testing.T) { t.Run("fail to enroll without TLS", withServer( func(t *testing.T) *http.ServeMux { mux := http.NewServeMux() - mux.HandleFunc("/api/ingest_manager/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/api/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusInternalServerError) w.Write([]byte(` { diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go index 3a6a7843b72..4f9e753ba94 100644 --- a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go @@ -5,7 +5,6 @@ package filters import ( - "fmt" "strings" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" @@ -47,11 +46,7 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if nsNode, found := inputNode.Find("data_stream.namespace"); found { nsKey, ok := nsNode.(*transpiler.Key) if ok { - newNamespace := nsKey.Value().(transpiler.Node).String() - if !isValid(newNamespace) { - return ErrInvalidNamespace - } - namespace = newNamespace + namespace = nsKey.Value().(transpiler.Node).String() } } else { dsNode, found := inputNode.Find("data_stream") @@ -63,17 +58,17 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if found { nsKey, ok := nsNode.(*transpiler.Key) if ok { - newNamespace := nsKey.Value().(transpiler.Node).String() - if !isValid(newNamespace) { - return ErrInvalidNamespace - } - namespace = newNamespace + namespace = nsKey.Value().(transpiler.Node).String() } } } } } + if !matchesNamespaceContraints(namespace) { + return ErrInvalidNamespace + } + // get the type, longest type for now is metrics datasetType := "metrics" if nsNode, found := inputNode.Find("data_stream.type"); found { @@ -100,6 +95,10 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { } } + if !matchesTypeConstraints(datasetType) { + return ErrInvalidIndex + } + streamsNode, ok := inputNode.Find("streams") if ok { streamsList, ok := streamsNode.Value().(*transpiler.List) @@ -119,11 +118,8 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if dsNameNode, found := streamMap.Find("data_stream.dataset"); found { dsKey, ok := dsNameNode.(*transpiler.Key) if ok { - newDataset := dsKey.Value().(transpiler.Node).String() - if !isValid(newDataset) { - return ErrInvalidDataset - } - datasetName = newDataset + datasetName = dsKey.Value().(transpiler.Node).String() + break } } else { datasetNode, found := streamMap.Find("data_stream") @@ -137,11 +133,8 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if found { dsKey, ok := dsNameNode.(*transpiler.Key) if ok { - newDataset := dsKey.Value().(transpiler.Node).String() - if !isValid(newDataset) { - return ErrInvalidDataset - } - datasetName = newDataset + datasetName = dsKey.Value().(transpiler.Node).String() + break } } } @@ -149,49 +142,65 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { } } } - - if indexName := fmt.Sprintf("%s-%s-%s", datasetType, datasetName, namespace); !matchesIndexContraints(indexName) { - return ErrInvalidIndex + if !matchesDatasetConstraints(datasetName) { + return ErrInvalidDataset } } return nil } -// The only two requirement are that it has only characters allowed in an Elasticsearch index name -// and does NOT contain a `-`. -func isValid(namespace string) bool { - return matchesIndexContraints(namespace) && !strings.Contains(namespace, "-") -} - // The only two requirement are that it has only characters allowed in an Elasticsearch index name // Index names must meet the following criteria: +// Not longer than 100 bytes // Lowercase only // Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +func matchesNamespaceContraints(namespace string) bool { + // length restriction is in bytes, not characters + if len(namespace) <= 0 || len(namespace) > 100 { + return false + } + + return isCharactersetValid(namespace) +} + +// matchesTypeConstraints fails for following rules. As type is first element of resulting index prefix restrictions need to be applied. +// Not longer than 20 bytes +// Lowercase only // Cannot start with -, _, + -// Cannot be . or .. -func matchesIndexContraints(namespace string) bool { - // Cannot be . or .. - if namespace == "." || namespace == ".." { +// Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +func matchesTypeConstraints(dsType string) bool { + // length restriction is in bytes, not characters + if len(dsType) <= 0 || len(dsType) > 20 { return false } - if len(namespace) <= 0 || len(namespace) > 255 { + if strings.HasPrefix(dsType, "-") || strings.HasPrefix(dsType, "_") || strings.HasPrefix(dsType, "+") { return false } - // Lowercase only - if strings.ToLower(namespace) != namespace { + return isCharactersetValid(dsType) +} + +// matchesDatasetConstraints fails for following rules +// Not longer than 100 bytes +// Lowercase only +// Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +func matchesDatasetConstraints(dataset string) bool { + // length restriction is in bytes, not characters + if len(dataset) <= 0 || len(dataset) > 100 { return false } - // Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # - if strings.ContainsAny(namespace, "\\/*?\"<>| ,#") { + return isCharactersetValid(dataset) +} + +func isCharactersetValid(input string) bool { + if strings.ToLower(input) != input { return false } - // Cannot start with -, _, + - if strings.HasPrefix(namespace, "-") || strings.HasPrefix(namespace, "_") || strings.HasPrefix(namespace, "+") { + if strings.ContainsAny(input, "\\/*?\"<>| ,#:") { return false } diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go index 1daa14a1ad6..5750734c477 100644 --- a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go @@ -93,25 +93,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidDataset, }, - - { - name: "dataset invalid dot - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"data_stream.dataset": "."}}}, - }, - }, - result: ErrInvalidDataset, - }, - { - name: "dataset invalid dotdot- compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"data_stream.dataset": ".."}}}, - }, - }, - result: ErrInvalidDataset, - }, { name: "dataset invalid uppercase - compact", configMap: map[string]interface{}{ @@ -139,16 +120,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidDataset, }, - { - name: "dataset invalid invalid prefix- compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"data_stream.dataset": "_isthisvalid"}}}, - }, - }, - result: ErrInvalidDataset, - }, - { name: "namespace invalid - compact", configMap: map[string]interface{}{ @@ -156,22 +127,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidNamespace, }, - { - name: "namespace invalid name 1 - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"data_stream.namespace": "."}, - }, - }, - result: ErrInvalidNamespace, - }, - { - name: "namespace invalid name 2 - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"data_stream.namespace": ".."}}, - }, - result: ErrInvalidNamespace, - }, { name: "namespace invalid name uppercase - compact", configMap: map[string]interface{}{ @@ -193,13 +148,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidNamespace, }, - { - name: "namespace invalid name invalid prefix - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"data_stream.namespace": "+isitok"}}, - }, - result: ErrInvalidNamespace, - }, { name: "namespace invalid - long", configMap: map[string]interface{}{ @@ -274,6 +222,33 @@ func TestStreamCheck(t *testing.T) { }, result: nil, }, + { + name: "type invalid prefix _", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "_type"}, + }, + }, + result: ErrInvalidIndex, + }, + { + name: "type invalid prefix -", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "-type"}, + }, + }, + result: ErrInvalidIndex, + }, + { + name: "type invalid prefix +", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "+type"}, + }, + }, + result: ErrInvalidIndex, + }, } log, err := logger.New("") diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_acker.go b/x-pack/elastic-agent/pkg/agent/application/fleet_acker.go index ba324f2d7de..4544fa8a772 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_acker.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_acker.go @@ -39,6 +39,10 @@ func newActionAcker( }, nil } +func (f *actionAcker) SetClient(client clienter) { + f.client = client +} + func (f *actionAcker) Ack(ctx context.Context, action fleetapi.Action) error { // checkin agentID := f.agentInfo.AgentID() diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go index 4bb9d2e6280..21e7bfd4589 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go @@ -253,3 +253,7 @@ func (f *fleetGateway) stop() { close(f.done) f.wg.Wait() } + +func (f *fleetGateway) SetClient(client clienter) { + f.client = client +} diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go index bd9037416dc..cfcd1f46994 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go @@ -208,10 +208,10 @@ func TestFleetGateway(t *testing.T) { { "actions": [ { - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "id": "id1", "data": { - "config": { + "policy": { "id": "policy-id" } } diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go index 34fd5716980..8821700ee74 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go @@ -5,35 +5,138 @@ package application import ( + "bytes" "context" "fmt" + "io" + "sort" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + + "gopkg.in/yaml.v2" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/kibana" ) -type handlerConfigChange struct { - log *logger.Logger - emitter emitterFunc +type clientSetter interface { + SetClient(clienter) } -func (h *handlerConfigChange) Handle(ctx context.Context, a action, acker fleetAcker) error { - h.log.Debugf("handlerConfigChange: action '%+v' received", a) - action, ok := a.(*fleetapi.ActionConfigChange) +type handlerPolicyChange struct { + log *logger.Logger + emitter emitterFunc + agentInfo *info.AgentInfo + config *configuration.Configuration + store storage.Store + setters []clientSetter +} + +func (h *handlerPolicyChange) Handle(ctx context.Context, a action, acker fleetAcker) error { + h.log.Debugf("handlerPolicyChange: action '%+v' received", a) + action, ok := a.(*fleetapi.ActionPolicyChange) if !ok { - return fmt.Errorf("invalid type, expected ActionConfigChange and received %T", a) + return fmt.Errorf("invalid type, expected ActionPolicyChange and received %T", a) } - c, err := LoadConfig(action.Config) + c, err := LoadConfig(action.Policy) if err != nil { return errors.New(err, "could not parse the configuration from the policy", errors.TypeConfig) } - h.log.Debugf("handlerConfigChange: emit configuration for action %+v", a) + h.log.Debugf("handlerPolicyChange: emit configuration for action %+v", a) + err = h.handleKibanaHosts(c) + if err != nil { + return err + } if err := h.emitter(c); err != nil { return err } return acker.Ack(ctx, action) } + +func (h *handlerPolicyChange) handleKibanaHosts(c *config.Config) (err error) { + cfg, err := configuration.NewFromConfig(c) + if err != nil { + return errors.New(err, "could not parse the configuration from the policy", errors.TypeConfig) + } + if kibanaEqual(h.config.Fleet.Kibana, cfg.Fleet.Kibana) { + // already the same hosts + return nil + } + + // only set protocol/hosts as that is all Fleet currently sends + prevProtocol := h.config.Fleet.Kibana.Protocol + prevHosts := h.config.Fleet.Kibana.Hosts + h.config.Fleet.Kibana.Protocol = cfg.Fleet.Kibana.Protocol + h.config.Fleet.Kibana.Hosts = cfg.Fleet.Kibana.Hosts + + // rollback on failure + defer func() { + if err != nil { + h.config.Fleet.Kibana.Protocol = prevProtocol + h.config.Fleet.Kibana.Hosts = prevHosts + } + }() + + client, err := fleetapi.NewAuthWithConfig(h.log, h.config.Fleet.AccessAPIKey, h.config.Fleet.Kibana) + if err != nil { + return errors.New( + err, "fail to create API client with updated hosts", + errors.TypeNetwork, errors.M("hosts", h.config.Fleet.Kibana.Hosts)) + } + reader, err := fleetToReader(h.agentInfo, h.config) + if err != nil { + return errors.New( + err, "fail to persist updated API client hosts", + errors.TypeUnexpected, errors.M("hosts", h.config.Fleet.Kibana.Hosts)) + } + err = h.store.Save(reader) + if err != nil { + return errors.New( + err, "fail to persist updated API client hosts", + errors.TypeFilesystem, errors.M("hosts", h.config.Fleet.Kibana.Hosts)) + } + for _, setter := range h.setters { + setter.SetClient(client) + } + return nil +} + +func kibanaEqual(k1 *kibana.Config, k2 *kibana.Config) bool { + if k1.Protocol != k2.Protocol { + return false + } + + sort.Strings(k1.Hosts) + sort.Strings(k2.Hosts) + if len(k1.Hosts) != len(k2.Hosts) { + return false + } + for i, v := range k1.Hosts { + if v != k2.Hosts[i] { + return false + } + } + return true +} + +func fleetToReader(agentInfo *info.AgentInfo, cfg *configuration.Configuration) (io.Reader, error) { + configToStore := map[string]interface{}{ + "fleet": cfg.Fleet, + "agent": map[string]interface{}{ + "id": agentInfo.AgentID(), + }, + } + data, err := yaml.Marshal(configToStore) + if err != nil { + return nil, err + } + return bytes.NewReader(data), nil +} diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change_test.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change_test.go index b95c259e7c7..c30f886b0d1 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change_test.go @@ -9,6 +9,10 @@ import ( "sync" "testing" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage" + "github.com/pkg/errors" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -31,18 +35,27 @@ func (m *mockEmitter) Emitter(policy *config.Config) error { func TestPolicyChange(t *testing.T) { log, _ := logger.New("") ack := newNoopAcker() + agentInfo, _ := info.NewAgentInfo() + nullStore := &storage.NullStore{} t.Run("Receive a config change and successfully emits a raw configuration", func(t *testing.T) { emitter := &mockEmitter{} conf := map[string]interface{}{"hello": "world"} - action := &fleetapi.ActionConfigChange{ + action := &fleetapi.ActionPolicyChange{ ActionID: "abc123", - ActionType: "CONFIG_CHANGE", - Config: conf, + ActionType: "POLICY_CHANGE", + Policy: conf, } - handler := &handlerConfigChange{log: log, emitter: emitter.Emitter} + cfg := configuration.DefaultConfiguration() + handler := &handlerPolicyChange{ + log: log, + emitter: emitter.Emitter, + agentInfo: agentInfo, + config: cfg, + store: nullStore, + } err := handler.Handle(context.Background(), action, ack) require.NoError(t, err) @@ -54,13 +67,20 @@ func TestPolicyChange(t *testing.T) { emitter := &mockEmitter{err: mockErr} conf := map[string]interface{}{"hello": "world"} - action := &fleetapi.ActionConfigChange{ + action := &fleetapi.ActionPolicyChange{ ActionID: "abc123", - ActionType: "CONFIG_CHANGE", - Config: conf, + ActionType: "POLICY_CHANGE", + Policy: conf, } - handler := &handlerConfigChange{log: log, emitter: emitter.Emitter} + cfg := configuration.DefaultConfiguration() + handler := &handlerPolicyChange{ + log: log, + emitter: emitter.Emitter, + agentInfo: agentInfo, + config: cfg, + store: nullStore, + } err := handler.Handle(context.Background(), action, ack) require.Error(t, err) @@ -69,6 +89,9 @@ func TestPolicyChange(t *testing.T) { func TestPolicyAcked(t *testing.T) { log, _ := logger.New("") + agentInfo, _ := info.NewAgentInfo() + nullStore := &storage.NullStore{} + t.Run("Config change should not ACK on error", func(t *testing.T) { tacker := &testAcker{} @@ -77,13 +100,20 @@ func TestPolicyAcked(t *testing.T) { config := map[string]interface{}{"hello": "world"} actionID := "abc123" - action := &fleetapi.ActionConfigChange{ + action := &fleetapi.ActionPolicyChange{ ActionID: actionID, - ActionType: "CONFIG_CHANGE", - Config: config, + ActionType: "POLICY_CHANGE", + Policy: config, } - handler := &handlerConfigChange{log: log, emitter: emitter.Emitter} + cfg := configuration.DefaultConfiguration() + handler := &handlerPolicyChange{ + log: log, + emitter: emitter.Emitter, + agentInfo: agentInfo, + config: cfg, + store: nullStore, + } err := handler.Handle(context.Background(), action, tacker) require.Error(t, err) @@ -99,13 +129,20 @@ func TestPolicyAcked(t *testing.T) { config := map[string]interface{}{"hello": "world"} actionID := "abc123" - action := &fleetapi.ActionConfigChange{ + action := &fleetapi.ActionPolicyChange{ ActionID: actionID, - ActionType: "CONFIG_CHANGE", - Config: config, + ActionType: "POLICY_CHANGE", + Policy: config, } - handler := &handlerConfigChange{log: log, emitter: emitter.Emitter} + cfg := configuration.DefaultConfiguration() + handler := &handlerPolicyChange{ + log: log, + emitter: emitter.Emitter, + agentInfo: agentInfo, + config: cfg, + store: nullStore, + } err := handler.Handle(context.Background(), action, tacker) require.NoError(t, err) diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go index 4d0026d4d79..a4940cfe55b 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go @@ -27,5 +27,21 @@ func (h *handlerUpgrade) Handle(ctx context.Context, a action, acker fleetAcker) return fmt.Errorf("invalid type, expected ActionUpgrade and received %T", a) } - return h.upgrader.Upgrade(ctx, action) + return h.upgrader.Upgrade(ctx, &upgradeAction{action}, true) +} + +type upgradeAction struct { + *fleetapi.ActionUpgrade +} + +func (a *upgradeAction) Version() string { + return a.ActionUpgrade.Version +} + +func (a *upgradeAction) SourceURI() string { + return a.ActionUpgrade.SourceURI +} + +func (a *upgradeAction) FleetAction() *fleetapi.ActionUpgrade { + return a.ActionUpgrade } diff --git a/x-pack/elastic-agent/pkg/agent/application/info/agent_info.go b/x-pack/elastic-agent/pkg/agent/application/info/agent_info.go index e990b83bd49..b0abbe19e64 100644 --- a/x-pack/elastic-agent/pkg/agent/application/info/agent_info.go +++ b/x-pack/elastic-agent/pkg/agent/application/info/agent_info.go @@ -4,6 +4,8 @@ package info +import "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" + // AgentInfo is a collection of information about agent. type AgentInfo struct { agentID string @@ -44,3 +46,13 @@ func ForceNewAgentInfo() (*AgentInfo, error) { func (i *AgentInfo) AgentID() string { return i.agentID } + +// Version returns the version for this Agent. +func (*AgentInfo) Version() string { + return release.Version() +} + +// Snapshot returns if this version is a snapshot. +func (*AgentInfo) Snapshot() bool { + return release.Snapshot() +} diff --git a/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go b/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go index c98f9b8e015..c5712646cfb 100644 --- a/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go +++ b/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go @@ -10,6 +10,7 @@ import ( "runtime" "strings" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" "github.com/elastic/go-sysinfo" "github.com/elastic/go-sysinfo/types" @@ -33,6 +34,12 @@ type AgentECSMeta struct { ID string `json:"id"` // Version specifies current version of an agent. Version string `json:"version"` + // Snapshot is a flag specifying that the agent used is a snapshot build. + Snapshot bool `json:"snapshot"` + // BuildOriginal is an extended build information for the agent. + BuildOriginal string `json:"build.original"` + // Upgradeable is a flag specifying if it is possible for agent to be upgraded. + Upgradeable bool `json:"upgradeable"` } // SystemECSMeta is a collection of operating system metadata in ECS compliant object form. @@ -126,8 +133,13 @@ func (i *AgentInfo) ECSMetadata() (*ECSMeta, error) { return &ECSMeta{ Elastic: &ElasticECSMeta{ Agent: &AgentECSMeta{ - ID: i.agentID, - Version: release.Version(), + ID: i.agentID, + Version: release.Version(), + Snapshot: release.Snapshot(), + BuildOriginal: release.Info().String(), + // only upgradeable if running from Agent installer and running under the + // control of the system supervisor (or built specifically with upgrading enabled) + Upgradeable: release.Upgradeable() || (install.RunningInstalled() && install.RunningUnderSupervisor()), }, }, Host: &HostECSMeta{ diff --git a/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go index 2c53fc62bf2..edf1ad8cdf2 100644 --- a/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go @@ -106,13 +106,13 @@ func loadFleetConfig(cfg *config.Config) (map[string]interface{}, error) { } for _, c := range as.Actions() { - cfgChange, ok := c.(*fleetapi.ActionConfigChange) + cfgChange, ok := c.(*fleetapi.ActionPolicyChange) if !ok { continue } fmt.Println("Action ID:", cfgChange.ID()) - return cfgChange.Config, nil + return cfgChange.Policy, nil } return nil, nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go b/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go index 8f648887d10..bb319ce1569 100644 --- a/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go @@ -8,11 +8,12 @@ import ( "context" "fmt" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" - "github.com/elastic/beats/v7/libbeat/logp" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" @@ -37,14 +38,19 @@ func NewInspectOutputCmd(configPath, output, program string) (*InspectOutputCmd, // Execute tries to enroll the agent into Fleet. func (c *InspectOutputCmd) Execute() error { + agentInfo, err := info.NewAgentInfo() + if err != nil { + return err + } + if c.output == "" { - return c.inspectOutputs() + return c.inspectOutputs(agentInfo) } - return c.inspectOutput() + return c.inspectOutput(agentInfo) } -func (c *InspectOutputCmd) inspectOutputs() error { +func (c *InspectOutputCmd) inspectOutputs(agentInfo *info.AgentInfo) error { rawConfig, err := loadConfig(c.cfgPath) if err != nil { return err @@ -61,7 +67,7 @@ func (c *InspectOutputCmd) inspectOutputs() error { } if isStandalone(cfg.Fleet) { - return listOutputsFromConfig(l, rawConfig) + return listOutputsFromConfig(l, agentInfo, rawConfig) } fleetConfig, err := loadFleetConfig(rawConfig) @@ -71,11 +77,11 @@ func (c *InspectOutputCmd) inspectOutputs() error { return fmt.Errorf("no fleet config retrieved yet") } - return listOutputsFromMap(l, fleetConfig) + return listOutputsFromMap(l, agentInfo, fleetConfig) } -func listOutputsFromConfig(log *logger.Logger, cfg *config.Config) error { - programsGroup, err := getProgramsFromConfig(log, cfg) +func listOutputsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *config.Config) error { + programsGroup, err := getProgramsFromConfig(log, agentInfo, cfg) if err != nil { return err @@ -88,16 +94,16 @@ func listOutputsFromConfig(log *logger.Logger, cfg *config.Config) error { return nil } -func listOutputsFromMap(log *logger.Logger, cfg map[string]interface{}) error { +func listOutputsFromMap(log *logger.Logger, agentInfo *info.AgentInfo, cfg map[string]interface{}) error { c, err := config.NewConfigFrom(cfg) if err != nil { return err } - return listOutputsFromConfig(log, c) + return listOutputsFromConfig(log, agentInfo, c) } -func (c *InspectOutputCmd) inspectOutput() error { +func (c *InspectOutputCmd) inspectOutput(agentInfo *info.AgentInfo) error { rawConfig, err := loadConfig(c.cfgPath) if err != nil { return err @@ -114,7 +120,7 @@ func (c *InspectOutputCmd) inspectOutput() error { } if isStandalone(cfg.Fleet) { - return printOutputFromConfig(l, c.output, c.program, rawConfig) + return printOutputFromConfig(l, agentInfo, c.output, c.program, rawConfig) } fleetConfig, err := loadFleetConfig(rawConfig) @@ -124,11 +130,11 @@ func (c *InspectOutputCmd) inspectOutput() error { return fmt.Errorf("no fleet config retrieved yet") } - return printOutputFromMap(l, c.output, c.program, fleetConfig) + return printOutputFromMap(l, agentInfo, c.output, c.program, fleetConfig) } -func printOutputFromConfig(log *logger.Logger, output, programName string, cfg *config.Config) error { - programsGroup, err := getProgramsFromConfig(log, cfg) +func printOutputFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, output, programName string, cfg *config.Config) error { + programsGroup, err := getProgramsFromConfig(log, agentInfo, cfg) if err != nil { return err @@ -164,16 +170,16 @@ func printOutputFromConfig(log *logger.Logger, output, programName string, cfg * } -func printOutputFromMap(log *logger.Logger, output, programName string, cfg map[string]interface{}) error { +func printOutputFromMap(log *logger.Logger, agentInfo *info.AgentInfo, output, programName string, cfg map[string]interface{}) error { c, err := config.NewConfigFrom(cfg) if err != nil { return err } - return printOutputFromConfig(log, output, programName, c) + return printOutputFromConfig(log, agentInfo, output, programName, c) } -func getProgramsFromConfig(log *logger.Logger, cfg *config.Config) (map[string][]program.Program, error) { +func getProgramsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *config.Config) (map[string][]program.Program, error) { monitor := noop.NewMonitor() router := &inmemRouter{} ctx, cancel := context.WithCancel(context.Background()) @@ -186,6 +192,7 @@ func getProgramsFromConfig(log *logger.Logger, cfg *config.Config) (map[string][ emit, err := emitter( ctx, log, + agentInfo, composableWaiter, router, &configModifiers{ diff --git a/x-pack/elastic-agent/pkg/agent/application/local_mode.go b/x-pack/elastic-agent/pkg/agent/application/local_mode.go index 5559089404e..b58e260cab6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/local_mode.go +++ b/x-pack/elastic-agent/pkg/agent/application/local_mode.go @@ -9,6 +9,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" @@ -60,6 +61,8 @@ func newLocal( log *logger.Logger, pathConfigFile string, rawConfig *config.Config, + reexec reexecManager, + uc upgraderControl, ) (*Local, error) { cfg, err := configuration.NewFromConfig(rawConfig) if err != nil { @@ -112,6 +115,7 @@ func newLocal( emit, err := emitter( localApplication.bgContext, log, + agentInfo, composableCtrl, router, &configModifiers{ @@ -135,6 +139,17 @@ func newLocal( localApplication.source = cfgSource + // create a upgrader to use in local mode + upgrader := upgrade.NewUpgrader( + agentInfo, + cfg.Settings.DownloadConfig, + log, + []context.CancelFunc{localApplication.cancelCtxFn}, + reexec, + newNoopAcker(), + reporter) + uc.SetUpgrader(upgrader) + return localApplication, nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go index a4e4bf92379..e38685741c3 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go @@ -168,6 +168,7 @@ func newManaged( emit, err := emitter( managedApplication.bgContext, log, + agentInfo, composableCtrl, router, &configModifiers{ @@ -200,18 +201,25 @@ func newManaged( } managedApplication.upgrader = upgrade.NewUpgrader( + agentInfo, cfg.Settings.DownloadConfig, log, []context.CancelFunc{managedApplication.cancelCtxFn}, reexec, - acker) + acker, + combinedReporter) + policyChanger := &handlerPolicyChange{ + log: log, + emitter: emit, + agentInfo: agentInfo, + config: cfg, + store: store, + setters: []clientSetter{acker}, + } actionDispatcher.MustRegister( - &fleetapi.ActionConfigChange{}, - &handlerConfigChange{ - log: log, - emitter: emit, - }, + &fleetapi.ActionPolicyChange{}, + policyChanger, ) actionDispatcher.MustRegister( @@ -261,6 +269,9 @@ func newManaged( if err != nil { return nil, err } + // add the gateway to setters, so the gateway can be updated + // when the hosts for Kibana are updated by the policy. + policyChanger.setters = append(policyChanger.setters, gateway) managedApplication.gateway = gateway return managedApplication, nil diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go index 9b51016a126..4325c5ce7a6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go @@ -9,10 +9,14 @@ import ( "encoding/json" "testing" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" @@ -32,18 +36,24 @@ func TestManagedModeRouting(t *testing.T) { log, _ := logger.New("") router, _ := newRouter(log, streamFn) + agentInfo, _ := info.NewAgentInfo() + nullStore := &storage.NullStore{} composableCtrl, _ := composable.New(log, nil) - emit, err := emitter(ctx, log, composableCtrl, router, &configModifiers{Decorators: []decoratorFunc{injectMonitoring}}) + emit, err := emitter(ctx, log, agentInfo, composableCtrl, router, &configModifiers{Decorators: []decoratorFunc{injectMonitoring}}) require.NoError(t, err) actionDispatcher, err := newActionDispatcher(ctx, log, &handlerDefault{log: log}) require.NoError(t, err) + cfg := configuration.DefaultConfiguration() actionDispatcher.MustRegister( - &fleetapi.ActionConfigChange{}, - &handlerConfigChange{ - log: log, - emitter: emit, + &fleetapi.ActionPolicyChange{}, + &handlerPolicyChange{ + log: log, + emitter: emit, + agentInfo: agentInfo, + config: cfg, + store: nullStore, }, ) @@ -100,9 +110,9 @@ const fleetResponse = ` "action": "checkin", "actions": [{ "agent_id": "17e93530-7f42-11ea-9330-71e968b29fa4", - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "data": { - "config": { + "policy": { "id": "86561d50-7f3b-11ea-9fab-3db3bdb4efa4", "outputs": { "default": { diff --git a/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator.go b/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator.go index 2b04126381b..3fc49ef17d3 100644 --- a/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator.go +++ b/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator.go @@ -7,6 +7,7 @@ package application import ( "fmt" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" ) @@ -28,7 +29,7 @@ const ( defaultOutputName = "default" ) -func injectMonitoring(outputGroup string, rootAst *transpiler.AST, programsToRun []program.Program) ([]program.Program, error) { +func injectMonitoring(agentInfo *info.AgentInfo, outputGroup string, rootAst *transpiler.AST, programsToRun []program.Program) ([]program.Program, error) { var err error monitoringProgram := program.Program{ Spec: program.Spec{ @@ -63,7 +64,7 @@ func injectMonitoring(outputGroup string, rootAst *transpiler.AST, programsToRun } ast := rootAst.Clone() - if err := getMonitoringRule(monitoringOutputName).Apply(ast); err != nil { + if err := getMonitoringRule(monitoringOutputName).Apply(agentInfo, ast); err != nil { return programsToRun, err } @@ -93,6 +94,7 @@ func getMonitoringRule(outputName string) *transpiler.RuleList { return transpiler.NewRuleList( transpiler.Copy(monitoringOutputSelector, outputKey), transpiler.Rename(fmt.Sprintf("%s.%s", outputsKey, outputName), elasticsearchKey), + transpiler.InjectAgentInfo(), transpiler.Filter(monitoringKey, programsKey, outputKey), ) } diff --git a/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator_test.go b/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator_test.go index f50bb74d5e8..6a3be4100be 100644 --- a/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator_test.go @@ -7,17 +7,22 @@ package application import ( "testing" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" ) func TestMonitoringInjection(t *testing.T) { + agentInfo, err := info.NewAgentInfo() + if err != nil { + t.Fatal(err) + } ast, err := transpiler.NewAST(inputConfigMap) if err != nil { t.Fatal(err) } - programsToRun, err := program.Programs(ast) + programsToRun, err := program.Programs(agentInfo, ast) if err != nil { t.Fatal(err) } @@ -25,7 +30,7 @@ func TestMonitoringInjection(t *testing.T) { GROUPLOOP: for group, ptr := range programsToRun { programsCount := len(ptr) - newPtr, err := injectMonitoring(group, ast, ptr) + newPtr, err := injectMonitoring(agentInfo, group, ast, ptr) if err != nil { t.Error(err) continue GROUPLOOP @@ -83,12 +88,16 @@ GROUPLOOP: } func TestMonitoringInjectionDefaults(t *testing.T) { + agentInfo, err := info.NewAgentInfo() + if err != nil { + t.Fatal(err) + } ast, err := transpiler.NewAST(inputConfigMapDefaults) if err != nil { t.Fatal(err) } - programsToRun, err := program.Programs(ast) + programsToRun, err := program.Programs(agentInfo, ast) if err != nil { t.Fatal(err) } @@ -96,7 +105,7 @@ func TestMonitoringInjectionDefaults(t *testing.T) { GROUPLOOP: for group, ptr := range programsToRun { programsCount := len(ptr) - newPtr, err := injectMonitoring(group, ast, ptr) + newPtr, err := injectMonitoring(agentInfo, group, ast, ptr) if err != nil { t.Error(err) continue GROUPLOOP @@ -154,12 +163,16 @@ GROUPLOOP: } func TestMonitoringInjectionDisabled(t *testing.T) { + agentInfo, err := info.NewAgentInfo() + if err != nil { + t.Fatal(err) + } ast, err := transpiler.NewAST(inputConfigMapDisabled) if err != nil { t.Fatal(err) } - programsToRun, err := program.Programs(ast) + programsToRun, err := program.Programs(agentInfo, ast) if err != nil { t.Fatal(err) } @@ -167,7 +180,7 @@ func TestMonitoringInjectionDisabled(t *testing.T) { GROUPLOOP: for group, ptr := range programsToRun { programsCount := len(ptr) - newPtr, err := injectMonitoring(group, ast, ptr) + newPtr, err := injectMonitoring(agentInfo, group, ast, ptr) if err != nil { t.Error(err) continue GROUPLOOP diff --git a/x-pack/elastic-agent/pkg/agent/application/paths/paths.go b/x-pack/elastic-agent/pkg/agent/application/paths/paths.go index 48544ec7593..b646f3796ba 100644 --- a/x-pack/elastic-agent/pkg/agent/application/paths/paths.go +++ b/x-pack/elastic-agent/pkg/agent/application/paths/paths.go @@ -6,121 +6,87 @@ package paths import ( "flag" + "fmt" "os" "path/filepath" - "runtime" - "sync" + "strings" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) var ( - homePath string - configPath string - dataPath string - logsPath string - serviceName string - - overridesLoader sync.Once + topPath string + configPath string + logsPath string ) func init() { - initialHome := initialHome() + topPath = initialTop() + configPath = topPath + logsPath = topPath fs := flag.CommandLine - fs.StringVar(&homePath, "path.home", initialHome, "Agent root path") - fs.StringVar(&configPath, "path.config", initialHome, "Config path is the directory Agent looks for its config file") - fs.StringVar(&dataPath, "path.data", filepath.Join(initialHome, "data"), "Data path contains Agent managed binaries") - fs.StringVar(&logsPath, "path.logs", initialHome, "Logs path contains Agent log output") + fs.StringVar(&topPath, "path.home", topPath, "Agent root path") + fs.StringVar(&configPath, "path.config", configPath, "Config path is the directory Agent looks for its config file") + fs.StringVar(&logsPath, "path.logs", logsPath, "Logs path contains Agent log output") } -// UpdatePaths update paths based on changes in paths file. -func UpdatePaths() { - getOverrides() -} - -func getOverrides() { - type paths struct { - HomePath string `config:"path.home" yaml:"path.home"` - ConfigPath string `config:"path.config" yaml:"path.config"` - DataPath string `config:"path.data" yaml:"path.data"` - LogsPath string `config:"path.logs" yaml:"path.logs"` - ServiceName string `config:"path.service_name" yaml:"path.service_name"` - } - - defaults := &paths{ - HomePath: homePath, - ConfigPath: configPath, - DataPath: dataPath, - LogsPath: logsPath, - } - - pathsFile := filepath.Join(dataPath, "paths.yml") - rawConfig, err := config.LoadYAML(pathsFile) - if err != nil { - return - } - - rawConfig.Unpack(defaults) - homePath = defaults.HomePath - configPath = defaults.ConfigPath - dataPath = defaults.DataPath - logsPath = defaults.LogsPath - serviceName = defaults.ServiceName -} - -// ServiceName return predefined service name if defined by initial call. -func ServiceName() string { - // needs to do this at this place because otherwise it will - // get overwritten by flags behavior. - overridesLoader.Do(getOverrides) - return serviceName +// Top returns the top directory for Elastic Agent, all the versioned +// home directories live under this top-level/data/elastic-agent-${hash} +func Top() string { + return topPath } // Home returns a directory where binary lives -// Executable is not supported on nacl. func Home() string { - overridesLoader.Do(getOverrides) - return homePath + return versionedHome(topPath) } // Config returns a directory where configuration file lives func Config() string { - overridesLoader.Do(getOverrides) return configPath } // Data returns the data directory for Agent func Data() string { - overridesLoader.Do(getOverrides) - return dataPath + return filepath.Join(Top(), "data") } // Logs returns a the log directory for Agent func Logs() string { - overridesLoader.Do(getOverrides) return logsPath } +// initialTop returns the initial top-level path for the binary +// +// When nested in top-level/data/elastic-agent-${hash}/ the result is top-level/. +func initialTop() string { + exePath := retrieveExecutablePath() + if insideData(exePath) { + return filepath.Dir(filepath.Dir(exePath)) + } + return exePath +} + +// retrieveExecutablePath returns the executing binary, even if the started binary was a symlink func retrieveExecutablePath() string { execPath, err := os.Executable() if err != nil { panic(err) } - evalPath, err := filepath.EvalSymlinks(execPath) if err != nil { panic(err) } - return filepath.Dir(evalPath) } -func initialHome() string { - exePath := retrieveExecutablePath() - if runtime.GOOS == "windows" { - return exePath - } +// insideData returns true when the exePath is inside of the current Agents data path. +func insideData(exePath string) bool { + expectedPath := filepath.Join("data", fmt.Sprintf("elastic-agent-%s", release.ShortCommit())) + return strings.HasSuffix(exePath, expectedPath) +} - return filepath.Dir(filepath.Dir(exePath)) // is two level up the executable (symlink evaluated) +func versionedHome(base string) string { + return filepath.Join(base, "data", fmt.Sprintf("elastic-agent-%s", release.ShortCommit())) } diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go index 28e93949fbf..3aea96da0ab 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go @@ -6,6 +6,7 @@ package upgrade import ( "context" + "strings" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" downloader "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download/localremote" @@ -16,7 +17,13 @@ func (u *Upgrader) downloadArtifact(ctx context.Context, version, sourceURI stri // do not update source config settings := *u.settings if sourceURI != "" { - settings.SourceURI = sourceURI + if strings.HasPrefix(sourceURI, "file://") { + // update the DropPath so the fs.Downloader can download from this + // path instead of looking into the installed downloads directory + settings.DropPath = strings.TrimPrefix(sourceURI, "file://") + } else { + settings.SourceURI = sourceURI + } } allowEmptyPgp, pgp := release.PGP() @@ -31,7 +38,7 @@ func (u *Upgrader) downloadArtifact(ctx context.Context, version, sourceURI stri return "", errors.New(err, "failed upgrade of agent binary") } - matches, err := verifier.Verify(agentName, version) + matches, err := verifier.Verify(agentName, version, agentArtifactName, true) if err != nil { return "", errors.New(err, "failed verification of agent binary") } diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go index 0d8253bb9ca..8d03fec3ff6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go @@ -6,11 +6,8 @@ package upgrade import ( "context" - "fmt" "io/ioutil" - "os" "path/filepath" - "runtime" "time" "gopkg.in/yaml.v2" @@ -40,11 +37,7 @@ type updateMarker struct { } // markUpgrade marks update happened so we can handle grace period -func (h *Upgrader) markUpgrade(ctx context.Context, hash string, action *fleetapi.ActionUpgrade) error { - if err := updateHomePath(hash); err != nil { - return err - } - +func (h *Upgrader) markUpgrade(ctx context.Context, hash string, action Action) error { prevVersion := release.Version() prevHash := release.Commit() if len(prevHash) > hashLen { @@ -56,7 +49,7 @@ func (h *Upgrader) markUpgrade(ctx context.Context, hash string, action *fleetap UpdatedOn: time.Now(), PrevVersion: prevVersion, PrevHash: prevHash, - Action: action, + Action: action.FleetAction(), } markerBytes, err := yaml.Marshal(marker) @@ -69,55 +62,10 @@ func (h *Upgrader) markUpgrade(ctx context.Context, hash string, action *fleetap return errors.New(err, errors.TypeFilesystem, "failed to create update marker file", errors.M(errors.MetaKeyPath, markerPath)) } - activeCommitPath := filepath.Join(paths.Config(), agentCommitFile) + activeCommitPath := filepath.Join(paths.Top(), agentCommitFile) if err := ioutil.WriteFile(activeCommitPath, []byte(hash), 0644); err != nil { return errors.New(err, errors.TypeFilesystem, "failed to update active commit", errors.M(errors.MetaKeyPath, activeCommitPath)) } return nil } - -func updateHomePath(hash string) error { - if err := createPathsSymlink(hash); err != nil { - return errors.New(err, errors.TypeFilesystem, "failed to create paths symlink") - } - - pathsMap := make(map[string]string) - pathsFilepath := filepath.Join(paths.Data(), "paths.yml") - - pathsBytes, err := ioutil.ReadFile(pathsFilepath) - if err != nil { - return errors.New(err, errors.TypeConfig, "failed to read paths file") - } - - if err := yaml.Unmarshal(pathsBytes, &pathsMap); err != nil { - return errors.New(err, errors.TypeConfig, "failed to parse paths file") - } - - pathsMap["path.home"] = filepath.Join(filepath.Dir(paths.Home()), fmt.Sprintf("%s-%s", agentName, hash)) - - pathsBytes, err = yaml.Marshal(pathsMap) - if err != nil { - return errors.New(err, errors.TypeConfig, "failed to marshal paths file") - } - - return ioutil.WriteFile(pathsFilepath, pathsBytes, 0740) -} - -func createPathsSymlink(hash string) error { - // only on windows, as windows resolves PWD using symlinks in a different way. - // we create symlink for each versioned agent inside `data/` directory - // on other systems path is shared - if runtime.GOOS != "windows" { - return nil - } - - dir := filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash)) - versionedPath := filepath.Join(dir, "data", "paths.yml") - if err := os.MkdirAll(filepath.Dir(versionedPath), 0700); err != nil { - return err - } - - pathsCfgPath := filepath.Join(paths.Data(), "paths.yml") - return os.Symlink(pathsCfgPath, versionedPath) -} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go index 48d22de36cf..7cbd78d4849 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go @@ -21,22 +21,22 @@ func (u *Upgrader) changeSymlink(ctx context.Context, newHash string) error { // create symlink to elastic-agent-{hash} hashedDir := fmt.Sprintf("%s-%s", agentName, newHash) - agentBakName := agentName + ".bak" - symlinkPath := filepath.Join(paths.Config(), agentName) - newPath := filepath.Join(paths.Data(), hashedDir, agentName) + agentPrevName := agentName + ".prev" + symlinkPath := filepath.Join(paths.Top(), agentName) + newPath := filepath.Join(paths.Top(), "data", hashedDir, agentName) // handle windows suffixes if runtime.GOOS == "windows" { - agentBakName = agentName + ".exe.back" //.bak is already used + agentPrevName = agentName + ".exe.prev" symlinkPath += ".exe" newPath += ".exe" } - bakNewPath := filepath.Join(paths.Config(), agentBakName) - if err := os.Symlink(newPath, bakNewPath); err != nil { + prevNewPath := filepath.Join(paths.Top(), agentPrevName) + if err := os.Symlink(newPath, prevNewPath); err != nil { return errors.New(err, errors.TypeFilesystem, "failed to update agent symlink") } // safely rotate - return file.SafeFileRotate(symlinkPath, bakNewPath) + return file.SafeFileRotate(symlinkPath, prevNewPath) } diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go index ae3d05edd16..8efb2de2140 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go @@ -23,8 +23,8 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" ) -// untar unpacks archive correctly, skips root (symlink, config...) unpacks data/* -func (u *Upgrader) unpack(ctx context.Context, version, sourceURI, archivePath string) (string, error) { +// unpack unpacks archive correctly, skips root (symlink, config...) unpacks data/* +func (u *Upgrader) unpack(ctx context.Context, version, archivePath string) (string, error) { // unpack must occur in directory that holds the installation directory // or the extraction will be double nested var hash string diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go index 08c38aba8c5..1a21bc154a1 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go @@ -17,8 +17,10 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) @@ -32,11 +34,24 @@ const ( // Upgrader performs an upgrade type Upgrader struct { - settings *artifact.Config - log *logger.Logger - closers []context.CancelFunc - reexec reexecManager - acker acker + agentInfo *info.AgentInfo + settings *artifact.Config + log *logger.Logger + closers []context.CancelFunc + reexec reexecManager + acker acker + reporter stateReporter + upgradeable bool +} + +// Action is the upgrade action state. +type Action interface { + // Version to upgrade to. + Version() string + // SourceURI for download. + SourceURI() string + // FleetAction is the action from fleet that started the action (optional). + FleetAction() *fleetapi.ActionUpgrade } type reexecManager interface { @@ -48,25 +63,55 @@ type acker interface { Commit(ctx context.Context) error } +type stateReporter interface { + OnStateChange(id string, name string, s state.State) +} + // NewUpgrader creates an upgrader which is capable of performing upgrade operation -func NewUpgrader(settings *artifact.Config, log *logger.Logger, closers []context.CancelFunc, reexec reexecManager, a acker) *Upgrader { +func NewUpgrader(agentInfo *info.AgentInfo, settings *artifact.Config, log *logger.Logger, closers []context.CancelFunc, reexec reexecManager, a acker, r stateReporter) *Upgrader { return &Upgrader{ - settings: settings, - log: log, - closers: closers, - reexec: reexec, - acker: a, + agentInfo: agentInfo, + settings: settings, + log: log, + closers: closers, + reexec: reexec, + acker: a, + reporter: r, + upgradeable: getUpgradeable(), } } +// Upgradeable returns true if the Elastic Agent can be upgraded. +func (u *Upgrader) Upgradeable() bool { + return u.upgradeable +} + // Upgrade upgrades running agent -func (u *Upgrader) Upgrade(ctx context.Context, a *fleetapi.ActionUpgrade) error { - archivePath, err := u.downloadArtifact(ctx, a.Version, a.SourceURI) +func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (err error) { + // report failed + defer func() { + if err != nil { + if action := a.FleetAction(); action != nil { + u.reportFailure(ctx, action, err) + } + } + }() + + if !u.upgradeable { + return fmt.Errorf( + "cannot be upgraded; must be installed with install sub-command and " + + "running under control of the systems supervisor") + } + + u.reportUpdating(a.Version()) + + sourceURI, err := u.sourceURI(a.Version(), a.SourceURI()) + archivePath, err := u.downloadArtifact(ctx, a.Version(), sourceURI) if err != nil { return err } - newHash, err := u.unpack(ctx, a.Version, a.SourceURI, archivePath) + newHash, err := u.unpack(ctx, a.Version(), archivePath) if err != nil { return err } @@ -76,7 +121,12 @@ func (u *Upgrader) Upgrade(ctx context.Context, a *fleetapi.ActionUpgrade) error } if strings.HasPrefix(release.Commit(), newHash) { - return errors.New("upgrading to same version") + // not an error + if action := a.FleetAction(); action != nil { + u.ackAction(ctx, action) + } + u.log.Warn("upgrading to same version") + return nil } if err := copyActionStore(newHash); err != nil { @@ -93,7 +143,9 @@ func (u *Upgrader) Upgrade(ctx context.Context, a *fleetapi.ActionUpgrade) error return err } - u.reexec.ReExec() + if reexecNow { + u.reexec.ReExec() + } return nil } @@ -117,11 +169,7 @@ func (u *Upgrader) Ack(ctx context.Context) error { return nil } - if err := u.acker.Ack(ctx, marker.Action); err != nil { - return err - } - - if err := u.acker.Commit(ctx); err != nil { + if err := u.ackAction(ctx, marker.Action); err != nil { return err } @@ -134,15 +182,71 @@ func (u *Upgrader) Ack(ctx context.Context) error { return ioutil.WriteFile(markerFile, markerBytes, 0600) } -func isSubdir(base, target string) (bool, error) { - relPath, err := filepath.Rel(base, target) - return strings.HasPrefix(relPath, ".."), err +func (u *Upgrader) sourceURI(version, retrievedURI string) (string, error) { + if strings.HasSuffix(version, "-SNAPSHOT") && retrievedURI == "" { + return "", errors.New("snapshot upgrade requires source uri", errors.TypeConfig) + } + if retrievedURI != "" { + return retrievedURI, nil + } + + return u.settings.SourceURI, nil +} + +// ackAction is used for successful updates, it was either updated successfully or to the same version +// so we need to remove updating state and get prevent from receiving same update action again. +func (u *Upgrader) ackAction(ctx context.Context, action fleetapi.Action) error { + if err := u.acker.Ack(ctx, action); err != nil { + return err + } + + if err := u.acker.Commit(ctx); err != nil { + return err + } + + u.reporter.OnStateChange( + "", + agentName, + state.State{Status: state.Running}, + ) + + return nil +} + +// report failure is used when update process fails. action is acked so it won't be received again +// and state is changed to FAILED +func (u *Upgrader) reportFailure(ctx context.Context, action fleetapi.Action, err error) { + // ack action + u.acker.Ack(ctx, action) + + // report failure + u.reporter.OnStateChange( + "", + agentName, + state.State{Status: state.Failed, Message: err.Error()}, + ) +} + +// reportUpdating sets state of agent to updating. +func (u *Upgrader) reportUpdating(version string) { + // report failure + u.reporter.OnStateChange( + "", + agentName, + state.State{Status: state.Updating, Message: fmt.Sprintf("Update to version '%s' started", version)}, + ) } func rollbackInstall(hash string) { os.RemoveAll(filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash))) } +func getUpgradeable() bool { + // only upgradeable if running from Agent installer and running under the + // control of the system supervisor (or built specifically with upgrading enabled) + return release.Upgradeable() || (install.RunningInstalled() && install.RunningUnderSupervisor()) +} + func copyActionStore(newHash string) error { currentActionStorePath := info.AgentActionStoreFile() diff --git a/x-pack/elastic-agent/pkg/agent/cmd/checks.go b/x-pack/elastic-agent/pkg/agent/cmd/checks.go deleted file mode 100644 index 4fee7497009..00000000000 --- a/x-pack/elastic-agent/pkg/agent/cmd/checks.go +++ /dev/null @@ -1,57 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// +build !windows - -package cmd - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - - "github.com/spf13/cobra" - - // import logp flags - _ "github.com/elastic/beats/v7/libbeat/logp/configure" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" -) - -// preRunCheck is noop because -// - darwin.tar - symlink created during packaging -// - linux.tar - symlink created during packaging -// - linux.rpm - symlink created using install script -// - linux.deb - symlink created using install script -// - linux.docker - symlink created using Dockerfile -func preRunCheck(flags *globalFlags) func(cmd *cobra.Command, args []string) error { - return func(cmd *cobra.Command, args []string) error { - if sn := paths.ServiceName(); sn != "" { - // paths were created we're running as child. - return nil - } - - // get versioned path - smallHash := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit())) - commitFilepath := filepath.Join(paths.Config(), commitFile) // use other file in the future - if content, err := ioutil.ReadFile(commitFilepath); err == nil { - smallHash = hashedDirName(content) - } - - origExecPath, err := os.Executable() - if err != nil { - return err - } - reexecPath := filepath.Join(paths.Data(), smallHash, filepath.Base(origExecPath)) - - // generate paths - if err := generatePaths(filepath.Dir(reexecPath), origExecPath); err != nil { - return err - } - - paths.UpdatePaths() - return nil - } -} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go b/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go deleted file mode 100644 index 36108c8e08b..00000000000 --- a/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go +++ /dev/null @@ -1,114 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// +build windows - -package cmd - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - - "github.com/spf13/cobra" - - // import logp flags - _ "github.com/elastic/beats/v7/libbeat/logp/configure" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" -) - -func preRunCheck(flags *globalFlags) func(cmd *cobra.Command, args []string) error { - return func(cmd *cobra.Command, args []string) error { - if sn := paths.ServiceName(); sn != "" { - // replacing with correct service name so we - // can talk to service manager. - if !filepath.IsAbs(os.Args[0]) { - os.Args[0] = sn - } - - // paths were created we're running as child. - return nil - } - - smallHash := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit())) - commitFilepath := filepath.Join(paths.Config(), commitFile) - if content, err := ioutil.ReadFile(commitFilepath); err == nil { - smallHash = hashedDirName(content) - } - - // rename itself - origExecPath, err := os.Executable() - if err != nil { - return err - } - - if err := os.Rename(origExecPath, origExecPath+".bak"); err != nil { - return err - } - - // create symlink to elastic-agent-{hash} - reexecPath := filepath.Join(paths.Data(), smallHash, filepath.Base(origExecPath)) - if err := os.Symlink(reexecPath, origExecPath); err != nil { - return err - } - - // generate paths - if err := generatePaths(filepath.Dir(reexecPath), origExecPath); err != nil { - return err - } - - paths.UpdatePaths() - - // reexec if running run - if cmd.Use == "run" { - pathConfigFile := flags.Config() - rawConfig, err := config.LoadYAML(pathConfigFile) - if err != nil { - return errors.New(err, - fmt.Sprintf("could not read configuration file %s", pathConfigFile), - errors.TypeFilesystem, - errors.M(errors.MetaKeyPath, pathConfigFile)) - } - - cfg, err := configuration.NewFromConfig(rawConfig) - if err != nil { - return errors.New(err, - fmt.Sprintf("could not parse configuration file %s", pathConfigFile), - errors.TypeFilesystem, - errors.M(errors.MetaKeyPath, pathConfigFile)) - } - - logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig) - if err != nil { - return err - } - - rexLogger := logger.Named("reexec") - rm := reexec.NewManager(rexLogger, reexecPath) - - argsOverrides := []string{ - "--path.data", paths.Data(), - "--path.home", filepath.Dir(reexecPath), - "--path.config", paths.Config(), - } - rm.ReExec(argsOverrides...) - - // trigger reexec - rm.ShutdownComplete() - - // return without running Run method - os.Exit(0) - } - - return nil - } -} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/common.go b/x-pack/elastic-agent/pkg/agent/cmd/common.go index d5c195566bd..39093be71b6 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/common.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/common.go @@ -6,15 +6,10 @@ package cmd import ( "flag" - "fmt" - "io/ioutil" "os" "path/filepath" - "runtime" - "strings" "github.com/spf13/cobra" - "gopkg.in/yaml.v2" // import logp flags _ "github.com/elastic/beats/v7/libbeat/logp/configure" @@ -58,7 +53,6 @@ func NewCommandWithArgs(args []string, streams *cli.IOStreams) *cobra.Command { // path flags cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.home")) cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.config")) - cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.data")) cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.logs")) cmd.PersistentFlags().StringVarP(&flags.PathConfigFile, "c", "c", defaultConfig, `Configuration file, relative to path.config`) @@ -72,6 +66,9 @@ func NewCommandWithArgs(args []string, streams *cli.IOStreams) *cobra.Command { run := newRunCommandWithArgs(flags, args, streams) cmd.AddCommand(basecmd.NewDefaultCommandsWithArgs(args, streams)...) cmd.AddCommand(run) + cmd.AddCommand(newInstallCommandWithArgs(flags, args, streams)) + cmd.AddCommand(newUninstallCommandWithArgs(flags, args, streams)) + cmd.AddCommand(newUpgradeCommandWithArgs(flags, args, streams)) cmd.AddCommand(newEnrollCommandWithArgs(flags, args, streams)) cmd.AddCommand(newInspectCommandWithArgs(flags, args, streams)) @@ -80,58 +77,7 @@ func NewCommandWithArgs(args []string, streams *cli.IOStreams) *cobra.Command { if reexec != nil { cmd.AddCommand(reexec) } - cmd.PersistentPreRunE = preRunCheck(flags) cmd.Run = run.Run return cmd } - -func hashedDirName(filecontent []byte) string { - s := strings.TrimSpace(string(filecontent)) - if len(s) == 0 { - return "elastic-agent" - } - - s = smallHash(s) - - return fmt.Sprintf("elastic-agent-%s", s) -} - -func smallHash(hash string) string { - if len(hash) > hashLen { - hash = hash[:hashLen] - } - - return hash -} - -func generatePaths(dir, origExec string) error { - pathsCfg := map[string]interface{}{ - "path.data": paths.Data(), - "path.home": dir, - "path.config": paths.Config(), - "path.service_name": origExec, - } - - pathsCfgPath := filepath.Join(paths.Data(), "paths.yml") - pathsContent, err := yaml.Marshal(pathsCfg) - if err != nil { - return err - } - - if err := ioutil.WriteFile(pathsCfgPath, pathsContent, 0740); err != nil { - return err - } - - if runtime.GOOS == "windows" { - // due to two binaries we need to do a path dance - // as versioned binary will look for path inside it's own directory - versionedPath := filepath.Join(dir, "data", "paths.yml") - if err := os.MkdirAll(filepath.Dir(versionedPath), 0700); err != nil { - return err - } - return os.Symlink(pathsCfgPath, versionedPath) - } - - return nil -} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go index 6749b57b250..a92766b9c07 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go @@ -42,18 +42,55 @@ func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStr }, } + addEnrollFlags(cmd) + cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") + cmd.Flags().Bool("no-restart", false, "Skip restarting the currently running daemon") + + // used by install command + cmd.Flags().BoolP("from-install", "", false, "Set by install command to signal this was executed from install") + cmd.Flags().MarkHidden("from-install") + + return cmd +} + +func addEnrollFlags(cmd *cobra.Command) { cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications") cmd.Flags().StringP("ca-sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications") - cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection to Kibana") cmd.Flags().StringP("staging", "", "", "Configures agent to download artifacts from a staging build") - cmd.Flags().Bool("no-restart", false, "Skip restarting the currently running daemon") +} - return cmd +func buildEnrollmentFlags(cmd *cobra.Command) []string { + ca, _ := cmd.Flags().GetString("certificate-authorities") + sha256, _ := cmd.Flags().GetString("ca-sha256") + insecure, _ := cmd.Flags().GetBool("insecure") + staging, _ := cmd.Flags().GetString("staging") + + args := []string{} + if ca != "" { + args = append(args, "--certificate-authorities") + args = append(args, ca) + } + if sha256 != "" { + args = append(args, "--ca-sha256") + args = append(args, sha256) + } + if insecure { + args = append(args, "--insecure") + } + if staging != "" { + args = append(args, "--staging") + args = append(args, staging) + } + return args } func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { - warn.PrintNotGA(streams.Out) + fromInstall, _ := cmd.Flags().GetBool("from-install") + if !fromInstall { + warn.PrintNotGA(streams.Out) + } + pathConfigFile := flags.Config() rawConfig, err := application.LoadConfigFromFile(pathConfigFile) if err != nil { @@ -79,13 +116,18 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } force, _ := cmd.Flags().GetBool("force") - if !force { + if fromInstall { + force = true + } + + // prompt only when it is not forced and is already enrolled + if !force && (cfg.Fleet != nil && cfg.Fleet.Enabled == true) { confirm, err := c.Confirm("This will replace your current settings. Do you want to continue?", true) if err != nil { return errors.New(err, "problem reading prompt response") } if !confirm { - fmt.Fprintln(streams.Out, "Enrollment was canceled by the user") + fmt.Fprintln(streams.Out, "Enrollment was cancelled by the user") return nil } } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/include.go b/x-pack/elastic-agent/pkg/agent/cmd/include.go index 87506b88415..b955c85418f 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/include.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/include.go @@ -10,6 +10,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/docker" _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/env" _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/host" + _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/kubernetes" _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/local" _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/localdynamic" _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/path" diff --git a/x-pack/elastic-agent/pkg/agent/cmd/install.go b/x-pack/elastic-agent/pkg/agent/cmd/install.go new file mode 100644 index 00000000000..177f79912c9 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/install.go @@ -0,0 +1,154 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package cmd + +import ( + "fmt" + "os" + "os/exec" + + "github.com/spf13/cobra" + + c "github.com/elastic/beats/v7/libbeat/common/cli" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/warn" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +func newInstallCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { + cmd := &cobra.Command{ + Use: "install", + Short: "Install Elastic Agent permanently on this system", + Long: `This will install Elastic Agent permanently on this system and will become managed by the systems service manager. + +Unless all the require command-line parameters are provided or -f is used this command will ask questions on how you +would like the Agent to operate. +`, + Run: func(c *cobra.Command, args []string) { + if err := installCmd(streams, c, flags, args); err != nil { + fmt.Fprintf(streams.Err, "%v\n", err) + os.Exit(1) + } + }, + } + + cmd.Flags().StringP("kibana-url", "k", "", "URL of Kibana to enroll Agent into Fleet") + cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet") + cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") + addEnrollFlags(cmd) + + return cmd +} + +func installCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { + if !install.HasRoot() { + return fmt.Errorf("unable to perform install command, not executed with %s permissions", install.PermissionUser) + } + status, reason := install.Status() + if status == install.Installed { + return fmt.Errorf("already installed at: %s", install.InstallPath) + } + + warn.PrintNotGA(streams.Out) + force, _ := cmd.Flags().GetBool("force") + if status == install.Broken { + if !force { + fmt.Fprintf(streams.Out, "Elastic Agent is installed but currently broken: %s\n", reason) + confirm, err := c.Confirm(fmt.Sprintf("Continuing will re-install Elastic Agent over the current installation at %s. Do you want to continue?", install.InstallPath), true) + if err != nil { + return fmt.Errorf("Error: problem reading prompt response") + } + if !confirm { + return fmt.Errorf("installation was cancelled by the user") + } + } + } else { + if !force { + confirm, err := c.Confirm(fmt.Sprintf("Elastic Agent will be installed at %s and will run as a service. Do you want to continue?", install.InstallPath), true) + if err != nil { + return fmt.Errorf("Error: problem reading prompt response") + } + if !confirm { + return fmt.Errorf("installation was cancelled by the user") + } + } + } + + err := install.Install() + if err != nil { + return fmt.Errorf("Error: %s", err) + } + err = install.StartService() + if err != nil { + fmt.Fprintf(streams.Out, "Installation of required system files was successful, but starting of the service failed.\n") + return err + } + fmt.Fprintf(streams.Out, "Installation was successful and Elastic Agent is running.\n") + + askEnroll := true + kibana, _ := cmd.Flags().GetString("kibana-url") + token, _ := cmd.Flags().GetString("enrollment-token") + if kibana != "" && token != "" { + askEnroll = false + } + if force { + askEnroll = false + } + if askEnroll { + confirm, err := c.Confirm("Do you want to enroll this Agent into Fleet?", true) + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if !confirm { + // not enrolling, all done (standalone mode) + return nil + } + } + if !askEnroll && (kibana == "" || token == "") { + // force was performed without required enrollment arguments, all done (standalone mode) + return nil + } + + if kibana == "" { + kibana, err = c.ReadInput("Kibana URL you want to enroll this Agent into:") + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if kibana == "" { + fmt.Fprintf(streams.Out, "Enrollment cancelled because no URL was provided.\n") + return nil + } + } + if token == "" { + token, err = c.ReadInput("Fleet enrollment token:") + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if token == "" { + fmt.Fprintf(streams.Out, "Enrollment cancelled because no enrollment token was provided.\n") + return nil + } + } + + enrollArgs := []string{"enroll", kibana, token, "--from-install"} + enrollArgs = append(enrollArgs, buildEnrollmentFlags(cmd)...) + enrollCmd := exec.Command(install.ExecutablePath(), enrollArgs...) + enrollCmd.Stdin = os.Stdin + enrollCmd.Stdout = os.Stdout + enrollCmd.Stderr = os.Stderr + err = enrollCmd.Start() + if err != nil { + return fmt.Errorf("failed to execute enroll command: %s", err) + } + err = enrollCmd.Wait() + if err == nil { + return nil + } + exitErr, ok := err.(*exec.ExitError) + if ok { + return fmt.Errorf("enroll command failed with exit code: %d", exitErr.ExitCode()) + } + return fmt.Errorf("enroll command failed for unknown reason: %s", err) +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go index 77beeb6fe1a..84dd8bd8a9a 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/run.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/run.go @@ -95,13 +95,13 @@ func run(flags *globalFlags, streams *cli.IOStreams) error { // Windows: Mark se rex := reexec.NewManager(rexLogger, execPath) // start the control listener - control := server.New(logger.Named("control"), rex) + control := server.New(logger.Named("control"), rex, nil) if err := control.Start(); err != nil { return err } defer control.Stop() - app, err := application.New(logger, pathConfigFile, rex) + app, err := application.New(logger, pathConfigFile, rex, control) if err != nil { return err } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/uninstall.go b/x-pack/elastic-agent/pkg/agent/cmd/uninstall.go new file mode 100644 index 00000000000..d215a15e337 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/uninstall.go @@ -0,0 +1,95 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package cmd + +import ( + "fmt" + "os" + "os/exec" + "path/filepath" + "runtime" + + "github.com/spf13/cobra" + + c "github.com/elastic/beats/v7/libbeat/common/cli" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +func newUninstallCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { + cmd := &cobra.Command{ + Use: "uninstall", + Short: "Uninstall permanent Elastic Agent from this system", + Long: `This will uninstall permanent Elastic Agent from this system and will no longer be managed by this system. + +Unless -f is used this command will ask confirmation before performing removal. +`, + Run: func(c *cobra.Command, args []string) { + if err := uninstallCmd(streams, c, flags, args); err != nil { + fmt.Fprintf(streams.Err, "%v\n", err) + os.Exit(1) + } + }, + } + + cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") + + return cmd +} + +func uninstallCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { + if !install.HasRoot() { + return fmt.Errorf("unable to perform uninstall command, not executed with %s permissions", install.PermissionUser) + } + status, reason := install.Status() + if status == install.NotInstalled { + return fmt.Errorf("not installed") + } + if status == install.Installed && !install.RunningInstalled() { + return fmt.Errorf("can only be uninstall by executing the installed Elastic Agent at: %s", install.ExecutablePath()) + } + + force, _ := cmd.Flags().GetBool("force") + if status == install.Broken { + if !force { + fmt.Fprintf(streams.Out, "Elastic Agent is installed but currently broken: %s\n", reason) + confirm, err := c.Confirm(fmt.Sprintf("Continuing will uninstall the broken Elastic Agent at %s. Do you want to continue?", install.InstallPath), true) + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if !confirm { + return fmt.Errorf("uninstall was cancelled by the user") + } + } + } else { + if !force { + confirm, err := c.Confirm(fmt.Sprintf("Elastic Agent will be uninstalled from your system at %s. Do you want to continue?", install.InstallPath), true) + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if !confirm { + return fmt.Errorf("uninstall was cancelled by the user") + } + } + } + + err := install.Uninstall() + if err != nil { + return err + } + fmt.Fprintf(streams.Out, "Elastic Agent has been uninstalled.\n") + + if runtime.GOOS == "windows" { + // The installation path will still exists because we are executing from that + // directory. So cmd.exe is spawned that sleeps for 2 seconds (using ping, recommend way from + // from Windows) then rmdir is performed. + rmdir := exec.Command( + filepath.Join(os.Getenv("windir"), "system32", "cmd.exe"), + "/C", "ping", "-n", "2", "127.0.0.1", "&&", "rmdir", "/s", "/q", install.InstallPath) + _ = rmdir.Start() + } + + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/upgrade.go b/x-pack/elastic-agent/pkg/agent/cmd/upgrade.go new file mode 100644 index 00000000000..81a5c82b4ab --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/upgrade.go @@ -0,0 +1,56 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package cmd + +import ( + "context" + "fmt" + "os" + + "github.com/spf13/cobra" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +func newUpgradeCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { + cmd := &cobra.Command{ + Use: "upgrade ", + Short: "Upgrade the currently running Elastic Agent to the specified version", + Args: cobra.ExactArgs(1), + Run: func(c *cobra.Command, args []string) { + if err := upgradeCmd(streams, c, flags, args); err != nil { + fmt.Fprintf(streams.Err, "%v\n", err) + os.Exit(1) + } + }, + } + + cmd.Flags().StringP("source-uri", "s", "", "Source URI to download the new version from") + + return cmd +} + +func upgradeCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { + fmt.Fprintln(streams.Out, "The upgrade process of Elastic Agent is currently EXPERIMENTAL and should not be used in production") + + version := args[0] + sourceURI, _ := cmd.Flags().GetString("source-uri") + + c := client.New() + err := c.Connect(context.Background()) + if err != nil { + return errors.New(err, "Failed communicating to running daemon", errors.TypeNetwork, errors.M("socket", control.Address())) + } + defer c.Disconnect() + version, err = c.Upgrade(context.Background(), version, sourceURI) + if err != nil { + return errors.New(err, "Failed trigger upgrade of daemon") + } + fmt.Fprintf(streams.Out, "Upgrade triggered to version %s, Elastic Agent is currently restarting\n", version) + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/control/addr.go b/x-pack/elastic-agent/pkg/agent/control/addr.go index 20bc1e6a005..31005e8e34d 100644 --- a/x-pack/elastic-agent/pkg/agent/control/addr.go +++ b/x-pack/elastic-agent/pkg/agent/control/addr.go @@ -11,10 +11,17 @@ import ( "fmt" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" ) // Address returns the address to connect to Elastic Agent daemon. func Address() string { + // when installed the control address is fixed + if install.RunningInstalled() { + return install.SocketPath + } + + // not install, adjust the path based on data path data := paths.Data() // entire string cannot be longer than 107 characters, this forces the // length to always be 88 characters (but unique per data path) diff --git a/x-pack/elastic-agent/pkg/agent/control/addr_windows.go b/x-pack/elastic-agent/pkg/agent/control/addr_windows.go index bf2e164fbae..cbfcdf2c99e 100644 --- a/x-pack/elastic-agent/pkg/agent/control/addr_windows.go +++ b/x-pack/elastic-agent/pkg/agent/control/addr_windows.go @@ -11,10 +11,17 @@ import ( "fmt" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" ) // Address returns the address to connect to Elastic Agent daemon. func Address() string { + // when installed the control address is fixed + if install.RunningInstalled() { + return install.SocketPath + } + + // not install, adjust the path based on data path data := paths.Data() // entire string cannot be longer than 256 characters, this forces the // length to always be 87 characters (but unique per data path) diff --git a/x-pack/elastic-agent/pkg/agent/control/control_test.go b/x-pack/elastic-agent/pkg/agent/control/control_test.go index 9454179ae60..5c56aed4691 100644 --- a/x-pack/elastic-agent/pkg/agent/control/control_test.go +++ b/x-pack/elastic-agent/pkg/agent/control/control_test.go @@ -20,7 +20,7 @@ import ( ) func TestServerClient_Version(t *testing.T) { - srv := server.New(newErrorLogger(t), nil) + srv := server.New(newErrorLogger(t), nil, nil) err := srv.Start() require.NoError(t, err) defer srv.Stop() diff --git a/x-pack/elastic-agent/pkg/agent/control/server/listener.go b/x-pack/elastic-agent/pkg/agent/control/server/listener.go index 7edfc7b8ee9..3090f3d140d 100644 --- a/x-pack/elastic-agent/pkg/agent/control/server/listener.go +++ b/x-pack/elastic-agent/pkg/agent/control/server/listener.go @@ -8,7 +8,6 @@ package server import ( "fmt" - "net" "os" "path/filepath" diff --git a/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go b/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go index f98c32bcee3..eaedc9f88f2 100644 --- a/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go +++ b/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go @@ -10,6 +10,8 @@ import ( "net" "os/user" + "github.com/pkg/errors" + "github.com/elastic/beats/v7/libbeat/api/npipe" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" @@ -18,11 +20,7 @@ import ( // createListener creates a named pipe listener on Windows func createListener(_ *logger.Logger) (net.Listener, error) { - u, err := user.Current() - if err != nil { - return nil, err - } - sd, err := npipe.DefaultSD(u.Username) + sd, err := securityDescriptor() if err != nil { return nil, err } @@ -32,3 +30,26 @@ func createListener(_ *logger.Logger) (net.Listener, error) { func cleanupListener(_ *logger.Logger) { // nothing to do on windows } + +func securityDescriptor() (string, error) { + u, err := user.Current() + if err != nil { + return "", errors.Wrap(err, "failed to get current user") + } + // Named pipe security and access rights. + // We create the pipe and the specific users should only be able to write to it. + // See docs: https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights + // String definition: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings + // Give generic read/write access to the specified user. + descriptor := "D:P(A;;GA;;;" + u.Uid + ")" + if u.Username == "NT AUTHORITY\\SYSTEM" { + // running as SYSTEM, include Administrators group so Administrators can talk over + // the named pipe to the running Elastic Agent system process + admin, err := user.LookupGroup("Administrators") + if err != nil { + return "", errors.Wrap(err, "failed to lookup Administrators group") + } + descriptor += "(A;;GA;;;" + admin.Gid + ")" + } + return descriptor, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/control/server/server.go b/x-pack/elastic-agent/pkg/agent/control/server/server.go index faa7982c814..0ce970c9256 100644 --- a/x-pack/elastic-agent/pkg/agent/control/server/server.go +++ b/x-pack/elastic-agent/pkg/agent/control/server/server.go @@ -7,14 +7,17 @@ package server import ( "context" "net" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" + "sync" + "time" "google.golang.org/grpc" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/proto" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) @@ -22,18 +25,28 @@ import ( type Server struct { logger *logger.Logger rex reexec.ExecManager + up *upgrade.Upgrader listener net.Listener server *grpc.Server + lock sync.RWMutex } // New creates a new control protocol server. -func New(log *logger.Logger, rex reexec.ExecManager) *Server { +func New(log *logger.Logger, rex reexec.ExecManager, up *upgrade.Upgrader) *Server { return &Server{ logger: log, rex: rex, + up: up, } } +// SetUpgrader changes the upgrader. +func (s *Server) SetUpgrader(up *upgrade.Upgrader) { + s.lock.Lock() + defer s.lock.Unlock() + s.up = up +} + // Start starts the GRPC endpoint and accepts new connections. func (s *Server) Start() error { if s.server != nil { @@ -100,10 +113,48 @@ func (s *Server) Restart(_ context.Context, _ *proto.Empty) (*proto.RestartRespo // Upgrade performs the upgrade operation. func (s *Server) Upgrade(ctx context.Context, request *proto.UpgradeRequest) (*proto.UpgradeResponse, error) { - // not implemented + s.lock.RLock() + u := s.up + s.lock.RUnlock() + if u == nil { + // not running with upgrader (must be controlled by Fleet) + return &proto.UpgradeResponse{ + Status: proto.ActionStatus_FAILURE, + Error: "cannot be upgraded; perform upgrading using Fleet", + }, nil + } + err := u.Upgrade(ctx, &upgradeRequest{request}, false) + if err != nil { + return &proto.UpgradeResponse{ + Status: proto.ActionStatus_FAILURE, + Error: err.Error(), + }, nil + } + // perform the re-exec after a 1 second delay + // this ensures that the upgrade response over GRPC is returned + go func() { + <-time.After(time.Second) + s.rex.ReExec() + }() return &proto.UpgradeResponse{ - Status: proto.ActionStatus_FAILURE, - Version: "", - Error: "not implemented", + Status: proto.ActionStatus_SUCCESS, + Version: request.Version, }, nil } + +type upgradeRequest struct { + *proto.UpgradeRequest +} + +func (r *upgradeRequest) Version() string { + return r.GetVersion() +} + +func (r *upgradeRequest) SourceURI() string { + return r.GetSourceURI() +} + +func (r *upgradeRequest) FleetAction() *fleetapi.ActionUpgrade { + // upgrade request not from Fleet + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/install/install.go b/x-pack/elastic-agent/pkg/agent/install/install.go new file mode 100644 index 00000000000..2705ea0bfd9 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/install.go @@ -0,0 +1,142 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package install + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strings" + + "github.com/otiai10/copy" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +// Install installs Elastic Agent persistently on the system including creating and starting its service. +func Install() error { + dir, err := findDirectory() + if err != nil { + return errors.New(err, "failed to discover the source directory for installation", errors.TypeFilesystem) + } + + // uninstall current installation + err = Uninstall() + if err != nil { + return err + } + + // ensure parent directory exists, copy source into install path + err = os.MkdirAll(filepath.Dir(InstallPath), 0755) + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to create installation parent directory (%s)", filepath.Dir(InstallPath)), + errors.M("directory", filepath.Dir(InstallPath))) + } + err = copy.Copy(dir, InstallPath, copy.Options{ + OnSymlink: func(_ string) copy.SymlinkAction { + return copy.Shallow + }, + Sync: true, + }) + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to copy source directory (%s) to destination (%s)", dir, InstallPath), + errors.M("source", dir), errors.M("destination", InstallPath)) + } + + // place shell wrapper, if present on platform + if ShellWrapperPath != "" { + err = ioutil.WriteFile(ShellWrapperPath, []byte(ShellWrapper), 0755) + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to write shell wrapper (%s)", ShellWrapperPath), + errors.M("destination", ShellWrapperPath)) + } + } + + // post install (per platform) + err = postInstall() + if err != nil { + return err + } + + // install service + svc, err := newService() + if err != nil { + return err + } + err = svc.Install() + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to install service (%s)", ServiceName), + errors.M("service", ServiceName)) + } + return nil +} + +// StartService starts the installed service. +// +// This should only be called after Install is successful. +func StartService() error { + svc, err := newService() + if err != nil { + return err + } + err = svc.Start() + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to start service (%s)", ServiceName), + errors.M("service", ServiceName)) + } + return nil +} + +// findDirectory returns the directory to copy into the installation location. +// +// This also verifies that the discovered directory is a valid directory for installation. +func findDirectory() (string, error) { + execPath, err := os.Executable() + if err != nil { + return "", err + } + execPath, err = filepath.Abs(execPath) + if err != nil { + return "", err + } + sourceDir := filepath.Dir(execPath) + if insideData(sourceDir) { + // executable path is being reported as being down inside of data path + // move up to directories to perform the copy + sourceDir = filepath.Dir(filepath.Dir(sourceDir)) + } + err = verifyDirectory(sourceDir) + if err != nil { + return "", err + } + return sourceDir, nil +} + +// verifyDirectory ensures that the directory includes the executable. +func verifyDirectory(dir string) error { + _, err := os.Stat(filepath.Join(dir, BinaryName)) + if os.IsNotExist(err) { + return fmt.Errorf("missing %s", BinaryName) + } + return nil +} + +// insideData returns true when the exePath is inside of the current Agents data path. +func insideData(exePath string) bool { + expectedPath := filepath.Join("data", fmt.Sprintf("elastic-agent-%s", release.ShortCommit())) + return strings.HasSuffix(exePath, expectedPath) +} diff --git a/x-pack/elastic-agent/pkg/agent/install/install_unix.go b/x-pack/elastic-agent/pkg/agent/install/install_unix.go new file mode 100644 index 00000000000..07d696d580a --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/install_unix.go @@ -0,0 +1,13 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package install + +// postInstall performs post installation for unix-based systems. +func postInstall() error { + // do nothing + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/install/install_windows.go b/x-pack/elastic-agent/pkg/agent/install/install_windows.go new file mode 100644 index 00000000000..ec10467ce79 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/install_windows.go @@ -0,0 +1,35 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package install + +import ( + "fmt" + "os" + "path/filepath" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +// postInstall performs post installation for Windows systems. +func postInstall() error { + // delete the top-level elastic-agent.exe + binary := filepath.Join(InstallPath, BinaryName) + err := os.Remove(binary) + if err != nil { + // do not handle does not exist, it should have existed + return err + } + + // create top-level symlink to nested binary + realBinary := filepath.Join(InstallPath, "data", fmt.Sprintf("elastic-agent-%s", release.ShortCommit()), BinaryName) + err = os.Symlink(realBinary, binary) + if err != nil { + return err + } + + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/install/installed.go b/x-pack/elastic-agent/pkg/agent/install/installed.go new file mode 100644 index 00000000000..9f294078242 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/installed.go @@ -0,0 +1,75 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package install + +import ( + "os" + "path/filepath" + + "github.com/kardianos/service" +) + +// StatusType is the return status types. +type StatusType int + +const ( + // NotInstalled returned when Elastic Agent is not installed. + NotInstalled StatusType = iota + // Installed returned when Elastic Agent is installed currectly. + Installed + // Broken returned when Elastic Agent is installed but broken. + Broken +) + +// Status returns the installation status of Agent. +func Status() (StatusType, string) { + expected := filepath.Join(InstallPath, BinaryName) + status, reason := checkService() + _, err := os.Stat(expected) + if os.IsNotExist(err) { + if status == Installed { + // service installed, but no install path + return Broken, "service exists but installation path is missing" + } + return NotInstalled, "no install path or service" + } + if status == NotInstalled { + // install path present, but not service + return Broken, reason + } + return Installed, "" +} + +// RunningInstalled returns true when executing Agent is the installed Agent. +// +// This verifies the running executable path based on hard-coded paths +// for each platform type. +func RunningInstalled() bool { + expected := filepath.Join(InstallPath, BinaryName) + execPath, _ := os.Executable() + execPath, _ = filepath.Abs(execPath) + execName := filepath.Base(execPath) + execDir := filepath.Dir(execPath) + if insideData(execDir) { + // executable path is being reported as being down inside of data path + // move up to directories to perform the comparison + execDir = filepath.Dir(filepath.Dir(execDir)) + execPath = filepath.Join(execDir, execName) + } + return expected == execPath +} + +// checkService only checks the status of the service. +func checkService() (StatusType, string) { + svc, err := newService() + if err != nil { + return NotInstalled, "unable to check service status" + } + status, _ := svc.Status() + if status == service.StatusUnknown { + return NotInstalled, "service is not installed" + } + return Installed, "" +} diff --git a/x-pack/elastic-agent/pkg/agent/install/paths.go b/x-pack/elastic-agent/pkg/agent/install/paths.go new file mode 100644 index 00000000000..5936c31926a --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/paths.go @@ -0,0 +1,30 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !darwin +// +build !windows + +package install + +const ( + // BinaryName is the name of the installed binary. + BinaryName = "elastic-agent" + + // InstallPath is the installation path using for install command. + InstallPath = "/opt/Elastic/Agent" + + // SocketPath is the socket path used when installed. + SocketPath = "unix:///run/elastic-agent.sock" + + // ServiceName is the service name when installed. + ServiceName = "elastic-agent" + + // ShellWrapperPath is the path to the installed shell wrapper. + ShellWrapperPath = "/usr/bin/elastic-agent" + + // ShellWrapper is the wrapper that is installed. + ShellWrapper = `#!/bin/sh +exec /opt/Elastic/Agent/elastic-agent $@ +` +) diff --git a/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go b/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go new file mode 100644 index 00000000000..f6ebcdfdbae --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go @@ -0,0 +1,29 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build darwin + +package install + +const ( + // BinaryName is the name of the installed binary. + BinaryName = "elastic-agent" + + // InstallPath is the installation path using for install command. + InstallPath = "/Library/Elastic/Agent" + + // SocketPath is the socket path used when installed. + SocketPath = "unix:///var/run/elastic-agent.sock" + + // ServiceName is the service name when installed. + ServiceName = "co.elastic.elastic-agent" + + // ShellWrapperPath is the path to the installed shell wrapper. + ShellWrapperPath = "/usr/local/bin/elastic-agent" + + // ShellWrapper is the wrapper that is installed. + ShellWrapper = `#!/bin/sh +exec /Library/Elastic/Agent/elastic-agent $@ +` +) diff --git a/x-pack/elastic-agent/pkg/agent/install/paths_windows.go b/x-pack/elastic-agent/pkg/agent/install/paths_windows.go new file mode 100644 index 00000000000..3af4c79d941 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/paths_windows.go @@ -0,0 +1,27 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package install + +const ( + // BinaryName is the name of the installed binary. + BinaryName = "elastic-agent.exe" + + // InstallPath is the installation path using for install command. + InstallPath = `C:\Program Files\Elastic\Agent` + + // SocketPath is the socket path used when installed. + SocketPath = `\\.\pipe\elastic-agent-system` + + // ServiceName is the service name when installed. + ServiceName = "Elastic Agent" + + // ShellWrapperPath is the path to the installed shell wrapper. + ShellWrapperPath = "" // no wrapper on Windows + + // ShellWrapper is the wrapper that is installed. + ShellWrapper = "" // no wrapper on Windows +) diff --git a/x-pack/elastic-agent/pkg/agent/install/root_unix.go b/x-pack/elastic-agent/pkg/agent/install/root_unix.go new file mode 100644 index 00000000000..b79f104d98d --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/root_unix.go @@ -0,0 +1,19 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package install + +import "os" + +const ( + // PermissionUser is the permission level the user needs to be. + PermissionUser = "root" +) + +// HasRoot returns true if the user has root permissions. +func HasRoot() bool { + return os.Getegid() == 0 +} diff --git a/x-pack/elastic-agent/pkg/agent/install/root_windows.go b/x-pack/elastic-agent/pkg/agent/install/root_windows.go new file mode 100644 index 00000000000..c72432084ac --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/root_windows.go @@ -0,0 +1,27 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package install + +import ( + "os" +) + +const ( + // PermissionUser is the permission level the user needs to be. + PermissionUser = "Administrator" +) + +// HasRoot returns true if the user has Administrator/SYSTEM permissions. +func HasRoot() bool { + // only valid rights can open the physical drive + f, err := os.Open("\\\\.\\PHYSICALDRIVE0") + if err != nil { + return false + } + defer f.Close() + return true +} diff --git a/x-pack/elastic-agent/pkg/agent/install/svc.go b/x-pack/elastic-agent/pkg/agent/install/svc.go new file mode 100644 index 00000000000..18cbc6d840f --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/svc.go @@ -0,0 +1,38 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package install + +import ( + "path/filepath" + + "github.com/kardianos/service" +) + +const ( + // ServiceDisplayName is the service display name for the service. + ServiceDisplayName = "Elastic Agent" + + // ServiceDescription is the description for the service. + ServiceDescription = "Elastic Agent is a unified agent to observe, monitor and protect your system." +) + +// ExecutablePath returns the path for the installed Agents executable. +func ExecutablePath() string { + exec := filepath.Join(InstallPath, BinaryName) + if ShellWrapperPath != "" { + exec = ShellWrapperPath + } + return exec +} + +func newService() (service.Service, error) { + return service.New(nil, &service.Config{ + Name: ServiceName, + DisplayName: ServiceDisplayName, + Description: ServiceDescription, + Executable: ExecutablePath(), + WorkingDirectory: InstallPath, + }) +} diff --git a/x-pack/elastic-agent/pkg/agent/install/svc_unix.go b/x-pack/elastic-agent/pkg/agent/install/svc_unix.go new file mode 100644 index 00000000000..c7acb998489 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/svc_unix.go @@ -0,0 +1,15 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package install + +import "os" + +// RunningUnderSupervisor returns true when executing Agent is running under +// the supervisor processes of the OS. +func RunningUnderSupervisor() bool { + return os.Getppid() == 1 +} diff --git a/x-pack/elastic-agent/pkg/agent/install/svc_windows.go b/x-pack/elastic-agent/pkg/agent/install/svc_windows.go new file mode 100644 index 00000000000..9084f3b5ea7 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/svc_windows.go @@ -0,0 +1,49 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package install + +import ( + "golang.org/x/sys/windows" +) + +// RunningUnderSupervisor returns true when executing Agent is running under +// the supervisor processes of the OS. +func RunningUnderSupervisor() bool { + serviceSid, err := allocSid(windows.SECURITY_SERVICE_RID) + if err != nil { + return false + } + defer windows.FreeSid(serviceSid) + + t, err := windows.OpenCurrentProcessToken() + if err != nil { + return false + } + defer t.Close() + + gs, err := t.GetTokenGroups() + if err != nil { + return false + } + + for _, g := range gs.AllGroups() { + if windows.EqualSid(g.Sid, serviceSid) { + return true + } + } + return false +} + +func allocSid(subAuth0 uint32) (*windows.SID, error) { + var sid *windows.SID + err := windows.AllocateAndInitializeSid(&windows.SECURITY_NT_AUTHORITY, + 1, subAuth0, 0, 0, 0, 0, 0, 0, 0, &sid) + if err != nil { + return nil, err + } + return sid, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/install/uninstall.go b/x-pack/elastic-agent/pkg/agent/install/uninstall.go new file mode 100644 index 00000000000..381427eb8c7 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/uninstall.go @@ -0,0 +1,71 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package install + +import ( + "fmt" + "os" + "runtime" + + "github.com/kardianos/service" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" +) + +// Uninstall uninstalls persistently Elastic Agent on the system. +func Uninstall() error { + // uninstall the current service + svc, err := newService() + if err != nil { + return err + } + status, _ := svc.Status() + if status == service.StatusRunning { + err := svc.Stop() + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to stop service (%s)", ServiceName), + errors.M("service", ServiceName)) + } + status = service.StatusStopped + } + if status == service.StatusStopped { + err := svc.Uninstall() + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to uninstall service (%s)", ServiceName), + errors.M("service", ServiceName)) + } + } + + // remove, if present on platform + if ShellWrapperPath != "" { + err = os.Remove(ShellWrapperPath) + if !os.IsNotExist(err) && err != nil { + return errors.New( + err, + fmt.Sprintf("failed to remove shell wrapper (%s)", ShellWrapperPath), + errors.M("destination", ShellWrapperPath)) + } + } + + // remove existing directory + err = os.RemoveAll(InstallPath) + if err != nil { + if runtime.GOOS == "windows" { + // possible to fail on Windows, because elastic-agent.exe is running from + // this directory. + return nil + } + return errors.New( + err, + fmt.Sprintf("failed to remove installation directory (%s)", InstallPath), + errors.M("directory", InstallPath)) + } + + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/operation/common_test.go b/x-pack/elastic-agent/pkg/agent/operation/common_test.go index cc17733c656..e9d40bece87 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/common_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/common_test.go @@ -143,7 +143,7 @@ var _ download.Downloader = &DummyDownloader{} type DummyVerifier struct{} -func (*DummyVerifier) Verify(p, v string) (bool, error) { +func (*DummyVerifier) Verify(p, v, _ string, _ bool) (bool, error) { return true, nil } diff --git a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go index fe33de852d1..c4d895eb6ee 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go +++ b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go @@ -161,7 +161,7 @@ func (o *Operator) generateMonitoringSteps(version string, output interface{}) [ ProgramSpec: program.Spec{ Name: metricsProcessName, Cmd: metricsProcessName, - Artifact: fmt.Sprintf("%s/%s", artifactPrefix, logsProcessName), + Artifact: fmt.Sprintf("%s/%s", artifactPrefix, metricsProcessName), }, Meta: map[string]interface{}{ configrequest.MetaConfigKey: mbConfig, diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation_verify.go b/x-pack/elastic-agent/pkg/agent/operation/operation_verify.go index 289693ca373..7626d339e57 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation_verify.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operation_verify.go @@ -66,7 +66,7 @@ func (o *operationVerify) Run(_ context.Context, application Application) (err e } }() - isVerified, err := o.verifier.Verify(o.program.BinaryName(), o.program.Version()) + isVerified, err := o.verifier.Verify(o.program.BinaryName(), o.program.Version(), o.program.ArtifactName(), true) if err != nil { return errors.New(err, fmt.Sprintf("operation '%s' failed to verify %s.%s", o.Name(), o.program.BinaryName(), o.program.Version()), diff --git a/x-pack/elastic-agent/pkg/agent/program/program.go b/x-pack/elastic-agent/pkg/agent/program/program.go index 25b56081e68..f3f17d06b9d 100644 --- a/x-pack/elastic-agent/pkg/agent/program/program.go +++ b/x-pack/elastic-agent/pkg/agent/program/program.go @@ -47,7 +47,7 @@ func (p *Program) Configuration() map[string]interface{} { // Programs take a Tree representation of the main configuration and apply all the different // programs rules and generate individual configuration from the rules. -func Programs(singleConfig *transpiler.AST) (map[string][]Program, error) { +func Programs(agentInfo transpiler.AgentInfo, singleConfig *transpiler.AST) (map[string][]Program, error) { grouped, err := groupByOutputs(singleConfig) if err != nil { return nil, errors.New(err, errors.TypeConfig, "fail to extract program configuration") @@ -55,7 +55,7 @@ func Programs(singleConfig *transpiler.AST) (map[string][]Program, error) { groupedPrograms := make(map[string][]Program) for k, config := range grouped { - programs, err := detectPrograms(config) + programs, err := detectPrograms(agentInfo, config) if err != nil { return nil, errors.New(err, errors.TypeConfig, "fail to generate program configuration") } @@ -65,11 +65,11 @@ func Programs(singleConfig *transpiler.AST) (map[string][]Program, error) { return groupedPrograms, nil } -func detectPrograms(singleConfig *transpiler.AST) ([]Program, error) { +func detectPrograms(agentInfo transpiler.AgentInfo, singleConfig *transpiler.AST) ([]Program, error) { programs := make([]Program, 0) for _, spec := range Supported { specificAST := singleConfig.Clone() - err := spec.Rules.Apply(specificAST) + err := spec.Rules.Apply(agentInfo, specificAST) if err != nil { return nil, err } diff --git a/x-pack/elastic-agent/pkg/agent/program/program_test.go b/x-pack/elastic-agent/pkg/agent/program/program_test.go index c15510b6655..8c2cf8c499f 100644 --- a/x-pack/elastic-agent/pkg/agent/program/program_test.go +++ b/x-pack/elastic-agent/pkg/agent/program/program_test.go @@ -437,7 +437,7 @@ func TestConfiguration(t *testing.T) { ast, err := transpiler.NewAST(m) require.NoError(t, err) - programs, err := Programs(ast) + programs, err := Programs(&fakeAgentInfo{}, ast) if test.err { require.Error(t, err) return @@ -478,3 +478,17 @@ func TestConfiguration(t *testing.T) { }) } } + +type fakeAgentInfo struct{} + +func (*fakeAgentInfo) AgentID() string { + return "agent-id" +} + +func (*fakeAgentInfo) Version() string { + return "8.0.0" +} + +func (*fakeAgentInfo) Snapshot() bool { + return false +} diff --git a/x-pack/elastic-agent/pkg/agent/program/supported.go b/x-pack/elastic-agent/pkg/agent/program/supported.go index 3b314bfa3f4..adc13938ae2 100644 --- a/x-pack/elastic-agent/pkg/agent/program/supported.go +++ b/x-pack/elastic-agent/pkg/agent/program/supported.go @@ -21,7 +21,7 @@ func init() { // spec/filebeat.yml // spec/heartbeat.yml // spec/metricbeat.yml - unpacked := packer.MustUnpack("eJzEWEtz47rR3X8/Y7b3q4QER06YqixEufiSRI9oGwCxIwCJpARSuuZDolL57ymQFB+yPXMnt2qymNIIhoDuRvfpc/pfX/LTlv11m/HTMcmKv9Sp+PKPLzQ1C/JyjHw0OzBLP9FsE70CuOfYPXH7sAyAenhKDEFT/0yBKPlCvRLkqSwVynZzilnmn0hq7vnjMSLDGQWxIFhknmAZOQXg9cF5DLSnx2gZgFgEoNiFaHbllpnTx+Ny9WyIrQX3GJATtV4fFsk8chbGOcD+8SmZJ+Nz2WBb0u2LWcqvT9ExchbzaPU8T3gK6xCRmdOtcUsUBOmqtHF9nS+ZpV+5Kc/zlABd8qfoWDgW/EqQtyOpyMnLcSl/59hGzK3owVm4H/v/7LT7LLMm2rqze144C7c/2xnZtXpWVWbxOkC+uFuvCfYqjt09wetkdM4n9072l9tUnD/y1dvPz4vMqAnUVZqKkml+TK3zwyJRIoJjEah6GqKLuMWOWaYSPh4jJ4UlsY0qRDNlhT0RaLAOsd/HM8Buxq5djG4xR7N3Pr+3xVWpBa9tvMlpa+pXbrsiQMqDYxf6olunti+Y0EGALirBt7gaV4IuItD8iu2PUYhmZ479a/e3N4IPD47tz5j12r0diakNxWCnMs7PZRODVOTcgjXW7vbanqAW3HNLr58S40QzQ+X2unvrQmxfmlyPg/QiyLzzNTVzjuAoDw2FZVA0Pt3Oa3LOr/p4A5gT5ClUc69PiUGJPA9vygB5e4K9KwbmOYS69C13LJITBJVVWpyC1CwDqExztP+7eQ43TU0VAZ7f1ZKRUgsK3tnMMpgP8Z0Xju0KinRA2jtv682/EMDZU2LEAfAE07xdgI0TBoXYbnp/a4LUiqdw1+ztfBzHLAQiCdAsnrzz/n3MJ2/WxqT/Pn33eeFYusptQ7351NiByYkBUdHouOQgFnR/jKgFS6L5x+XC/1t7pq8vn+e/OY/zKECzg2NdBE25Ei6iwxaIktlQYZpych6/RuuFEdN0E4WWeX0GcCbPoBpU5J7d8zlyAcwD7Ckh8q4EmXUAomy5Of7zy/+3kLtLxJZuw3eQK6EGuSLAmxvMNuUYpDDm81MLa4lBnUQ1neQcOZknuA3Pq1Tk9HkmaGom1IKHb0imryeaPfd7M19QbOQB9sUqhWWA3JygjU5SM2fgNVkt5snqtf2kyCwDxAVFsOSLWUGBL77hqGCWuQ9rtU2dhZM7C6fwn+WnW8jnJAAWRELF6Hxuuyp5nuzNKeBZiGbZKr0InsL8G/JFkMHMEcoywK4SIhIH2ubBsWRM/OuqaQcwIchUfggdSZMav8tywkCUxIJfbynIbXGW8aaWnrFzUxonmp4klOyY5tcEmQXWjJq2qV31KWnpJQZeRVOSh8hTWiiQLc3fBYgoBHfw38LOg2NdKqKtG2ihyDzfw+odZNUcXSbwFAD9vIV6TK3Ljlv6jlriyh8HmHUWhkKvx+hmMzuPS+ydrSUF+nlcwgTHe4INpcmpzFNYCmOK183bh2jTfPaw1ryze2ap3kCRhCj5Tne2KlTV8xB7yrTchUKadxnFNFv/t34MMU9hSjW3g1TZGps66t6K1BQoD47Vle751oL+Pqxpvc/LrgUqTFIXs/UBA2m3ev3s3e7tDbEv6Mt7PyZ3nj+F4mlbsfv8HtpHapYMXGLeU6L5xK4mrzfj2Kkxs40BUvv1S0U6atX8fxzvJi+IoNmm6qhPUyfj+5yFIeu15Av9yi3/JOGUaf4hRF/v7oGgwQHN3zNpn+WdPzlHJfb8wbHhgc2ntsi7V8CvAlBIPyJi6fsQwPrunJwCVrEUHkLs7Ri4VBxcKiJzqllbv/e/1q9b7MnfPTi2N5O/ucXhj7Qujj2BwQet5ge/I5apBLDHqr5+WAoLqhHRtNCXSY23VMbyY26ZPT6t0llMEbxKLCY/0XLv7i+b79iTFEDmpew3CsHu7p6+DNTEeVdTHRVQttgQXU7fUTXZlk2NAS+nGjxwYCoBiAbswCeVpa9Fm3f+kSNnhCuXiiM/pZqkoO5sOM+raObHIZoJNtTIgQLvrcdhSReAXhFwEStsqEHmqcGw98ht/4zBQG2Hs2OF28bvDOjlsFbEJC3i4fskXwqG/dHvZ4JbJKca6+2g1zXwkKkSSyhjekUsMVAXez36v6cQS5Sj7/c5qgTavD+fI/887IVliIf4ciDKpob/LJ22+n7+KaVu+nxLN/dUM/ocJJlbSWy8O7fBfTLiPWMa/iEtHt5vxI36tYpj/8zH9BDAGZM+pa+fUL/+7vJm2+75EH1L5mfHMkuyMI4B9lYEH46uXXTn+/pqMc8IusRM80+B5okAu/twwXJnwWuC/BOrWS59dEGbN24taaHkA56st6NbH5Y3Ohhvw7fiAz74bEEpp1u+k3oFkb1nstbKTMfMe87GAFQ4npchuhQ/4ne3vdyCBbOavlL2/f5RTQN0ud5xtjt+p1bEetW3C/UcIO9thVrJMeGdqRrT1MwIUmVPGZ/fyKHpXtmX+ImmrKRN7zjrxIIJRyzBd6OF5t3tdTWJRzbumU0efcW3Hv9yjLZag7cf1IC340AooanXBHGxtedDf73h/aS3GrV8H5x5M4lXBMscWFerJO9x+3O8/I7M/AHOflqHH8jNu3qc3DvsGdV8tp5wioYTj/nI4mN59Ufr7H9VW+m2eEvYB8X1gqDCUrHvxNWeIik0VMFt9xSAToS1c40I1X0BXAn2VbaYnail/KhYbnsliTxTy1TIj0TaXbFQpB/Ii/p1haXOzotO+35PpA3nY7/m6E7QWXpGpBiqZ3nTbB/VA0GuSmqXSzDhlkiDlmQ3BcVqvSDYr0PkdQVmVEzzJ7O6Nila0jGZlU3mR2pF7Ga2UJJFQ7ykICi3SO1nQ7IZyHgTvHmQQEOB3xTzKt1UTBNXCVKrTBR0MZMk7yZKlsPM4uOCH4u7EM0OBEe3htcQlqfEuPl4bRukKMO0mc10JEndMdutAgCvDOh98VAw2wVAL0l6ObUiVZQMwJqbekwyvyclvdjs8q0TALXMHYr62WbKUr14LwL8aljzbvZ0dqoxe7ybS34gbD4RE01zxsDMqfmJaGvvHu4cgcN732cV7clIS+y3lieYvWmaUy+I6qYuTp2Y7HO1HVBMxGGCN3e2an6FweXEtM10DnUTXaM3mgjIn/Kjf8OEINKA2S8Whu8IONb4iVvxjqUwIzjuhwgfkO62KSVf31agwzFtffguufu1hPBPil74eZP+ngi2XVnj2+WjvvnWDmZ+WyX56X2MukYq73g8Ru54dtwKtDJAqpiKqm7IMNk7EFuJ3xxdxCAM1DgEcBdgtw7u56ldjvQ4AaAysavJlZvNnhga8x8Rj6Pf/YxYvZtp/1qB23y/jme9v0ok34n7nxIzdMIrvov1k966Sj8aVPV982eE0bRnfz4XfyNY9lW9lvX5EWmb+NIOgJv6/DMkriFuWit8W+L2HRL37//7TwAAAP//S6KvFQ==") + unpacked := packer.MustUnpack("eJy8WF1zozoSfd+fMa93axdEnF226j4YUnzFJmOSSEJvSLIBW2DfALbx1v73LQHmw0lm7uxszcOUByKk7lb36XP631+Kw5r9fZ3zwz7Ny7/Vmfjyry80s0ryso8DNNsxWz/QfBW/Arjl2DtwZ/cYAnX3lBqCZsGJAlFxU70Q5KssE8p6dUhYHhxIZm35wz4mwx4lsSEwc1+wnBxC8HrvPoTa00P8GIJEhKDcRGh24bZV0If94+LZEGsbbjEgB2q/3pvpPHZN4xTiYP+UztPxvmywLe3WJSzjl6d4H7vmPF48z1OewTpCZOZ277gtSoJ0Vdq4vMwfma1fuCX385UQnYuneF+6NrwjyN+QTBTkZf8ov3MdI+F2fO+a3sf+P7vtOtuqibbs7J6Xrun1e7sjuxbPqspsXocoEDfva4L9I8feluBlOtrnk3Mn66t1Jk4f+epv5yczN2oCdZVmomJakFD7dG+mSkxwIkJVzyJ0FtfYMdtSood97GawIo5xjNBMWWBfhBqsIxz08Qyxl7NLF6NrzNHsnc/vbfFUasNLG29yWFv6hTueCJFy7zqlbnbvqRMIJnQQorNK8DWuxoWgswi14Mi2+zhCsxPHwaX72xvBu3vXCWbMfu3ujiTUgWKwUxnn52MTg0wU3IY11m7WOr6gNtxyW6+fUuNAc0PlzrK761KsX5pcT8LsLMi88zWzCo7gKA8NheVQND5d92tyLjj28QawIMhXqOZdnlKDErkfXlUh8rcE+xcMrFMEdelb4dqkIAgqi6w8hJlVhVCZ5mj/d+sUrZqaKkM8v6klI6M2FLyzmeWwGOI7L13HExTpgLRnXt83/yIAZ0+pkYTAF0zzNyE2DhiUYr3q/a0JUo88g5tmbefjOGYREGmIZsnknrfvYz65szYm/fP03uela+sqdwz16lNjByYHBsSRxvtHDhJBt/uY2rAiWrB/NIN/tHsG+uPz/Df3YR6HaLZz7bOgGVciM96tgaiYAxWmKQf34S5emkZCs1Uc2dblGcCZ3INqUJFrNs+n2AOwCLGvRMi/EGTVIYjzx9X+9y9/bSF3k4o1XUfvIFdCDfJEiFdXmG3KMcxgwueHFtZSg7qparnpKXZzX3AHnhaZKOjzTNDMSqkNd1+RTF9fNGtu1+aBoNgoQhyIRQarEHkFQSudZFbBwGu6MOfp4rX9pciqQsQFRbDi5qykIBBfcVwy29pGtdqmjukWrumWwbP89Up5nQTAkkioGO3PHU8lz5O1BQU8j9AsX2RnwTNYfEWBCHOYu0J5DLGnRIgkoba6d20Zk+CyaNoBTAmylO9CR9qkxh+ynDAQFbHh3TUFuSNOMt7U1nN2akrjQLODhJIN04KaIKvEmlHTNrWPfUraeoWBf6QZKSLkKy0UyJYWbEJEFII7+G9h5961z0eiLRtoocg63cLqDWTVHJ0n8BQC/bSGekLt84bb+oba4sIfBph1TUOhl318tZmdxiX2ztaKAv00LmGCky3BhtLkVO4rLIMJxcvm7iO0an57WGvu2TuxTG+gSEKUvKcbWxWq6kWEfWVa7kIhzb2MYpov/1c/hphnMKOa10GqbI1NHXV3RWoKlHvX7kr3dG1B/xzeab3Pj10LVJikLlbrAwbSbvXy2b3d2hvhQNCX935Mzjx9CsXTtuL0+T20j8yqGDgnvKdE84ldTV6vxrFTE+YYA6T2789H0lGr5v/jeDd5QQTNV8eO+jR1Mj7PNQ1ZrxU39Qu3g4OEU6YFuwjd3ZwDQYMDWrBl0j7bP32yj0qc+b3rwB2bT22RZy9AcAxBKf2Iia1vIwDrm30KCtiRZXAXYX/DwPnIwflIZE4175bv/a/1yxr78rt71/Fn8ptrHP5M6+LYFxh80Gq+8x2xLSWEPVb19cMyWFKNiKaFvkxqvKUydpBw2+rxaZHNEorgRWIx+YGWe3N+1TxjX1IAmZey3ygEe5tb+jJQE/ddTXVUQFljQ3Q5fUPVZFu2NAb8gmpwx4GlhCAesAMfVJa9lm3eBXuO3BGunI8cBRnVJAX1ZsN+/pHmQRKhmWBDjewo8N96HJZ0AehHAs5igQ01zH01HNbuuROcMBio7bB3onDH+IMBvRrelQnJymR4nuRLyXAw+n4muE0KqrHeDnpZAh9ZKrGFMqZXxBYDdXGWo//7CrFFNXq+zVEl1Ob9/hwFp2EtrCI8xJcDUTU1/LN02u77+aeUuunzq2lPbThEHkiJl0mcX2tKg7dNz/hTeD3q+z9EFQc+1d9DR9NG9yrWuKHcwsz5nqC7+yn1G85eZD9PAxfmPO8wKV80uMHfQkTewmdWuCaXnEjK4EtksoMZ/95TxmQdvZUfcMZnG0rJ3cYm80si+9PkXStFXavoeR0DUOF4XkXoXH6PA17XchuWzG56T9Vzggc1C9H5csPrbjigeiT2q7421VOI/LcFamXJhJtmakIzKydIlX1nvH8jmaZrZe/iB5qxijb95aQTG6YcsRTfjB8a3uwsj5N45OO+2uTIHb7ygJc2N9u8uK0Tf8OBUCJLrwniYu3Mhx587QmT/mvU8n5w7s8kphEcHEJteVykRY/tn2PqN6Tod7D401r9QJLe1Ozk3GHNCBfy5YR3NDU+5izmxxKsl2oAzpjcJ3v9UIZdMWfzvIu/pvOTa1sVMY19iP0Fwbu955RHjgO5Rpd1RNA5YZqMqy9C7G0js6mhmqDgwGpWSFs90OK2V8t6lHzcl/1u79W7x2ttZevyLWUfFNcLggrLxLYTYFuKpBhRBXe8Qwg6odbOPmJU9wVwIThQmTk7UFv5XrFc10qieaK2pZDvCbmbYqFI35EX9W6BpRYvyk4ff0vIDfvjoOboRvTZek6kYKpnRdOQH9QdQZ5Kao9LMOG2yMKWiDcFxWq9JDioI+R3BWYcmRZM5nltUrTEZDJPm8yY1CNxmvlDRcyGnEnRUK2R2s+PpFCQ8SZ4dS+BhoKgKeZFtjoyTVwkSC1yUVJzJongVbg8DnONjwt+3KwiNNsRHF+bYkNqnlLj6uOlbUCiirJmftMRKXXDHO8YAnhhQO+Lh4LZJgR6RbLzoRWyomIA1tzSE5IHPXHpBWmXb51IqGXuUNTPPzOW6eV7oRAch3f+1Z7OTjVhDzezyw/EzyeCY0s1Y4aBVVDrE2HXnj2cOQKH977PjrQnLC35X9u+YM6qaU69aKqbujh0grPP1XaIMRGQKV7d2KoFRwzOB6atprOqqzAb3dFEZP6QH/0dpgSRBsx+sXh8R9Kxxg/cTjYsgznBST9o+ICYt00pvXtbgA7HtOXumwTw15LGnxTG8PMm/S2h7HiyxtePD/rqazu8+W2RFof3MeoaqTzjYR974/lyK+KqEKliKrw6YjtZOww9JH5zdBYDIVWTCMBNiL06vJ25djnS4wToiewoV642+2JozH9GYI6++xFBezP3/rUiuHm+jOfBv0pI3wwA/s+CZ8ox5Le3uUVy7zjOhYajSM7xvjf0ffJHxNNk3+FuOwI2mr+PSN3HAmriS3XN958SUa1w6oned0XUf/7y3wAAAP//NCXBlQ==") SupportedMap = make(map[string]Spec) for f, v := range unpacked { diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml index 8edc27061b0..38b251d95dc 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml @@ -16,6 +16,12 @@ filebeat: target: "event" fields: dataset: generic + - add_fields: + target: "elastic" + fields: + agent.id: agent-id + agent.version: 8.0.0 + agent.snapshot: false output: elasticsearch: enabled: true diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml index 8bd5d93a3b9..6e768db6aa4 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml @@ -17,6 +17,12 @@ filebeat: target: "event" fields: dataset: generic + - add_fields: + target: "elastic" + fields: + agent.id: agent-id + agent.version: 8.0.0 + agent.snapshot: false output: elasticsearch: hosts: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml index b996e13b531..01ee955e4ec 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml @@ -18,6 +18,12 @@ filebeat: target: "event" fields: dataset: generic + - add_fields: + target: "elastic" + fields: + agent.id: agent-id + agent.version: 8.0.0 + agent.snapshot: false - type: log paths: - /var/log/hello3.log @@ -36,6 +42,12 @@ filebeat: target: "event" fields: dataset: generic + - add_fields: + target: "elastic" + fields: + agent.id: agent-id + agent.version: 8.0.0 + agent.snapshot: false output: elasticsearch: hosts: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml index c62882ff6da..d09e80accf1 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml @@ -15,6 +15,12 @@ metricbeat: target: "event" fields: dataset: docker.status + - add_fields: + target: "elastic" + fields: + agent.id: agent-id + agent.version: 8.0.0 + agent.snapshot: false - module: docker metricsets: [info] index: metrics-generic-default @@ -30,6 +36,12 @@ metricbeat: target: "event" fields: dataset: generic + - add_fields: + target: "elastic" + fields: + agent.id: agent-id + agent.version: 8.0.0 + agent.snapshot: false - module: apache metricsets: [info] index: metrics-generic-testing @@ -48,7 +60,12 @@ metricbeat: target: "event" fields: dataset: generic - + - add_fields: + target: "elastic" + fields: + agent.id: agent-id + agent.version: 8.0.0 + agent.snapshot: false output: elasticsearch: hosts: [127.0.0.1:9200, 127.0.0.1:9300] diff --git a/x-pack/elastic-agent/pkg/agent/storage/storage.go b/x-pack/elastic-agent/pkg/agent/storage/storage.go index b37c6e06ab3..2435311486a 100644 --- a/x-pack/elastic-agent/pkg/agent/storage/storage.go +++ b/x-pack/elastic-agent/pkg/agent/storage/storage.go @@ -20,7 +20,9 @@ import ( const perms os.FileMode = 0600 -type store interface { +// Store saves the io.Reader. +type Store interface { + // Save the io.Reader. Save(io.Reader) error } @@ -62,12 +64,12 @@ type ReplaceOnSuccessStore struct { target string replaceWith []byte - wrapped store + wrapped Store } // NewReplaceOnSuccessStore takes a target file and a replacement content and will replace the target // file content if the wrapped store execution is done without any error. -func NewReplaceOnSuccessStore(target string, replaceWith []byte, wrapped store) *ReplaceOnSuccessStore { +func NewReplaceOnSuccessStore(target string, replaceWith []byte, wrapped Store) *ReplaceOnSuccessStore { return &ReplaceOnSuccessStore{ target: target, replaceWith: replaceWith, diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/rules.go b/x-pack/elastic-agent/pkg/agent/transpiler/rules.go index 5ad790eb31e..29ff1786d1e 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/rules.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/rules.go @@ -14,6 +14,13 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" ) +// AgentInfo is an interface to get the agent info. +type AgentInfo interface { + AgentID() string + Version() string + Snapshot() bool +} + // RuleList is a container that allow the same tree to be executed on multiple defined Rule. type RuleList struct { Rules []Rule @@ -21,15 +28,15 @@ type RuleList struct { // Rule defines a rule that can be Applied on the Tree. type Rule interface { - Apply(*AST) error + Apply(AgentInfo, *AST) error } // Apply applies a list of rules over the same tree and use the result of the previous execution // as the input of the next rule, will return early if any error is raise during the execution. -func (r *RuleList) Apply(ast *AST) error { +func (r *RuleList) Apply(agentInfo AgentInfo, ast *AST) error { var err error for _, rule := range r.Rules { - err = rule.Apply(ast) + err = rule.Apply(agentInfo, ast) if err != nil { return err } @@ -73,6 +80,8 @@ func (r *RuleList) MarshalYAML() (interface{}, error) { name = "inject_index" case *InjectStreamProcessorRule: name = "inject_stream_processor" + case *InjectAgentInfoRule: + name = "inject_agent_info" case *MakeArrayRule: name = "make_array" case *RemoveKeyRule: @@ -154,6 +163,8 @@ func (r *RuleList) UnmarshalYAML(unmarshal func(interface{}) error) error { r = &InjectIndexRule{} case "inject_stream_processor": r = &InjectStreamProcessorRule{} + case "inject_agent_info": + r = &InjectAgentInfoRule{} case "make_array": r = &MakeArrayRule{} case "remove_key": @@ -181,7 +192,7 @@ type SelectIntoRule struct { } // Apply applies select into rule. -func (r *SelectIntoRule) Apply(ast *AST) error { +func (r *SelectIntoRule) Apply(_ AgentInfo, ast *AST) error { target := &Dict{} for _, selector := range r.Selectors { @@ -214,7 +225,7 @@ type RemoveKeyRule struct { } // Apply applies remove key rule. -func (r *RemoveKeyRule) Apply(ast *AST) error { +func (r *RemoveKeyRule) Apply(_ AgentInfo, ast *AST) error { sourceMap, ok := ast.root.(*Dict) if !ok { return nil @@ -250,7 +261,7 @@ type MakeArrayRule struct { } // Apply applies make array rule. -func (r *MakeArrayRule) Apply(ast *AST) error { +func (r *MakeArrayRule) Apply(_ AgentInfo, ast *AST) error { sourceNode, found := Lookup(ast, r.Item) if !found { return nil @@ -286,7 +297,7 @@ type CopyToListRule struct { } // Apply copies specified node into every item of the list. -func (r *CopyToListRule) Apply(ast *AST) error { +func (r *CopyToListRule) Apply(_ AgentInfo, ast *AST) error { sourceNode, found := Lookup(ast, r.Item) if !found { // nothing to copy @@ -347,7 +358,7 @@ type CopyAllToListRule struct { } // Apply copies all nodes into every item of the list. -func (r *CopyAllToListRule) Apply(ast *AST) error { +func (r *CopyAllToListRule) Apply(agentInfo AgentInfo, ast *AST) error { // get list of nodes astMap, err := ast.Map() if err != nil { @@ -370,7 +381,7 @@ func (r *CopyAllToListRule) Apply(ast *AST) error { continue } - if err := CopyToList(item, r.To, r.OnConflict).Apply(ast); err != nil { + if err := CopyToList(item, r.To, r.OnConflict).Apply(agentInfo, ast); err != nil { return err } } @@ -393,7 +404,7 @@ type FixStreamRule struct { } // Apply stream fixes. -func (r *FixStreamRule) Apply(ast *AST) error { +func (r *FixStreamRule) Apply(_ AgentInfo, ast *AST) error { const defaultDataset = "generic" const defaultNamespace = "default" @@ -526,7 +537,7 @@ type InjectIndexRule struct { } // Apply injects index into input. -func (r *InjectIndexRule) Apply(ast *AST) error { +func (r *InjectIndexRule) Apply(_ AgentInfo, ast *AST) error { inputsNode, found := Lookup(ast, "inputs") if !found { return nil @@ -583,7 +594,7 @@ type InjectStreamProcessorRule struct { } // Apply injects processor into input. -func (r *InjectStreamProcessorRule) Apply(ast *AST) error { +func (r *InjectStreamProcessorRule) Apply(_ AgentInfo, ast *AST) error { inputsNode, found := Lookup(ast, "inputs") if !found { return nil @@ -665,6 +676,63 @@ func InjectStreamProcessor(onMerge, streamType string) *InjectStreamProcessorRul } } +// InjectAgentInfoRule injects agent information into each rule. +type InjectAgentInfoRule struct{} + +// Apply injects index into input. +func (r *InjectAgentInfoRule) Apply(agentInfo AgentInfo, ast *AST) error { + inputsNode, found := Lookup(ast, "inputs") + if !found { + return nil + } + + inputsList, ok := inputsNode.Value().(*List) + if !ok { + return nil + } + + for _, inputNode := range inputsList.value { + inputMap, ok := inputNode.(*Dict) + if !ok { + continue + } + + // get processors node + processorsNode, found := inputMap.Find("processors") + if !found { + processorsNode = &Key{ + name: "processors", + value: &List{value: make([]Node, 0)}, + } + + inputMap.value = append(inputMap.value, processorsNode) + } + + processorsList, ok := processorsNode.Value().(*List) + if !ok { + return errors.New("InjectAgentInfoRule: processors is not a list") + } + + // elastic.agent + processorMap := &Dict{value: make([]Node, 0)} + processorMap.value = append(processorMap.value, &Key{name: "target", value: &StrVal{value: "elastic"}}) + processorMap.value = append(processorMap.value, &Key{name: "fields", value: &Dict{value: []Node{ + &Key{name: "agent.id", value: &StrVal{value: agentInfo.AgentID()}}, + &Key{name: "agent.version", value: &StrVal{value: agentInfo.Version()}}, + &Key{name: "agent.snapshot", value: &BoolVal{value: agentInfo.Snapshot()}}, + }}}) + addFieldsMap := &Dict{value: []Node{&Key{"add_fields", processorMap}}} + processorsList.value = mergeStrategy("").InjectItem(processorsList.value, addFieldsMap) + } + + return nil +} + +// InjectAgentInfo creates a InjectAgentInfoRule +func InjectAgentInfo() *InjectAgentInfoRule { + return &InjectAgentInfoRule{} +} + // ExtractListItemRule extract items with specified name from a list of maps. // The result is store in a new array. // Example: @@ -679,7 +747,7 @@ type ExtractListItemRule struct { } // Apply extracts items from array. -func (r *ExtractListItemRule) Apply(ast *AST) error { +func (r *ExtractListItemRule) Apply(_ AgentInfo, ast *AST) error { node, found := Lookup(ast, r.Path) if !found { return nil @@ -740,7 +808,7 @@ type RenameRule struct { // Apply renames the last items of a Selector to a new name and keep all the other values and will // return an error on failure. -func (r *RenameRule) Apply(ast *AST) error { +func (r *RenameRule) Apply(_ AgentInfo, ast *AST) error { // Skip rename when node is not found. node, ok := Lookup(ast, r.From) if !ok { @@ -773,7 +841,7 @@ func Copy(from, to Selector) *CopyRule { } // Apply copy a part of a tree into a new destination. -func (r CopyRule) Apply(ast *AST) error { +func (r CopyRule) Apply(_ AgentInfo, ast *AST) error { node, ok := Lookup(ast, r.From) // skip when the `from` node is not found. if !ok { @@ -800,7 +868,7 @@ func Translate(path Selector, mapper map[string]interface{}) *TranslateRule { } // Apply translates matching elements of a translation table for a specific selector. -func (r *TranslateRule) Apply(ast *AST) error { +func (r *TranslateRule) Apply(_ AgentInfo, ast *AST) error { // Skip translate when node is not found. node, ok := Lookup(ast, r.Path) if !ok { @@ -873,7 +941,7 @@ func TranslateWithRegexp(path Selector, re *regexp.Regexp, with string) *Transla } // Apply translates matching elements of a translation table for a specific selector. -func (r *TranslateWithRegexpRule) Apply(ast *AST) error { +func (r *TranslateWithRegexpRule) Apply(_ AgentInfo, ast *AST) error { // Skip translate when node is not found. node, ok := Lookup(ast, r.Path) if !ok { @@ -914,7 +982,7 @@ func Map(path Selector, rules ...Rule) *MapRule { } // Apply maps multiples rules over a subset of the tree. -func (r *MapRule) Apply(ast *AST) error { +func (r *MapRule) Apply(agentInfo AgentInfo, ast *AST) error { node, ok := Lookup(ast, r.Path) // Skip map when node is not found. if !ok { @@ -931,15 +999,15 @@ func (r *MapRule) Apply(ast *AST) error { switch t := n.Value().(type) { case *List: - return mapList(r, t) + return mapList(agentInfo, r, t) case *Dict: - return mapDict(r, t) + return mapDict(agentInfo, r, t) case *Key: switch t := n.Value().(type) { case *List: - return mapList(r, t) + return mapList(agentInfo, r, t) case *Dict: - return mapDict(r, t) + return mapDict(agentInfo, r, t) default: return fmt.Errorf( "cannot iterate over node, invalid type expected 'List' or 'Dict' received '%T'", @@ -954,13 +1022,13 @@ func (r *MapRule) Apply(ast *AST) error { ) } -func mapList(r *MapRule, l *List) error { +func mapList(agentInfo AgentInfo, r *MapRule, l *List) error { values := l.Value().([]Node) for idx, item := range values { newAST := &AST{root: item} for _, rule := range r.Rules { - err := rule.Apply(newAST) + err := rule.Apply(agentInfo, newAST) if err != nil { return err } @@ -970,10 +1038,10 @@ func mapList(r *MapRule, l *List) error { return nil } -func mapDict(r *MapRule, l *Dict) error { +func mapDict(agentInfo AgentInfo, r *MapRule, l *Dict) error { newAST := &AST{root: l} for _, rule := range r.Rules { - err := rule.Apply(newAST) + err := rule.Apply(agentInfo, newAST) if err != nil { return err } @@ -1024,7 +1092,7 @@ func Filter(selectors ...Selector) *FilterRule { } // Apply filters a Tree based on list of selectors. -func (r *FilterRule) Apply(ast *AST) error { +func (r *FilterRule) Apply(_ AgentInfo, ast *AST) error { mergedAST := &AST{root: &Dict{}} var err error for _, selector := range r.Selectors { @@ -1054,7 +1122,7 @@ func FilterValues(selector Selector, key Selector, values ...interface{}) *Filte } // Apply filters a Tree based on list of selectors. -func (r *FilterValuesRule) Apply(ast *AST) error { +func (r *FilterValuesRule) Apply(_ AgentInfo, ast *AST) error { node, ok := Lookup(ast, r.Selector) // Skip map when node is not found. if !ok { @@ -1167,7 +1235,7 @@ func (r *FilterValuesWithRegexpRule) UnmarshalYAML(unmarshal func(interface{}) e } // Apply filters a Tree based on list of selectors. -func (r *FilterValuesWithRegexpRule) Apply(ast *AST) error { +func (r *FilterValuesWithRegexpRule) Apply(_ AgentInfo, ast *AST) error { node, ok := Lookup(ast, r.Selector) // Skip map when node is not found. if !ok { diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go b/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go index c3207f48cea..d92ba0de985 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go @@ -165,6 +165,51 @@ inputs: }, }, + "inject agent info": { + givenYAML: ` +inputs: + - name: No processors + type: file + - name: With processors + type: file + processors: + - add_fields: + target: other + fields: + data: more +`, + expectedYAML: ` +inputs: + - name: No processors + type: file + processors: + - add_fields: + target: elastic + fields: + agent.id: agent-id + agent.snapshot: false + agent.version: 8.0.0 + - name: With processors + type: file + processors: + - add_fields: + target: other + fields: + data: more + - add_fields: + target: elastic + fields: + agent.id: agent-id + agent.snapshot: false + agent.version: 8.0.0 +`, + rule: &RuleList{ + Rules: []Rule{ + InjectAgentInfo(), + }, + }, + }, + "extract items from array": { givenYAML: ` streams: @@ -615,7 +660,7 @@ logs: a, err := makeASTFromYAML(test.givenYAML) require.NoError(t, err) - err = test.rule.Apply(a) + err = test.rule.Apply(FakeAgentInfo(), a) require.NoError(t, err) v := &MapVisitor{} @@ -751,3 +796,21 @@ func TestSerialization(t *testing.T) { assert.Equal(t, value, v) }) } + +type fakeAgentInfo struct{} + +func (*fakeAgentInfo) AgentID() string { + return "agent-id" +} + +func (*fakeAgentInfo) Version() string { + return "8.0.0" +} + +func (*fakeAgentInfo) Snapshot() bool { + return false +} + +func FakeAgentInfo() AgentInfo { + return &fakeAgentInfo{} +} diff --git a/x-pack/elastic-agent/pkg/agent/warn/warn.go b/x-pack/elastic-agent/pkg/agent/warn/warn.go index 03d746992f6..182d2af50b0 100644 --- a/x-pack/elastic-agent/pkg/agent/warn/warn.go +++ b/x-pack/elastic-agent/pkg/agent/warn/warn.go @@ -21,4 +21,5 @@ func LogNotGA(log *logger.Logger) { // PrintNotGA writes to the received writer that the Agent is not GA. func PrintNotGA(output io.Writer) { fmt.Fprintln(output, message) + fmt.Fprintln(output) } diff --git a/x-pack/elastic-agent/pkg/artifact/download/composed/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/composed/verifier.go index 33397a87e1e..663484130f4 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/composed/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/composed/verifier.go @@ -29,11 +29,12 @@ func NewVerifier(verifiers ...download.Verifier) *Verifier { } // Verify checks the package from configured source. -func (e *Verifier) Verify(programName, version string) (bool, error) { +func (e *Verifier) Verify(programName, version, artifactName string, removeOnFailure bool) (bool, error) { var err error - for _, v := range e.vv { - b, e := v.Verify(programName, version) + for i, v := range e.vv { + isLast := (i + 1) == len(e.vv) + b, e := v.Verify(programName, version, artifactName, isLast && removeOnFailure) if e == nil { return b, nil } diff --git a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go index d934b20faef..56652d4f69c 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go @@ -51,20 +51,23 @@ func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (*Veri // Verify checks downloaded package on preconfigured // location agains a key stored on elastic.co website. -func (v *Verifier) Verify(programName, version string) (bool, error) { +func (v *Verifier) Verify(programName, version, artifactName string, removeOnFailure bool) (isMatch bool, err error) { filename, err := artifact.GetArtifactName(programName, version, v.config.OS(), v.config.Arch()) if err != nil { return false, errors.New(err, "retrieving package name") } fullPath := filepath.Join(v.config.TargetDirectory, filename) + defer func() { + if removeOnFailure && (!isMatch || err != nil) { + // remove bits so they can be redownloaded + os.Remove(fullPath) + os.Remove(fullPath + ".sha512") + os.Remove(fullPath + ".asc") + } + }() - isMatch, err := v.verifyHash(filename, fullPath) - if !isMatch || err != nil { - // remove bits so they can be redownloaded - os.Remove(fullPath) - os.Remove(fullPath + ".sha512") - os.Remove(fullPath + ".asc") + if isMatch, err := v.verifyHash(filename, fullPath); !isMatch || err != nil { return isMatch, err } diff --git a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go index 4fd845482c5..a79f35bdd6f 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go +++ b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go @@ -65,7 +65,7 @@ func TestFetchVerify(t *testing.T) { // first download verify should fail: // download skipped, as invalid package is prepared upfront // verify fails and cleans download - matches, err := verifier.Verify(programName, version) + matches, err := verifier.Verify(programName, version, artifactName, true) assert.NoError(t, err) assert.Equal(t, false, matches) @@ -88,7 +88,7 @@ func TestFetchVerify(t *testing.T) { _, err = os.Stat(hashTargetFilePath) assert.NoError(t, err) - matches, err = verifier.Verify(programName, version) + matches, err = verifier.Verify(programName, version, artifactName, true) assert.NoError(t, err) assert.Equal(t, true, matches) } @@ -162,7 +162,7 @@ func TestVerify(t *testing.T) { t.Fatal(err) } - isOk, err := testVerifier.Verify(beatName, version) + isOk, err := testVerifier.Verify(beatName, version, artifactName, true) if err != nil { t.Fatal(err) } diff --git a/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go b/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go index 0edb979a320..0ff4dfd2b93 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go +++ b/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go @@ -110,7 +110,7 @@ func TestVerify(t *testing.T) { t.Fatal(err) } - isOk, err := testVerifier.Verify(beatName, version) + isOk, err := testVerifier.Verify(beatName, version, artifactName, false) if err != nil { t.Fatal(err) } diff --git a/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go index 9f2eacd9395..b5b5e628b4a 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go @@ -59,9 +59,7 @@ func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (*Veri // Verify checks downloaded package on preconfigured // location agains a key stored on elastic.co website. -func (v *Verifier) Verify(programName, version string) (bool, error) { - // TODO: think about verifying asc for prepacked beats - +func (v *Verifier) Verify(programName, version, artifactName string, removeOnFailure bool) (isMatch bool, err error) { filename, err := artifact.GetArtifactName(programName, version, v.config.OS(), v.config.Arch()) if err != nil { return false, errors.New(err, "retrieving package name") @@ -72,16 +70,20 @@ func (v *Verifier) Verify(programName, version string) (bool, error) { return false, errors.New(err, "retrieving package path") } - isMatch, err := v.verifyHash(filename, fullPath) - if !isMatch || err != nil { - // remove bits so they can be redownloaded - os.Remove(fullPath) - os.Remove(fullPath + ".sha512") - os.Remove(fullPath + ".asc") + defer func() { + if removeOnFailure && (!isMatch || err != nil) { + // remove bits so they can be redownloaded + os.Remove(fullPath) + os.Remove(fullPath + ".sha512") + os.Remove(fullPath + ".asc") + } + }() + + if isMatch, err := v.verifyHash(filename, fullPath); !isMatch || err != nil { return isMatch, err } - return v.verifyAsc(programName, version) + return v.verifyAsc(programName, version, artifactName) } func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { @@ -127,7 +129,7 @@ func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { return expectedHash == computedHash, nil } -func (v *Verifier) verifyAsc(programName, version string) (bool, error) { +func (v *Verifier) verifyAsc(programName, version, artifactName string) (bool, error) { if len(v.pgpBytes) == 0 { // no pgp available skip verification process return true, nil @@ -143,7 +145,7 @@ func (v *Verifier) verifyAsc(programName, version string) (bool, error) { return false, errors.New(err, "retrieving package path") } - ascURI, err := v.composeURI(programName, filename) + ascURI, err := v.composeURI(filename, artifactName) if err != nil { return false, errors.New(err, "composing URI for fetching asc file", errors.TypeNetwork) } @@ -177,7 +179,7 @@ func (v *Verifier) verifyAsc(programName, version string) (bool, error) { } -func (v *Verifier) composeURI(programName, filename string) (string, error) { +func (v *Verifier) composeURI(filename, artifactName string) (string, error) { upstream := v.config.SourceURI if !strings.HasPrefix(upstream, "http") && !strings.HasPrefix(upstream, "file") && !strings.HasPrefix(upstream, "/") { // always default to https @@ -190,7 +192,7 @@ func (v *Verifier) composeURI(programName, filename string) (string, error) { return "", errors.New(err, "invalid upstream URI", errors.TypeNetwork, errors.M(errors.MetaKeyURI, upstream)) } - uri.Path = path.Join(uri.Path, "beats", programName, filename+ascSuffix) + uri.Path = path.Join(uri.Path, artifactName, filename+ascSuffix) return uri.String(), nil } diff --git a/x-pack/elastic-agent/pkg/artifact/download/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/verifier.go index 6aa4dc4abe4..d7b2bc7a415 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/verifier.go @@ -6,5 +6,5 @@ package download // Verifier is an interface verifying GPG key of a downloaded artifact type Verifier interface { - Verify(programName, version string) (bool, error) + Verify(programName, version, artifactName string, removeOnFailure bool) (bool, error) } diff --git a/x-pack/elastic-agent/pkg/artifact/install/tar/tar_installer.go b/x-pack/elastic-agent/pkg/artifact/install/tar/tar_installer.go index 5c7f0f593a3..74a74e4c6bc 100644 --- a/x-pack/elastic-agent/pkg/artifact/install/tar/tar_installer.go +++ b/x-pack/elastic-agent/pkg/artifact/install/tar/tar_installer.go @@ -99,9 +99,19 @@ func unpack(r io.Reader, dir string) error { } _, err = io.Copy(wf, tr) + + if err == nil { + // sometimes we try executing binary too fast and run into text file busy after unpacking + // syncing prevents this + if syncErr := wf.Sync(); syncErr != nil { + err = syncErr + } + } + if closeErr := wf.Close(); closeErr != nil && err == nil { err = closeErr } + if err != nil { return fmt.Errorf("TarInstaller: error writing to %s: %v", abs, err) } diff --git a/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go b/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go index ffc90f2dce8..b565f630a73 100644 --- a/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go +++ b/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go @@ -102,14 +102,18 @@ func (i *Installer) unzip(artifactPath string) error { return err } defer func() { - if cerr := f.Close(); cerr != nil { - err = multierror.Append(err, cerr) + if closeErr := f.Close(); closeErr != nil { + err = multierror.Append(err, closeErr) } }() if _, err = io.Copy(f, rc); err != nil { return err } + + // sometimes we try executing binary too fast and run into text file busy after unpacking + // syncing prevents this + f.Sync() } return nil } diff --git a/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go b/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go index 119809338d6..6c656839820 100644 --- a/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go +++ b/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go @@ -52,7 +52,7 @@ func TestCmdBinaryOnlyYAML(t *testing.T) { } func TestCmdDaemon(t *testing.T) { - srv := server.New(newErrorLogger(t), nil) + srv := server.New(newErrorLogger(t), nil, nil) require.NoError(t, srv.Start()) defer srv.Stop() @@ -67,7 +67,7 @@ func TestCmdDaemon(t *testing.T) { } func TestCmdDaemonYAML(t *testing.T) { - srv := server.New(newErrorLogger(t), nil) + srv := server.New(newErrorLogger(t), nil, nil) require.NoError(t, srv.Start()) defer srv.Stop() diff --git a/x-pack/elastic-agent/pkg/composable/providers/kubernetes/config.go b/x-pack/elastic-agent/pkg/composable/providers/kubernetes/config.go new file mode 100644 index 00000000000..200bedbe878 --- /dev/null +++ b/x-pack/elastic-agent/pkg/composable/providers/kubernetes/config.go @@ -0,0 +1,31 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// TODO review the need for this +// +build linux darwin windows + +package kubernetes + +import ( + "time" +) + +// Config for kubernetes provider +type Config struct { + KubeConfig string `config:"kube_config"` + SyncPeriod time.Duration `config:"sync_period"` + CleanupTimeout time.Duration `config:"cleanup_timeout" validate:"positive"` + + // Needed when resource is a pod + Node string `config:"node"` + + // Scope of the provider (cluster or node) + Scope string `config:"scope"` +} + +// InitDefaults initializes the default values for the config. +func (c *Config) InitDefaults() { + c.SyncPeriod = 10 * time.Minute + c.CleanupTimeout = 60 * time.Second +} diff --git a/x-pack/elastic-agent/pkg/composable/providers/kubernetes/kubernetes.go b/x-pack/elastic-agent/pkg/composable/providers/kubernetes/kubernetes.go new file mode 100644 index 00000000000..c777c8a05ce --- /dev/null +++ b/x-pack/elastic-agent/pkg/composable/providers/kubernetes/kubernetes.go @@ -0,0 +1,215 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package kubernetes + +import ( + "fmt" + "time" + + "github.com/elastic/beats/v7/libbeat/common/kubernetes" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +func init() { + composable.Providers.AddDynamicProvider("kubernetes", DynamicProviderBuilder) +} + +type dynamicProvider struct { + logger *logger.Logger + config *Config +} + +type eventWatcher struct { + logger *logger.Logger + cleanupTimeout time.Duration + comm composable.DynamicProviderComm +} + +// DynamicProviderBuilder builds the dynamic provider. +func DynamicProviderBuilder(logger *logger.Logger, c *config.Config) (composable.DynamicProvider, error) { + var cfg Config + if c == nil { + c = config.New() + } + err := c.Unpack(&cfg) + if err != nil { + return nil, errors.New(err, "failed to unpack configuration") + } + return &dynamicProvider{logger, &cfg}, nil +} + +// Run runs the environment context provider. +func (p *dynamicProvider) Run(comm composable.DynamicProviderComm) error { + client, err := kubernetes.GetKubernetesClient(p.config.KubeConfig) + if err != nil { + // info only; return nil (do nothing) + p.logger.Debugf("Kubernetes provider skipped, unable to connect: %s", err) + return nil + } + + // Ensure that node is set correctly whenever the scope is set to "node". Make sure that node is empty + // when cluster scope is enforced. + if p.config.Scope == "node" { + p.config.Node = kubernetes.DiscoverKubernetesNode(p.logger, p.config.Node, kubernetes.IsInCluster(p.config.KubeConfig), client) + } else { + p.config.Node = "" + } + p.logger.Infof("Kubernetes provider started with %s scope", p.config.Scope) + p.logger.Debugf("Initializing Kubernetes watcher using node: %v", p.config.Node) + + watcher, err := kubernetes.NewWatcher(client, &kubernetes.Pod{}, kubernetes.WatchOptions{ + SyncTimeout: p.config.SyncPeriod, + Node: p.config.Node, + //Namespace: p.config.Namespace, + }, nil) + if err != nil { + return errors.New(err, "couldn't create kubernetes watcher") + } + + watcher.AddEventHandler(&eventWatcher{p.logger, p.config.CleanupTimeout, comm}) + + err = watcher.Start() + if err != nil { + return errors.New(err, "couldn't start kubernetes watcher") + } + + return nil +} + +func (p *eventWatcher) emitRunning(pod *kubernetes.Pod) { + mapping := map[string]interface{}{ + "namespace": pod.GetNamespace(), + "pod": map[string]interface{}{ + "uid": string(pod.GetUID()), + "name": pod.GetName(), + "labels": pod.GetLabels(), + "ip": pod.Status.PodIP, + }, + } + + processors := []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": mapping, + "target": "kubernetes", + }, + }, + } + + // Emit the pod + // We emit Pod + containers to ensure that configs matching Pod only + // get Pod metadata (not specific to any container) + p.comm.AddOrUpdate(string(pod.GetUID()), mapping, processors) + + // Emit all containers in the pod + p.emitContainers(pod, pod.Spec.Containers, pod.Status.ContainerStatuses) + + // TODO deal with init containers stopping after initialization + p.emitContainers(pod, pod.Spec.InitContainers, pod.Status.InitContainerStatuses) +} + +func (p *eventWatcher) emitContainers(pod *kubernetes.Pod, containers []kubernetes.Container, containerstatuses []kubernetes.PodContainerStatus) { + // Collect all runtimes from status information. + containerIDs := map[string]string{} + runtimes := map[string]string{} + for _, c := range containerstatuses { + cid, runtime := kubernetes.ContainerIDWithRuntime(c) + containerIDs[c.Name] = cid + runtimes[c.Name] = runtime + } + + for _, c := range containers { + // If it doesn't have an ID, container doesn't exist in + // the runtime, emit only an event if we are stopping, so + // we are sure of cleaning up configurations. + cid := containerIDs[c.Name] + if cid == "" { + continue + } + + // ID is the combination of pod UID + container name + eventID := fmt.Sprintf("%s.%s", pod.GetObjectMeta().GetUID(), c.Name) + + mapping := map[string]interface{}{ + "namespace": pod.GetNamespace(), + "pod": map[string]interface{}{ + "uid": string(pod.GetUID()), + "name": pod.GetName(), + "labels": pod.GetLabels(), + "ip": pod.Status.PodIP, + }, + "container": map[string]interface{}{ + "id": cid, + "name": c.Name, + "image": c.Image, + "runtime": runtimes[c.Name], + }, + } + + processors := []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": mapping, + "target": "kubernetes", + }, + }, + } + + // Emit the container + p.comm.AddOrUpdate(eventID, mapping, processors) + } +} + +func (p *eventWatcher) emitStopped(pod *kubernetes.Pod) { + p.comm.Remove(string(pod.GetUID())) + + for _, c := range pod.Spec.Containers { + // ID is the combination of pod UID + container name + eventID := fmt.Sprintf("%s.%s", pod.GetObjectMeta().GetUID(), c.Name) + p.comm.Remove(eventID) + } + + for _, c := range pod.Spec.InitContainers { + // ID is the combination of pod UID + container name + eventID := fmt.Sprintf("%s.%s", pod.GetObjectMeta().GetUID(), c.Name) + p.comm.Remove(eventID) + } +} + +// OnAdd ensures processing of pod objects that are newly added +func (p *eventWatcher) OnAdd(obj interface{}) { + p.logger.Debugf("pod add: %+v", obj) + p.emitRunning(obj.(*kubernetes.Pod)) +} + +// OnUpdate emits events for a given pod depending on the state of the pod, +// if it is terminating, a stop event is scheduled, if not, a stop and a start +// events are sent sequentially to recreate the resources assotiated to the pod. +func (p *eventWatcher) OnUpdate(obj interface{}) { + pod := obj.(*kubernetes.Pod) + + p.logger.Debugf("pod update for pod: %+v, status: %+v", pod.Name, pod.Status.Phase) + switch pod.Status.Phase { + case kubernetes.PodSucceeded, kubernetes.PodFailed: + time.AfterFunc(p.cleanupTimeout, func() { p.emitStopped(pod) }) + return + case kubernetes.PodPending: + p.logger.Debugf("pod update (pending): don't know what to do with this pod yet, skipping for now: %+v", obj) + return + } + + p.logger.Debugf("pod update: %+v", obj) + p.emitRunning(pod) +} + +// OnDelete stops pod objects that are deleted +func (p *eventWatcher) OnDelete(obj interface{}) { + p.logger.Debugf("pod delete: %+v", obj) + pod := obj.(*kubernetes.Pod) + time.AfterFunc(p.cleanupTimeout, func() { p.emitStopped(pod) }) +} diff --git a/x-pack/elastic-agent/pkg/core/plugin/process/app.go b/x-pack/elastic-agent/pkg/core/plugin/process/app.go index 5f9cf6efb25..8732af24f68 100644 --- a/x-pack/elastic-agent/pkg/core/plugin/process/app.go +++ b/x-pack/elastic-agent/pkg/core/plugin/process/app.go @@ -117,7 +117,7 @@ func (a *Application) Name() string { // Started returns true if the application is started. func (a *Application) Started() bool { - return a.state.Status != state.Stopped + return a.state.Status != state.Stopped && a.state.Status != state.Crashed && a.state.Status != state.Failed } // Stop stops the current application. diff --git a/x-pack/elastic-agent/pkg/core/plugin/process/start.go b/x-pack/elastic-agent/pkg/core/plugin/process/start.go index c5f1ffb3842..bc19910e53c 100644 --- a/x-pack/elastic-agent/pkg/core/plugin/process/start.go +++ b/x-pack/elastic-agent/pkg/core/plugin/process/start.go @@ -39,7 +39,7 @@ func (a *Application) start(ctx context.Context, t app.Taggable, cfg map[string] }() // already started if not stopped or crashed - if a.state.Status != state.Stopped && a.state.Status != state.Crashed && a.state.Status != state.Failed { + if a.Started() { return nil } diff --git a/x-pack/elastic-agent/pkg/core/state/state.go b/x-pack/elastic-agent/pkg/core/state/state.go index 6b7c8bd53de..670cdc2a2f2 100644 --- a/x-pack/elastic-agent/pkg/core/state/state.go +++ b/x-pack/elastic-agent/pkg/core/state/state.go @@ -30,6 +30,8 @@ const ( Crashed // Restarting is status describing application is restarting. Restarting + // Updating is status describing application is updating. + Updating ) // State wraps the process state and application status. diff --git a/x-pack/elastic-agent/pkg/fleetapi/ack_cmd.go b/x-pack/elastic-agent/pkg/fleetapi/ack_cmd.go index ac568c884d1..5c197289ed9 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/ack_cmd.go +++ b/x-pack/elastic-agent/pkg/fleetapi/ack_cmd.go @@ -14,7 +14,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" ) -const ackPath = "/api/ingest_manager/fleet/agents/%s/acks" +const ackPath = "/api/fleet/agents/%s/acks" // AckEvent is an event sent in an ACK request. type AckEvent struct { diff --git a/x-pack/elastic-agent/pkg/fleetapi/ack_cmd_test.go b/x-pack/elastic-agent/pkg/fleetapi/ack_cmd_test.go index a9e3aebc25b..1f1bfdb21eb 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/ack_cmd_test.go +++ b/x-pack/elastic-agent/pkg/fleetapi/ack_cmd_test.go @@ -22,7 +22,7 @@ func TestAck(t *testing.T) { func(t *testing.T) *http.ServeMux { raw := `{"action": "ack"}` mux := http.NewServeMux() - path := fmt.Sprintf("/api/ingest_manager/fleet/agents/%s/acks", agentInfo.AgentID()) + path := fmt.Sprintf("/api/fleet/agents/%s/acks", agentInfo.AgentID()) mux.HandleFunc(path, authHandler(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) @@ -46,10 +46,10 @@ func TestAck(t *testing.T) { return mux }, withAPIKey, func(t *testing.T, client clienter) { - action := &ActionConfigChange{ + action := &ActionPolicyChange{ ActionID: "my-id", - ActionType: "CONFIG_CHANGE", - Config: map[string]interface{}{ + ActionType: "POLICY_CHANGE", + Policy: map[string]interface{}{ "id": "config_id", }, } diff --git a/x-pack/elastic-agent/pkg/fleetapi/action.go b/x-pack/elastic-agent/pkg/fleetapi/action.go index efb4e1672aa..2329546629c 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/action.go +++ b/x-pack/elastic-agent/pkg/fleetapi/action.go @@ -17,8 +17,8 @@ const ( ActionTypeUpgrade = "UPGRADE" // ActionTypeUnenroll specifies unenroll action. ActionTypeUnenroll = "UNENROLL" - // ActionTypeConfigChange specifies config change action. - ActionTypeConfigChange = "CONFIG_CHANGE" + // ActionTypePolicyChange specifies policy change action. + ActionTypePolicyChange = "POLICY_CHANGE" ) // Action base interface for all the implemented action from the fleet API. @@ -66,14 +66,14 @@ func (a *ActionUnknown) OriginalType() string { return a.originalType } -// ActionConfigChange is a request to apply a new -type ActionConfigChange struct { +// ActionPolicyChange is a request to apply a new +type ActionPolicyChange struct { ActionID string ActionType string - Config map[string]interface{} `json:"config"` + Policy map[string]interface{} `json:"policy"` } -func (a *ActionConfigChange) String() string { +func (a *ActionPolicyChange) String() string { var s strings.Builder s.WriteString("action_id: ") s.WriteString(a.ActionID) @@ -83,12 +83,12 @@ func (a *ActionConfigChange) String() string { } // Type returns the type of the Action. -func (a *ActionConfigChange) Type() string { +func (a *ActionPolicyChange) Type() string { return a.ActionType } // ID returns the ID of the Action. -func (a *ActionConfigChange) ID() string { +func (a *ActionPolicyChange) ID() string { return a.ActionID } @@ -97,7 +97,7 @@ type ActionUpgrade struct { ActionID string `json:"id" yaml:"id"` ActionType string `json:"type" yaml:"type"` Version string `json:"version" yaml:"version"` - SourceURI string `json:"source_uri" yaml:"source_uri"` + SourceURI string `json:"source_uri,omitempty" yaml:"source_uri,omitempty"` } func (a *ActionUpgrade) String() string { @@ -169,14 +169,14 @@ func (a *Actions) UnmarshalJSON(data []byte) error { for _, response := range responses { switch response.ActionType { - case ActionTypeConfigChange: - action = &ActionConfigChange{ + case ActionTypePolicyChange: + action = &ActionPolicyChange{ ActionID: response.ActionID, ActionType: response.ActionType, } if err := json.Unmarshal(response.Data, action); err != nil { return errors.New(err, - "fail to decode CONFIG_CHANGE action", + "fail to decode POLICY_CHANGE action", errors.TypeConfig) } case ActionTypeUnenroll: diff --git a/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd.go b/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd.go index 58c80b0adf1..9758fd4236c 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd.go +++ b/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd.go @@ -17,7 +17,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" ) -const checkingPath = "/api/ingest_manager/fleet/agents/%s/checkin" +const checkingPath = "/api/fleet/agents/%s/checkin" // CheckinRequest consists of multiple events reported to fleet ui. type CheckinRequest struct { diff --git a/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd_test.go b/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd_test.go index 953b86a260e..3e88ed29cd1 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd_test.go +++ b/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd_test.go @@ -34,7 +34,7 @@ func TestCheckin(t *testing.T) { } ` mux := http.NewServeMux() - path := fmt.Sprintf("/api/ingest_manager/fleet/agents/%s/checkin", agentInfo.AgentID()) + path := fmt.Sprintf("/api/fleet/agents/%s/checkin", agentInfo.AgentID()) mux.HandleFunc(path, authHandler(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusInternalServerError) fmt.Fprintf(w, raw) @@ -56,10 +56,10 @@ func TestCheckin(t *testing.T) { raw := ` { "actions": [{ - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "id": "id1", "data": { - "config": { + "policy": { "id": "policy-id", "outputs": { "default": { @@ -83,7 +83,7 @@ func TestCheckin(t *testing.T) { } ` mux := http.NewServeMux() - path := fmt.Sprintf("/api/ingest_manager/fleet/agents/%s/checkin", agentInfo.AgentID()) + path := fmt.Sprintf("/api/fleet/agents/%s/checkin", agentInfo.AgentID()) mux.HandleFunc(path, authHandler(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) fmt.Fprintf(w, raw) @@ -102,7 +102,7 @@ func TestCheckin(t *testing.T) { // ActionPolicyChange require.Equal(t, "id1", r.Actions[0].ID()) - require.Equal(t, "CONFIG_CHANGE", r.Actions[0].Type()) + require.Equal(t, "POLICY_CHANGE", r.Actions[0].Type()) }, )) @@ -112,10 +112,10 @@ func TestCheckin(t *testing.T) { { "actions": [ { - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "id": "id1", "data": { - "config": { + "policy": { "id": "policy-id", "outputs": { "default": { @@ -144,7 +144,7 @@ func TestCheckin(t *testing.T) { } ` mux := http.NewServeMux() - path := fmt.Sprintf("/api/ingest_manager/fleet/agents/%s/checkin", agentInfo.AgentID()) + path := fmt.Sprintf("/api/fleet/agents/%s/checkin", agentInfo.AgentID()) mux.HandleFunc(path, authHandler(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) fmt.Fprintf(w, raw) @@ -163,7 +163,7 @@ func TestCheckin(t *testing.T) { // ActionPolicyChange require.Equal(t, "id1", r.Actions[0].ID()) - require.Equal(t, "CONFIG_CHANGE", r.Actions[0].Type()) + require.Equal(t, "POLICY_CHANGE", r.Actions[0].Type()) // UnknownAction require.Equal(t, "id2", r.Actions[1].ID()) @@ -176,7 +176,7 @@ func TestCheckin(t *testing.T) { func(t *testing.T) *http.ServeMux { raw := `{ "actions": [] }` mux := http.NewServeMux() - path := fmt.Sprintf("/api/ingest_manager/fleet/agents/%s/checkin", agentInfo.AgentID()) + path := fmt.Sprintf("/api/fleet/agents/%s/checkin", agentInfo.AgentID()) mux.HandleFunc(path, authHandler(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) fmt.Fprintf(w, raw) @@ -199,7 +199,7 @@ func TestCheckin(t *testing.T) { func(t *testing.T) *http.ServeMux { raw := `{"actions": []}` mux := http.NewServeMux() - path := fmt.Sprintf("/api/ingest_manager/fleet/agents/%s/checkin", agentInfo.AgentID()) + path := fmt.Sprintf("/api/fleet/agents/%s/checkin", agentInfo.AgentID()) mux.HandleFunc(path, authHandler(func(w http.ResponseWriter, r *http.Request) { type Request struct { Metadata *info.ECSMeta `json:"local_metadata"` @@ -233,7 +233,7 @@ func TestCheckin(t *testing.T) { func(t *testing.T) *http.ServeMux { raw := `{"actions": []}` mux := http.NewServeMux() - path := fmt.Sprintf("/api/ingest_manager/fleet/agents/%s/checkin", agentInfo.AgentID()) + path := fmt.Sprintf("/api/fleet/agents/%s/checkin", agentInfo.AgentID()) mux.HandleFunc(path, authHandler(func(w http.ResponseWriter, r *http.Request) { type Request struct { Metadata *info.ECSMeta `json:"local_metadata"` diff --git a/x-pack/elastic-agent/pkg/fleetapi/enroll_cmd.go b/x-pack/elastic-agent/pkg/fleetapi/enroll_cmd.go index 3e6336fbc81..29168be0ae4 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/enroll_cmd.go +++ b/x-pack/elastic-agent/pkg/fleetapi/enroll_cmd.go @@ -71,7 +71,7 @@ func (p EnrollType) MarshalJSON() ([]byte, error) { // EnrollRequest is the data required to enroll the elastic-agent into Fleet. // // Example: -// POST /api/ingest_manager/fleet/agents/enroll +// POST /api/fleet/agents/enroll // { // "type": "PERMANENT", // "metadata": { @@ -168,7 +168,7 @@ type EnrollCmd struct { // Execute enroll the Agent in the Fleet. func (e *EnrollCmd) Execute(ctx context.Context, r *EnrollRequest) (*EnrollResponse, error) { - const p = "/api/ingest_manager/fleet/agents/enroll" + const p = "/api/fleet/agents/enroll" const key = "Authorization" const prefix = "ApiKey " diff --git a/x-pack/elastic-agent/pkg/fleetapi/enroll_cmd_test.go b/x-pack/elastic-agent/pkg/fleetapi/enroll_cmd_test.go index 6533ad6643e..29bbf7e607e 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/enroll_cmd_test.go +++ b/x-pack/elastic-agent/pkg/fleetapi/enroll_cmd_test.go @@ -23,7 +23,7 @@ func TestEnroll(t *testing.T) { t.Run("Successful enroll", withServer( func(t *testing.T) *http.ServeMux { mux := http.NewServeMux() - mux.HandleFunc("/api/ingest_manager/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/api/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) w.Header().Set("Content-Type", "application/json") @@ -92,7 +92,7 @@ func TestEnroll(t *testing.T) { t.Run("Raise back any server errors", withServer( func(t *testing.T) *http.ServeMux { mux := http.NewServeMux() - mux.HandleFunc("/api/ingest_manager/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/api/fleet/agents/enroll", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusInternalServerError) w.Header().Set("Content-Type", "application/json") w.Write([]byte(`{"statusCode": 500, "error":"Something is really bad here"}`)) diff --git a/x-pack/elastic-agent/pkg/release/upgrade.go b/x-pack/elastic-agent/pkg/release/upgrade.go new file mode 100644 index 00000000000..2e63eb47ad5 --- /dev/null +++ b/x-pack/elastic-agent/pkg/release/upgrade.go @@ -0,0 +1,10 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package release + +// Upgradeable return true when release is built specifically for upgrading. +func Upgradeable() bool { + return allowUpgrade == "true" +} diff --git a/x-pack/elastic-agent/pkg/release/version.go b/x-pack/elastic-agent/pkg/release/version.go index 37579ac86de..05f0063afdf 100644 --- a/x-pack/elastic-agent/pkg/release/version.go +++ b/x-pack/elastic-agent/pkg/release/version.go @@ -12,6 +12,10 @@ import ( libbeatVersion "github.com/elastic/beats/v7/libbeat/version" ) +const ( + hashLen = 6 +) + // snapshot is a flag marking build as a snapshot. var snapshot = "" @@ -19,11 +23,24 @@ var snapshot = "" // without valid pgp var allowEmptyPgp string +// allowUpgrade is used as a debug flag and allows working +// with upgrade without requiring Agent to be installed correctly +var allowUpgrade string + // Commit returns the current build hash or unknown if it was not injected in the build process. func Commit() string { return libbeatVersion.Commit() } +// ShortCommit returns commit up to 6 characters. +func ShortCommit() string { + hash := Commit() + if len(hash) > hashLen { + hash = hash[:hashLen] + } + return hash +} + // BuildTime returns the build time of the binaries. func BuildTime() time.Time { return libbeatVersion.BuildTime() @@ -59,7 +76,7 @@ func Info() VersionInfo { } // String returns the string format for the version information. -func (v *VersionInfo) String() string { +func (v VersionInfo) String() string { var sb strings.Builder sb.WriteString(v.Version) diff --git a/x-pack/elastic-agent/pkg/reporter/reporter.go b/x-pack/elastic-agent/pkg/reporter/reporter.go index c36708a837f..3b128841b2a 100644 --- a/x-pack/elastic-agent/pkg/reporter/reporter.go +++ b/x-pack/elastic-agent/pkg/reporter/reporter.go @@ -38,6 +38,8 @@ const ( EventSubTypeFailed = "FAILED" // EventSubTypeStopping is an event type indicating application is stopping. EventSubTypeStopping = "STOPPING" + // EventSubTypeUpdating is an event type indicating update process in progress. + EventSubTypeUpdating = "UPDATING" ) type agentInfo interface { @@ -127,6 +129,10 @@ func generateRecord(agentID string, id string, name string, s state.State) event case state.Restarting: subType = EventSubTypeStarting subTypeText = "RESTARTING" + case state.Updating: + subType = EventSubTypeUpdating + subTypeText = EventSubTypeUpdating + } err := errors.New( diff --git a/x-pack/elastic-agent/spec/apm-server.yml.disabled b/x-pack/elastic-agent/spec/apm-server.yml.disabled new file mode 100644 index 00000000000..c84405dfadd --- /dev/null +++ b/x-pack/elastic-agent/spec/apm-server.yml.disabled @@ -0,0 +1,16 @@ +name: APM-Server +cmd: apm-server +artifact: apm-server +args: ["-E", "management.enabled=true", "-E", "management.mode=x-pack-fleet"] +rules: + - fix_stream: {} + - filter_values: + selector: inputs + key: type + values: + - apm + - filter: + selectors: + - inputs + - output +when: length(${inputs}) > 0 and hasKey(${output}, 'elasticsearch') diff --git a/x-pack/elastic-agent/spec/filebeat.yml b/x-pack/elastic-agent/spec/filebeat.yml index 1b184b10098..aa09b4f9121 100644 --- a/x-pack/elastic-agent/spec/filebeat.yml +++ b/x-pack/elastic-agent/spec/filebeat.yml @@ -87,6 +87,8 @@ rules: values: - true +- inject_agent_info: {} + - copy: from: inputs to: filebeat diff --git a/x-pack/elastic-agent/spec/metricbeat.yml b/x-pack/elastic-agent/spec/metricbeat.yml index 94b69e9a2f3..a5015a974a5 100644 --- a/x-pack/elastic-agent/spec/metricbeat.yml +++ b/x-pack/elastic-agent/spec/metricbeat.yml @@ -73,6 +73,8 @@ rules: - remove_key: key: use_output +- inject_agent_info: {} + - copy: from: inputs to: metricbeat diff --git a/x-pack/filebeat/Jenkinsfile.yml b/x-pack/filebeat/Jenkinsfile.yml index 755be59b451..b2db448f532 100644 --- a/x-pack/filebeat/Jenkinsfile.yml +++ b/x-pack/filebeat/Jenkinsfile.yml @@ -20,15 +20,27 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test x-pack/filebeat for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test x-pack/filebeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc index 8891e38fcc4..5cbe4685cb8 100644 --- a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc @@ -42,6 +42,11 @@ The `s3` input supports the following configuration options plus the URL of the AWS SQS queue that messages will be received from. Required. +[float] +==== `fips_enabled` + +Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. For example: `s3-fips.us-gov-east-1.amazonaws.com`. + [float] ==== `visibility_timeout` diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 9797291bdf4..49ede1c7d24 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1050,6 +1050,19 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local + srx: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006 + #-------------------------------- Kafka Module -------------------------------- - module: kafka # All logs @@ -1105,7 +1118,20 @@ filebeat.modules: # Oauth Client Secret #var.oauth2.client.secret: "" - + + # Oauth Token URL, should include the tenant ID + #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" + m365_defender: + enabled: true + # How often the API should be polled + #var.interval: 5m + + # Oauth Client ID + #var.oauth2.client.id: "" + + # Oauth Client Secret + #var.oauth2.client.secret: "" + # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" dhcp: @@ -1757,6 +1783,7 @@ filebeat.inputs: # # Possible options are: # * log: Reads every line of the log file (default) +# * filestream: Improved version of log input. Experimental. # * stdin: Reads the standard in #------------------------------ Log input -------------------------------- @@ -1977,6 +2004,145 @@ filebeat.inputs: # Defines if inputs is enabled #enabled: true +#--------------------------- Filestream input ---------------------------- +- type: filestream + + # Change to true to enable this input configuration. + enabled: false + + # Paths that should be crawled and fetched. Glob based paths. + # To fetch all ".log" files from a specific level of subdirectories + # /var/log/*/*.log can be used. + # For each file found under this path, a harvester is started. + # Make sure not file is defined twice as this can lead to unexpected behaviour. + paths: + - /var/log/*.log + #- c:\programdata\elasticsearch\logs\* + + # Configure the file encoding for reading files with international characters + # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding). + # Some sample encodings: + # plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk, + # hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ... + #encoding: plain + + + # Exclude lines. A list of regular expressions to match. It drops the lines that are + # matching any regular expression from the list. The include_lines is called before + # exclude_lines. By default, no lines are dropped. + #exclude_lines: ['^DBG'] + + # Include lines. A list of regular expressions to match. It exports the lines that are + # matching any regular expression from the list. The include_lines is called before + # exclude_lines. By default, all the lines are exported. + #include_lines: ['^ERR', '^WARN'] + + ### Prospector options + + # How often the input checks for new files in the paths that are specified + # for harvesting. Specify 1s to scan the directory as frequently as possible + # without causing Filebeat to scan too frequently. Default: 10s. + #prospector.scanner.check_interval: 10s + + # Exclude files. A list of regular expressions to match. Filebeat drops the files that + # are matching any regular expression from the list. By default, no files are dropped. + #prospector.scanner.exclude_files: ['.gz$'] + + # Expand "**" patterns into regular glob patterns. + #prospector.scanner.recursive_glob: true + + # If symlinks is enabled, symlinks are opened and harvested. The harvester is opening the + # original for harvesting but will report the symlink name as source. + #prospector.scanner.symlinks: false + + ### State options + + # Files for the modification data is older then clean_inactive the state from the registry is removed + # By default this is disabled. + #clean_inactive: 0 + + # Removes the state for file which cannot be found on disk anymore immediately + #clean_removed: true + + # Method to determine if two files are the same or not. By default + # the Beat considers two files the same if their inode and device id are the same. + #file_identity.native: ~ + + # Optional additional fields. These fields can be freely picked + # to add additional information to the crawled log files for filtering + #fields: + # level: debug + # review: 1 + + # Set to true to publish fields with null values in events. + #keep_null: false + + # By default, all events contain `host.name`. This option can be set to true + # to disable the addition of this field to all events. The default value is + # false. + #publisher_pipeline.disable_host: false + + # Ignore files which were modified more then the defined timespan in the past. + # ignore_older is disabled by default, so no files are ignored by setting it to 0. + # Time strings like 2h (2 hours), 5m (5 minutes) can be used. + #ignore_older: 0 + + # Defines the buffer size every harvester uses when fetching the file + #harvester_buffer_size: 16384 + + # Maximum number of bytes a single log event can have + # All bytes after max_bytes are discarded and not sent. The default is 10MB. + # This is especially useful for multiline log messages which can get large. + #message_max_bytes: 10485760 + + # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed, + # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator. + #line_terminator: auto + + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # Backoff values define how aggressively filebeat crawls new files for updates + # The default values can be used in most cases. Backoff defines how long it is waited + # to check a file again after EOF is reached. Default is 1s which means the file + # is checked every second if new lines were added. This leads to a near real time crawling. + # Every time a new line appears, backoff is reset to the initial value. + #backoff.init: 1s + + # Max backoff defines what the maximum backoff time is. After having backed off multiple times + # from checking the files, the waiting time will never exceed max_backoff independent of the + # backoff factor. Having it set to 10s means in the worst case a new line can be added to a log + # file after having backed off multiple times, it takes a maximum of 10s to read the new line + #backoff.max: 10s + + ### Harvester closing options + + # Close inactive closes the file handler after the predefined period. + # The period starts when the last line of the file was, not the file ModTime. + # Time strings like 2h (2 hours), 5m (5 minutes) can be used. + #close.on_state_change.inactive: 5m + + # Close renamed closes a file handler when the file is renamed or rotated. + # Note: Potential data loss. Make sure to read and understand the docs for this option. + #close.on_state_change.renamed: false + + # When enabling this option, a file handler is closed immediately in case a file can't be found + # any more. In case the file shows up again later, harvesting will continue at the last known position + # after scan_frequency. + #close.on_state_change.removed: true + + # Closes the file handler as soon as the harvesters reaches the end of the file. + # By default this option is disabled. + # Note: Potential data loss. Make sure to read and understand the docs for this option. + #close.reader.eof: false + + # Close timeout closes the harvester after the predefined time. + # This is independent if the harvester did finish reading the file or not. + # By default this option is disabled. + # Note: Potential data loss. Make sure to read and understand the docs for this option. + #close.reader.after_interval: 0 + #----------------------------- Stdin input ------------------------------- # Configuration to use stdin input #- type: stdin diff --git a/x-pack/filebeat/filebeat.yml b/x-pack/filebeat/filebeat.yml index 2a3e678c542..9a29bc76962 100644 --- a/x-pack/filebeat/filebeat.yml +++ b/x-pack/filebeat/filebeat.yml @@ -62,6 +62,35 @@ filebeat.inputs: # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash #multiline.match: after +# filestream is an experimental input. It is going to replace log input in the future. +- type: filestream + + # Change to true to enable this input configuration. + enabled: false + + # Paths that should be crawled and fetched. Glob based paths. + paths: + - /var/log/*.log + #- c:\programdata\elasticsearch\logs\* + + # Exclude lines. A list of regular expressions to match. It drops the lines that are + # matching any regular expression from the list. + #exclude_lines: ['^DBG'] + + # Include lines. A list of regular expressions to match. It exports the lines that are + # matching any regular expression from the list. + #include_lines: ['^ERR', '^WARN'] + + # Exclude files. A list of regular expressions to match. Filebeat drops the files that + # are matching any regular expression from the list. By default, no files are dropped. + #prospector.scanner.exclude_files: ['.gz$'] + + # Optional additional fields. These fields can be freely picked + # to add additional information to the crawled log files for filtering + #fields: + # level: debug + # review: 1 + # ============================== Filebeat modules ============================== filebeat.config.modules: diff --git a/x-pack/filebeat/input/cloudfoundry/input.go b/x-pack/filebeat/input/cloudfoundry/input.go index 036a61b9d1e..3d2b9b34e59 100644 --- a/x-pack/filebeat/input/cloudfoundry/input.go +++ b/x-pack/filebeat/input/cloudfoundry/input.go @@ -25,7 +25,7 @@ type cloudfoundryEvent interface { func Plugin() v2.Plugin { return v2.Plugin{ Name: "cloudfoundry", - Stability: feature.Beta, + Stability: feature.Stable, Deprecated: false, Info: "collect logs from cloudfoundry loggregator", Manager: stateless.NewInputManager(configure), diff --git a/x-pack/filebeat/input/default-inputs/inputs.go b/x-pack/filebeat/input/default-inputs/inputs.go index 1fe245b80f7..4779b452f1d 100644 --- a/x-pack/filebeat/input/default-inputs/inputs.go +++ b/x-pack/filebeat/input/default-inputs/inputs.go @@ -14,6 +14,7 @@ import ( "github.com/elastic/beats/v7/x-pack/filebeat/input/http_endpoint" "github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson" "github.com/elastic/beats/v7/x-pack/filebeat/input/o365audit" + "github.com/elastic/beats/v7/x-pack/filebeat/input/s3" ) func Init(info beat.Info, log *logp.Logger, store beater.StateStore) []v2.Plugin { @@ -27,7 +28,8 @@ func xpackInputs(info beat.Info, log *logp.Logger, store beater.StateStore) []v2 return []v2.Plugin{ cloudfoundry.Plugin(), http_endpoint.Plugin(), - httpjson.Plugin(), + httpjson.Plugin(log, store), o365audit.Plugin(log, store), + s3.Plugin(), } } diff --git a/x-pack/filebeat/input/httpjson/config.go b/x-pack/filebeat/input/httpjson/config.go index 95ca205be0d..ee1445b8a3d 100644 --- a/x-pack/filebeat/input/httpjson/config.go +++ b/x-pack/filebeat/input/httpjson/config.go @@ -17,9 +17,9 @@ import ( "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" ) -// Config contains information about httpjson configuration +// config contains information about httpjson configuration type config struct { - OAuth2 *OAuth2 `config:"oauth2"` + OAuth2 *oauth2Config `config:"oauth2"` APIKey string `config:"api_key"` AuthenticationScheme string `config:"authentication_scheme"` HTTPClientTimeout time.Duration `config:"http_client_timeout"` @@ -30,21 +30,21 @@ type config struct { JSONObjects string `config:"json_objects_array"` SplitEventsBy string `config:"split_events_by"` NoHTTPBody bool `config:"no_http_body"` - Pagination *Pagination `config:"pagination"` - RateLimit *RateLimit `config:"rate_limit"` + Pagination *paginationConfig `config:"pagination"` + RateLimit *rateLimitConfig `config:"rate_limit"` RetryMax int `config:"retry.max_attempts"` RetryWaitMin time.Duration `config:"retry.wait_min"` RetryWaitMax time.Duration `config:"retry.wait_max"` TLS *tlscommon.Config `config:"ssl"` - URL *URL `config:"url" validate:"required"` - DateCursor *DateCursor `config:"date_cursor"` + URL *urlConfig `config:"url" validate:"required"` + DateCursor *dateCursorConfig `config:"date_cursor"` } // Pagination contains information about httpjson pagination settings -type Pagination struct { +type paginationConfig struct { Enabled *bool `config:"enabled"` ExtraBodyContent common.MapStr `config:"extra_body_content"` - Header *Header `config:"header"` + Header *headerConfig `config:"header"` IDField string `config:"id_field"` RequestField string `config:"req_field"` URLField string `config:"url_field"` @@ -52,76 +52,76 @@ type Pagination struct { } // IsEnabled returns true if the `enable` field is set to true in the yaml. -func (p *Pagination) IsEnabled() bool { +func (p *paginationConfig) isEnabled() bool { return p != nil && (p.Enabled == nil || *p.Enabled) } // HTTP Header information for pagination -type Header struct { +type headerConfig struct { FieldName string `config:"field_name" validate:"required"` RegexPattern *regexp.Regexp `config:"regex_pattern" validate:"required"` } // HTTP Header Rate Limit information -type RateLimit struct { +type rateLimitConfig struct { Limit string `config:"limit"` Reset string `config:"reset"` Remaining string `config:"remaining"` } -type DateCursor struct { - Enabled *bool `config:"enabled"` - Field string `config:"field"` - URLField string `config:"url_field" validate:"required"` - ValueTemplate *Template `config:"value_template"` - DateFormat string `config:"date_format"` - InitialInterval time.Duration `config:"initial_interval"` +type dateCursorConfig struct { + Enabled *bool `config:"enabled"` + Field string `config:"field"` + URLField string `config:"url_field" validate:"required"` + ValueTemplate *templateConfig `config:"value_template"` + DateFormat string `config:"date_format"` + InitialInterval time.Duration `config:"initial_interval"` } -type Template struct { +type templateConfig struct { *template.Template } -func (t *Template) Unpack(in string) error { +func (t *templateConfig) Unpack(in string) error { tpl, err := template.New("tpl").Parse(in) if err != nil { return err } - *t = Template{Template: tpl} + *t = templateConfig{Template: tpl} return nil } -type URL struct { +type urlConfig struct { *url.URL } -func (u *URL) Unpack(in string) error { +func (u *urlConfig) Unpack(in string) error { parsed, err := url.Parse(in) if err != nil { return err } - *u = URL{URL: parsed} + *u = urlConfig{URL: parsed} return nil } // IsEnabled returns true if the `enable` field is set to true in the yaml. -func (dc *DateCursor) IsEnabled() bool { +func (dc *dateCursorConfig) isEnabled() bool { return dc != nil && (dc.Enabled == nil || *dc.Enabled) } // IsEnabled returns true if the `enable` field is set to true in the yaml. -func (dc *DateCursor) GetDateFormat() string { +func (dc *dateCursorConfig) getDateFormat() string { if dc.DateFormat == "" { return time.RFC3339 } return dc.DateFormat } -func (dc *DateCursor) Validate() error { +func (dc *dateCursorConfig) Validate() error { if dc.DateFormat == "" { return nil } @@ -154,7 +154,7 @@ func (c *config) Validate() error { } } } - if c.OAuth2.IsEnabled() { + if c.OAuth2.isEnabled() { if c.APIKey != "" || c.AuthenticationScheme != "" { return errors.New("invalid configuration: oauth2 and api_key or authentication_scheme cannot be set simultaneously") } @@ -162,7 +162,7 @@ func (c *config) Validate() error { return nil } -func defaultConfig() config { +func newDefaultConfig() config { var c config c.HTTPMethod = "GET" c.HTTPClientTimeout = 60 * time.Second diff --git a/x-pack/filebeat/input/httpjson/config_oauth.go b/x-pack/filebeat/input/httpjson/config_oauth.go index 0ff55dcbc33..d7412fd0ba8 100644 --- a/x-pack/filebeat/input/httpjson/config_oauth.go +++ b/x-pack/filebeat/input/httpjson/config_oauth.go @@ -20,32 +20,32 @@ import ( "golang.org/x/oauth2/google" ) -// An OAuth2Provider represents a supported oauth provider. -type OAuth2Provider string +// An oauth2Provider represents a supported oauth provider. +type oauth2Provider string const ( - OAuth2ProviderDefault OAuth2Provider = "" // OAuth2ProviderDefault means no specific provider is set. - OAuth2ProviderAzure OAuth2Provider = "azure" // OAuth2ProviderAzure AzureAD. - OAuth2ProviderGoogle OAuth2Provider = "google" // OAuth2ProviderGoogle Google. + oauth2ProviderDefault oauth2Provider = "" // OAuth2ProviderDefault means no specific provider is set. + oauth2ProviderAzure oauth2Provider = "azure" // OAuth2ProviderAzure AzureAD. + oauth2ProviderGoogle oauth2Provider = "google" // OAuth2ProviderGoogle Google. ) -func (p *OAuth2Provider) Unpack(in string) error { - *p = OAuth2Provider(in) +func (p *oauth2Provider) Unpack(in string) error { + *p = oauth2Provider(in) return nil } -func (p OAuth2Provider) canonical() OAuth2Provider { - return OAuth2Provider(strings.ToLower(string(p))) +func (p oauth2Provider) canonical() oauth2Provider { + return oauth2Provider(strings.ToLower(string(p))) } -// OAuth2 contains information about oauth2 authentication settings. -type OAuth2 struct { +// oauth2Config contains information about oauth2 authentication settings. +type oauth2Config struct { // common oauth fields ClientID string `config:"client.id"` ClientSecret string `config:"client.secret"` Enabled *bool `config:"enabled"` EndpointParams map[string][]string `config:"endpoint_params"` - Provider OAuth2Provider `config:"provider"` + Provider oauth2Provider `config:"provider"` Scopes []string `config:"scopes"` TokenURL string `config:"token_url"` @@ -61,25 +61,26 @@ type OAuth2 struct { } // IsEnabled returns true if the `enable` field is set to true in the yaml. -func (o *OAuth2) IsEnabled() bool { +func (o *oauth2Config) isEnabled() bool { return o != nil && (o.Enabled == nil || *o.Enabled) } // Client wraps the given http.Client and returns a new one that will use the oauth authentication. -func (o *OAuth2) Client(ctx context.Context, client *http.Client) (*http.Client, error) { - ctx = context.WithValue(ctx, oauth2.HTTPClient, client) +func (o *oauth2Config) client(ctx context.Context, client *http.Client) (*http.Client, error) { + // only required to let oauth2 library to find our custom client in the context + ctx = context.WithValue(context.Background(), oauth2.HTTPClient, client) - switch o.GetProvider() { - case OAuth2ProviderAzure, OAuth2ProviderDefault: + switch o.getProvider() { + case oauth2ProviderAzure, oauth2ProviderDefault: creds := clientcredentials.Config{ ClientID: o.ClientID, ClientSecret: o.ClientSecret, - TokenURL: o.GetTokenURL(), + TokenURL: o.getTokenURL(), Scopes: o.Scopes, - EndpointParams: o.GetEndpointParams(), + EndpointParams: o.getEndpointParams(), } return creds.Client(ctx), nil - case OAuth2ProviderGoogle: + case oauth2ProviderGoogle: if o.GoogleJWTFile != "" { cfg, err := google.JWTConfigFromJSON(o.GoogleCredentialsJSON, o.Scopes...) if err != nil { @@ -100,9 +101,9 @@ func (o *OAuth2) Client(ctx context.Context, client *http.Client) (*http.Client, } // GetTokenURL returns the TokenURL. -func (o *OAuth2) GetTokenURL() string { - switch o.GetProvider() { - case OAuth2ProviderAzure: +func (o *oauth2Config) getTokenURL() string { + switch o.getProvider() { + case oauth2ProviderAzure: if o.TokenURL == "" { return endpoints.AzureAD(o.AzureTenantID).TokenURL } @@ -112,14 +113,14 @@ func (o *OAuth2) GetTokenURL() string { } // GetProvider returns provider in its canonical form. -func (o OAuth2) GetProvider() OAuth2Provider { +func (o oauth2Config) getProvider() oauth2Provider { return o.Provider.canonical() } // GetEndpointParams returns endpoint params with any provider ones combined. -func (o OAuth2) GetEndpointParams() map[string][]string { - switch o.GetProvider() { - case OAuth2ProviderAzure: +func (o oauth2Config) getEndpointParams() map[string][]string { + switch o.getProvider() { + case oauth2ProviderAzure: if o.AzureResource != "" { if o.EndpointParams == nil { o.EndpointParams = map[string][]string{} @@ -132,18 +133,18 @@ func (o OAuth2) GetEndpointParams() map[string][]string { } // Validate checks if oauth2 config is valid. -func (o *OAuth2) Validate() error { - switch o.GetProvider() { - case OAuth2ProviderAzure: +func (o *oauth2Config) Validate() error { + switch o.getProvider() { + case oauth2ProviderAzure: return o.validateAzureProvider() - case OAuth2ProviderGoogle: + case oauth2ProviderGoogle: return o.validateGoogleProvider() - case OAuth2ProviderDefault: + case oauth2ProviderDefault: if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == "" { return errors.New("invalid configuration: both token_url and client credentials must be provided") } default: - return fmt.Errorf("invalid configuration: unknown provider %q", o.GetProvider()) + return fmt.Errorf("invalid configuration: unknown provider %q", o.getProvider()) } return nil } @@ -151,7 +152,7 @@ func (o *OAuth2) Validate() error { // findDefaultGoogleCredentials will default to google.FindDefaultCredentials and will only be changed for testing purposes var findDefaultGoogleCredentials = google.FindDefaultCredentials -func (o *OAuth2) validateGoogleProvider() error { +func (o *oauth2Config) validateGoogleProvider() error { if o.TokenURL != "" || o.ClientID != "" || o.ClientSecret != "" || o.AzureTenantID != "" || o.AzureResource != "" || len(o.EndpointParams) > 0 { return errors.New("invalid configuration: none of token_url and client credentials can be used, use google.credentials_file, google.jwt_file, google.credentials_json or ADC instead") @@ -191,7 +192,7 @@ func (o *OAuth2) validateGoogleProvider() error { return fmt.Errorf("invalid configuration: no authentication credentials were configured or detected (ADC)") } -func (o *OAuth2) populateCredentialsJSONFromFile(file string) error { +func (o *oauth2Config) populateCredentialsJSONFromFile(file string) error { if _, err := os.Stat(file); os.IsNotExist(err) { return fmt.Errorf("invalid configuration: the file %q cannot be found", file) } @@ -210,7 +211,7 @@ func (o *OAuth2) populateCredentialsJSONFromFile(file string) error { return nil } -func (o *OAuth2) validateAzureProvider() error { +func (o *oauth2Config) validateAzureProvider() error { if o.TokenURL == "" && o.AzureTenantID == "" { return errors.New("invalid configuration: at least one of token_url or tenant_id must be provided") } diff --git a/x-pack/filebeat/input/httpjson/config_oauth_test.go b/x-pack/filebeat/input/httpjson/config_oauth_test.go index 3fa0eed4284..67ec63b6650 100644 --- a/x-pack/filebeat/input/httpjson/config_oauth_test.go +++ b/x-pack/filebeat/input/httpjson/config_oauth_test.go @@ -11,8 +11,8 @@ import ( func TestProviderCanonical(t *testing.T) { const ( - a OAuth2Provider = "gOoGle" - b OAuth2Provider = "google" + a oauth2Provider = "gOoGle" + b oauth2Provider = "google" ) if a.canonical() != b.canonical() { @@ -21,74 +21,74 @@ func TestProviderCanonical(t *testing.T) { } func TestGetProviderIsCanonical(t *testing.T) { - const expected OAuth2Provider = "google" + const expected oauth2Provider = "google" - oauth2 := OAuth2{Provider: "GOogle"} - if oauth2.GetProvider() != expected { + oauth2 := oauth2Config{Provider: "GOogle"} + if oauth2.getProvider() != expected { t.Fatal("GetProvider should return canonical provider") } } func TestIsEnabled(t *testing.T) { - oauth2 := OAuth2{} - if !oauth2.IsEnabled() { + oauth2 := oauth2Config{} + if !oauth2.isEnabled() { t.Fatal("OAuth2 should be enabled by default") } var enabled = false oauth2.Enabled = &enabled - if oauth2.IsEnabled() { + if oauth2.isEnabled() { t.Fatal("OAuth2 should be disabled") } enabled = true - if !oauth2.IsEnabled() { + if !oauth2.isEnabled() { t.Fatal("OAuth2 should be enabled") } } func TestGetTokenURL(t *testing.T) { const expected = "http://localhost" - oauth2 := OAuth2{TokenURL: "http://localhost"} - if got := oauth2.GetTokenURL(); got != expected { + oauth2 := oauth2Config{TokenURL: "http://localhost"} + if got := oauth2.getTokenURL(); got != expected { t.Fatalf("GetTokenURL should return the provided TokenURL but got %q", got) } } func TestGetTokenURLWithAzure(t *testing.T) { const expectedWithoutTenantID = "http://localhost" - oauth2 := OAuth2{TokenURL: "http://localhost", Provider: "azure"} - if got := oauth2.GetTokenURL(); got != expectedWithoutTenantID { + oauth2 := oauth2Config{TokenURL: "http://localhost", Provider: "azure"} + if got := oauth2.getTokenURL(); got != expectedWithoutTenantID { t.Fatalf("GetTokenURL should return the provided TokenURL but got %q", got) } oauth2.TokenURL = "" oauth2.AzureTenantID = "a_tenant_id" const expectedWithTenantID = "https://login.microsoftonline.com/a_tenant_id/oauth2/v2.0/token" - if got := oauth2.GetTokenURL(); got != expectedWithTenantID { + if got := oauth2.getTokenURL(); got != expectedWithTenantID { t.Fatalf("GetTokenURL should return the generated TokenURL but got %q", got) } } func TestGetEndpointParams(t *testing.T) { var expected = map[string][]string{"foo": {"bar"}} - oauth2 := OAuth2{EndpointParams: map[string][]string{"foo": {"bar"}}} - if got := oauth2.GetEndpointParams(); !reflect.DeepEqual(got, expected) { + oauth2 := oauth2Config{EndpointParams: map[string][]string{"foo": {"bar"}}} + if got := oauth2.getEndpointParams(); !reflect.DeepEqual(got, expected) { t.Fatalf("GetEndpointParams should return the provided EndpointParams but got %q", got) } } func TestGetEndpointParamsWithAzure(t *testing.T) { var expectedWithoutResource = map[string][]string{"foo": {"bar"}} - oauth2 := OAuth2{Provider: "azure", EndpointParams: map[string][]string{"foo": {"bar"}}} - if got := oauth2.GetEndpointParams(); !reflect.DeepEqual(got, expectedWithoutResource) { + oauth2 := oauth2Config{Provider: "azure", EndpointParams: map[string][]string{"foo": {"bar"}}} + if got := oauth2.getEndpointParams(); !reflect.DeepEqual(got, expectedWithoutResource) { t.Fatalf("GetEndpointParams should return the provided EndpointParams but got %q", got) } oauth2.AzureResource = "baz" var expectedWithResource = map[string][]string{"foo": {"bar"}, "resource": {"baz"}} - if got := oauth2.GetEndpointParams(); !reflect.DeepEqual(got, expectedWithResource) { + if got := oauth2.getEndpointParams(); !reflect.DeepEqual(got, expectedWithResource) { t.Fatalf("GetEndpointParams should return the provided EndpointParams but got %q", got) } } diff --git a/x-pack/filebeat/input/httpjson/config_test.go b/x-pack/filebeat/input/httpjson/config_test.go index 0de07311239..85c7c64848d 100644 --- a/x-pack/filebeat/input/httpjson/config_test.go +++ b/x-pack/filebeat/input/httpjson/config_test.go @@ -25,7 +25,7 @@ func TestConfigValidationCase1(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. no_http_body and http_request_body cannot coexist.") } @@ -39,7 +39,7 @@ func TestConfigValidationCase2(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. no_http_body and pagination.extra_body_content cannot coexist.") } @@ -53,7 +53,7 @@ func TestConfigValidationCase3(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. no_http_body and pagination.req_field cannot coexist.") } @@ -66,7 +66,7 @@ func TestConfigValidationCase4(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. pagination.header and pagination.req_field cannot coexist.") } @@ -79,7 +79,7 @@ func TestConfigValidationCase5(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. pagination.header and pagination.id_field cannot coexist.") } @@ -92,7 +92,7 @@ func TestConfigValidationCase6(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. pagination.header and extra_body_content cannot coexist.") } @@ -105,7 +105,7 @@ func TestConfigValidationCase7(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. http_method DELETE is not allowed.") } @@ -116,7 +116,7 @@ func TestConfigMustFailWithInvalidURL(t *testing.T) { "url": "::invalid::", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() err := cfg.Unpack(&conf) assert.EqualError(t, err, `parse "::invalid::": missing protocol scheme accessing 'url'`) } @@ -414,7 +414,7 @@ func TestConfigOauth2Validation(t *testing.T) { } cfg := common.MustNewConfigFrom(c.input) - conf := defaultConfig() + conf := newDefaultConfig() err := cfg.Unpack(&conf) switch { diff --git a/x-pack/filebeat/input/httpjson/date_cursor.go b/x-pack/filebeat/input/httpjson/date_cursor.go index 2a9db44bd2a..66ca659de78 100644 --- a/x-pack/filebeat/input/httpjson/date_cursor.go +++ b/x-pack/filebeat/input/httpjson/date_cursor.go @@ -7,6 +7,7 @@ package httpjson import ( "bytes" "net/url" + "text/template" "time" "github.com/elastic/beats/v7/libbeat/common" @@ -22,13 +23,12 @@ type dateCursor struct { initialInterval time.Duration dateFormat string - value string - valueTpl *Template + valueTpl *template.Template } func newDateCursorFromConfig(config config, log *logp.Logger) *dateCursor { c := &dateCursor{ - enabled: config.DateCursor.IsEnabled(), + enabled: config.DateCursor.isEnabled(), url: *config.URL.URL, } @@ -40,23 +40,23 @@ func newDateCursorFromConfig(config config, log *logp.Logger) *dateCursor { c.field = config.DateCursor.Field c.urlField = config.DateCursor.URLField c.initialInterval = config.DateCursor.InitialInterval - c.dateFormat = config.DateCursor.GetDateFormat() - c.valueTpl = config.DateCursor.ValueTemplate + c.dateFormat = config.DateCursor.getDateFormat() + c.valueTpl = config.DateCursor.ValueTemplate.Template return c } -func (c *dateCursor) getURL() string { +func (c *dateCursor) getURL(prevValue string) string { if !c.enabled { return c.url.String() } var dateStr string - if c.value == "" { + if prevValue == "" { t := timeNow().UTC().Add(-c.initialInterval) dateStr = t.Format(c.dateFormat) } else { - dateStr = c.value + dateStr = prevValue } q := c.url.Query() @@ -66,7 +66,7 @@ func (c *dateCursor) getURL() string { value = dateStr } else { buf := new(bytes.Buffer) - if err := c.valueTpl.Template.Execute(buf, dateStr); err != nil { + if err := c.valueTpl.Execute(buf, dateStr); err != nil { return c.url.String() } value = buf.String() @@ -74,32 +74,33 @@ func (c *dateCursor) getURL() string { q.Set(c.urlField, value) - c.url.RawQuery = q.Encode() + url := c.url + url.RawQuery = q.Encode() - return c.url.String() + return url.String() } -func (c *dateCursor) advance(m common.MapStr) { +func (c *dateCursor) getNextValue(m common.MapStr) string { if c.field == "" { - c.value = time.Now().UTC().Format(c.dateFormat) - return + return time.Now().UTC().Format(c.dateFormat) } v, err := m.GetValue(c.field) if err != nil { c.log.Warnf("date_cursor field: %q", err) - return + return "" } + switch t := v.(type) { case string: _, err := time.Parse(c.dateFormat, t) if err != nil { c.log.Warn("date_cursor field does not have the expected layout") - return + return "" } - c.value = t - default: - c.log.Warn("date_cursor field must be a string, cursor will not advance") - return + return t } + + c.log.Warn("date_cursor field must be a string, cursor will not advance") + return "" } diff --git a/x-pack/filebeat/input/httpjson/input.go b/x-pack/filebeat/input/httpjson/input.go index 766fa364864..5445197f563 100644 --- a/x-pack/filebeat/input/httpjson/input.go +++ b/x-pack/filebeat/input/httpjson/input.go @@ -9,12 +9,14 @@ import ( "fmt" "net" "net/http" + "net/url" "time" "github.com/hashicorp/go-retryablehttp" "go.uber.org/zap" v2 "github.com/elastic/beats/v7/filebeat/input/v2" + cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" @@ -63,30 +65,25 @@ func (log *retryLogger) Warn(format string, args ...interface{}) { log.log.Warnf(format, args...) } -type httpJSONInput struct { - config config - tlsConfig *tlscommon.TLSConfig -} - -func Plugin() v2.Plugin { +func Plugin(log *logp.Logger, store cursor.StateStore) v2.Plugin { + sim := stateless.NewInputManager(statelessConfigure) return v2.Plugin{ Name: inputName, Stability: feature.Beta, Deprecated: false, - Manager: stateless.NewInputManager(configure), - } -} - -func configure(cfg *common.Config) (stateless.Input, error) { - conf := defaultConfig() - if err := cfg.Unpack(&conf); err != nil { - return nil, err + Manager: inputManager{ + stateless: &sim, + cursor: &cursor.InputManager{ + Logger: log, + StateStore: store, + Type: inputName, + Configure: cursorConfigure, + }, + }, } - - return newHTTPJSONInput(conf) } -func newHTTPJSONInput(config config) (*httpJSONInput, error) { +func newTLSConfig(config config) (*tlscommon.TLSConfig, error) { if err := config.Validate(); err != nil { return nil, err } @@ -96,54 +93,53 @@ func newHTTPJSONInput(config config) (*httpJSONInput, error) { return nil, err } - return &httpJSONInput{ - config: config, - tlsConfig: tlsConfig, - }, nil + return tlsConfig, nil } -func (*httpJSONInput) Name() string { return inputName } - -func (in *httpJSONInput) Test(v2.TestContext) error { +func test(url *url.URL) error { port := func() string { - if in.config.URL.Port() != "" { - return in.config.URL.Port() + if url.Port() != "" { + return url.Port() } - switch in.config.URL.Scheme { + switch url.Scheme { case "https": return "443" } return "80" }() - _, err := net.DialTimeout("tcp", net.JoinHostPort(in.config.URL.Hostname(), port), time.Second) + _, err := net.DialTimeout("tcp", net.JoinHostPort(url.Hostname(), port), time.Second) if err != nil { - return fmt.Errorf("url %q is unreachable", in.config.URL) + return fmt.Errorf("url %q is unreachable", url) } return nil } -// Run starts the input and blocks until it ends the execution. -// It will return on context cancellation, any other error will be retried. -func (in *httpJSONInput) Run(ctx v2.Context, publisher stateless.Publisher) error { - log := ctx.Logger.With("url", in.config.URL) +func run( + ctx v2.Context, + config config, + tlsConfig *tlscommon.TLSConfig, + publisher cursor.Publisher, + cursor *cursor.Cursor, +) error { + log := ctx.Logger.With("url", config.URL) stdCtx := ctxtool.FromCanceller(ctx.Cancelation) - httpClient, err := in.newHTTPClient(stdCtx) + httpClient, err := newHTTPClient(stdCtx, config, tlsConfig) if err != nil { return err } - dateCursor := newDateCursorFromConfig(in.config, log) + dateCursor := newDateCursorFromConfig(config, log) - rateLimiter := newRateLimiterFromConfig(in.config, log) + rateLimiter := newRateLimiterFromConfig(config, log) - pagination := newPaginationFromConfig(in.config) + pagination := newPaginationFromConfig(config) requester := newRequester( - in.config, + config, rateLimiter, dateCursor, pagination, @@ -151,12 +147,14 @@ func (in *httpJSONInput) Run(ctx v2.Context, publisher stateless.Publisher) erro log, ) + requester.loadCursor(cursor, log) + // TODO: disallow passing interval = 0 as a mean to run once. - if in.config.Interval == 0 { + if config.Interval == 0 { return requester.processHTTPRequest(stdCtx, publisher) } - err = timed.Periodic(stdCtx, in.config.Interval, func() error { + err = timed.Periodic(stdCtx, config.Interval, func() error { log.Info("Process another repeated request.") if err := requester.processHTTPRequest(stdCtx, publisher); err != nil { log.Error(err) @@ -169,29 +167,29 @@ func (in *httpJSONInput) Run(ctx v2.Context, publisher stateless.Publisher) erro return nil } -func (in *httpJSONInput) newHTTPClient(ctx context.Context) (*http.Client, error) { +func newHTTPClient(ctx context.Context, config config, tlsConfig *tlscommon.TLSConfig) (*http.Client, error) { // Make retryable HTTP client client := &retryablehttp.Client{ HTTPClient: &http.Client{ Transport: &http.Transport{ DialContext: (&net.Dialer{ - Timeout: in.config.HTTPClientTimeout, + Timeout: config.HTTPClientTimeout, }).DialContext, - TLSClientConfig: in.tlsConfig.ToConfig(), + TLSClientConfig: tlsConfig.ToConfig(), DisableKeepAlives: true, }, - Timeout: in.config.HTTPClientTimeout, + Timeout: config.HTTPClientTimeout, }, Logger: newRetryLogger(), - RetryWaitMin: in.config.RetryWaitMin, - RetryWaitMax: in.config.RetryWaitMax, - RetryMax: in.config.RetryMax, + RetryWaitMin: config.RetryWaitMin, + RetryWaitMax: config.RetryWaitMax, + RetryMax: config.RetryMax, CheckRetry: retryablehttp.DefaultRetryPolicy, Backoff: retryablehttp.DefaultBackoff, } - if in.config.OAuth2.IsEnabled() { - return in.config.OAuth2.Client(ctx, client.StandardClient()) + if config.OAuth2.isEnabled() { + return config.OAuth2.client(ctx, client.StandardClient()) } return client.StandardClient(), nil diff --git a/x-pack/filebeat/input/httpjson/input_cursor.go b/x-pack/filebeat/input/httpjson/input_cursor.go new file mode 100644 index 00000000000..d18a91f3918 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/input_cursor.go @@ -0,0 +1,67 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" +) + +type cursorInput struct{} + +func (cursorInput) Name() string { + return "httpjson-cursor" +} + +type source struct { + config config + tlsConfig *tlscommon.TLSConfig +} + +func (src source) Name() string { + return src.config.URL.String() +} + +func cursorConfigure(cfg *common.Config) ([]cursor.Source, cursor.Input, error) { + conf := newDefaultConfig() + if err := cfg.Unpack(&conf); err != nil { + return nil, nil, err + } + return newCursorInput(conf) +} + +func newCursorInput(config config) ([]cursor.Source, cursor.Input, error) { + tlsConfig, err := newTLSConfig(config) + if err != nil { + return nil, nil, err + } + // we only allow one url per config, if we wanted to allow more than one + // each source should hold only one url + return []cursor.Source{ + &source{config: config, + tlsConfig: tlsConfig, + }, + }, + &cursorInput{}, + nil +} + +func (in *cursorInput) Test(src cursor.Source, _ v2.TestContext) error { + return test((src.(*source)).config.URL.URL) +} + +// Run starts the input and blocks until it ends the execution. +// It will return on context cancellation, any other error will be retried. +func (in *cursorInput) Run( + ctx v2.Context, + src cursor.Source, + cursor cursor.Cursor, + publisher cursor.Publisher, +) error { + s := src.(*source) + return run(ctx, s.config, s.tlsConfig, publisher, &cursor) +} diff --git a/x-pack/filebeat/input/httpjson/input_manager.go b/x-pack/filebeat/input/httpjson/input_manager.go new file mode 100644 index 00000000000..21f5066dc05 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/input_manager.go @@ -0,0 +1,49 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "go.uber.org/multierr" + + "github.com/elastic/go-concert/unison" + + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + "github.com/elastic/beats/v7/libbeat/common" +) + +// inputManager wraps one stateless input manager +// and one cursor input manager. It will create one or the other +// based on the config that is passed. +type inputManager struct { + stateless *stateless.InputManager + cursor *cursor.InputManager +} + +var _ v2.InputManager = inputManager{} + +// Init initializes both wrapped input managers. +func (m inputManager) Init(grp unison.Group, mode v2.Mode) error { + return multierr.Append( + m.stateless.Init(grp, mode), + m.cursor.Init(grp, mode), + ) +} + +// Create creates a cursor input manager if the config has a date cursor set up, +// otherwise it creates a stateless input manager. +func (m inputManager) Create(cfg *common.Config) (v2.Input, error) { + var config config + if err := cfg.Unpack(&config); err != nil { + return nil, err + } + + if config.DateCursor != nil { + return m.cursor.Create(cfg) + } + + return m.stateless.Create(cfg) +} diff --git a/x-pack/filebeat/input/httpjson/input_stateless.go b/x-pack/filebeat/input/httpjson/input_stateless.go new file mode 100644 index 00000000000..c7ebf6c3d4c --- /dev/null +++ b/x-pack/filebeat/input/httpjson/input_stateless.go @@ -0,0 +1,58 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" +) + +type statelessInput struct { + config config + tlsConfig *tlscommon.TLSConfig +} + +func (statelessInput) Name() string { + return "httpjson-stateless" +} + +func statelessConfigure(cfg *common.Config) (stateless.Input, error) { + conf := newDefaultConfig() + if err := cfg.Unpack(&conf); err != nil { + return nil, err + } + return newStatelessInput(conf) +} + +func newStatelessInput(config config) (*statelessInput, error) { + tlsConfig, err := newTLSConfig(config) + if err != nil { + return nil, err + } + return &statelessInput{config: config, tlsConfig: tlsConfig}, nil +} + +func (in *statelessInput) Test(v2.TestContext) error { + return test(in.config.URL.URL) +} + +type statelessPublisher struct { + wrapped stateless.Publisher +} + +func (pub statelessPublisher) Publish(event beat.Event, _ interface{}) error { + pub.wrapped.Publish(event) + return nil +} + +// Run starts the input and blocks until it ends the execution. +// It will return on context cancellation, any other error will be retried. +func (in *statelessInput) Run(ctx v2.Context, publisher stateless.Publisher) error { + pub := statelessPublisher{wrapped: publisher} + return run(ctx, in.config, in.tlsConfig, pub, nil) +} diff --git a/x-pack/filebeat/input/httpjson/httpjson_test.go b/x-pack/filebeat/input/httpjson/input_test.go similarity index 96% rename from x-pack/filebeat/input/httpjson/httpjson_test.go rename to x-pack/filebeat/input/httpjson/input_test.go index b541c16002e..242811d2795 100644 --- a/x-pack/filebeat/input/httpjson/httpjson_test.go +++ b/x-pack/filebeat/input/httpjson/input_test.go @@ -23,7 +23,7 @@ import ( beattest "github.com/elastic/beats/v7/libbeat/publisher/testing" ) -func TestHTTPJSONInput(t *testing.T) { +func TestStatelessHTTPJSONInput(t *testing.T) { testCases := []struct { name string setupServer func(*testing.T, http.HandlerFunc, map[string]interface{}) @@ -224,20 +224,23 @@ func TestHTTPJSONInput(t *testing.T) { cfg := common.MustNewConfigFrom(tc.baseConfig) - input, err := configure(cfg) + conf := newDefaultConfig() + assert.NoError(t, cfg.Unpack(&conf)) + + input, err := newStatelessInput(conf) assert.NoError(t, err) - assert.Equal(t, "httpjson", input.Name()) + assert.Equal(t, "httpjson-stateless", input.Name()) assert.NoError(t, input.Test(v2.TestContext{})) - pub := beattest.NewChanClient(len(tc.expected)) - t.Cleanup(func() { _ = pub.Close() }) + chanClient := beattest.NewChanClient(len(tc.expected)) + t.Cleanup(func() { _ = chanClient.Close() }) ctx, cancel := newV2Context() t.Cleanup(cancel) var g errgroup.Group - g.Go(func() error { return input.Run(ctx, pub) }) + g.Go(func() error { return input.Run(ctx, chanClient) }) timeout := time.NewTimer(5 * time.Second) t.Cleanup(func() { _ = timeout.Stop() }) @@ -249,7 +252,7 @@ func TestHTTPJSONInput(t *testing.T) { case <-timeout.C: t.Errorf("timed out waiting for %d events", len(tc.expected)) return - case got := <-pub.Channel: + case got := <-chanClient.Channel: val, err := got.Fields.GetValue("message") assert.NoError(t, err) assert.JSONEq(t, tc.expected[receivedCount], val.(string)) diff --git a/x-pack/filebeat/input/httpjson/pagination.go b/x-pack/filebeat/input/httpjson/pagination.go index 9a7bf82b2b4..020bc783055 100644 --- a/x-pack/filebeat/input/httpjson/pagination.go +++ b/x-pack/filebeat/input/httpjson/pagination.go @@ -16,7 +16,7 @@ import ( type pagination struct { extraBodyContent common.MapStr - header *Header + header *headerConfig idField string requestField string urlField string @@ -24,7 +24,7 @@ type pagination struct { } func newPaginationFromConfig(config config) *pagination { - if !config.Pagination.IsEnabled() { + if !config.Pagination.isEnabled() { return nil } return &pagination{ diff --git a/x-pack/filebeat/input/httpjson/pagination_test.go b/x-pack/filebeat/input/httpjson/pagination_test.go index 9b04de75819..32e3261c1e6 100644 --- a/x-pack/filebeat/input/httpjson/pagination_test.go +++ b/x-pack/filebeat/input/httpjson/pagination_test.go @@ -42,7 +42,7 @@ func TestCreateRequestInfoFromBody(t *testing.T) { contentMap: common.MapStr{}, headers: common.MapStr{}, } - err := pagination.setRequestInfoFromBody( + _ = pagination.setRequestInfoFromBody( common.MapStr(m), common.MapStr(m), ri, diff --git a/x-pack/filebeat/input/httpjson/rate_limiter.go b/x-pack/filebeat/input/httpjson/rate_limiter.go index 57d206224ac..93c2b4a3fe7 100644 --- a/x-pack/filebeat/input/httpjson/rate_limiter.go +++ b/x-pack/filebeat/input/httpjson/rate_limiter.go @@ -122,7 +122,7 @@ func (r *rateLimiter) getRateLimit(header http.Header) (int64, error) { if err != nil { return 0, fmt.Errorf("failed to parse rate-limit reset value: %w", err) } - if time.Unix(epoch, 0).Sub(time.Now()) <= 0 { + if time.Until(time.Unix(epoch, 0)) <= 0 { return 0, nil } diff --git a/x-pack/filebeat/input/httpjson/requester.go b/x-pack/filebeat/input/httpjson/requester.go index b5f58179aa0..df0a1efb1eb 100644 --- a/x-pack/filebeat/input/httpjson/requester.go +++ b/x-pack/filebeat/input/httpjson/requester.go @@ -14,7 +14,7 @@ import ( "net/http" "strings" - stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" ) @@ -40,6 +40,8 @@ type requester struct { authScheme string jsonObjects string splitEventsBy string + + cursorState cursorState } func newRequester( @@ -72,9 +74,9 @@ type response struct { } // processHTTPRequest processes HTTP request, and handles pagination if enabled -func (r *requester) processHTTPRequest(ctx context.Context, publisher stateless.Publisher) error { +func (r *requester) processHTTPRequest(ctx context.Context, publisher cursor.Publisher) error { ri := &requestInfo{ - url: r.dateCursor.getURL(), + url: r.dateCursor.getURL(r.cursorState.LastDateCursorValue), contentMap: common.MapStr{}, headers: r.headers, } @@ -166,7 +168,7 @@ func (r *requester) processHTTPRequest(ctx context.Context, publisher stateless. } if lastObj != nil && r.dateCursor.enabled { - r.dateCursor.advance(common.MapStr(lastObj)) + r.updateCursorState(ri.url, r.dateCursor.getNextValue(common.MapStr(lastObj))) } return nil @@ -210,7 +212,7 @@ func (r *requester) createHTTPRequest(ctx context.Context, ri *requestInfo) (*ht } // processEventArray publishes an event for each object contained in the array. It returns the last object in the array and an error if any. -func (r *requester) processEventArray(publisher stateless.Publisher, events []interface{}) (map[string]interface{}, error) { +func (r *requester) processEventArray(publisher cursor.Publisher, events []interface{}) (map[string]interface{}, error) { var last map[string]interface{} for _, t := range events { switch v := t.(type) { @@ -221,7 +223,9 @@ func (r *requester) processEventArray(publisher stateless.Publisher, events []in if err != nil { return nil, fmt.Errorf("failed to marshal %+v: %w", e, err) } - publisher.Publish(makeEvent(string(d))) + if err := publisher.Publish(makeEvent(string(d)), r.cursorState); err != nil { + return nil, fmt.Errorf("failed to publish: %w", err) + } } default: return nil, fmt.Errorf("expected only JSON objects in the array but got a %T", v) @@ -273,3 +277,23 @@ func splitEvent(splitKey string, event map[string]interface{}) []map[string]inte return events } + +type cursorState struct { + LastCalledURL string + LastDateCursorValue string +} + +func (r *requester) updateCursorState(url, value string) { + r.cursorState.LastCalledURL = url + r.cursorState.LastDateCursorValue = value +} + +func (r *requester) loadCursor(c *cursor.Cursor, log *logp.Logger) { + if c == nil || c.IsNew() { + return + } + + if err := c.Unpack(&r.cursorState); err != nil { + log.Errorf("Reset http cursor state. Failed to read from registry: %v", err) + } +} diff --git a/x-pack/filebeat/input/o365audit/input.go b/x-pack/filebeat/input/o365audit/input.go index ceff10751de..2cf76de9ee3 100644 --- a/x-pack/filebeat/input/o365audit/input.go +++ b/x-pack/filebeat/input/o365audit/input.go @@ -21,6 +21,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/x-pack/filebeat/input/o365audit/poll" "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/timed" ) const ( @@ -107,6 +108,34 @@ func (inp *o365input) Run( src cursor.Source, cursor cursor.Cursor, publisher cursor.Publisher, +) error { + for ctx.Cancelation.Err() == nil { + err := inp.runOnce(ctx, src, cursor, publisher) + if err == nil { + break + } + if ctx.Cancelation.Err() != err && err != context.Canceled { + msg := common.MapStr{} + msg.Put("error.message", err.Error()) + msg.Put("event.kind", "pipeline_error") + event := beat.Event{ + Timestamp: time.Now(), + Fields: msg, + } + publisher.Publish(event, nil) + ctx.Logger.Errorf("Input failed: %v", err) + ctx.Logger.Infof("Restarting in %v", inp.config.API.ErrorRetryInterval) + timed.Wait(ctx.Cancelation, inp.config.API.ErrorRetryInterval) + } + } + return nil +} + +func (inp *o365input) runOnce( + ctx v2.Context, + src cursor.Source, + cursor cursor.Cursor, + publisher cursor.Publisher, ) error { stream := src.(*stream) tenantID, contentType := stream.tenantID, stream.contentType @@ -156,18 +185,7 @@ func (inp *o365input) Run( } log.Infow("Start fetching events", "cursor", start) - err = poller.Run(action) - if err != nil && ctx.Cancelation.Err() != err && err != context.Canceled { - msg := common.MapStr{} - msg.Put("error.message", err.Error()) - msg.Put("event.kind", "pipeline_error") - event := beat.Event{ - Timestamp: time.Now(), - Fields: msg, - } - publisher.Publish(event, nil) - } - return err + return poller.Run(action) } func initCheckpoint(log *logp.Logger, c cursor.Cursor, maxRetention time.Duration) checkpoint { diff --git a/x-pack/filebeat/input/s3/collector.go b/x-pack/filebeat/input/s3/collector.go new file mode 100644 index 00000000000..bf294f94245 --- /dev/null +++ b/x-pack/filebeat/input/s3/collector.go @@ -0,0 +1,637 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package s3 + +import ( + "bufio" + "compress/gzip" + "context" + "crypto/sha256" + "encoding/hex" + "encoding/json" + "fmt" + "io" + "net/http" + "net/url" + "strings" + "sync" + "time" + + awssdk "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/aws/awserr" + "github.com/aws/aws-sdk-go-v2/service/s3" + "github.com/aws/aws-sdk-go-v2/service/s3/s3iface" + "github.com/aws/aws-sdk-go-v2/service/sqs" + "github.com/aws/aws-sdk-go-v2/service/sqs/sqsiface" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/go-concert/unison" +) + +type s3Collector struct { + cancellation context.Context + logger *logp.Logger + + config *config + visibilityTimeout int64 + + sqs sqsiface.ClientAPI + s3 s3iface.ClientAPI + publisher beat.Client +} + +type s3Info struct { + name string + key string + region string + arn string + expandEventListFromField string +} + +type bucket struct { + Name string `json:"name"` + Arn string `json:"arn"` +} + +type object struct { + Key string `json:"key"` +} + +type s3BucketObject struct { + bucket `json:"bucket"` + object `json:"object"` +} + +type sqsMessage struct { + Records []struct { + EventSource string `json:"eventSource"` + AwsRegion string `json:"awsRegion"` + EventName string `json:"eventName"` + S3 s3BucketObject `json:"s3"` + } `json:"Records"` +} + +type s3Context struct { + mux sync.Mutex + refs int + err error // first error witnessed or multi error + errC chan error +} + +var ( + // The maximum number of messages to return. Amazon SQS never returns more messages + // than this value (however, fewer messages might be returned). + maxNumberOfMessage uint8 = 10 + + // The duration (in seconds) for which the call waits for a message to arrive + // in the queue before returning. If a message is available, the call returns + // sooner than WaitTimeSeconds. If no messages are available and the wait time + // expires, the call returns successfully with an empty list of messages. + waitTimeSecond uint8 = 10 +) + +func (c *s3Collector) run() { + defer c.logger.Info("s3 input worker has stopped.") + c.logger.Info("s3 input worker has started.") + for c.cancellation.Err() == nil { + // receive messages from sqs + output, err := c.receiveMessage(c.sqs, c.visibilityTimeout) + if err != nil { + if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == awssdk.ErrCodeRequestCanceled { + continue + } + c.logger.Error("SQS ReceiveMessageRequest failed: ", err) + continue + } + + if output == nil || len(output.Messages) == 0 { + c.logger.Debug("no message received from SQS") + continue + } + + // process messages received from sqs, get logs from s3 and create events + c.processor(c.config.QueueURL, output.Messages, c.visibilityTimeout, c.s3, c.sqs) + } +} + +func (c *s3Collector) processor(queueURL string, messages []sqs.Message, visibilityTimeout int64, svcS3 s3iface.ClientAPI, svcSQS sqsiface.ClientAPI) { + var grp unison.MultiErrGroup + numMessages := len(messages) + c.logger.Debugf("Processing %v messages", numMessages) + + // process messages received from sqs + for i := range messages { + i := i + errC := make(chan error) + grp.Go(func() (err error) { + return c.processMessage(svcS3, messages[i], errC) + }) + grp.Go(func() (err error) { + return c.processorKeepAlive(svcSQS, messages[i], queueURL, visibilityTimeout, errC) + }) + } + grp.Wait() +} + +func (c *s3Collector) processMessage(svcS3 s3iface.ClientAPI, message sqs.Message, errC chan error) error { + s3Infos, err := c.handleSQSMessage(message) + if err != nil { + c.logger.Error(fmt.Errorf("handleSQSMessage failed: %w", err)) + return err + } + c.logger.Debugf("handleSQSMessage succeed and returned %v sets of S3 log info", len(s3Infos)) + + // read from s3 object and create event for each log line + err = c.handleS3Objects(svcS3, s3Infos, errC) + if err != nil { + err = fmt.Errorf("handleS3Objects failed: %w", err) + c.logger.Error(err) + return err + } + c.logger.Debugf("handleS3Objects succeed") + return nil +} + +func (c *s3Collector) processorKeepAlive(svcSQS sqsiface.ClientAPI, message sqs.Message, queueURL string, visibilityTimeout int64, errC chan error) error { + for { + select { + case <-c.cancellation.Done(): + return nil + case err := <-errC: + if err != nil { + c.logger.Warn("Processing message failed, updating visibility timeout") + err := c.changeVisibilityTimeout(queueURL, visibilityTimeout, svcSQS, message.ReceiptHandle) + if err != nil { + c.logger.Error(fmt.Errorf("SQS ChangeMessageVisibilityRequest failed: %w", err)) + } + c.logger.Infof("Message visibility timeout updated to %v", visibilityTimeout) + } else { + // When ACK done, message will be deleted. Or when message is + // not s3 ObjectCreated event related(handleSQSMessage function + // failed), it will be removed as well. + c.logger.Debug("Deleting message from SQS: ", *message.MessageId) + // only delete sqs message when errC is closed with no error + err := c.deleteMessage(queueURL, *message.ReceiptHandle, svcSQS) + if err != nil { + c.logger.Error(fmt.Errorf("deleteMessages failed: %w", err)) + } + } + return err + case <-time.After(time.Duration(visibilityTimeout/2) * time.Second): + c.logger.Warn("Half of the set visibilityTimeout passed, visibility timeout needs to be updated") + // If half of the set visibilityTimeout passed and this is + // still ongoing, then change visibility timeout. + err := c.changeVisibilityTimeout(queueURL, visibilityTimeout, svcSQS, message.ReceiptHandle) + if err != nil { + c.logger.Error(fmt.Errorf("SQS ChangeMessageVisibilityRequest failed: %w", err)) + } + c.logger.Infof("Message visibility timeout updated to %v seconds", visibilityTimeout) + return err + } + } +} + +func (c *s3Collector) receiveMessage(svcSQS sqsiface.ClientAPI, visibilityTimeout int64) (*sqs.ReceiveMessageResponse, error) { + // receive messages from sqs + req := svcSQS.ReceiveMessageRequest( + &sqs.ReceiveMessageInput{ + QueueUrl: &c.config.QueueURL, + MessageAttributeNames: []string{"All"}, + MaxNumberOfMessages: awssdk.Int64(int64(maxNumberOfMessage)), + VisibilityTimeout: &visibilityTimeout, + WaitTimeSeconds: awssdk.Int64(int64(waitTimeSecond)), + }) + + // The Context will interrupt the request if the timeout expires. + sendCtx, cancelFn := context.WithTimeout(c.cancellation, c.config.APITimeout) + defer cancelFn() + + return req.Send(sendCtx) +} + +func (c *s3Collector) changeVisibilityTimeout(queueURL string, visibilityTimeout int64, svcSQS sqsiface.ClientAPI, receiptHandle *string) error { + req := svcSQS.ChangeMessageVisibilityRequest(&sqs.ChangeMessageVisibilityInput{ + QueueUrl: &queueURL, + VisibilityTimeout: &visibilityTimeout, + ReceiptHandle: receiptHandle, + }) + + // The Context will interrupt the request if the timeout expires. + sendCtx, cancelFn := context.WithTimeout(c.cancellation, c.config.APITimeout) + defer cancelFn() + + _, err := req.Send(sendCtx) + return err +} + +func getRegionFromQueueURL(queueURL string) (string, error) { + // get region from queueURL + // Example: https://sqs.us-east-1.amazonaws.com/627959692251/test-s3-logs + queueURLSplit := strings.Split(queueURL, ".") + if queueURLSplit[0] == "https://sqs" && queueURLSplit[2] == "amazonaws" { + return queueURLSplit[1], nil + } + return "", fmt.Errorf("queueURL is not in format: https://sqs.{REGION_ENDPOINT}.amazonaws.com/{ACCOUNT_NUMBER}/{QUEUE_NAME}") +} + +// handle message +func (c *s3Collector) handleSQSMessage(m sqs.Message) ([]s3Info, error) { + msg := sqsMessage{} + err := json.Unmarshal([]byte(*m.Body), &msg) + if err != nil { + return nil, fmt.Errorf("json unmarshal sqs message body failed: %w", err) + } + + var s3Infos []s3Info + for _, record := range msg.Records { + if record.EventSource != "aws:s3" || !strings.HasPrefix(record.EventName, "ObjectCreated:") { + return nil, fmt.Errorf("this SQS queue should be dedicated to s3 ObjectCreated event notifications") + } + // Unescape substrings from s3 log name. For example, convert "%3D" back to "=" + filename, err := url.QueryUnescape(record.S3.object.Key) + if err != nil { + return nil, fmt.Errorf("url.QueryUnescape failed for '%s': %w", record.S3.object.Key, err) + } + + if len(c.config.FileSelectors) == 0 { + s3Infos = append(s3Infos, s3Info{ + region: record.AwsRegion, + name: record.S3.bucket.Name, + key: filename, + arn: record.S3.bucket.Arn, + expandEventListFromField: c.config.ExpandEventListFromField, + }) + continue + } + + for _, fs := range c.config.FileSelectors { + if fs.Regex == nil { + continue + } + if fs.Regex.MatchString(filename) { + s3Infos = append(s3Infos, s3Info{ + region: record.AwsRegion, + name: record.S3.bucket.Name, + key: filename, + arn: record.S3.bucket.Arn, + expandEventListFromField: fs.ExpandEventListFromField, + }) + break + } + } + } + return s3Infos, nil +} + +func (c *s3Collector) handleS3Objects(svc s3iface.ClientAPI, s3Infos []s3Info, errC chan error) error { + s3Ctx := &s3Context{ + refs: 1, + errC: errC, + } + defer s3Ctx.done() + + for _, info := range s3Infos { + c.logger.Debugf("Processing file from s3 bucket \"%s\" with name \"%s\"", info.name, info.key) + err := c.createEventsFromS3Info(svc, info, s3Ctx) + if err != nil { + err = fmt.Errorf("createEventsFromS3Info failed processing file from s3 bucket \"%s\" with name \"%s\": %w", info.name, info.key, err) + c.logger.Error(err) + s3Ctx.setError(err) + } + } + return nil +} + +func (c *s3Collector) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3Ctx *s3Context) error { + objectHash := s3ObjectHash(info) + + // Download the S3 object using GetObjectRequest. + s3GetObjectInput := &s3.GetObjectInput{ + Bucket: awssdk.String(info.name), + Key: awssdk.String(info.key), + } + req := svc.GetObjectRequest(s3GetObjectInput) + + // The Context will interrupt the request if the timeout expires. + ctx, cancelFn := context.WithTimeout(c.cancellation, c.config.APITimeout) + defer cancelFn() + + resp, err := req.Send(ctx) + if err != nil { + if awsErr, ok := err.(awserr.Error); ok { + // If the SDK can determine the request or retry delay was canceled + // by a context the ErrCodeRequestCanceled error will be returned. + if awsErr.Code() == awssdk.ErrCodeRequestCanceled { + err = fmt.Errorf("s3 GetObjectRequest canceled for '%s' from S3 bucket '%s': %w", info.key, info.name, err) + c.logger.Error(err) + return err + } + + if awsErr.Code() == "NoSuchKey" { + c.logger.Warnf("Cannot find s3 file '%s' from S3 bucket '%s'", info.key, info.name) + return nil + } + } + return fmt.Errorf("s3 GetObjectRequest failed for '%s' from S3 bucket '%s': %w", info.key, info.name, err) + } + + defer resp.Body.Close() + + reader := bufio.NewReader(resp.Body) + + isS3ObjGzipped, err := isStreamGzipped(reader) + if err != nil { + err = fmt.Errorf("could not determine if S3 object is gzipped: %w", err) + c.logger.Error(err) + return err + } + + if isS3ObjGzipped { + gzipReader, err := gzip.NewReader(reader) + if err != nil { + err = fmt.Errorf("gzip.NewReader failed for '%s' from S3 bucket '%s': %w", info.key, info.name, err) + c.logger.Error(err) + return err + } + reader = bufio.NewReader(gzipReader) + gzipReader.Close() + } + + // Decode JSON documents when content-type is "application/json" or expand_event_list_from_field is given in config + if resp.ContentType != nil && *resp.ContentType == "application/json" || info.expandEventListFromField != "" { + decoder := json.NewDecoder(reader) + err := c.decodeJSON(decoder, objectHash, info, s3Ctx) + if err != nil { + err = fmt.Errorf("decodeJSONWithKey failed for '%s' from S3 bucket '%s': %w", info.key, info.name, err) + c.logger.Error(err) + return err + } + return nil + } + + // handle s3 objects that are not json content-type + offset := 0 + for { + log, err := readStringAndTrimDelimiter(reader) + if err == io.EOF { + // create event for last line + offset += len([]byte(log)) + event := createEvent(log, offset, info, objectHash, s3Ctx) + err = c.forwardEvent(event) + if err != nil { + err = fmt.Errorf("forwardEvent failed: %w", err) + c.logger.Error(err) + return err + } + return nil + } else if err != nil { + err = fmt.Errorf("readStringAndTrimDelimiter failed: %w", err) + c.logger.Error(err) + return err + } + + if log == "" { + break + } + + // create event per log line + offset += len([]byte(log)) + event := createEvent(log, offset, info, objectHash, s3Ctx) + err = c.forwardEvent(event) + if err != nil { + err = fmt.Errorf("forwardEvent failed: %w", err) + c.logger.Error(err) + return err + } + } + return nil +} + +func (c *s3Collector) decodeJSON(decoder *json.Decoder, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { + offset := 0 + for { + var jsonFields interface{} + err := decoder.Decode(&jsonFields) + if jsonFields == nil { + return nil + } + + if err == io.EOF { + offsetNew, err := c.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) + if err != nil { + return err + } + offset = offsetNew + } else if err != nil { + // decode json failed, skip this log file + err = fmt.Errorf("decode json failed for '%s' from S3 bucket '%s', skipping this file: %w", s3Info.key, s3Info.name, err) + c.logger.Warn(err) + return nil + } + + offset, err = c.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) + if err != nil { + return err + } + } +} + +func (c *s3Collector) jsonFieldsType(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { + switch f := jsonFields.(type) { + case map[string][]interface{}: + if s3Info.expandEventListFromField != "" { + textValues, ok := f[s3Info.expandEventListFromField] + if !ok { + err := fmt.Errorf("key '%s' not found", s3Info.expandEventListFromField) + c.logger.Error(err) + return offset, err + } + for _, v := range textValues { + offset, err := c.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = fmt.Errorf("convertJSONToEvent failed for '%s' from S3 bucket '%s': %w", s3Info.key, s3Info.name, err) + c.logger.Error(err) + return offset, err + } + } + return offset, nil + } + case map[string]interface{}: + if s3Info.expandEventListFromField != "" { + textValues, ok := f[s3Info.expandEventListFromField] + if !ok { + err := fmt.Errorf("key '%s' not found", s3Info.expandEventListFromField) + c.logger.Error(err) + return offset, err + } + + valuesConverted := textValues.([]interface{}) + for _, textValue := range valuesConverted { + offsetNew, err := c.convertJSONToEvent(textValue, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = fmt.Errorf("convertJSONToEvent failed for '%s' from S3 bucket '%s': %w", s3Info.key, s3Info.name, err) + c.logger.Error(err) + return offset, err + } + offset = offsetNew + } + return offset, nil + } + + offset, err := c.convertJSONToEvent(f, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = fmt.Errorf("convertJSONToEvent failed for '%s' from S3 bucket '%s': %w", s3Info.key, s3Info.name, err) + c.logger.Error(err) + return offset, err + } + return offset, nil + } + return offset, nil +} + +func (c *s3Collector) convertJSONToEvent(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { + vJSON, _ := json.Marshal(jsonFields) + logOriginal := string(vJSON) + log := trimLogDelimiter(logOriginal) + offset += len([]byte(log)) + event := createEvent(log, offset, s3Info, objectHash, s3Ctx) + + err := c.forwardEvent(event) + if err != nil { + err = fmt.Errorf("forwardEvent failed: %w", err) + c.logger.Error(err) + return offset, err + } + return offset, nil +} + +func (c *s3Collector) forwardEvent(event beat.Event) error { + c.publisher.Publish(event) + return c.cancellation.Err() +} + +func (c *s3Collector) deleteMessage(queueURL string, messagesReceiptHandle string, svcSQS sqsiface.ClientAPI) error { + deleteMessageInput := &sqs.DeleteMessageInput{ + QueueUrl: awssdk.String(queueURL), + ReceiptHandle: awssdk.String(messagesReceiptHandle), + } + + req := svcSQS.DeleteMessageRequest(deleteMessageInput) + + // The Context will interrupt the request if the timeout expires. + ctx, cancelFn := context.WithTimeout(c.cancellation, c.config.APITimeout) + defer cancelFn() + + _, err := req.Send(ctx) + if err != nil { + if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == awssdk.ErrCodeRequestCanceled { + return nil + } + return fmt.Errorf("SQS DeleteMessageRequest failed: %w", err) + } + return nil +} + +func trimLogDelimiter(log string) string { + return strings.TrimSuffix(log, "\n") +} + +func readStringAndTrimDelimiter(reader *bufio.Reader) (string, error) { + logOriginal, err := reader.ReadString('\n') + if err != nil { + return logOriginal, err + } + return trimLogDelimiter(logOriginal), nil +} + +func createEvent(log string, offset int, info s3Info, objectHash string, s3Ctx *s3Context) beat.Event { + s3Ctx.Inc() + + event := beat.Event{ + Timestamp: time.Now().UTC(), + Fields: common.MapStr{ + "message": log, + "log": common.MapStr{ + "offset": int64(offset), + "file": common.MapStr{ + "path": constructObjectURL(info), + }, + }, + "aws": common.MapStr{ + "s3": common.MapStr{ + "bucket": common.MapStr{ + "name": info.name, + "arn": info.arn}, + "object.key": info.key, + }, + }, + "cloud": common.MapStr{ + "provider": "aws", + "region": info.region, + }, + }, + Private: s3Ctx, + } + event.SetID(objectHash + "-" + fmt.Sprintf("%012d", offset)) + + return event +} + +func constructObjectURL(info s3Info) string { + return "https://" + info.name + ".s3-" + info.region + ".amazonaws.com/" + info.key +} + +// s3ObjectHash returns a short sha256 hash of the bucket arn + object key name. +func s3ObjectHash(s3Info s3Info) string { + h := sha256.New() + h.Write([]byte(s3Info.arn + s3Info.key)) + prefix := hex.EncodeToString(h.Sum(nil)) + return prefix[:10] +} + +func (c *s3Context) setError(err error) { + // only care about the last error for now + // TODO: add "Typed" error to error for context + c.mux.Lock() + defer c.mux.Unlock() + c.err = err +} + +func (c *s3Context) done() { + c.mux.Lock() + defer c.mux.Unlock() + c.refs-- + if c.refs == 0 { + c.errC <- c.err + close(c.errC) + } +} + +func (c *s3Context) Inc() { + c.mux.Lock() + defer c.mux.Unlock() + c.refs++ +} + +// isStreamGzipped determines whether the given stream of bytes (encapsulated in a buffered reader) +// represents gzipped content or not. A buffered reader is used so the function can peek into the byte +// stream without consuming it. This makes it convenient for code executed after this function call +// to consume the stream if it wants. +func isStreamGzipped(r *bufio.Reader) (bool, error) { + // Why 512? See https://godoc.org/net/http#DetectContentType + buf, err := r.Peek(512) + if err != nil && err != io.EOF { + return false, err + } + + switch http.DetectContentType(buf) { + case "application/x-gzip", "application/zip": + return true, nil + default: + return false, nil + } +} diff --git a/x-pack/filebeat/input/s3/input_test.go b/x-pack/filebeat/input/s3/collector_test.go similarity index 97% rename from x-pack/filebeat/input/s3/input_test.go rename to x-pack/filebeat/input/s3/collector_test.go index d1fab05cb3c..510f94d40d5 100644 --- a/x-pack/filebeat/input/s3/input_test.go +++ b/x-pack/filebeat/input/s3/collector_test.go @@ -120,7 +120,7 @@ func TestHandleMessage(t *testing.T) { }, } - p := &s3Input{context: &channelContext{}} + p := &s3Collector{config: &config{}} for _, c := range casesPositive { t.Run(c.title, func(t *testing.T) { s3Info, err := p.handleSQSMessage(c.message) @@ -165,7 +165,8 @@ func TestHandleMessage(t *testing.T) { } func TestNewS3BucketReader(t *testing.T) { - p := &s3Input{context: &channelContext{}} + config := defaultConfig() + p := &s3Collector{cancellation: context.TODO(), config: &config} s3GetObjectInput := &s3.GetObjectInput{ Bucket: awssdk.String(info.name), Key: awssdk.String(info.key), @@ -174,7 +175,7 @@ func TestNewS3BucketReader(t *testing.T) { // The Context will interrupt the request if the timeout expires. var cancelFn func() - ctx, cancelFn := context.WithTimeout(p.context, p.config.APITimeout) + ctx, cancelFn := context.WithTimeout(p.cancellation, p.config.APITimeout) defer cancelFn() resp, err := req.Send(ctx) @@ -201,7 +202,8 @@ func TestNewS3BucketReader(t *testing.T) { } func TestCreateEvent(t *testing.T) { - p := &s3Input{context: &channelContext{}} + config := defaultConfig() + p := &s3Collector{cancellation: context.TODO(), config: &config} errC := make(chan error) s3Context := &s3Context{ refs: 1, @@ -225,7 +227,7 @@ func TestCreateEvent(t *testing.T) { // The Context will interrupt the request if the timeout expires. var cancelFn func() - ctx, cancelFn := context.WithTimeout(p.context, p.config.APITimeout) + ctx, cancelFn := context.WithTimeout(p.cancellation, p.config.APITimeout) defer cancelFn() resp, err := req.Send(ctx) diff --git a/x-pack/filebeat/input/s3/config.go b/x-pack/filebeat/input/s3/config.go index f9780d82277..cc3c5318289 100644 --- a/x-pack/filebeat/input/s3/config.go +++ b/x-pack/filebeat/input/s3/config.go @@ -9,18 +9,17 @@ import ( "regexp" "time" - "github.com/elastic/beats/v7/filebeat/harvester" awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws" ) type config struct { - harvester.ForwarderConfig `config:",inline"` - QueueURL string `config:"queue_url" validate:"nonzero,required"` - VisibilityTimeout time.Duration `config:"visibility_timeout"` - AwsConfig awscommon.ConfigAWS `config:",inline"` - ExpandEventListFromField string `config:"expand_event_list_from_field"` - APITimeout time.Duration `config:"api_timeout"` - FileSelectors []FileSelectorCfg `config:"file_selectors"` + QueueURL string `config:"queue_url" validate:"nonzero,required"` + VisibilityTimeout time.Duration `config:"visibility_timeout"` + FipsEnabled bool `config:"fips_enabled"` + AwsConfig awscommon.ConfigAWS `config:",inline"` + ExpandEventListFromField string `config:"expand_event_list_from_field"` + APITimeout time.Duration `config:"api_timeout"` + FileSelectors []FileSelectorCfg `config:"file_selectors"` } // FileSelectorCfg defines type and configuration of FileSelectors @@ -32,11 +31,9 @@ type FileSelectorCfg struct { func defaultConfig() config { return config{ - ForwarderConfig: harvester.ForwarderConfig{ - Type: "s3", - }, VisibilityTimeout: 300 * time.Second, APITimeout: 120 * time.Second, + FipsEnabled: false, } } diff --git a/x-pack/filebeat/input/s3/input.go b/x-pack/filebeat/input/s3/input.go index 1085c9dccbd..d76e5b8b728 100644 --- a/x-pack/filebeat/input/s3/input.go +++ b/x-pack/filebeat/input/s3/input.go @@ -5,748 +5,127 @@ package s3 import ( - "bufio" - "compress/gzip" - "context" - "crypto/sha256" - "encoding/hex" - "encoding/json" "fmt" - "io" - "net/http" - "net/url" - "strings" - "sync" - "time" - awssdk "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/aws/awserr" "github.com/aws/aws-sdk-go-v2/service/s3" - "github.com/aws/aws-sdk-go-v2/service/s3/s3iface" "github.com/aws/aws-sdk-go-v2/service/sqs" - "github.com/aws/aws-sdk-go-v2/service/sqs/sqsiface" - "github.com/pkg/errors" - "github.com/elastic/beats/v7/filebeat/channel" - "github.com/elastic/beats/v7/filebeat/input" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/acker" - "github.com/elastic/beats/v7/libbeat/common/cfgwarn" - "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/feature" awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws" + "github.com/elastic/go-concert/ctxtool" ) const inputName = "s3" -var ( - // The maximum number of messages to return. Amazon SQS never returns more messages - // than this value (however, fewer messages might be returned). - maxNumberOfMessage int64 = 10 - - // The duration (in seconds) for which the call waits for a message to arrive - // in the queue before returning. If a message is available, the call returns - // sooner than WaitTimeSeconds. If no messages are available and the wait time - // expires, the call returns successfully with an empty list of messages. - waitTimeSecond int64 = 10 - - errOutletClosed = errors.New("input outlet closed") -) - -func init() { - err := input.Register(inputName, NewInput) - if err != nil { - panic(err) +func Plugin() v2.Plugin { + return v2.Plugin{ + Name: inputName, + Stability: feature.Beta, + Deprecated: false, + Info: "Collect logs from s3", + Manager: v2.ConfigureWith(configure), } } -// s3Input is a input for s3 -type s3Input struct { - outlet channel.Outleter // Output of received s3 logs. - config config - awsConfig awssdk.Config - logger *logp.Logger - close chan struct{} - workerOnce sync.Once // Guarantees that the worker goroutine is only started once. - context *channelContext - workerWg sync.WaitGroup // Waits on s3 worker goroutine. - stopOnce sync.Once -} - -type s3Info struct { - name string - key string - region string - arn string - expandEventListFromField string -} - -type bucket struct { - Name string `json:"name"` - Arn string `json:"arn"` -} - -type object struct { - Key string `json:"key"` -} - -type s3BucketObject struct { - bucket `json:"bucket"` - object `json:"object"` -} - -type sqsMessage struct { - Records []struct { - EventSource string `json:"eventSource"` - AwsRegion string `json:"awsRegion"` - EventName string `json:"eventName"` - S3 s3BucketObject `json:"s3"` - } `json:"Records"` -} - -type s3Context struct { - mux sync.Mutex - refs int - err error // first error witnessed or multi error - errC chan error -} - -// channelContext implements context.Context by wrapping a channel -type channelContext struct { - done <-chan struct{} -} - -func (c *channelContext) Deadline() (time.Time, bool) { return time.Time{}, false } -func (c *channelContext) Done() <-chan struct{} { return c.done } -func (c *channelContext) Err() error { - select { - case <-c.done: - return context.Canceled - default: - return nil - } -} -func (c *channelContext) Value(key interface{}) interface{} { return nil } - -// NewInput creates a new s3 input -func NewInput(cfg *common.Config, connector channel.Connector, context input.Context) (input.Input, error) { - cfgwarn.Beta("s3 input type is used") - logger := logp.NewLogger(inputName) - +func configure(cfg *common.Config) (v2.Input, error) { config := defaultConfig() if err := cfg.Unpack(&config); err != nil { - return nil, errors.Wrap(err, "failed unpacking config") - } - - out, err := connector.ConnectWith(cfg, beat.ClientConfig{ - ACKHandler: acker.ConnectionOnly( - acker.EventPrivateReporter(func(_ int, privates []interface{}) { - for _, private := range privates { - if s3Context, ok := private.(*s3Context); ok { - s3Context.done() - } - } - }), - ), - }) - if err != nil { return nil, err } - awsConfig, err := awscommon.GetAWSCredentials(config.AwsConfig) - if err != nil { - return nil, errors.Wrap(err, "getAWSCredentials failed") - } - - closeChannel := make(chan struct{}) - p := &s3Input{ - outlet: out, - config: config, - awsConfig: awsConfig, - logger: logger, - close: closeChannel, - context: &channelContext{closeChannel}, - } - return p, nil -} - -// Run runs the input -func (p *s3Input) Run() { - p.workerOnce.Do(func() { - visibilityTimeout := int64(p.config.VisibilityTimeout.Seconds()) - p.logger.Infof("visibility timeout is set to %v seconds", visibilityTimeout) - p.logger.Infof("aws api timeout is set to %v", p.config.APITimeout) - - regionName, err := getRegionFromQueueURL(p.config.QueueURL) - if err != nil { - p.logger.Errorf("failed to get region name from queueURL: %v", p.config.QueueURL) - } - - awsConfig := p.awsConfig.Copy() - awsConfig.Region = regionName - - svcSQS := sqs.New(awscommon.EnrichAWSConfigWithEndpoint(p.config.AwsConfig.Endpoint, "sqs", regionName, awsConfig)) - svcS3 := s3.New(awscommon.EnrichAWSConfigWithEndpoint(p.config.AwsConfig.Endpoint, "s3", regionName, awsConfig)) - - p.workerWg.Add(1) - go p.run(svcSQS, svcS3, visibilityTimeout) - p.workerWg.Done() - }) -} - -func (p *s3Input) run(svcSQS sqsiface.ClientAPI, svcS3 s3iface.ClientAPI, visibilityTimeout int64) { - defer p.logger.Infof("s3 input worker for '%v' has stopped.", p.config.QueueURL) - - p.logger.Infof("s3 input worker has started. with queueURL: %v", p.config.QueueURL) - for p.context.Err() == nil { - // receive messages from sqs - output, err := p.receiveMessage(svcSQS, visibilityTimeout) - if err != nil { - if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == awssdk.ErrCodeRequestCanceled { - continue - } - p.logger.Error("SQS ReceiveMessageRequest failed: ", err) - time.Sleep(time.Duration(waitTimeSecond) * time.Second) - continue - } - - if output == nil || len(output.Messages) == 0 { - p.logger.Debug("no message received from SQS:", p.config.QueueURL) - continue - } - - // process messages received from sqs, get logs from s3 and create events - p.processor(p.config.QueueURL, output.Messages, visibilityTimeout, svcS3, svcSQS) - } -} - -// Stop stops the s3 input -func (p *s3Input) Stop() { - p.stopOnce.Do(func() { - defer p.outlet.Close() - close(p.close) - p.logger.Info("Stopping s3 input") - }) -} - -// Wait stops the s3 input. -func (p *s3Input) Wait() { - p.Stop() - p.workerWg.Wait() -} - -func (p *s3Input) processor(queueURL string, messages []sqs.Message, visibilityTimeout int64, svcS3 s3iface.ClientAPI, svcSQS sqsiface.ClientAPI) { - var wg sync.WaitGroup - numMessages := len(messages) - p.logger.Debugf("Processing %v messages", numMessages) - wg.Add(numMessages * 2) - - // process messages received from sqs - for i := range messages { - errC := make(chan error) - go p.processMessage(svcS3, messages[i], &wg, errC) - go p.processorKeepAlive(svcSQS, messages[i], queueURL, visibilityTimeout, &wg, errC) - } - wg.Wait() + return newInput(config) } -func (p *s3Input) processMessage(svcS3 s3iface.ClientAPI, message sqs.Message, wg *sync.WaitGroup, errC chan error) { - defer wg.Done() - - s3Infos, err := p.handleSQSMessage(message) - if err != nil { - p.logger.Error(errors.Wrap(err, "handleSQSMessage failed")) - return - } - p.logger.Debugf("handleSQSMessage succeed and returned %v sets of S3 log info", len(s3Infos)) - - // read from s3 object and create event for each log line - err = p.handleS3Objects(svcS3, s3Infos, errC) - if err != nil { - err = errors.Wrap(err, "handleS3Objects failed") - p.logger.Error(err) - return - } - p.logger.Debugf("handleS3Objects succeed") -} - -func (p *s3Input) processorKeepAlive(svcSQS sqsiface.ClientAPI, message sqs.Message, queueURL string, visibilityTimeout int64, wg *sync.WaitGroup, errC chan error) { - defer wg.Done() - for { - select { - case <-p.close: - return - case err := <-errC: - if err != nil { - p.logger.Warn("Processing message failed, updating visibility timeout") - err := p.changeVisibilityTimeout(queueURL, visibilityTimeout, svcSQS, message.ReceiptHandle) - if err != nil { - p.logger.Error(errors.Wrap(err, "SQS ChangeMessageVisibilityRequest failed")) - } - p.logger.Infof("Message visibility timeout updated to %v", visibilityTimeout) - } else { - // When ACK done, message will be deleted. Or when message is - // not s3 ObjectCreated event related(handleSQSMessage function - // failed), it will be removed as well. - p.logger.Debug("Deleting message from SQS: ", message.MessageId) - // only delete sqs message when errC is closed with no error - err := p.deleteMessage(queueURL, *message.ReceiptHandle, svcSQS) - if err != nil { - p.logger.Error(errors.Wrap(err, "deleteMessages failed")) - } - } - return - case <-time.After(time.Duration(visibilityTimeout/2) * time.Second): - p.logger.Warn("Half of the set visibilityTimeout passed, visibility timeout needs to be updated") - // If half of the set visibilityTimeout passed and this is - // still ongoing, then change visibility timeout. - err := p.changeVisibilityTimeout(queueURL, visibilityTimeout, svcSQS, message.ReceiptHandle) - if err != nil { - p.logger.Error(errors.Wrap(err, "SQS ChangeMessageVisibilityRequest failed")) - } - p.logger.Infof("Message visibility timeout updated to %v seconds", visibilityTimeout) - } - } -} - -func (p *s3Input) receiveMessage(svcSQS sqsiface.ClientAPI, visibilityTimeout int64) (*sqs.ReceiveMessageResponse, error) { - // receive messages from sqs - req := svcSQS.ReceiveMessageRequest( - &sqs.ReceiveMessageInput{ - QueueUrl: &p.config.QueueURL, - MessageAttributeNames: []string{"All"}, - MaxNumberOfMessages: &maxNumberOfMessage, - VisibilityTimeout: &visibilityTimeout, - WaitTimeSeconds: &waitTimeSecond, - }) - - // The Context will interrupt the request if the timeout expires. - ctx, cancelFn := context.WithTimeout(p.context, p.config.APITimeout) - defer cancelFn() - - return req.Send(ctx) +// s3Input is a input for s3 +type s3Input struct { + config config } -func (p *s3Input) changeVisibilityTimeout(queueURL string, visibilityTimeout int64, svcSQS sqsiface.ClientAPI, receiptHandle *string) error { - req := svcSQS.ChangeMessageVisibilityRequest(&sqs.ChangeMessageVisibilityInput{ - QueueUrl: &queueURL, - VisibilityTimeout: &visibilityTimeout, - ReceiptHandle: receiptHandle, - }) - - // The Context will interrupt the request if the timeout expires. - ctx, cancelFn := context.WithTimeout(p.context, p.config.APITimeout) - defer cancelFn() - - _, err := req.Send(ctx) - return err +func newInput(config config) (*s3Input, error) { + return &s3Input{config: config}, nil } -func getRegionFromQueueURL(queueURL string) (string, error) { - // get region from queueURL - // Example: https://sqs.us-east-1.amazonaws.com/627959692251/test-s3-logs - queueURLSplit := strings.Split(queueURL, ".") - if queueURLSplit[0] == "https://sqs" && queueURLSplit[2] == "amazonaws" { - return queueURLSplit[1], nil - } - return "", errors.New("queueURL is not in format: https://sqs.{REGION_ENDPOINT}.amazonaws.com/{ACCOUNT_NUMBER}/{QUEUE_NAME}") -} +func (in *s3Input) Name() string { return inputName } -// handle message -func (p *s3Input) handleSQSMessage(m sqs.Message) ([]s3Info, error) { - msg := sqsMessage{} - err := json.Unmarshal([]byte(*m.Body), &msg) +func (in *s3Input) Test(ctx v2.TestContext) error { + _, err := awscommon.GetAWSCredentials(in.config.AwsConfig) if err != nil { - return nil, errors.Wrap(err, "json unmarshal sqs message body failed") - } - - var s3Infos []s3Info - for _, record := range msg.Records { - if record.EventSource != "aws:s3" || !strings.HasPrefix(record.EventName, "ObjectCreated:") { - return nil, errors.New("this SQS queue should be dedicated to s3 ObjectCreated event notifications") - } - // Unescape substrings from s3 log name. For example, convert "%3D" back to "=" - filename, err := url.QueryUnescape(record.S3.object.Key) - if err != nil { - return nil, errors.Wrapf(err, "url.QueryUnescape failed for '%s'", record.S3.object.Key) - } - - if len(p.config.FileSelectors) == 0 { - s3Infos = append(s3Infos, s3Info{ - region: record.AwsRegion, - name: record.S3.bucket.Name, - key: filename, - arn: record.S3.bucket.Arn, - expandEventListFromField: p.config.ExpandEventListFromField, - }) - continue - } - - for _, fs := range p.config.FileSelectors { - if fs.Regex == nil { - continue - } - if fs.Regex.MatchString(filename) { - s3Infos = append(s3Infos, s3Info{ - region: record.AwsRegion, - name: record.S3.bucket.Name, - key: filename, - arn: record.S3.bucket.Arn, - expandEventListFromField: fs.ExpandEventListFromField, - }) - break - } - } - } - return s3Infos, nil -} - -func (p *s3Input) handleS3Objects(svc s3iface.ClientAPI, s3Infos []s3Info, errC chan error) error { - s3Ctx := &s3Context{ - refs: 1, - errC: errC, - } - defer s3Ctx.done() - - for _, info := range s3Infos { - p.logger.Debugf("Processing file from s3 bucket \"%s\" with name \"%s\"", info.name, info.key) - err := p.createEventsFromS3Info(svc, info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "createEventsFromS3Info failed processing file from s3 bucket \"%s\" with name \"%s\"", info.name, info.key) - p.logger.Error(err) - s3Ctx.setError(err) - } + return fmt.Errorf("getAWSCredentials failed: %w", err) } return nil } -func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3Ctx *s3Context) error { - objectHash := s3ObjectHash(info) - - // Download the S3 object using GetObjectRequest. - s3GetObjectInput := &s3.GetObjectInput{ - Bucket: awssdk.String(info.name), - Key: awssdk.String(info.key), - } - req := svc.GetObjectRequest(s3GetObjectInput) - - // The Context will interrupt the request if the timeout expires. - ctx, cancelFn := context.WithTimeout(p.context, p.config.APITimeout) - defer cancelFn() - - resp, err := req.Send(ctx) +func (in *s3Input) Run(ctx v2.Context, pipeline beat.Pipeline) error { + collector, err := in.createCollector(ctx, pipeline) if err != nil { - if awsErr, ok := err.(awserr.Error); ok { - // If the SDK can determine the request or retry delay was canceled - // by a context the ErrCodeRequestCanceled error will be returned. - if awsErr.Code() == awssdk.ErrCodeRequestCanceled { - err = errors.Wrapf(err, "S3 GetObjectRequest canceled for '%s' from S3 bucket '%s'", info.key, info.name) - p.logger.Error(err) - return err - } - - if awsErr.Code() == "NoSuchKey" { - p.logger.Warnf("Cannot find s3 file '%s' from S3 bucket '%s'", info.key, info.name) - return nil - } - } - return errors.Wrapf(err, "S3 GetObjectRequest failed for '%s' from S3 bucket '%s'", info.key, info.name) - } - - defer resp.Body.Close() - - reader := bufio.NewReader(resp.Body) - - isS3ObjGzipped, err := isStreamGzipped(reader) - if err != nil { - err = errors.Wrap(err, "could not determine if S3 object is gzipped") - p.logger.Error(err) return err } - if isS3ObjGzipped { - gzipReader, err := gzip.NewReader(reader) - if err != nil { - err = errors.Wrapf(err, "gzip.NewReader failed for '%s' from S3 bucket '%s'", info.key, info.name) - p.logger.Error(err) - return err - } - reader = bufio.NewReader(gzipReader) - gzipReader.Close() - } - - // Decode JSON documents when content-type is "application/json" or expand_event_list_from_field is given in config - if resp.ContentType != nil && *resp.ContentType == "application/json" || info.expandEventListFromField != "" { - decoder := json.NewDecoder(reader) - err := p.decodeJSON(decoder, objectHash, info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "decodeJSONWithKey failed for '%s' from S3 bucket '%s'", info.key, info.name) - p.logger.Error(err) - return err - } - return nil - } - - // handle s3 objects that are not json content-type - offset := 0 - for { - log, err := readStringAndTrimDelimiter(reader) - if err == io.EOF { - // create event for last line - offset += len([]byte(log)) - event := createEvent(log, offset, info, objectHash, s3Ctx) - err = p.forwardEvent(event) - if err != nil { - err = errors.Wrap(err, "forwardEvent failed") - p.logger.Error(err) - return err - } - return nil - } else if err != nil { - err = errors.Wrap(err, "readStringAndTrimDelimiter failed") - p.logger.Error(err) - return err - } - - if log == "" { - break - } - - // create event per log line - offset += len([]byte(log)) - event := createEvent(log, offset, info, objectHash, s3Ctx) - err = p.forwardEvent(event) - if err != nil { - err = errors.Wrap(err, "forwardEvent failed") - p.logger.Error(err) - return err - } - } - return nil -} - -func (p *s3Input) decodeJSON(decoder *json.Decoder, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { - offset := 0 - for { - var jsonFields interface{} - err := decoder.Decode(&jsonFields) - if jsonFields == nil { - return nil - } - - if err == io.EOF { - offset, err = p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) - if err != nil { - return err - } - } else if err != nil { - // decode json failed, skip this log file - err = errors.Wrapf(err, "decode json failed for '%s' from S3 bucket '%s', skipping this file", s3Info.key, s3Info.name) - p.logger.Warn(err) - return nil - } - - offsetNew, err := p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) - if err != nil { - return err - } - offset = offsetNew - } -} - -func (p *s3Input) jsonFieldsType(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { - switch f := jsonFields.(type) { - case map[string][]interface{}: - if s3Info.expandEventListFromField != "" { - textValues, ok := f[s3Info.expandEventListFromField] - if !ok { - err := errors.Errorf("key '%s' not found", s3Info.expandEventListFromField) - p.logger.Error(err) - return offset, err - } - for _, v := range textValues { - offset, err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) - p.logger.Error(err) - return offset, err - } - } - return offset, nil - } - case map[string]interface{}: - if s3Info.expandEventListFromField != "" { - textValues, ok := f[s3Info.expandEventListFromField] - if !ok { - err := errors.Errorf("key '%s' not found", s3Info.expandEventListFromField) - p.logger.Error(err) - return offset, err - } - - valuesConverted := textValues.([]interface{}) - for _, textValue := range valuesConverted { - offsetNew, err := p.convertJSONToEvent(textValue, offset, objectHash, s3Info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) - p.logger.Error(err) - return offset, err - } - offset = offsetNew - } - return offset, nil - } - - offset, err := p.convertJSONToEvent(f, offset, objectHash, s3Info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) - p.logger.Error(err) - return offset, err - } - return offset, nil - } - return offset, nil + defer collector.publisher.Close() + collector.run() + return ctx.Cancelation.Err() } -func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { - vJSON, err := json.Marshal(jsonFields) - logOriginal := string(vJSON) - log := trimLogDelimiter(logOriginal) - offset += len([]byte(log)) - event := createEvent(log, offset, s3Info, objectHash, s3Ctx) +func (in *s3Input) createCollector(ctx v2.Context, pipeline beat.Pipeline) (*s3Collector, error) { + log := ctx.Logger.With("queue_url", in.config.QueueURL) - err = p.forwardEvent(event) + client, err := pipeline.ConnectWith(beat.ClientConfig{ + CloseRef: ctx.Cancelation, + ACKHandler: newACKHandler(), + }) if err != nil { - err = errors.Wrap(err, "forwardEvent failed") - p.logger.Error(err) - return offset, err - } - return offset, nil -} - -func (p *s3Input) forwardEvent(event beat.Event) error { - ok := p.outlet.OnEvent(event) - if !ok { - return errOutletClosed - } - return nil -} - -func (p *s3Input) deleteMessage(queueURL string, messagesReceiptHandle string, svcSQS sqsiface.ClientAPI) error { - deleteMessageInput := &sqs.DeleteMessageInput{ - QueueUrl: awssdk.String(queueURL), - ReceiptHandle: awssdk.String(messagesReceiptHandle), + return nil, err } - req := svcSQS.DeleteMessageRequest(deleteMessageInput) - - // The Context will interrupt the request if the timeout expires. - ctx, cancelFn := context.WithTimeout(p.context, p.config.APITimeout) - defer cancelFn() - - _, err := req.Send(ctx) + regionName, err := getRegionFromQueueURL(in.config.QueueURL) if err != nil { - if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == awssdk.ErrCodeRequestCanceled { - return nil - } - return errors.Wrapf(err, "SQS DeleteMessageRequest failed in queue %s", queueURL) + err := fmt.Errorf("getRegionFromQueueURL failed: %w", err) + log.Error(err) + return nil, err + } else { + log = log.With("region", regionName) } - return nil -} -func trimLogDelimiter(log string) string { - return strings.TrimSuffix(log, "\n") -} - -func readStringAndTrimDelimiter(reader *bufio.Reader) (string, error) { - logOriginal, err := reader.ReadString('\n') + awsConfig, err := awscommon.GetAWSCredentials(in.config.AwsConfig) if err != nil { - return logOriginal, err + return nil, fmt.Errorf("getAWSCredentials failed: %w", err) } - return trimLogDelimiter(logOriginal), nil -} + awsConfig.Region = regionName -func createEvent(log string, offset int, info s3Info, objectHash string, s3Ctx *s3Context) beat.Event { - s3Ctx.Inc() + visibilityTimeout := int64(in.config.VisibilityTimeout.Seconds()) + log.Infof("visibility timeout is set to %v seconds", visibilityTimeout) + log.Infof("aws api timeout is set to %v", in.config.APITimeout) - event := beat.Event{ - Timestamp: time.Now().UTC(), - Fields: common.MapStr{ - "message": log, - "log": common.MapStr{ - "offset": int64(offset), - "file.path": constructObjectURL(info), - }, - "aws": common.MapStr{ - "s3": common.MapStr{ - "bucket": common.MapStr{ - "name": info.name, - "arn": info.arn}, - "object.key": info.key, - }, - }, - "cloud": common.MapStr{ - "provider": "aws", - "region": info.region, - }, - }, - Private: s3Ctx, + s3Servicename := "s3" + if in.config.FipsEnabled { + s3Servicename = "s3-fips" } - event.SetID(objectHash + "-" + fmt.Sprintf("%012d", offset)) - - return event -} - -func constructObjectURL(info s3Info) string { - return "https://" + info.name + ".s3-" + info.region + ".amazonaws.com/" + info.key -} - -// s3ObjectHash returns a short sha256 hash of the bucket arn + object key name. -func s3ObjectHash(s3Info s3Info) string { - h := sha256.New() - h.Write([]byte(s3Info.arn + s3Info.key)) - prefix := hex.EncodeToString(h.Sum(nil)) - return prefix[:10] -} - -func (c *s3Context) setError(err error) { - // only care about the last error for now - // TODO: add "Typed" error to error for context - c.mux.Lock() - defer c.mux.Unlock() - c.err = err -} -func (c *s3Context) done() { - c.mux.Lock() - defer c.mux.Unlock() - c.refs-- - if c.refs == 0 { - c.errC <- c.err - close(c.errC) - } -} + log.Debug("s3 service name = ", s3Servicename) -func (c *s3Context) Inc() { - c.mux.Lock() - defer c.mux.Unlock() - c.refs++ + return &s3Collector{ + cancellation: ctxtool.FromCanceller(ctx.Cancelation), + logger: log, + config: &in.config, + publisher: client, + visibilityTimeout: visibilityTimeout, + sqs: sqs.New(awscommon.EnrichAWSConfigWithEndpoint(in.config.AwsConfig.Endpoint, "sqs", regionName, awsConfig)), + s3: s3.New(awscommon.EnrichAWSConfigWithEndpoint(in.config.AwsConfig.Endpoint, s3Servicename, regionName, awsConfig)), + }, nil } -// isStreamGzipped determines whether the given stream of bytes (encapsulated in a buffered reader) -// represents gzipped content or not. A buffered reader is used so the function can peek into the byte -// stream without consuming it. This makes it convenient for code executed after this function call -// to consume the stream if it wants. -func isStreamGzipped(r *bufio.Reader) (bool, error) { - // Why 512? See https://godoc.org/net/http#DetectContentType - buf, err := r.Peek(512) - if err != nil && err != io.EOF { - return false, err - } - - switch http.DetectContentType(buf) { - case "application/x-gzip", "application/zip": - return true, nil - default: - return false, nil - } +func newACKHandler() beat.ACKer { + return acker.ConnectionOnly( + acker.EventPrivateReporter(func(_ int, privates []interface{}) { + for _, private := range privates { + if s3Context, ok := private.(*s3Context); ok { + s3Context.done() + } + } + }), + ) } diff --git a/x-pack/filebeat/input/s3/s3_integration_test.go b/x-pack/filebeat/input/s3/s3_integration_test.go index 1d6a400a7f1..cadb5da035b 100644 --- a/x-pack/filebeat/input/s3/s3_integration_test.go +++ b/x-pack/filebeat/input/s3/s3_integration_test.go @@ -16,21 +16,20 @@ import ( "testing" "time" - "github.com/stretchr/testify/assert" - - "github.com/aws/aws-sdk-go-v2/aws" awssdk "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/s3" - "github.com/aws/aws-sdk-go-v2/service/s3/s3iface" "github.com/aws/aws-sdk-go-v2/service/sqs" "github.com/aws/aws-sdk-go-v2/service/sqs/sqsiface" + "github.com/stretchr/testify/assert" - "github.com/elastic/beats/v7/filebeat/channel" - "github.com/elastic/beats/v7/filebeat/input" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + pubtest "github.com/elastic/beats/v7/libbeat/publisher/testing" "github.com/elastic/beats/v7/libbeat/tests/resources" awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws" + "github.com/elastic/go-concert/unison" ) const ( @@ -77,228 +76,99 @@ func getConfigForTest(t *testing.T) config { return config } -func uploadSampleLogFile(t *testing.T, bucketName string, svcS3 s3iface.ClientAPI) { - t.Helper() - ctx, cancel := context.WithCancel(context.Background()) - defer cancel() - - file, err := os.Open(filePath) - if err != nil { - t.Fatalf("Failed to open file %v", filePath) - } - defer file.Close() - - s3PutObjectInput := s3.PutObjectInput{ - Bucket: aws.String(bucketName), - Key: aws.String(filepath.Base(filePath)), - Body: file, - } - req := svcS3.PutObjectRequest(&s3PutObjectInput) - output, err := req.Send(ctx) - if err != nil { - t.Fatalf("failed to put object into s3 bucket: %v", output) - } -} - -func collectOldMessages(t *testing.T, queueURL string, visibilityTimeout int64, svcSQS sqsiface.ClientAPI) []string { - t.Helper() - ctx, cancel := context.WithCancel(context.Background()) - defer cancel() - - // receive messages from sqs - req := svcSQS.ReceiveMessageRequest( - &sqs.ReceiveMessageInput{ - QueueUrl: &queueURL, - MessageAttributeNames: []string{"All"}, - MaxNumberOfMessages: &maxNumberOfMessage, - VisibilityTimeout: &visibilityTimeout, - WaitTimeSeconds: &waitTimeSecond, - }) - - output, err := req.Send(ctx) - if err != nil { - t.Fatalf("failed to receive message from SQS: %v", output) - } - - var oldMessageHandles []string - for _, message := range output.Messages { - oldMessageHandles = append(oldMessageHandles, *message.ReceiptHandle) - } - - return oldMessageHandles -} - -func (input *s3Input) deleteAllMessages(t *testing.T, awsConfig awssdk.Config, queueURL string, visibilityTimeout int64, svcSQS sqsiface.ClientAPI) error { - var messageReceiptHandles []string - init := true - for init || len(messageReceiptHandles) > 0 { - init = false - messageReceiptHandles = collectOldMessages(t, queueURL, visibilityTimeout, svcSQS) - for _, receiptHandle := range messageReceiptHandles { - err := input.deleteMessage(queueURL, receiptHandle, svcSQS) - if err != nil { - return err - } - } - } - return nil -} - func defaultTestConfig() *common.Config { return common.MustNewConfigFrom(map[string]interface{}{ "queue_url": os.Getenv("QUEUE_URL"), }) } -func runTest(t *testing.T, cfg *common.Config, run func(t *testing.T, input *s3Input, out *stubOutleter)) { - // Simulate input.Context from Filebeat input runner. - inputCtx := newInputContext() - defer close(inputCtx.Done) - - // Stub outlet for receiving events generated by the input. - eventOutlet := newStubOutlet() - defer eventOutlet.Close() - - connector := channel.ConnectorFunc(func(_ *common.Config, _ beat.ClientConfig) (channel.Outleter, error) { - return eventOutlet, nil - }) +func newV2Context() (v2.Context, func()) { + ctx, cancel := context.WithCancel(context.Background()) + return v2.Context{ + Logger: logp.NewLogger("s3_test"), + ID: "test_id", + Cancelation: ctx, + }, cancel +} - in, err := NewInput(cfg, connector, inputCtx) +func setupInput(t *testing.T, cfg *common.Config) (*s3Collector, chan beat.Event) { + inp, err := Plugin().Manager.Create(cfg) if err != nil { t.Fatal(err) } - s3Input := in.(*s3Input) - defer s3Input.Stop() - run(t, s3Input, eventOutlet) -} + ctx, cancel := newV2Context() + t.Cleanup(cancel) -func newInputContext() input.Context { - return input.Context{ - Done: make(chan struct{}), + client := pubtest.NewChanClient(0) + pipeline := pubtest.ConstClient(client) + collector, err := inp.(*s3Input).createCollector(ctx, pipeline) + if err != nil { + t.Fatal(err) } + return collector, client.Channel } -type stubOutleter struct { - sync.Mutex - cond *sync.Cond - done bool - Events []beat.Event -} - -func newStubOutlet() *stubOutleter { - o := &stubOutleter{} - o.cond = sync.NewCond(o) - return o -} - -func (o *stubOutleter) waitForEvents(numEvents int) ([]beat.Event, bool) { - o.Lock() - defer o.Unlock() - - for len(o.Events) < numEvents && !o.done { - o.cond.Wait() +func setupCollector(t *testing.T, cfg *common.Config, mock bool) (*s3Collector, chan beat.Event) { + collector, receiver := setupInput(t, cfg) + if mock { + svcS3 := &MockS3Client{} + svcSQS := &MockSQSClient{} + collector.sqs = svcSQS + collector.s3 = svcS3 + return collector, receiver } - size := numEvents - if size >= len(o.Events) { - size = len(o.Events) + config := getConfigForTest(t) + awsConfig, err := awscommon.GetAWSCredentials(config.AwsConfig) + if err != nil { + t.Fatal("failed GetAWSCredentials with AWS Config: ", err) } - out := make([]beat.Event, size) - copy(out, o.Events) - return out, len(out) == numEvents + s3BucketRegion := os.Getenv("S3_BUCKET_REGION") + if s3BucketRegion == "" { + t.Log("S3_BUCKET_REGION is not set, default to us-west-1") + s3BucketRegion = "us-west-1" + } + awsConfig.Region = s3BucketRegion + awsConfig = awsConfig.Copy() + collector.sqs = sqs.New(awsConfig) + collector.s3 = s3.New(awsConfig) + return collector, receiver } -func (o *stubOutleter) Close() error { - o.Lock() - defer o.Unlock() - o.done = true - return nil -} - -func (o *stubOutleter) Done() <-chan struct{} { return nil } - -func (o *stubOutleter) OnEvent(event beat.Event) bool { - o.Lock() - defer o.Unlock() - o.Events = append(o.Events, event) - o.cond.Broadcast() - return !o.done +func runTest(t *testing.T, cfg *common.Config, mock bool, run func(t *testing.T, collector *s3Collector, receiver chan beat.Event)) { + collector, receiver := setupCollector(t, cfg, mock) + run(t, collector, receiver) } func TestS3Input(t *testing.T) { - inputConfig := defaultTestConfig() - config := getConfigForTest(t) - - runTest(t, inputConfig, func(t *testing.T, input *s3Input, out *stubOutleter) { - awsConfig, err := awscommon.GetAWSCredentials(config.AwsConfig) - if err != nil { - - } - s3BucketRegion := os.Getenv("S3_BUCKET_REGION") - if s3BucketRegion == "" { - t.Log("S3_BUCKET_REGION is not set, default to us-west-1") - s3BucketRegion = "us-west-1" - } - awsConfig.Region = s3BucketRegion - input.awsConfig = awsConfig.Copy() - svcSQS := sqs.New(awsConfig) - - // remove old messages from SQS - err = input.deleteAllMessages(t, awsConfig, config.QueueURL, int64(config.VisibilityTimeout.Seconds()), svcSQS) - if err != nil { - t.Fatalf("failed to delete message: %v", err.Error()) - } - + runTest(t, defaultTestConfig(), false, func(t *testing.T, collector *s3Collector, receiver chan beat.Event) { // upload a sample log file for testing s3BucketNameEnv := os.Getenv("S3_BUCKET_NAME") if s3BucketNameEnv == "" { t.Fatal("failed to get S3_BUCKET_NAME") } - svcS3 := s3.New(awsConfig) - uploadSampleLogFile(t, s3BucketNameEnv, svcS3) - time.Sleep(30 * time.Second) - wg := sync.WaitGroup{} wg.Add(1) go func() { defer wg.Done() - input.run(svcSQS, svcS3, 300) + collector.run() }() - events, ok := out.waitForEvents(2) - if !ok { - t.Fatalf("Expected 2 events, but got %d.", len(events)) - } - input.Stop() - - // check events - for i, event := range events { - bucketName, err := event.GetValue("aws.s3.bucket.name") - assert.NoError(t, err) - assert.Equal(t, s3BucketNameEnv, bucketName) - - objectKey, err := event.GetValue("aws.s3.object.key") - assert.NoError(t, err) - assert.Equal(t, fileName, objectKey) - - message, err := event.GetValue("message") - assert.NoError(t, err) - switch i { - case 0: - assert.Equal(t, "logline1\n", message) - case 1: - assert.Equal(t, "logline2\n", message) - } - } + event := <-receiver + bucketName, err := event.GetValue("aws.s3.bucket.name") + assert.NoError(t, err) + assert.Equal(t, s3BucketNameEnv, bucketName) - // delete messages from the queue - err = input.deleteAllMessages(t, awsConfig, config.QueueURL, int64(config.VisibilityTimeout.Seconds()), svcSQS) - if err != nil { - t.Fatalf("failed to delete message: %v", err.Error()) - } + objectKey, err := event.GetValue("aws.s3.object.key") + assert.NoError(t, err) + assert.Equal(t, fileName, objectKey) + + message, err := event.GetValue("message") + assert.NoError(t, err) + assert.Equal(t, "logline1\n", message) }) } @@ -354,41 +224,23 @@ func TestMockS3Input(t *testing.T) { "queue_url": "https://sqs.ap-southeast-1.amazonaws.com/123456/test", }) - runTest(t, cfg, func(t *testing.T, input *s3Input, out *stubOutleter) { - svcS3 := &MockS3Client{} - svcSQS := &MockSQSClient{} + runTest(t, cfg, true, func(t *testing.T, collector *s3Collector, receiver chan beat.Event) { + defer collector.cancellation.Done() + defer collector.publisher.Close() - wg := sync.WaitGroup{} - wg.Add(1) - go func() { - defer wg.Done() - input.run(svcSQS, svcS3, 300) - }() + output, err := collector.receiveMessage(collector.sqs, collector.visibilityTimeout) + assert.NoError(t, err) - events, ok := out.waitForEvents(2) - if !ok { - t.Fatalf("Expected 2 events, but got %d.", len(events)) - } - input.Wait() - - // check events - for i, event := range events { - bucketName, err := event.GetValue("aws.s3.bucket.name") - assert.NoError(t, err) - assert.Equal(t, "test-s3-ks-2", bucketName) - - objectKey, err := event.GetValue("aws.s3.object.key") - assert.NoError(t, err) - assert.Equal(t, "server-access-logging2019-06-21-16-16-54", objectKey) - - message, err := event.GetValue("message") - assert.NoError(t, err) - switch i { - case 0: - assert.Equal(t, s3LogString1, message) - case 1: - assert.Equal(t, s3LogString2, message) - } - } + var grp unison.MultiErrGroup + errC := make(chan error) + defer close(errC) + grp.Go(func() (err error) { + return collector.processMessage(collector.s3, output.Messages[0], errC) + }) + + event := <-receiver + bucketName, err := event.GetValue("aws.s3.bucket.name") + assert.NoError(t, err) + assert.Equal(t, "test-s3-ks-2", bucketName) }) } diff --git a/x-pack/filebeat/module/activemq/audit/config/audit.yml b/x-pack/filebeat/module/activemq/audit/config/audit.yml index 3e0ec415541..f40bf16116f 100644 --- a/x-pack/filebeat/module/activemq/audit/config/audit.yml +++ b/x-pack/filebeat/module/activemq/audit/config/audit.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/activemq/log/config/log.yml b/x-pack/filebeat/module/activemq/log/config/log.yml index 17f6bd869f2..55449d359f1 100644 --- a/x-pack/filebeat/module/activemq/log/config/log.yml +++ b/x-pack/filebeat/module/activemq/log/config/log.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml index 5a56f210c79..c4436629e21 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml index 2094f77c712..ac1caacf21c 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml @@ -51,6 +51,10 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +{{ if .fips_enabled }} +fips_enabled: {{ .fips_enabled }} +{{ end }} + tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} @@ -58,4 +62,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index 8421e12d7f0..8ceec6ff100 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml @@ -146,37 +146,36 @@ processors: field: "json.errorMessage" target_field: "aws.cloudtrail.error_message" ignore_failure: true - - rename: - field: json.requestParameters - target_field: "aws.cloudtrail.flattened.request_parameters" - if: ctx?.json?.requestParameters != null - script: lang: painless source: | - if (ctx.aws.cloudtrail.flattened.request_parameters != null) { - ctx.aws.cloudtrail.request_parameters = ctx.aws.cloudtrail.flattened.request_parameters.toString(); + if (ctx.aws.cloudtrail?.flattened == null) { + Map map = new HashMap(); + ctx.aws.cloudtrail.put("flattened", map); + } + if (ctx.json.requestParameters != null) { + ctx.aws.cloudtrail.request_parameters = ctx.json.requestParameters.toString(); + if (ctx.aws.cloudtrail.request_parameters.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("request_parameters", ctx.json.requestParameters); + } } - ignore_failure: true - - rename: - field: json.responseElements - target_field: "aws.cloudtrail.flattened.response_elements" - if: ctx?.json?.responseElements != null - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail.flattened.response_elements != null) { - ctx.aws.cloudtrail.response_elements = ctx.aws.cloudtrail.flattened.response_elements.toString(); + if (ctx.json.responseElements != null) { + ctx.aws.cloudtrail.response_elements = ctx.json.responseElements.toString(); + if (ctx.aws.cloudtrail.response_elements.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("response_elements", ctx.json.responseElements); + } } - ignore_failure: true - - rename: - field: json.additionalEventData - target_field: "aws.cloudtrail.flattened.additional_eventdata" - if: ctx?.json?.additionalEventData != null - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail.flattened.additional_eventdata != null) { - ctx.aws.cloudtrail.additional_eventdata = ctx.aws.cloudtrail.flattened.additional_eventdata.toString(); + if (ctx.json.additionalEventData != null) { + ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString(); + if (ctx.aws.cloudtrail.additional_eventdata.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("additional_eventdata", ctx.json.additionalEventData); + } + } + if (ctx.json.serviceEventDetails != null) { + ctx.aws.cloudtrail.service_event_details = ctx.json.serviceEventDetails.toString(); + if (ctx.aws.cloudtrail.service_event_details.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("service_event_details", ctx.json.serviceEventDetails); + } } ignore_failure: true - rename: @@ -219,17 +218,6 @@ processors: field: "json.recipientAccountId" target_field: "aws.cloudtrail.recipient_account_id" ignore_failure: true - - rename: - field: json.serviceEventDetails - target_field: "aws.cloudtrail.flattened.service_event_details" - if: ctx?.json?.serviceEventDetails != null - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail.flattened.service_event_details != null) { - ctx.aws.cloudtrail.service_event_details = ctx.aws.cloudtrail.flattened.service_event_details.toString(); - } - ignore_failure: true - rename: field: "json.sharedEventId" target_field: "aws.cloudtrail.shared_event_id" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json index 3bdb628e7fb..47691a242dc 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json @@ -63,6 +63,7 @@ "source.as.organization.name": "CHINA UNICOM China169 Backbone", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 29.5569, "source.geo.location.lon": 106.5531, "source.geo.region_iso_code": "CN-CQ", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index 5783ade81ed..41cca74d099 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -39,6 +39,7 @@ "source.geo.city_name": "Ashburn", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.0481, "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json index c9ee01ef238..1531a7c1e5a 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json @@ -32,6 +32,7 @@ "source.geo.city_name": "Boardman", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 45.8491, "source.geo.location.lon": -119.7143, "source.geo.region_iso_code": "US-OR", diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml index 5a56f210c79..c4436629e21 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml index 073eca58ab2..bdb0ff350f0 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml @@ -37,6 +37,10 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +{{ if .fips_enabled }} +fips_enabled: {{ .fips_enabled }} +{{ end }} + tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} @@ -44,4 +48,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/ec2/config/file.yml b/x-pack/filebeat/module/aws/ec2/config/file.yml index 5a56f210c79..c4436629e21 100644 --- a/x-pack/filebeat/module/aws/ec2/config/file.yml +++ b/x-pack/filebeat/module/aws/ec2/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/ec2/config/s3.yml b/x-pack/filebeat/module/aws/ec2/config/s3.yml index 073eca58ab2..bdb0ff350f0 100644 --- a/x-pack/filebeat/module/aws/ec2/config/s3.yml +++ b/x-pack/filebeat/module/aws/ec2/config/s3.yml @@ -37,6 +37,10 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +{{ if .fips_enabled }} +fips_enabled: {{ .fips_enabled }} +{{ end }} + tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} @@ -44,4 +48,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/elb/_meta/fields.yml b/x-pack/filebeat/module/aws/elb/_meta/fields.yml index 9499f8bbb0e..aac074e9347 100644 --- a/x-pack/filebeat/module/aws/elb/_meta/fields.yml +++ b/x-pack/filebeat/module/aws/elb/_meta/fields.yml @@ -101,3 +101,19 @@ type: keyword description: > The error reason if the executed action failed. + - name: target_port + type: keyword + description: > + List of IP addresses and ports for the targets that processed this request. + - name: target_status_code + type: keyword + description: > + List of status codes from the responses of the targets. + - name: classification + type: keyword + description: > + The classification for desync mitigation. + - name: classification_reason + type: keyword + description: > + The classification reason code. diff --git a/x-pack/filebeat/module/aws/elb/config/file.yml b/x-pack/filebeat/module/aws/elb/config/file.yml index 498a7906457..e9470671e07 100644 --- a/x-pack/filebeat/module/aws/elb/config/file.yml +++ b/x-pack/filebeat/module/aws/elb/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/elb/config/s3.yml b/x-pack/filebeat/module/aws/elb/config/s3.yml index 073eca58ab2..bdb0ff350f0 100644 --- a/x-pack/filebeat/module/aws/elb/config/s3.yml +++ b/x-pack/filebeat/module/aws/elb/config/s3.yml @@ -37,6 +37,10 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +{{ if .fips_enabled }} +fips_enabled: {{ .fips_enabled }} +{{ end }} + tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} @@ -44,4 +48,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml index de772ccdf01..8cb2a914921 100644 --- a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml @@ -31,7 +31,7 @@ processors: %{TIMESTAMP_ISO8601:event.start} \"(?:-|%{DATA:_tmp.actions_executed})\" \"(?:-|%{DATA:aws.elb.redirect_url})\" - \"(?:-|%{DATA:aws.elb.error.reason})\" + \"(?:-|%{DATA:aws.elb.error.reason})\"( \"(?:-|%{DATA:_tmp.target_port})\")?( \"(?:-|%{DATA:_tmp.target_status_code})\")?( \"(?:-|%{DATA:aws.elb.classification})\")?( \"(?:-|%{DATA:aws.elb.classification_reason})\")? # TCP from Network Load Balancers (v2 Load Balancers) - >- @@ -141,6 +141,18 @@ processors: separator: ',' ignore_missing: true + - split: + field: '_tmp.target_port' + target_field: 'aws.elb.target_port' + separator: ' ' + ignore_missing: true + + - split: + field: '_tmp.target_status_code' + target_field: 'aws.elb.target_status_code' + separator: ' ' + ignore_missing: true + - date: field: '_tmp.timestamp' formats: diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log index 88ea2d75c26..5d754c4bbaa 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log @@ -8,4 +8,4 @@ http 2019-10-11T15:03:49.331902Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.2 http 2019-10-11T15:55:09.308183Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37838 10.0.0.192:80 0.001 0.000 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5dd-4d9a423a0e9a782fe2f390af" "-" "-" 0 2019-10-11T15:55:09.307000Z "forward" "-" "-" http 2019-10-11T15:55:11.354283Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37850 10.0.1.107:80 0.001 0.001 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5df-7d64cabe9955b4df9acc800a" "-" "-" 0 2019-10-11T15:55:11.352000Z "forward" "-" "-" http 2019-10-11T15:55:11.987940Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37856 10.0.0.192:80 0.000 0.001 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5df-7c958e828ff43b63d0e0fac4" "-" "-" 0 2019-10-11T15:55:11.987000Z "forward" "-" "-" - +http 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337262-36d228ad5d99923122bbe354" "-" "-" 0 2018-07-02T22:22:48.364000Z "forward,redirect" "-" "-" "10.0.0.1:80" "200" "-" "-" diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json index a566b2f9478..3682fb6520e 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json @@ -35,6 +35,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -83,6 +84,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -131,6 +133,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -179,6 +182,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -227,6 +231,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -275,6 +280,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -323,6 +329,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -375,6 +382,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -427,6 +435,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -479,6 +488,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -490,5 +500,55 @@ ], "tracing.trace.id": "Root=1-5da0a5df-7c958e828ff43b63d0e0fac4", "user_agent.original": "curl/7.58.0" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "forward", + "redirect" + ], + "aws.elb.backend.http.response.status_code": 200, + "aws.elb.backend.ip": "10.0.0.1", + "aws.elb.backend.port": "80", + "aws.elb.backend_processing_time.sec": 0.001, + "aws.elb.matched_rule_priority": "0", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.request_processing_time.sec": 0.0, + "aws.elb.response_processing_time.sec": 0.0, + "aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.0.1:80" + ], + "aws.elb.target_status_code": [ + "200" + ], + "aws.elb.trace_id": "Root=1-58337262-36d228ad5d99923122bbe354", + "aws.elb.type": "http", + "cloud.provider": "aws", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 34, + "http.request.method": "GET", + "http.request.referrer": "http://www.example.com:80/", + "http.response.body.bytes": 366, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 4431, + "service.type": "aws", + "source.ip": "192.168.131.39", + "source.port": "2817", + "tags": [ + "forwarded" + ], + "tracing.trace.id": "Root=1-58337262-36d228ad5d99923122bbe354", + "user_agent.original": "curl/7.46.0" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json index c1916fd1ec2..48701c8a985 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json @@ -31,6 +31,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -74,6 +75,7 @@ "source.geo.city_name": "Mytishchi", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.9089, "source.geo.location.lon": 37.7339, "source.geo.region_iso_code": "RU-MOS", @@ -117,6 +119,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -160,6 +163,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -203,6 +207,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", diff --git a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json index 8b394e2b07e..e960e211763 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json @@ -25,6 +25,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -61,6 +62,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -97,6 +99,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -133,6 +136,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -169,6 +173,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -205,6 +210,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", diff --git a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log index 9e4526d2d61..94c0ec1360b 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log +++ b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log @@ -7,4 +7,7 @@ http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.13 http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 - 0.000 0.001 0.000 502 - 34 366 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-" 0 2018-11-30T22:22:48.364000Z "forward" "-" "LambdaInvalidResponse" http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 - -1 -1 -1 400 - 0 0 "- http://www.example.com:80- -" "-" - - - "-" "-" "-" 0 2018-11-30T22:22:48.364000Z "-" "-" "-" http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 - -1 -1 -1 400 - 0 0 "- - -" "-" - - - "-" "-" "-" 0 2018-11-30T22:22:48.364000Z "-" "-" "-" - +h2 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 10.0.1.252:48160 10.0.0.66:9000 0.000 0.002 0.000 200 200 5 257 "GET https://10.0.2.105:773/ HTTP/2.0" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337327-72bd00b0343d75b906739c42" "-" "-" 1 2018-07-02T22:22:48.364000Z "redirect" "https://example.com:80/" "-" "10.0.0.66:9000" "200" "-" "-" +https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-" +ws 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 10.0.0.140:40914 10.0.1.192:8010 0.001 0.003 0.000 101 101 218 587 "GET http://10.0.0.30:80/ HTTP/1.1" "-" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-" 1 2018-07-02T22:22:48.364000Z "forward" "-" "-" "10.0.1.192:8010" "101" "-" "-" +wss 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 10.0.0.140:44244 10.0.0.171:8010 0.000 0.001 0.000 101 101 218 786 "GET https://10.0.0.30:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-" 1 2018-07-02T22:22:48.364000Z "forward" "-" "-" "10.0.0.171:8010" "101" "-" "-" diff --git a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json index eb1fad5f705..2c1490142fa 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json @@ -368,5 +368,220 @@ ], "tracing.trace.id": "-", "user_agent.original": "-" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "redirect" + ], + "aws.elb.backend.http.response.status_code": 200, + "aws.elb.backend.ip": "10.0.0.66", + "aws.elb.backend.port": "9000", + "aws.elb.backend_processing_time.sec": 0.002, + "aws.elb.matched_rule_priority": "1", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.redirect_url": "https://example.com:80/", + "aws.elb.request_processing_time.sec": 0.0, + "aws.elb.response_processing_time.sec": 0.0, + "aws.elb.ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "aws.elb.ssl_protocol": "TLSv1.2", + "aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.0.66:9000" + ], + "aws.elb.target_status_code": [ + "200" + ], + "aws.elb.trace_id": "Root=1-58337327-72bd00b0343d75b906739c42", + "aws.elb.type": "h2", + "cloud.provider": "aws", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 5, + "http.request.method": "GET", + "http.request.referrer": "https://10.0.2.105:773/", + "http.response.body.bytes": 257, + "http.response.status_code": 200, + "http.version": "2.0", + "input.type": "log", + "log.offset": 3284, + "service.type": "aws", + "source.ip": "10.0.1.252", + "source.port": "48160", + "tags": [ + "forwarded" + ], + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls", + "tracing.trace.id": "Root=1-58337327-72bd00b0343d75b906739c42", + "user_agent.original": "curl/7.46.0" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "authenticate", + "forward" + ], + "aws.elb.backend.http.response.status_code": 200, + "aws.elb.backend.ip": "10.0.0.1", + "aws.elb.backend.port": "80", + "aws.elb.backend_processing_time.sec": 0.048, + "aws.elb.chosen_cert.arn": "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012", + "aws.elb.matched_rule_priority": "1", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.request_processing_time.sec": 0.086, + "aws.elb.response_processing_time.sec": 0.037, + "aws.elb.ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "aws.elb.ssl_protocol": "TLSv1.2", + "aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.0.1:80" + ], + "aws.elb.target_status_code": [ + "200" + ], + "aws.elb.trace_id": "Root=1-58337281-1d84f3d73c47ec4e58577259", + "aws.elb.type": "https", + "cloud.provider": "aws", + "destination.domain": "www.example.com", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 0, + "http.request.method": "GET", + "http.request.referrer": "https://www.example.com:443/", + "http.response.body.bytes": 57, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 3750, + "service.type": "aws", + "source.ip": "192.168.131.39", + "source.port": "2817", + "tags": [ + "forwarded" + ], + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls", + "tracing.trace.id": "Root=1-58337281-1d84f3d73c47ec4e58577259", + "user_agent.original": "curl/7.46.0" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "forward" + ], + "aws.elb.backend.http.response.status_code": 101, + "aws.elb.backend.ip": "10.0.1.192", + "aws.elb.backend.port": "8010", + "aws.elb.backend_processing_time.sec": 0.003, + "aws.elb.matched_rule_priority": "1", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.request_processing_time.sec": 0.001, + "aws.elb.response_processing_time.sec": 0.0, + "aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.1.192:8010" + ], + "aws.elb.target_status_code": [ + "101" + ], + "aws.elb.trace_id": "Root=1-58337364-23a8c76965a2ef7629b185e3", + "aws.elb.type": "ws", + "cloud.provider": "aws", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 218, + "http.request.method": "GET", + "http.request.referrer": "http://10.0.0.30:80/", + "http.response.body.bytes": 587, + "http.response.status_code": 101, + "http.version": "1.1", + "input.type": "log", + "log.offset": 4306, + "service.type": "aws", + "source.ip": "10.0.0.140", + "source.port": "40914", + "tags": [ + "forwarded" + ], + "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3", + "user_agent.original": "-" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "forward" + ], + "aws.elb.backend.http.response.status_code": 101, + "aws.elb.backend.ip": "10.0.0.171", + "aws.elb.backend.port": "8010", + "aws.elb.backend_processing_time.sec": 0.001, + "aws.elb.matched_rule_priority": "1", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.request_processing_time.sec": 0.0, + "aws.elb.response_processing_time.sec": 0.0, + "aws.elb.ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "aws.elb.ssl_protocol": "TLSv1.2", + "aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.0.171:8010" + ], + "aws.elb.target_status_code": [ + "101" + ], + "aws.elb.trace_id": "Root=1-58337364-23a8c76965a2ef7629b185e3", + "aws.elb.type": "wss", + "cloud.provider": "aws", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 218, + "http.request.method": "GET", + "http.request.referrer": "https://10.0.0.30:443/", + "http.response.body.bytes": 786, + "http.response.status_code": 101, + "http.version": "1.1", + "input.type": "log", + "log.offset": 4708, + "service.type": "aws", + "source.ip": "10.0.0.140", + "source.port": "44244", + "tags": [ + "forwarded" + ], + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls", + "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3", + "user_agent.original": "-" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json index e9564154424..b5db726de69 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json @@ -30,6 +30,7 @@ "source.geo.city_name": "Ashburn", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.0481, "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", diff --git a/x-pack/filebeat/module/aws/fields.go b/x-pack/filebeat/module/aws/fields.go index 352932f1b1c..e8968b65e8e 100644 --- a/x-pack/filebeat/module/aws/fields.go +++ b/x-pack/filebeat/module/aws/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "eJzcXN+T4raTf9+/oisvma0Crr6b1NXVXOWq2NnJhctkMzewyd2TI+wGdCMkR5JhyV9/1ZL8AywDM5jd1JeHXQbb0qdb/VstD+EZd7fAtuYNgOVW4C2Mf5++AdAokBm8hTla9gYgQ5Nqnluu5C38xxsAgF9UVgiEhdKwYjITXC5BqKWBhVZrGmb0BmDBUWTm1j0wBMnWWE5HH7vL8RaWWhV5+CUyD31+dMNUI7t5RuFqc4rmNKlQRWY146K6FJuRPofUlp8MF6wQNnFT3MKCCYN7l6Ngm4CVdnjvCMuMsOxBj8FvkoAblDbZoDZcyb07SkqecbdVOju4dgQYfWYrbCIK44NagF0hAfQTE/o1s6MotMKgTniG0nK7i0I7ZHIb2DCKjEaehIEBBa4JSqqkZVwayNAyLgywuSqsw0uzgVq0xpqMf4ESINgVs7BmGbpHNP5ZoLEDYDKD7YqnK0g1unuZMLBFja3hCoPZCCYLsLjOlWZ613rG3TNwM5S4zUptDazUln5tjdkaQM2JSsxGB7fGhKS5GsSD1sXjMtJejsgNfkUChx1hHUve0G59KKkvR9IWjBLKeM3+UhKe0KhCpwgf2RrhZvz08W0JMNdcpjxn4mDNUybEIVsbqNMUjUmecZfwGL6+8Pt5aCCYfPAIt8w4wQGrwPClbEpoN2CDhpQ2IcXAz7YTckwLzwU8WTSxOKCOnVtuVw01MJgWOiYSsC/ipG6VYjjSc602PEMDXHpbQ2ao1uxAY3TcinWpRmYxc6bWrpTB5pSRR7tUqcnc9YIlrLArGiWl0aN3n5aKcxkNQTo2TBQI3IDV9H9gv1LWGUVQ2hk1931LpHYOFrVMgUX1gjJhlOPhHq1+eVmc7fT55ccxZLjhKf47KLtCveUGB947tgW2yVe3ViS1GbNd4D1Pj9zwEobSMM7IW75G2K7Qa1dbdtsc48YUbUO8T0+phO5efZSgLj18CUV96CO8Xic7xwvu7Xx3Vn6O6SKcdm/l5xw1hBfwGYL0BB8THMtxoRmAKdLV0SGZgSel7ICU+JNBPSCFflKiQ2maDKicWtw7XZsRXFrUkgnyWYEbzbiq6cGW2C0nsC97p8mOxxLXpnb89LGkMkjADUtTVUi/dM7+urXTSuDbo8PF2HNCkM7gigfzdUQhTO4pU1tpricNJb1cbtQzZsk8ZtH6CsxoqnLVKWMzqMnDdSUOpOzAYvEFlDHq/d07GBdWwTRlLjkOueC9YMbyFN4jk8Yy8RxPsFBrpZNUZYeW7/zEL55fNalzk1SBRvArGm2hpXGega4fw7dGY9iyT4iT42B8etUYpDJI3VDDWEnONFujRX24bpeytB54QMxkcjcIukBe0JBv9T66O7JfF8Ly5GSedyzU77h4oojRZJPJlTSYhHigby6V41fxBsWjLKVnTKlnzwjpisklGrjxkf2gnYnnFNY5C5yhQIrw/CBv/4ZMZVnGCRwTiSuqZGyvwnQpX8fV8BTrskby5Es4lUWWypKY2qAurYFKfSO3Ftbpb8jNUpNbru9S2fSZl+OWr3AsOJo9ffURYbCbc+Ry2S7nMCEwgyVK1My657nxQ3fYUFffi0S3FxnQffxl8aYhDyXArCEoGlOlszhMlvOLi5AncY4fJ1UlkhmjUl4no+761oxzfseEaI3kKJgRnUd4vWaSLZ3d8YrYpxLCe6UEMtkhRtsVUprc4DY3cGgFoIHQ39XlzFiWKCniRdeLl6LGyg2onOSEVoQAu6mHNHV9oQujD5zjHuQ1heExCG6c8arGDrU0zIDLmrUvrZxer1xZ1SjHTx/bgeJZwXwfMMYhYK9Tt5KDFL5Hqha91pRPsMYZp0pTdLmSvvDg9qJub9nWDIPdHTpkt+TphvSo+7tDAlOec1L2TgZfojBPmGukuM7bLlbz2Om+xhT5xtlXbo4pc6DLW6Qk7G1cz8ZWYT9NNwAuU1FklJpsCbXVfLlE7d1C3Mj6WpqXoUL8HYNYs2Ias8DQXtf8Pz9NPjRc53zX3EOzCgrJ/yxQ7Ep5bl6PczNsaLqVofSTMjMfygYXYnzuYBVkfLFATX/4/dn9T5A/ExeyTZ4mKLNc8b5ZciBevz3eQTkRqbLfWQsBVCgJulTakd12gPS8VcCkqyo3E9Uq4S6T6+l3cVpTJY0SmAi15PFg5TXeJ+zmmhxTvuApgbzzEz3QPGE1X+p5TmcGx1G3kccdQJ0i3Dsd/kCJAuVep2k4RkeTlrWac4EdQeI+JXMfKnXcc3YpvB2x7FFDKY+TMo8MjiEriXAyk1h1FH4/mz2fnh5aK3CcwQuWFObERtTVWOvsOixYailjrzeLyFJtO6pgEPbMISs0uZhOUksSF4JZi7JF4+vV9n5aD+rSYxduEN/V/P8wtY5A7St7pph7QQemUX5r4VmqrSQrxrINk2krG+5Vvbtob1N5SsUvqwLAeZWAF5TWXkNjd5W2h0Lb+fWufqH3Vf2CF1XAXhZq9kdxj4EnnBV8lmRmfIkmntxf4PmdK7mrGsrgg5sFHtTypV5fqGWy4KKVGtcwJZp4x8FZ2V6VJz+opZunbJ2q82TPoiOSYpm2ieXr7vSvY3v+XF1wM9Dyf5rd+a15TVLv1aCGCEQApIqcd1wRLHumYZivTrgIOfX23I1axaBCLcFzY8U2cRGbI0rSJr5xkrgX3nfzCmV2VU6hzP4p+GS+S+ZF+hzdDrzKFl6ZJoCflkJ2T6JrVCi0bpcAw2wNlq6YOaD3KIU+qrgihTVVfirXR3YTcsVBlPDoWEL54K1qmgsMaRLfTanELbn8ULy+ovBXUh9QrpXxtZWyQgpsrUishTgW0IRcO1i/WsTPNIdKZF+HXD9xB6Xd+Rq8mtJc44arwiRfQluPa2gJZU8du1KNM7SzIm3FzCphYqk0t6v1F7JGNClUk7bbJNz1LvGNseIIocVc8NQ1si64XKLONY9aur7oXOFnlmHK10wAylRlmEFj5qot1+FyBovIjw63ZjZdhYgx13zDLLoHDrpj+ZmsoNuZLTR+kfWul7fVzNuJtu5wMXy5Ol4A7orIT+Gbug70eINtITPUYkehQYjBDa0XkzDxiNr6FiL4shznjZOv5g98Zypb+jsss9xYnpqB29sjStvBiW/Aj2yP2TJMpCQHZVbK0XFgNXv3ToFsSbDeHHL065wC+Z2wvOgUyLEem0i5/ES9YB9EOXibcZi++/ocu797588UcdkAfi7jeJ6wLNNoXr+l0mJf3Q6JFsLo9caaqzigjnBTzM/n5vI6vHx4/yKxa+2tXcy3pksUimUwZ4LJFDvati7qi4gCaB5k2QPgmLR5Bw/04/vwY8d2imV6iTZxqzdqbx9fCLHRfOon8mJSH7HrLG1VFQZuyE8cbuxeiMtJTxi5tclJyaeUmHZ3BORaWZWqw42wC0GVo8bX9GZlbU7uw6b52xOdgVqlaAyXSxfhjwymHU5YtWKXc+ROWSaqVNtgqmRmwPAyCa+556uuvgDLTc3jQlougO/tCVIqv6QlcXk4S59RdjTwhIt/IzIbZNCVABAsF2LvBxcCmFA8zbhcdjac+FLuV6awKvI2167a5N2jcn8tHXsE72wUqFnn6VrHXZpQrba0l1FV1gMaKyVhzYXggdhBoNbDV7nbW2kQlAplDhOxynIKyr9kZlbsGa9LR3nUafYwhWpKYnSq1rmrmB/QBSoipVX9B41lc8HNqou0Uv34YYH5Qgs3eTwMMkohqiXdp0SnLHCJMFf69b1vcSustC1LDJeiI5M9qradKIcozGVN8FHIfmCggdvqedO82lZQ/wD5Q9Jfq7SvrP/RCf2PKMXGiCTl+apvRz2dPoAf1yeiXJIS/Iv7uVqEjtCGMF3HU9P0lbd+Ma50pQzKJEVtrxpx+XmA5uELdxoSQp+Xz+gbQvBa+AY1Zz0z148JsljPUV+ZFi5TtXbuVZiECezbmFButUQdOmnVwllwN0/Do853sRC+1GNPldsgDhR3uyP6liWxncEL6SDYbnAfv3cg0CzFS1qyolO7I+HSVh7jj/8Zjtd/yeGMZhtOsj9ghSzryrp8ES5LdCEonOIqcpT04rDdj1ovsoudClEdt3IQ9k9c8QUFvHRPuNzRq+6DJPyMadHeRr0QeGjOKwf3B4r3XF19cOlmofSW6WwAC/4Zs2HpGQZ7p61Ho9HbEUwspEyWO7VgcIOaCc+eDj3UmHGNqU0K3bM1+fT0ECy043iYxxUO07Ljp2LBkbNhI43M9P3aEn9gzY9cnlurliPgWzAumsjqHTrfMf61CzHT71w/BOrybRAvqcr4zZIk1rp9qdlgUkmeMuHLuHW/uJvr4ESsh9ERy8W2jnosHZX7ReUmePM8fFBGEoYl47KrRqJxrSwmHdF66+dzTEOeM+2d6dnFQWhXIr7YolbzuS4iBkMnnoXcfxVE2bt7vHrSpwMbg7GuX3Cv07reLIw2WiOr+4zjUKsDK/2ytz4g42pjGaz8qyMgw1QwygyYgemv48dRdecAnu6ns9FPs9ljska7UtmoPJDhToIN4Pf799PJ7P7YLUrD+/Hs7qfRh/uH+9n96Nf3/3V/N4uT/ow9u+9vnnH3TbONsHbS5DvCJqAD+c3wm9JK16zKFPpOREs5OXNbfFVj33FJKzTvl5YnP/Dw09NkjyLifWVYWnskTWiU9iU+2+uxlCGLNWqeehzNfLQ+wxPpzOzx7Hg8VarU8N754TuVYXOdpQoOWqWuo6SrWLKzaBLTdQjv1RwL2U9VhHPzuAx+APi5bDl0LK0rxxvUFA43yfgLteowI67tJjH8rzhnL6lb0aCVy/XtPVyCk8DOsol7MtaU0g8n9wpkh66WS1gIvlzZxikWF9Z8ayBHbXKKGjcdEmoLLROmVRHvn7sKfGYbAmxyctaN2H2nCn3ch7jGOd23h97LgZxsPoV5Qpp2OpF17+Jz2+7XhvbJoB6OaaajOWQ4bdF7ZlueD558KOuNlec519mEISbZKZezUj1HNkTA5yFb/zXk2fCdextIJY342aLM6oALJh86KnRVT8tV3gpZDV/yaQBTvvzNoaUv3w/azUvNiHHPSLw6rvTly8QUvNVPd2kZElMibqoogzDwwHao4WY6fXhb1kzroxK4VJZXr5Yj8Z/GSKMLHaWIvYMylx3zj/uNsJ1dvc9t/2SOfxvluLCrn5yu+hMH+/d4LTYD+O8C9W7qQ2+670/6u4zFb3KNQ5INzCjEe/v6pXVa5SftuTBQnjssxTJUMunriTODVpjraNNMM2nc7ogXtGn5uqeb2cP0bWXNGpIWCpuHO4GNk5wLobbnFzCu1Zfz2+MdEJIXlS6uwmNC8iMheVBLU07h3tO6UwUJQ3hfkCM8HCz3ndIl+7mBd9UD/ojnDhikhbFq3fVEhyj1cNg8Hni7k8HVIfNyd7Ncgq5SvUW9uEaFuS4jSLRbpZ/ruRy2uo/XarZY8DTshyudHa/b9gvz4Cx17K0iAd8Axnd3948z90a+++5cWqjlsVzv1UiFWi7J0IZMLzC3XN4B/PrzAD7++mE8GztP/PPkkb53NpNaJq+66uUUjrXftjn7CqkYlKFbNTY3rvLojOJOFR19Rc82MTplWRb3J68p5eWMooOhwA0KuFGaL7lk4m1Z+mxvyQdyuhFmxn4RhBnlitJ79gbM0lwcxbnJ0ytKjDvaT3pYvci7V+thirnE/s1ujd9PcE0SbJonC8FaBwovJGHO7ZqZ55DLVY5DCaG2ZHFmd4/gpr2Fdz9M//fj4B//Rv8Nx3c/D/7xw4+Tj4Pvf3iazuKQr9eg6bl2C5PHzfcD+vdfXYp3/+N49Ob/AwAA//+8xDjD" + return "eJzcXN9z47Zzf7+/Yicv8c1I7nwvmU7HnXRG53MaNc7FtXxJ+8RA5IpCDQEMAEqn/PWdBcAfEkFJtqi7zFcPd7JIAp9d7G8sOIZn3N4A25g3AJZbgTcw+X32BkCjQGbwBuZo2RuADE2qeWG5kjfwH28AAH5RWSkQFkrDkslMcJmDULmBhVYrGub6DcCCo8jMjXtgDJKtsJqOPnZb4A3kWpVF+CUyD31+dMPUI7t5rsPV9hTtaVKhysxqxkV9KTYjffaprT4ZLlgpbOKmuIEFEwZ3LkfBtgEr7fDeEpYnwrIDPQa/TQKuUdpkjdpwJXfuqCh5xu1G6Wzv2gFg9HlaYhtRGB/UAuwSCaCfmNCvmL2OQisN6oRnKC232yi0fSZ3gY2jyGjkaRgYUOCKoKRKWsalgQwt48IAm6vSOrw0G6hFZ6zp5BeoAIJdMgsrlqF7ROOfJRo7AiYz2Cx5uoRUo7uXCQMb1NgZrjSYXcN0ARZXhdJMbzvPuHtGboYKt1mqjYGl2tCvnTE7A6g5UYnZ9d6tMSFprwbxoHPxsIx0lyNyg1+RwGFHWM+St7Rb70vqy5F0BaOCMlmxv5SERzSq1CnCR7ZCuJo8fnxbASw0lykvmNhb85QJsc/WFuo0RWOSZ9wmPIZvKPx+HhoIph88wg0zTnDAKjA8l20J7Qds0JDSJqQY+Nn2Qo5p4amAp4s2FgfUsXPD7bKlBgbTUsdEAnZFnNStVgxHeqHVmmdogEtva8gMNZodaIyOW7Mu1cgsZs7U2qUy2J4y8mifKrWZu1qwhJV2SaOkNHr07uNScSqjIUjHmokSgRuwmv4P7FfKOqMISjuj5r5viNTewaKWKbCoWVAmjHI83KHVLy+Ls50+v/w4gQzXPMV/B2WXqDfc4Mh7x67Atvnq1oqkNmO2D7zn6YEbXsJQGsYZectXCJsleu3qym6XY9yYsmuId+mplNDdqw8S1KeHL6FoCH2E1+tk73jBvZ3uzqrPIV2E4+6t+pyihvACPkOQnuBjgmM5LDQjMGW6PDgkM/ColB2REn8yqEek0I9K9ChNmwG1U4t7p0szgkuLWjJBPitwox1XtT1Yjv1yAruyd5zseCxxaWonjx8rKoMEXLE0VaX0S+fsr1s7rQS+PThcjD1HBOkErngwX0cUwuSeMrWR5nLSUNHL5Vo9Y5bMYxZtqMCMpqpWnTI2g5o8XF/iQMoOLBZfQBWj3t2+g0lpFcxS5pLjkAveCWYsT+E9MmksE8/xBAu1VjpJVbZv+U5P/OL5VZs6N0kdaAS/otGWWhrnGej6IXwrNIblQ0KcHgbj06vWILVB6ocaxkoKptkKLer9dTuXpc3AI2Imk9tR0AXygoZ8q/fR/ZH9qhSWJ0fzvEOhfs/FI0WMNptMoaTBJMQDQ3OpGr+ONygeZSk9Yyo9e0ZIl0zmaODKR/ajbiZeUFjnLHCGAinC84O8/RsylWUZJ3BMJK6okrGdCtO5fJ3Uw1Osy1rJky/h1BZZKktiaoO6dAaq9I3cWlinvyE3K03uuL5zZdNnXo5bvsKx4Gh29NVHhMFuzpHLvFvOYUJgBjlK1My657nxQ/fYUFffi0S3ZxnQXfxV8aYlDxXArCUoGlOlszhMVvCzi5BHcU4epnUlkhmjUt4ko+76xkwKfsuE6IzkKHgiOg/wesUky53d8Yo4pBLCe6UEMtkjRpslUprc4jY3sG8FoIXQ39XnzFiWKCniRdezl6LByg2oguSEVoQAu6nHNHVzoQ+jD5zjHuQ1heEJCG6c8arHDrU0zIDLhrUvrZxerlxZ1ygnjx+7geJJwfwQMCYhYG9St4qDFL5HqhaD1pSPsMYZp1pTdLWSvvDg9qJubtjGjIPdHTtkN+TpxvSo+7tHAlNecFL2XgafozCPWGikuM7bLtbw2Om+xhT52tlXbg4pc6DLW6Qk7G1czsbWYT9NNwIuU1FmlJpsCLXVPM9Re7cQN7K+luZlqBR/xyDWLJnGLDB00DX/z0/TDy3XOd+299CsglLyP0sU20qe29fj3Awbmm5lKP2kzMyHssGFGJ87WAUZXyxQ0x9+f3b3E+TPxIVsXaQJyqxQfGiW7InXbw+3UE1Equx31kIAFUqCLpV2ZHcdID1vFTDpqsrtRLVOuKvkevZdnNZUSaMEJkLlPB6svMb7hN1cU2DKFzwlkLd+onuaJ6zmSz3P8czgMOou8rgDaFKEO6fDHyhRoNzrOA2H6GjTslJzLrAnSNylZO5DpZ57Ti6FdyOWHWoo5XFS5pHBIWQVEU5mEqsOwh9ms+fT431nBQ4zeMGS0hzZiLoYa51dhwVLLWXszWYRWapNTxUMwp45ZKUmF9NLakXiQjBrUXZofL3a3s2aQV167MIN4rua/x+m1hGofWXPlHMv6MA0ym8tPEu1kWTFWLZmMu1kw4Oqdx/tXSqPqfh5VQA4rRLwgtLaa2jsr9IOUGg7vd41LPShql/wogrYy0LN4SgeMPCEk4LPisyM52jiyf0Znt+5ktu6oQw+uFngXuUv9fpC5cmCi05q3MCUaOIdBydle3WefK9yN0/VOtXkyZ5FByTFMm0Ty1f96V/P9vypuuBmoOX/9HTrt+Y1Sb1XgwYiEAGQKnLecUWw7JmGYb464SLk1NtzN2odgwqVg+fGkq3jIjZHlKRNfO0kcSe87+cVyuyinEKZ/VPwyXyXzMv0ObodeJEtvCpNAD8theyeRNeoUGrdLQGG2VosXTKzR+9BCn1UcUEKG6r8VK6P7CrkiqMo4dGxhPLBW900FxjSJr6fUokbcvmheH1B4a+lPqBcKeNrK1WFFNhKkVgLcSigCbl2sH6NiJ9oDpXIvg65fuIeSvvzNXg1pYXGNVelSb6Eth7W0ArKjjr2pRonaGdN2pKZZcJErjS3y9UXskY0KdSTdtsk3PU+8Y2x4gCh5Vzw1DWyLrjMUReaRy3dUHQu8TPLMOUrJgBlqjLMoDVz3ZbrcDmDReRHh1sxmy5DxFhovmYW3QN73bH8RFbQ7cyWGr/IejfL22nm7UXbdLgYni8PF4D7IvJj+GauAz3eYFvKDLXYUmgQYnBD68UkTD2irr6FCL4qx3nj5Kv5I9+ZynJ/h2WWG8tTM3J7e0RpNzjxDfiR7TFbhYmU5KDMKjk6DKxh784pkA0J1pt9jn6dUyC/E5YXnQI51GMTKZcfqRfsgqgG7zIO03dfn2N3t+/8mSIuW8BPZRwvEpZlGs3rt1Q67GvaIdFCGL3ZWHMVB9QRbor56dzML8PL+/cvErvO3trZfGu7RKFYBnMmmEyxp23rrL6IKID2QZYdAI5J63dwTz++Dz/2bKdYpnO0iVu96+728ZkQW82nfiIvJs0Ru97SVl1h4Ib8xP7G7pm4nPSEkTubnJR8Solpf0dAoZVVqdrfCDsTVDVqfE2vltYW5D5sWrw90hmoVYrGcJm7CP/aYNrjhFUndjlF7pRlok61DaZKZgYMr5Lwhnu+6uoLsNw0PC6l5QL4zp4gpfI5LYnLw1n6jLKngSdc/BuR2SKDrgSAYLkQOz+4EMCE4mnGZd7bcOJLuV+ZwrrI2167epN3h8rdtXTsEby3UaBhnadrFXdpQnXa0l5GVVUPaK2UhBUXggdiR4FaD18Vbm+lRVAqlNlPxGrLKSj/kplZsme8LB3VUaen+xnUUxKjU7UqXMV8jy5QESmt6z9oLJsLbpZ9pFXqx/cLzGdauOnDfpBRCVEj6T4lOmaBK4SF0q/vfYtbYaVtVWI4Fx2Z7Ot624lyiNKc1wQfhewHBhq4q55X7atdBfUPkD8k/bVK+8r6H73Q/4hSbIxIUl4sh3bUs9k9+HF9IsolKcG/uJ/rRegJbQjTZTw1TV976xfjSpfKoExS1PaiEZefB2gevnCnISH0efmMviUEr4VvUHM2MHP9mCDL1Rz1hWnhMlUr516FSZjAoY0J5VY56tBJqxbOgrt5Wh51vo2F8JUee6rcBnGguN8d0bcsie0MnkkHwXaD+/i9B4FmKZ7TkhWd2h0Jl7b2GH/8z3iy+kuOn2i28TT7A5bIsr6syxfhskSXgsIpriJHSc8O2/2ozSK72KkU9XErB2H3xBVfUMBL94TLPb3qPkjCz5iW3W3UM4GH5rxqcH+geMfVNQeXrhZKb5jORrDgnzEbV55htHPa+vr6+u01TC2kTFY7tWBwjZoJz54ePdSYcY2pTUo9sDX59HgfLLTjeJjHFQ7TquOnZsGBs2HXGpkZ+rUl/sCaH7k6t1YvR8C3YFz0hqA+eR82CLoPW+5NsIbGVTZpGlPHon5uUx+zDt3rLj46mNEH0BeJhirsrZin1ZZaCa3ZrUn0+TnBjPHOZvD31eyO7XiaodnKFFbc8vzAYYTdJ5NLSOUeuCCexMtuJdB8588tfO1y4Ow715WDunonyUtqg37LLokdIDiXlUwqyVMm/GZCc2rBzbV3LtvD6MkoYhuYAxYwq13LqhWj/VaGRrlZzrjs02uNK2Ux6ckZOz+f4qCKgmkf0p1cooZuPeyLLWo9n+tlYzB24lnK3ReSVB3kh2t4Q4ZREzDWda3u9Ps3W9bRdn9kTbd7HGp9bGpY9jbHtFyFNoOlf4EJZJgKRvkpMzD7dfJwXd85gse72dP1T09PD8kK7VJl19WxIHcecQS/372fTZ/uDt2iNLyfPN3+dP3h7v7u6e761/f/dXf7FCf9GQcOIr95xu037WbWJlSkCCZsRTuQ34y/qWKFhlWZQt8Pa9kzAnMbzXV76WFJKzUflpZHP/D40+N0hyLifW1YOjt1bWhLa4sQIAxYUJPlCjVPPY52VaQ5SRbpDx7wDQbxhL1WwzsXDd6qDNvrLFUIE1Xq+pr6SnZbiyYxfUdBX82xkIPXpWA3j6sjjQA/V42vjqXN/sUaNSVlbTL+Qq16zIhr/koM/yvO2XOqpzRo7XJ9kxmX4CSwN8JyT8Zao4bh5E6Zdt/VcgkLwfOlbZ2lcmHNtwYK1Kag3GXdI6G21DJhWpXxLs6LwGe2JcCmIGfdyiC3qtSHfYhr39RDe+idTNzJ5mOYJxQLjpdT3BshXfPHpaF9MqjHE5rpYCUjnPkZvL5SnVKffqiq3rXnOdXZhCGm2TGXs1QDRzZEwOcxW/015tn4nXsnTS2N+NmizJqAC6YfeurEdWfVRd5NWg9f8WkEM57/5tDSl+9H3Ra6dsS4YyReHVf6InpiSt7p6jy3GI4pETdTlEEYuGdb1HA1m92/rSr3zYEdzJXl9QsOSfxnMdLoQk9BbOe41nkvm4j7jdBUUb9VcPd8mH8n6qS0y5+crvpzL7v3eC02I/jvEvV25kNvuu9P+ruKxa8KjWOSDcwoxHv7+qV1WuUnHbg8VZ1+rcQy1NPp65GTq1aYy2jTk2bSuD06L2iz6qVjV0/3s7e1NWtJWiiv7+9Ht84TL4TanF7AuFR32G8Pt0BIXlS6uAiPCcmPhORe5aaawr0teKtKEobw1ipHeHi9ge/Xr9jPDbyrH/AHjbfAIC2NVau+J3pEaYBXHsQDb3c+vX7VQVXXrJagb8PIol5cYp+jKSNItBuln5u5HLamm9xqtljwNHRlKJ0d3j0YFubeif7Yu20CvhFMbm/vHp7ceyHv+nNpofJDud6rkQqV52RoQ6YXmFst7wh+/XkEH3/9MHmaOE/88/SBvve2NFsmL7rq1RSOtd92OfsKqRhVoVs9Njeu8uiM4laVPd1tzzYxOmVZFvcnrynlFYyig7HANQq4UprnXDLxtip9dhtDAjn9CDNjvwjCjHJF6T17C2a9DXII57pILygx7gUTpIf16+QHtR6mnEsc3uw2+P0ElyTBpkWyEKxzrPVMEubcrph5Drlc7TiUEGpDFufp9gHctDfw7ofZ/34c/ePf6L/x5Pbn0T9++HH6cfT9D4+zpzjky7UJe67dwPRh/f2I/v1Xl+Ld/Ti5fvP/AQAA//9d8O3V" } diff --git a/x-pack/filebeat/module/aws/s3access/config/file.yml b/x-pack/filebeat/module/aws/s3access/config/file.yml index 498a7906457..e9470671e07 100644 --- a/x-pack/filebeat/module/aws/s3access/config/file.yml +++ b/x-pack/filebeat/module/aws/s3access/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/s3access/config/s3.yml b/x-pack/filebeat/module/aws/s3access/config/s3.yml index 073eca58ab2..bdb0ff350f0 100644 --- a/x-pack/filebeat/module/aws/s3access/config/s3.yml +++ b/x-pack/filebeat/module/aws/s3access/config/s3.yml @@ -37,6 +37,10 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +{{ if .fips_enabled }} +fips_enabled: {{ .fips_enabled }} +{{ end }} + tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} @@ -44,4 +48,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json index 273b1512556..187f7f33589 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json @@ -33,6 +33,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -95,6 +96,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -158,6 +160,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -220,6 +223,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -279,6 +283,7 @@ "geo.city_name": "Teruel", "geo.continent_name": "Europe", "geo.country_iso_code": "ES", + "geo.country_name": "Spain", "geo.location.lat": 40.3456, "geo.location.lon": -1.1065, "geo.region_iso_code": "ES-TE", @@ -331,6 +336,7 @@ "geo.city_name": "Denver", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.7044, "geo.location.lon": -105.0023, "geo.region_iso_code": "US-CO", diff --git a/x-pack/filebeat/module/aws/vpcflow/config/input.yml b/x-pack/filebeat/module/aws/vpcflow/config/input.yml index c9e88b6a743..628196b7d3e 100644 --- a/x-pack/filebeat/module/aws/vpcflow/config/input.yml +++ b/x-pack/filebeat/module/aws/vpcflow/config/input.yml @@ -39,6 +39,10 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +{{ if .fips_enabled }} +fips_enabled: {{ .fips_enabled }} +{{ end }} + {{ else if eq .input "file" }} type: log @@ -173,4 +177,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json index 170b8851ec9..1f1b3e061b2 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json @@ -13,6 +13,7 @@ "destination.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", "destination.geo.location.lat": 40.4172, "destination.geo.location.lon": -3.684, "destination.ip": "158.109.0.1", @@ -47,6 +48,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -72,6 +74,7 @@ "destination.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", "destination.geo.location.lat": 40.4172, "destination.geo.location.lon": -3.684, "destination.ip": "158.109.0.1", @@ -106,6 +109,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json index 6b7b788ac97..ba0293752ca 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json @@ -49,6 +49,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "IE", + "source.geo.country_name": "Ireland", "source.geo.location.lat": 53.3338, "source.geo.location.lon": -6.2488, "source.geo.region_iso_code": "IE-L", diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml index a4567959194..77c7ea3f5d0 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/azure/activitylogs/config/file.yml b/x-pack/filebeat/module/azure/activitylogs/config/file.yml index 498a7906457..e9470671e07 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/file.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json index 4c0e8d4701a..3f86faee084 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json @@ -47,6 +47,7 @@ "fileset.name": "activitylogs", "geo.continent_name": "Europe", "geo.country_iso_code": "GB", + "geo.country_name": "United Kingdom", "geo.location.lat": 51.4964, "geo.location.lon": -0.1224, "input.type": "log", @@ -55,6 +56,7 @@ "service.type": "azure", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.4964, "source.geo.location.lon": -0.1224, "source.ip": "51.251.141.41", diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json index db962bd4df6..5f14108e4c4 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json @@ -52,6 +52,7 @@ "fileset.name": "activitylogs", "geo.continent_name": "Asia", "geo.country_iso_code": "JP", + "geo.country_name": "Japan", "geo.location.lat": 35.69, "geo.location.lon": 139.69, "input.type": "log", @@ -62,6 +63,7 @@ "source.as.organization.name": "KDDI CORPORATION", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "JP", + "source.geo.country_name": "Japan", "source.geo.location.lat": 35.69, "source.geo.location.lon": 139.69, "source.ip": "111.111.111.11", diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml index 3633cc4e5de..43a051f8dd3 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/azure/auditlogs/config/file.yml b/x-pack/filebeat/module/azure/auditlogs/config/file.yml index 937446eb523..8e77b860e99 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/file.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml index dd8e1473a68..b971be2783c 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/azure/signinlogs/config/file.yml b/x-pack/filebeat/module/azure/signinlogs/config/file.yml index 937446eb523..8e77b860e99 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/file.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index 6a0f96ae261..db0643ccf25 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json @@ -66,6 +66,7 @@ "source.geo.city_name": "Farnham Royal", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5333, "source.geo.location.lon": -0.6167, "source.geo.region_iso_code": "GB-BKM", @@ -145,6 +146,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js b/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js index 37a1fa68d5e..3c8db034ee1 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js @@ -152,11 +152,9 @@ var map_getEventLegacyCategory = { "default": constant("1901000000"), }; -var dup1 = // "Pattern{Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(info,false)}" -match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); +var dup1 = match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); -var dup2 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); +var dup2 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); var dup3 = setc("eventcategory","1207010201"); @@ -194,8 +192,7 @@ var dup13 = setc("eventcategory","1207010000"); var dup14 = setc("direction","outbound"); -var dup15 = // "Pattern{Constant('SZ:'), Field(fld9,true), Constant(' SUBJ:'), Field(subject,false)}" -match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); +var dup15 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); var dup16 = setc("eventcategory","1207040000"); @@ -259,8 +256,7 @@ var dup33 = linear_select([ dup2, ]); -var hdr1 = // "Pattern{Field(messageid,false), Constant('['), Field(hfld14,false), Constant(']: '), Field(p0,false)}" -match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -275,8 +271,7 @@ match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_ch }), ])); -var hdr2 = // "Pattern{Field(hfld1,false), Constant('/'), Field(messageid,false), Constant('['), Field(hfld14,false), Constant(']: '), Field(p0,false)}" -match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", @@ -293,8 +288,7 @@ match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", pro }), ])); -var hdr3 = // "Pattern{Field(messageid,false), Constant(': '), Field(p0,false)}" -match("HEADER#2:0003", "message", "%{messageid}: %{p0}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%{messageid}: %{p0}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -313,8 +307,7 @@ var select1 = linear_select([ hdr3, ]); -var part1 = // "Pattern{Constant('inbound/pass1['), Field(fld14,false), Constant(']: '), Field(username,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' RECV '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:000001/0", "nwparser.payload", "inbound/pass1[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); +var part1 = match("MESSAGE#0:000001/0", "nwparser.payload", "inbound/pass1[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); var all1 = all_match({ processors: [ @@ -337,14 +330,11 @@ var all1 = all_match({ var msg1 = msg("000001", all1); -var part2 = // "Pattern{Constant('inbound/pass1: '), Field(web_domain,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' SCAN '), Field(fld4,true), Constant(' '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(fld5,true), Constant(' '), Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1:inbound/pass1/0", "nwparser.payload", "inbound/pass1: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} SCAN %{fld4->} %{from->} %{to->} %{fld5->} %{fld3->} %{resultcode->} %{p0}"); +var part2 = match("MESSAGE#1:inbound/pass1/0", "nwparser.payload", "inbound/pass1: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} SCAN %{fld4->} %{from->} %{to->} %{fld5->} %{fld3->} %{resultcode->} %{p0}"); -var part3 = // "Pattern{Field(fld6,true), Constant(' SZ:'), Field(fld8,true), Constant(' SUBJ:'), Field(subject,false)}" -match("MESSAGE#1:inbound/pass1/1_0", "nwparser.p0", "%{fld6->} SZ:%{fld8->} SUBJ:%{subject}"); +var part3 = match("MESSAGE#1:inbound/pass1/1_0", "nwparser.p0", "%{fld6->} SZ:%{fld8->} SUBJ:%{subject}"); -var part4 = // "Pattern{Field(domain,true), Constant(' '), Field(info,false)}" -match("MESSAGE#1:inbound/pass1/1_1", "nwparser.p0", "%{domain->} %{info}"); +var part4 = match("MESSAGE#1:inbound/pass1/1_1", "nwparser.p0", "%{domain->} %{info}"); var select2 = linear_select([ part3, @@ -372,8 +362,7 @@ var all2 = all_match({ var msg2 = msg("inbound/pass1", all2); -var part5 = // "Pattern{Constant('inbound/pass1:'), Field(web_domain,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' RECV '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#2:inbound/pass1:01/0", "nwparser.payload", "inbound/pass1:%{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); +var part5 = match("MESSAGE#2:inbound/pass1:01/0", "nwparser.payload", "inbound/pass1:%{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); var all3 = all_match({ processors: [ @@ -402,11 +391,9 @@ var select3 = linear_select([ msg3, ]); -var part6 = // "Pattern{Constant('outbound/smtp['), Field(fld14,false), Constant(']: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#3:000002/0", "nwparser.payload", "outbound/smtp[%{fld14}]: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{p0}"); +var part6 = match("MESSAGE#3:000002/0", "nwparser.payload", "outbound/smtp[%{fld14}]: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{p0}"); -var part7 = // "Pattern{Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(info,false)}" -match("MESSAGE#3:000002/1_0", "nwparser.p0", "%{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{info}"); +var part7 = match("MESSAGE#3:000002/1_0", "nwparser.p0", "%{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{info}"); var select4 = linear_select([ part7, @@ -430,37 +417,28 @@ var all4 = all_match({ var msg4 = msg("000002", all4); -var part8 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(fld5,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#4:outbound/smtp/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{fld5->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); +var part8 = match("MESSAGE#4:outbound/smtp/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{fld5->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); -var part9 = // "Pattern{Field(fld8,true), Constant(' <<'), Field(from,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#4:outbound/smtp/1_0", "nwparser.p0", "%{fld8->} \u003c\u003c%{from}> %{p0}"); +var part9 = match("MESSAGE#4:outbound/smtp/1_0", "nwparser.p0", "%{fld8->} \u003c\u003c%{from}> %{p0}"); -var part10 = // "Pattern{Constant('<<'), Field(from,false), Constant('>'), Field(p0,false)}" -match("MESSAGE#4:outbound/smtp/1_1", "nwparser.p0", "\u003c\u003c%{from}>%{p0}"); +var part10 = match("MESSAGE#4:outbound/smtp/1_1", "nwparser.p0", "\u003c\u003c%{from}>%{p0}"); var select5 = linear_select([ part9, part10, ]); -var part11 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#4:outbound/smtp/2", "nwparser.p0", "%{} %{p0}"); +var part11 = match("MESSAGE#4:outbound/smtp/2", "nwparser.p0", "%{} %{p0}"); -var part12 = // "Pattern{Constant('[InternalId='), Field(id,false), Constant(', Hostname='), Field(hostname,false), Constant('] '), Field(event_description,true), Constant(' #to#'), Field(ddomain,false)}" -match("MESSAGE#4:outbound/smtp/3_0", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{event_description->} #to#%{ddomain}"); +var part12 = match("MESSAGE#4:outbound/smtp/3_0", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{event_description->} #to#%{ddomain}"); -var part13 = // "Pattern{Constant('[InternalId='), Field(id,false), Constant('] '), Field(event_description,true), Constant(' #to#'), Field(daddr,false)}" -match("MESSAGE#4:outbound/smtp/3_1", "nwparser.p0", "[InternalId=%{id}] %{event_description->} #to#%{daddr}"); +var part13 = match("MESSAGE#4:outbound/smtp/3_1", "nwparser.p0", "[InternalId=%{id}] %{event_description->} #to#%{daddr}"); -var part14 = // "Pattern{Constant('[InternalId='), Field(id,false), Constant(', Hostname='), Field(hostname,false), Constant('] '), Field(info,false)}" -match("MESSAGE#4:outbound/smtp/3_2", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{info}"); +var part14 = match("MESSAGE#4:outbound/smtp/3_2", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{info}"); -var part15 = // "Pattern{Field(event_description,true), Constant(' #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" -match("MESSAGE#4:outbound/smtp/3_3", "nwparser.p0", "%{event_description->} #to#%{ddomain}[%{daddr}]:%{dport}"); +var part15 = match("MESSAGE#4:outbound/smtp/3_3", "nwparser.p0", "%{event_description->} #to#%{ddomain}[%{daddr}]:%{dport}"); -var part16 = // "Pattern{Field(event_description,true), Constant(' #to#'), Field(ddomain,false)}" -match("MESSAGE#4:outbound/smtp/3_4", "nwparser.p0", "%{event_description->} #to#%{ddomain}"); +var part16 = match("MESSAGE#4:outbound/smtp/3_4", "nwparser.p0", "%{event_description->} #to#%{ddomain}"); var select6 = linear_select([ part12, @@ -489,22 +467,18 @@ var all5 = all_match({ var msg5 = msg("outbound/smtp", all5); -var part17 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#5:000009/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); +var part17 = match("MESSAGE#5:000009/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); -var part18 = // "Pattern{Field(fld8,true), Constant(' ok'), Field(p0,false)}" -match("MESSAGE#5:000009/1_0", "nwparser.p0", "%{fld8->} ok%{p0}"); +var part18 = match("MESSAGE#5:000009/1_0", "nwparser.p0", "%{fld8->} ok%{p0}"); -var part19 = // "Pattern{Constant('ok'), Field(p0,false)}" -match("MESSAGE#5:000009/1_1", "nwparser.p0", "ok%{p0}"); +var part19 = match("MESSAGE#5:000009/1_1", "nwparser.p0", "ok%{p0}"); var select7 = linear_select([ part18, part19, ]); -var part20 = // "Pattern{Field(fld9,true), Constant(' Message '), Field(fld10,true), Constant(' accepted #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" -match("MESSAGE#5:000009/2", "nwparser.p0", "%{fld9->} Message %{fld10->} accepted #to#%{ddomain}[%{daddr}]:%{dport}"); +var part20 = match("MESSAGE#5:000009/2", "nwparser.p0", "%{fld9->} Message %{fld10->} accepted #to#%{ddomain}[%{daddr}]:%{dport}"); var all6 = all_match({ processors: [ @@ -524,8 +498,7 @@ var all6 = all_match({ var msg6 = msg("000009", all6); -var part21 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' Message accepted for delivery #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" -match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} Message accepted for delivery #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ +var part21 = match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} Message accepted for delivery #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ dup13, dup4, dup14, @@ -537,8 +510,7 @@ match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr- var msg7 = msg("outbound/smtp:01", part21); -var part22 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' conversation with '), Field(fld5,false), Constant('['), Field(fld6,false), Constant('] timed out while sending '), Field(fld7,true), Constant(' #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" -match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} conversation with %{fld5}[%{fld6}] timed out while sending %{fld7->} #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ +var part22 = match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} conversation with %{fld5}[%{fld6}] timed out while sending %{fld7->} #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ dup13, dup4, dup14, @@ -549,26 +521,19 @@ match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr- var msg8 = msg("outbound/smtp:02", part22); -var part23 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(fld7,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#8:000010/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} %{p0}"); +var part23 = match("MESSAGE#8:000010/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} %{p0}"); -var part24 = // "Pattern{Constant('Ok '), Field(fld9,true), Constant(' '), Field(fld10,true), Constant(' - gsmtp #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_0", "nwparser.p0", "Ok %{fld9->} %{fld10->} - gsmtp #to#%{p0}"); +var part24 = match("MESSAGE#8:000010/1_0", "nwparser.p0", "Ok %{fld9->} %{fld10->} - gsmtp #to#%{p0}"); -var part25 = // "Pattern{Constant('Ok: queued as '), Field(fld9,true), Constant(' #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_1", "nwparser.p0", "Ok: queued as %{fld9->} #to#%{p0}"); +var part25 = match("MESSAGE#8:000010/1_1", "nwparser.p0", "Ok: queued as %{fld9->} #to#%{p0}"); -var part26 = // "Pattern{Constant('ok '), Field(fld9,true), Constant(' #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_2", "nwparser.p0", "ok %{fld9->} #to#%{p0}"); +var part26 = match("MESSAGE#8:000010/1_2", "nwparser.p0", "ok %{fld9->} #to#%{p0}"); -var part27 = // "Pattern{Constant('Ok ('), Field(fld9,false), Constant(') #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_3", "nwparser.p0", "Ok (%{fld9}) #to#%{p0}"); +var part27 = match("MESSAGE#8:000010/1_3", "nwparser.p0", "Ok (%{fld9}) #to#%{p0}"); -var part28 = // "Pattern{Constant('OK '), Field(fld9,true), Constant(' #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_4", "nwparser.p0", "OK %{fld9->} #to#%{p0}"); +var part28 = match("MESSAGE#8:000010/1_4", "nwparser.p0", "OK %{fld9->} #to#%{p0}"); -var part29 = // "Pattern{Field(fld9,true), Constant(' #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_5", "nwparser.p0", "%{fld9->} #to#%{p0}"); +var part29 = match("MESSAGE#8:000010/1_5", "nwparser.p0", "%{fld9->} #to#%{p0}"); var select8 = linear_select([ part24, @@ -579,8 +544,7 @@ var select8 = linear_select([ part29, ]); -var part30 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#8:000010/2", "nwparser.p0", "daddr"); +var part30 = match_copy("MESSAGE#8:000010/2", "nwparser.p0", "daddr"); var all7 = all_match({ processors: [ @@ -600,8 +564,7 @@ var all7 = all_match({ var msg9 = msg("000010", all7); -var part31 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' connect to '), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']: '), Field(event_description,false)}" -match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} connect to %{ddomain}[%{daddr}]: %{event_description}", processor_chain([ +var part31 = match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} connect to %{ddomain}[%{daddr}]: %{event_description}", processor_chain([ dup13, dup4, dup14, @@ -612,8 +575,7 @@ match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} var msg10 = msg("000011", part31); -var part32 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(fld7,true), Constant(' ['), Field(ddomain,false), Constant(']: '), Field(event_description,false)}" -match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} [%{ddomain}]: %{event_description}", processor_chain([ +var part32 = match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} [%{ddomain}]: %{event_description}", processor_chain([ dup13, dup4, dup14, @@ -624,8 +586,7 @@ match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id-> var msg11 = msg("000012", part32); -var part33 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld7,true), Constant(' <<'), Field(from,false), Constant('>: '), Field(event_description,false)}" -match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld7->} \u003c\u003c%{from}>: %{event_description}", processor_chain([ +var part33 = match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld7->} \u003c\u003c%{from}>: %{event_description}", processor_chain([ dup13, dup4, dup14, @@ -636,8 +597,7 @@ match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id-> var msg12 = msg("000013", part33); -var part34 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld8,true), Constant(' '), Field(event_description,false)}" -match("MESSAGE#12:000014", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld8->} %{event_description}", processor_chain([ +var part34 = match("MESSAGE#12:000014", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld8->} %{event_description}", processor_chain([ dup13, dup4, dup14, @@ -661,8 +621,7 @@ var select9 = linear_select([ msg13, ]); -var part35 = // "Pattern{Constant('scan['), Field(fld14,false), Constant(']: '), Field(username,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld8,true), Constant(' '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld7,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#13:000003/0", "nwparser.payload", "scan[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); +var part35 = match("MESSAGE#13:000003/0", "nwparser.payload", "scan[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); var all8 = all_match({ processors: [ @@ -683,8 +642,7 @@ var all8 = all_match({ var msg14 = msg("000003", all8); -var part36 = // "Pattern{Constant('scan: '), Field(web_domain,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld8,true), Constant(' '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld7,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#14:scan/0", "nwparser.payload", "scan: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); +var part36 = match("MESSAGE#14:scan/0", "nwparser.payload", "scan: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); var all9 = all_match({ processors: [ @@ -710,16 +668,14 @@ var select10 = linear_select([ msg15, ]); -var part37 = // "Pattern{Constant('web: Ret Policy Summary (Del:'), Field(fld1,true), Constant(' Kept:'), Field(fld2,false), Constant(')')}" -match("MESSAGE#15:000004", "nwparser.payload", "web: Ret Policy Summary (Del:%{fld1->} Kept:%{fld2})", processor_chain([ +var part37 = match("MESSAGE#15:000004", "nwparser.payload", "web: Ret Policy Summary (Del:%{fld1->} Kept:%{fld2})", processor_chain([ dup17, dup4, ])); var msg16 = msg("000004", part37); -var part38 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] FAILED_LOGIN ('), Field(username,false), Constant(')')}" -match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{username})", processor_chain([ +var part38 = match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{username})", processor_chain([ setc("eventcategory","1401030000"), dup18, dup19, @@ -731,16 +687,14 @@ match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{ var msg17 = msg("000005", part38); -var part39 = // "Pattern{Constant('web: Retention violating accounts: '), Field(fld1,true), Constant(' total')}" -match("MESSAGE#17:000006", "nwparser.payload", "web: Retention violating accounts: %{fld1->} total", processor_chain([ +var part39 = match("MESSAGE#17:000006", "nwparser.payload", "web: Retention violating accounts: %{fld1->} total", processor_chain([ setc("eventcategory","1605000000"), dup4, ])); var msg18 = msg("000006", part39); -var part40 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] global CHANGE '), Field(category,true), Constant(' ('), Field(info,false), Constant(')')}" -match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{category->} (%{info})", processor_chain([ +var part40 = match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{category->} (%{info})", processor_chain([ dup17, dup4, setc("action","CHANGE"), @@ -748,8 +702,7 @@ match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{ var msg19 = msg("000007", part40); -var part41 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] LOGOUT ('), Field(username,false), Constant(')')}" -match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{username})", processor_chain([ +var part41 = match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{username})", processor_chain([ setc("eventcategory","1401070000"), dup18, setc("ec_activity","Logoff"), @@ -760,8 +713,7 @@ match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{userna var msg20 = msg("000029", part41); -var part42 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] LOGIN ('), Field(username,false), Constant(')')}" -match("MESSAGE#20:000030", "nwparser.payload", "web: [%{saddr}] LOGIN (%{username})", processor_chain([ +var part42 = match("MESSAGE#20:000030", "nwparser.payload", "web: [%{saddr}] LOGIN (%{username})", processor_chain([ setc("eventcategory","1401060000"), dup18, dup19, @@ -781,8 +733,7 @@ var select11 = linear_select([ msg21, ]); -var part43 = // "Pattern{Constant('notify/smtp['), Field(fld14,false), Constant(']: '), Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(bytes,true), Constant(' '), Field(version,true), Constant(' '), Field(from,true), Constant(' '), Field(info,false)}" -match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{bytes->} %{version->} %{from->} %{info}", processor_chain([ +var part43 = match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{bytes->} %{version->} %{from->} %{info}", processor_chain([ dup13, dup4, dup32, @@ -792,8 +743,7 @@ match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr-> var msg22 = msg("000008", part43); -var part44 = // "Pattern{Constant('reports: REPORTS ('), Field(process,false), Constant(') queued as '), Field(fld1,false)}" -match("MESSAGE#22:reports", "nwparser.payload", "reports: REPORTS (%{process}) queued as %{fld1}", processor_chain([ +var part44 = match("MESSAGE#22:reports", "nwparser.payload", "reports: REPORTS (%{process}) queued as %{fld1}", processor_chain([ dup16, dup4, setc("event_description","report queued"), @@ -813,14 +763,11 @@ var chain1 = processor_chain([ }), ]); -var part45 = // "Pattern{Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(info,false)}" -match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); +var part45 = match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); -var part46 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); +var part46 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); -var part47 = // "Pattern{Constant('SZ:'), Field(fld9,true), Constant(' SUBJ:'), Field(subject,false)}" -match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); +var part47 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); var select12 = linear_select([ dup1, diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json index ff70486fab5..ed4c2bb4d7f 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json @@ -496,8 +496,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.18.165.35", - "10.110.109.5" + "10.110.109.5", + "10.18.165.35" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml index 49a2b1829be..cc911a8611f 100644 --- a/x-pack/filebeat/module/cef/log/config/input.yml +++ b/x-pack/filebeat/module/cef/log/config/input.yml @@ -28,4 +28,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json index ca0127defbd..d2902dc24b6 100644 --- a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json @@ -45,6 +45,7 @@ "service.type": "cef", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "6.7.8.9", @@ -77,6 +78,7 @@ "destination.geo.city_name": "Moscow", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7527, "destination.geo.location.lon": 37.6172, "destination.geo.region_iso_code": "RU-MOW", @@ -114,6 +116,7 @@ "service.type": "cef", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "6.7.8.9", diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index 8d027229032..eefe063490d 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json @@ -48,6 +48,7 @@ "destination.geo.city_name": "Des Moines", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 41.6006, "destination.geo.location.lon": -93.6112, "destination.geo.region_iso_code": "US-IA", diff --git a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml index 12440f8fffe..f447d2aacdf 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml @@ -23,4 +23,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml index d21d421ce0f..d22d9a65eaf 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml @@ -40,10 +40,14 @@ processors: - message - host ignore_missing: true -- set: - field: '@timestamp' - value: '{{syslog5424_ts}}' - if: ctx.checkpoint?.time == null +- rename: + field: "@timestamp" + target_field: "event.created" + ignore_missing: true +- date: + field: "syslog5424_ts" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time == null" - set: field: event.module value: checkpoint @@ -578,10 +582,10 @@ processors: field: checkpoint.industry_reference target_field: vulnerability.id ignore_missing: true -- rename: - field: checkpoint.time - target_field: '@timestamp' - ignore_missing: true +- date: + field: "checkpoint.time" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time != null" - rename: field: checkpoint.message target_field: message @@ -795,6 +799,7 @@ processors: - checkpoint.xlatesrc - checkpoint.xlatedst - checkpoint.uid + - checkpoint.time - syslog5424_ts ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json index 72aede80ce5..30fc5952b01 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2020-03-29T13:19:20Z", + "@timestamp": "2020-03-29T13:19:20.000Z", "checkpoint.sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk", "event.category": [ "network" @@ -27,7 +27,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:20Z", + "@timestamp": "2020-03-29T13:19:20.000Z", "checkpoint.sys_message": "The eth1 interface is not protected by the anti-spoofing feature. Your network may be at risk", "event.category": [ "network" @@ -54,7 +54,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:21Z", + "@timestamp": "2020-03-29T13:19:21.000Z", "checkpoint.sys_message": "installed Standard", "event.category": [ "network" @@ -81,7 +81,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -135,7 +135,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -150,6 +150,7 @@ "destination.geo.city_name": "Tel Aviv", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IL", + "destination.geo.country_name": "Israel", "destination.geo.location.lat": 32.0678, "destination.geo.location.lon": 34.7647, "destination.geo.region_iso_code": "IL-TA", @@ -202,7 +203,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -256,7 +257,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -270,6 +271,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -320,7 +322,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -374,7 +376,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -388,6 +390,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -438,7 +441,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -492,7 +495,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -506,6 +509,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -556,7 +560,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -610,7 +614,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -624,6 +628,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.81.142.43", @@ -674,7 +679,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -728,7 +733,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -742,6 +747,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -792,7 +798,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -846,7 +852,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -860,6 +866,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -910,7 +917,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -964,7 +971,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -978,6 +985,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -1028,7 +1036,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1082,7 +1090,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1096,6 +1104,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -1146,7 +1155,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1200,7 +1209,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1214,6 +1223,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -1264,7 +1274,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1318,7 +1328,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1332,6 +1342,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -1382,7 +1393,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1436,7 +1447,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1450,6 +1461,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -1500,7 +1512,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1554,7 +1566,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1568,6 +1580,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -1618,7 +1631,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1672,7 +1685,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1686,6 +1699,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -1736,7 +1750,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1790,7 +1804,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1804,6 +1818,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -1854,7 +1869,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1908,7 +1923,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1922,6 +1937,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -1972,7 +1988,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2026,7 +2042,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2040,6 +2056,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -2090,7 +2107,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2144,7 +2161,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.additional_info": "Access Control Policy : Standard", "checkpoint.audit_status": "Success", "checkpoint.machine": "192.168.1.117", @@ -2192,7 +2209,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2206,6 +2223,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -2256,7 +2274,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:26Z", + "@timestamp": "2020-03-29T13:20:26.000Z", "checkpoint.blade_name": "Anti Bot & Anti Virus", "checkpoint.information": "policy installation for blade Anti Bot & Anti Virus completed successfully", "event.category": [ @@ -2283,7 +2301,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2298,6 +2316,7 @@ "destination.geo.city_name": "Tel Aviv", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IL", + "destination.geo.country_name": "Israel", "destination.geo.location.lat": 32.0678, "destination.geo.location.lon": 34.7647, "destination.geo.region_iso_code": "IL-TA", @@ -2350,7 +2369,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2404,7 +2423,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2458,7 +2477,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2512,7 +2531,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2526,6 +2545,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -2576,7 +2596,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2630,7 +2650,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2644,6 +2664,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -2694,7 +2715,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2748,7 +2769,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2762,6 +2783,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -2812,7 +2834,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2866,7 +2888,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2880,6 +2902,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -2930,7 +2953,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2984,7 +3007,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2998,6 +3021,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -3048,7 +3072,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3102,7 +3126,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3116,6 +3140,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -3166,7 +3191,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.additional_info": "Threat Prevention Policy : Standard", "checkpoint.audit_status": "Success", "checkpoint.machine": "192.168.1.117", @@ -3214,7 +3239,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3268,7 +3293,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3282,6 +3307,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -3332,7 +3358,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3386,7 +3412,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3400,6 +3426,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -3450,7 +3477,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3504,7 +3531,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3518,6 +3545,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -3568,7 +3596,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3622,7 +3650,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3636,6 +3664,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -3686,7 +3715,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3740,7 +3769,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3754,6 +3783,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -3804,7 +3834,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3818,6 +3848,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -3868,7 +3899,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3922,7 +3953,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3976,7 +4007,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3990,6 +4021,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -4040,7 +4072,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4094,7 +4126,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4108,6 +4140,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -4158,7 +4191,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:46Z", + "@timestamp": "2020-03-29T13:20:46.000Z", "checkpoint.sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk", "event.category": [ "network" @@ -4185,7 +4218,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:46Z", + "@timestamp": "2020-03-29T13:20:46.000Z", "checkpoint.sys_message": "The eth1 interface is not protected by the anti-spoofing feature. Your network may be at risk", "event.category": [ "network" @@ -4212,7 +4245,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:46Z", + "@timestamp": "2020-03-29T13:20:46.000Z", "checkpoint.sys_message": "installed Standard", "event.category": [ "network" @@ -4239,7 +4272,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4254,6 +4287,7 @@ "destination.geo.city_name": "Tel Aviv", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IL", + "destination.geo.country_name": "Israel", "destination.geo.location.lat": 32.0678, "destination.geo.location.lon": 34.7647, "destination.geo.region_iso_code": "IL-TA", @@ -4306,7 +4340,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4360,7 +4394,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4414,7 +4448,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4428,6 +4462,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.81.142.43", @@ -4478,7 +4513,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4532,7 +4567,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4546,6 +4581,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -4596,7 +4632,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4650,7 +4686,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4664,6 +4700,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -4714,7 +4751,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4768,7 +4805,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4782,6 +4819,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -4832,7 +4870,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4886,7 +4924,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4900,6 +4938,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -4950,7 +4989,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5004,7 +5043,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5018,6 +5057,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -5068,7 +5108,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5122,7 +5162,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5136,6 +5176,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -5186,7 +5227,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5240,7 +5281,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5254,6 +5295,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -5304,7 +5346,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5358,7 +5400,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5372,6 +5414,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -5422,7 +5465,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5476,7 +5519,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5490,6 +5533,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -5540,7 +5584,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:49Z", + "@timestamp": "2020-03-29T13:20:49.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5594,7 +5638,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:49Z", + "@timestamp": "2020-03-29T13:20:49.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5608,6 +5652,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log new file mode 100644 index 00000000000..c2a7b014e15 --- /dev/null +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log @@ -0,0 +1 @@ +<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1594646954"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json new file mode 100644 index 00000000000..7df3da49b7b --- /dev/null +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json @@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2020-07-13T13:29:14.000Z", + "checkpoint.logid": "0", + "checkpoint.match_id": "1", + "checkpoint.parent_rule": "0", + "checkpoint.rule_action": "Accept", + "client.ip": "192.168.1.100", + "client.port": 43103, + "destination.ip": "192.168.1.153", + "destination.port": 514, + "event.action": "Accept", + "event.category": [ + "network" + ], + "event.dataset": "checkpoint.firewall", + "event.id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}", + "event.kind": "event", + "event.module": "checkpoint", + "event.outcome": "success", + "event.sequence": 1, + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 0, + "network.application": "syslog", + "network.direction": "outbound", + "network.iana_number": "17", + "network.name": "Network", + "observer.egress.interface.name": "eth0", + "observer.egress.zone": "External", + "observer.ingress.zone": "Local", + "observer.name": "192.168.1.100", + "observer.product": "VPN-1 & FireWall-1", + "observer.type": "firewall", + "observer.vendor": "Checkpoint", + "related.ip": [ + "192.168.1.100", + "192.168.1.153" + ], + "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", + "server.ip": "192.168.1.153", + "server.port": 514, + "service.type": "checkpoint", + "source.ip": "192.168.1.100", + "source.port": 43103, + "tags": [ + "checkpoint-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index 08dc160fab0..aaf285680e0 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc @@ -5,13 +5,15 @@ == Cisco module -This is a module for Cisco network device's logs. It includes the following +This is a module for Cisco network device's logs and Cisco Umbrella. It includes the following filesets for receiving logs over syslog or read from a file: - `asa` fileset: supports Cisco ASA firewall logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. - `nexus` fileset: supports Cisco Nexus switch logs. +- `meraki` fileset: supports Cisco Meraki logs. +- `umbrella` fileset: supports Cisco Umbrella logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in @@ -27,6 +29,8 @@ The module is by default configured to run via syslog on port 9001 for ASA and port 9002 for IOS. However it can also be configured to read from a file path. See the following example. +Cisco Umbrella publishes its logs in a compressed CSV format to a S3 bucket. + ["source","yaml",subs="attributes"] ----- - module: cisco @@ -374,6 +378,59 @@ will be found under `rsa.raw`. The default is false. :fileset_ex!: +[float] +==== `umbrella` fileset settings + +The Cisco Umbrella fileset primarily focuses on reading CSV files from an S3 bucket using the filebeat S3 input. + +To configure Cisco Umbrella to log to either your own S3 bucket or one that is managed by Cisco please follow the https://docs.umbrella.com/deployment-umbrella/docs/log-management[Cisco Umbrella User Guide.] + +This fileset supports all 4 log types: +- Proxy +- Cloud Firewall +- IP Logs +- DNS logs + +The Cisco Umbrella fileset depends on the original file path structure being followed. This structure is documented https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning[Umbrella Log Formats and Versioning]: + +/--
/--
---.csv.gz +dnslogs/--/----.csv.gz + +When configuring the fileset, please ensure that the Queue URL is set to the root folder that includes each of these subfolders above. + +Example config: + +[source,yaml] +---- +- module: cisco + umbrella: + enabled: true + var.input: s3 + var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue + var.access_key_id: 123456 + var.secret_access_key: PASSWORD +---- + +*`var.input`*:: + +The input from which messages are read. Can be S3 or file. + +*`var.queue_url`*:: + +The URL to the SQS queue if the input type is S3. + +*`var.access_key_id`*:: + +The ID for the access key used to read from the SQS queue. + +*`var.secret_access_key`*:: + +The secret token used for authenticating to the SQS queue. + +:has-dashboards!: + +:fileset_ex!: + [float] === Example dashboard diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 73d42d43af7..66cc3da4b0c 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -1136,6 +1136,7 @@ "destination.geo.city_name": "Thousand Oaks", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.197, "destination.geo.location.lon": -118.8199, "destination.geo.region_iso_code": "US-CA", @@ -2417,6 +2418,7 @@ "destination.geo.city_name": "Clermont-Ferrand", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 45.7838, "destination.geo.location.lon": 3.0966, "destination.geo.region_iso_code": "FR-63", @@ -2467,6 +2469,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -2542,6 +2545,7 @@ "destination.geo.city_name": "Riga", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "LV", + "destination.geo.country_name": "Latvia", "destination.geo.location.lat": 56.9496, "destination.geo.location.lon": 24.0978, "destination.geo.region_iso_code": "LV-RIX", @@ -2927,6 +2931,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", @@ -2946,6 +2951,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5888, "destination.geo.location.lon": -0.0247, "destination.geo.region_iso_code": "GB-ENG", @@ -3029,6 +3035,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -3075,6 +3082,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -3093,6 +3101,7 @@ "destination.geo.city_name": "Stoke Newington", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5638, "destination.geo.location.lon": -0.0765, "destination.geo.region_iso_code": "GB-HCK", @@ -3139,6 +3148,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "IE", + "source.geo.country_name": "Ireland", "source.geo.location.lat": 53.3338, "source.geo.location.lon": -6.2488, "source.geo.region_iso_code": "IE-L", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 94f2b616d27..a57299252ca 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -509,6 +509,7 @@ "destination.address": "1.2.33.40", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", "destination.geo.location.lat": 23.1167, "destination.geo.location.lon": 113.25, "destination.geo.region_iso_code": "CN-GD", diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json index bb691462f78..e86dd81aead 100644 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json @@ -35,6 +35,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index fac83c30f27..de57daee50f 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "eJzsvW1zIzeSIPx9fwXOEc+52yGzx+2XvfHN7oVWkte66W5rW93tfS4mogJEgSRGKKAaQJGif/0FEqgXVqFIiQKK6r3xB4ctkolEIpHI9/wW3dHtz4gwTeQ/IWSY4fRndOH/N6eaKFYaJsXP6F//CSGE3sq84hQtpEIrLHLOxNJ9HQlqNlLdoZyuGaGIy6We/RNCC0Z5rn/+J/i1/edbJHBB/ZozrHHzCUJmW9Kf0VLJquz8NYBG/c8vAB3QcVic356jX5iiG8z5rPPVGo32LzUeBdUaL2nG8h3IDpU7ut1ItfvJHnQQ+rCiHUw8bMRyKgxbMKpanAKo6GqxYPcPRIPe46K0p6Wp1kyKh+P4G/wdc78ewgtDFfr/LMIPRVRWitCMCUPVAhMag3K3ABM1MOFQzYqiBZcbJBWiayrMXrRyqg0T2MKPi9tlC/hJCKqK08z+Zwyk3uGCIrkAFM4JoVqjCymMkhy9YdrAYsissEEFNmRFc2RWTD8AS3+6laYqBa4WrsOLafiDW8+T80EYdg96MjQ7iz4G1wKXJc2z+sqUATx7fzwoYIzCQnNsaF7T7voG4TxXVOtH4LKS2jyYagtccZOBGP0ZLTDX9Kk42+UfgW0pVQhbLsXyqZhY0A/BZEe+RD7ILnc97jS7WJ3qSLvYP/Rcu3inONwuTgdP2KwUxSbjdE15HD3AwkMAD6RFgfkGK4peobk0ghqL6WLByAz9JkDmrKnafsvl5gzZf/XAFTKnCht6hlZsubKPDXzd/s9DtkWwoUuptjF2duFhNc/f+M5+sY9iraasmar0mf9Of39Gyb9jcYaoIXv3Q6QQlLgLGEVf+yjY56qroMG2MLzpezFhpCgzu2gAC73qs/NeHK4v3t7ALw8vSGQea0EL6qG0HtlnGrHy6eZdZ220s3ZIF8BlpiiRKtePQ+QJGj7Wmi0FzdHl+Q3qLx4kZVFgkWecCZphtawKKsx06PrlkV0eNctbE21JczTfwjXmkmCOcJUzYz/Zt516+/1H8IF7eOwr2T6HLeGNRNhxCmdUGKQr0IAXFefbhnvE3l2Uiq0Zp0s6k/yRPHzkWfy+ogJh0Cx1u7zVL8kKi2WtoXt9U/IcrTGv9nJ/uwlBN89wE4JuDm9iXiltZnL+d0r6UizdpVDUqQluWRD7gAfaYCWYWO690A5jNg3bdLG1SgC6vjwKXVIpRYXJLIzpZI9b1CML6GtKxQOwlWLBlpWi+WkQbtfv4H4YbbxengZfvKYKL+mTCH0y5DvEDuwDcy43NH8IhxcVx4ataUZkJaYTJkYazBGsaXX5Du4rZjTSTBDqhLqTNhusEbGquRVAChFOsepscNdHujBdbJ7uI/2FKVrKDVW1lXJJF1Ro+kwcp798uPyyHKcW4X84Tv/hOP2H4/SLdpyij5qiq4tb/9FMYDNj5T/8qUf6U0PkfMaO1gbdzuePYIF/OGEP47TLFn06/8NF+w8X7T9ctDsLHnTRakoqxUyIaYLelHbB3nLv8cZr+kDcWw8XXdlXen8U6gt3E6dEca+beNfGY1JHtfGuf7ttUnDqf8ZNOQxacMbZIx6uB2qD9ol1OraFvpeTFpgwHubmvXbc7dXF486lXggZiTYrRlZOSHqbU9EFVRq9WLSi8Qzdvnt7c4Zu///bM4SFVXR6YBdSmdXLGTpvgRMs0JwijFZY5SB+XWrUGcKoVNJIIvkZAlFWuKwquejLXKvkb7WhBdJyYSyQGbo2KKdCGrpjBHhJT3ClG9q7n/bfKbfN2YARfQLXrLHTZj3rQK6p2ihm7KOlKjrg1+EhHbhCew6qy0J1ZllrQG5WVDl/in/I0AprNKdUIDnXVK1pPtyf2kk1O7SZ4eXbu5XxuwVYC7yrsoyvPrZ+aImONqeXvWPet8K+W9U7lQ/WVrujW2vLVdoFXgguTeXpr/CmuThg8xFZUG03Le3nPdAIvZFLdEntw6bCG3GwWB+pY7dTwwVz02q7JDJgj3Bi6nuSuxtPpDAQwJMLxIQ2WJgaDR3E0bDiGATzvic4hJ238e0SCBsvTnHtW3PuT4zeUfM7M8I+A/70ZwPWaDarV7LiORJ0TZWVoDXflVhpit5Sgy1qGC2ULDpLvXgjl/rVDSZ31OiXA/CXTFFi+PasiU9h9J46YeE4XHTQnAUJObQ9HkbJgQnVo+QlLRUlYDBZTHK6YFZtkIIDWgbPuVXiyzBWhV72Ve24HOjP+K2/59eX37mYnvfy1Iq5+xa9xwQiyO681OAgYHcMlDbHLfA9exwlVoaRimMFv/cHOxvljAHoozglxBkDyOOcMnok62nP5PU/zmT/mdhV0xzI066vnP89g430j+XZYLfGxwi95Kgp6nTf54ibJVuq+/80zLTBhha0Fxx9JshB+lFGOO7d4WeCHhWm56F7JoitBl6nZ4IYE8chllZjqiXH8+W0nOJjpEdasi2oixjEsqFG9JqQndn5Yu0WsNgM9JCBkvA0K6KnhwygH7Aixqk4CLxOQkXR8aoEyefINdhmJPKhAAUfTT4yhVpdDWIO9f79n7a7Ru2FFMQ+DtjI527ZjoibNUsrDrvUvbDLsAUjuHuf38ilizfUGS2VyKkCZyn1gmqw9QW7pznSFLKudn68u4YeN1jqQxjAfrLB0hzCAPSjDmXoCYzvXzqOMQf7egRNHkeDQUg9CV/+KrXpikje50hNRc7Esv5Qh9im40P6cujLjmGwwY9GCXt9s/6hyeEfu+594g52b+SXStz1T6nJ+9P/u+QdRJ2TyIa+XHCOtK63LEcYLdmaisZJ9uUqApZEx/kv0log+XNU/r6MiMaoQ0OW20zRzwnOuhs8hAOGfft6syu3NLqBi3TmvdkGow/bkiKChxJkThFlZkUV+ngtzHc/IanQL1xi8/1rNMcauKgOkEE1Aah+B/Z9jLr7Be8bwqDpjM8I/oVgItwk1nG98hfvYJBqg9WgOjOa1tGRaJ1tdyl5ffNpR9/DUL/WP1JU57a4R9SjDen21HGqdsSDwhnFlgxqL9xvdrWVA3RIpX/tSYy4vvn0U4AE4ZwcFIEEDUZDKsd4fVpGHSqOx74+K4pzqiaJXf8KS6Hry6dESR2+3WApgDkuVvqsnWycZMn9bLhWtK5bRQsuijVdLiTnlBipvkQBbKl3gpwby3NMI+JIR3OL6Y6i+kb21Ra0h9DP0OIryPy5qKqF1JDsVkiB5tvBoSGk6OeKaiiC0qwo+dafk/0yJOpSTFZIs5yiF39CZqUq9PrHH19CaaimVDSr7KHEs1BeH0AJXUqhaTpSkC+GK1yJcO1TqIq5E3r2KusgBPQCz+WadojBRDCzshZv2iiKi9H7Q74YtjkxqWjOqr6eFoNQX4U0x8axwBaImb9Vr//03Z+1E+mvShCgNdJ/G+zmb9YefIO3VKHX6EoQXGoogpcCTMpHyfUQ9CcGPwK5laFVvn+N/sVu9wx9/z36F0SkgpYXcExu0TP037n5n/aLTKNdonwVPEIh80DR8DOxdcWGZgRzPsfkLq0G7JCrCwawcXaFJSIVeSmZMHV3kSCiwBwZVUomyk9r9UFdUsIwB4wBU22kspq12Dqtw36wxpzljjFCSCG0kJXI7QvDKSDPxNIrRweTF3dvxAByjFigvw57wkYjp7DlEufP5Z3z6CDN/qCooEYxErA6vCnc/TLYwu65r4WwffaxaTVauaiPbYZ+lRt7NEObkwkklTXGjER3lJYHiPYsXrwvhGhKQjHYmuVZnirqelVLniUVUDWroayqcna0twvXTJkKc2u07/jeRcDFwQpmzW6IlQMx3C78Vb++RMpKaw0OFSAaVktqmq8dpIRWiZKeTk6JumZ/HyVUklDQUPBfX9a+1/e0kIaiW8/vda+c+XZMUCLoNuICMV9A4MWvlOmSs5SZDc/anNdsoPY/C93MytyE/A63zr4BdZmm57raavFPyH+NCKMTLwvGTxCjt6ta4+jm4vzG676+KJcVpVR9jRfBE/nFpUFUz8P94ds0gCE+bL6GnCt115Sv2p+0BrvTc8Ayn6HXP/6ENkD3gmKBMOdhXwE49UFNav1HaEOV64GHoM0H1gZJ0SsX2SXiydXEL5uIgbuaImzrafe7VDkQDrKaKFkJyeVy2w/ELZgaaLEI/YjICitMjCOivdRbwB+c5gJVwuf08B2f+WhFbeyCbheoTxlE2BO7BIuisEqmFHUYQeHNqEwDydpTKzEBjdXFKIT3OUhCoMcjQNQGixyrHAmpCszZH6H8XqmKIH1yn+VwNIlkNR88SY8iUot1g8wrzhYUdhww8DUlUuQjCnZ73Jk2Kf0sezbEBJFFyakJMsCoExWDAm8U64nBTr2ZMidi5Fu7dpCdx1h5lzNH2a+QwqwiHVNbnxor56XNcspPRPgrkacguwX5hxSpuy3sEYt29VrFdOm1H/oUHoioZDf6HBl6b/zlQ2uqdKecIt+XBxY436cy25biWNtsy/SIVDnN072DPsnGP1O6WbHWMepMm+aL3fj68LVSspgB1AqK8jWhAismnVpfVNywbw2jCuGy5HX1S9vLpsACL0OluQhxCO/stPWpG0ohZr7WSG6Ei4wZXJR9z6DHGPpvKjlMPmJGI7Ji1rqROdUz9LbSBsykLlB7K7EZycvFhh55SHsF2GJh8V7TKTQhOOR6QUc7aAVFBXEMga1qnbM1y61mA/wQFmS3tSD70CNeeJP3JVOT7bA9TxcLurecyAzf1n2vjAR9zSLlmjPu9Y1GPPRRF86ZlcaNPJsNlmzSyWQVWwIVA0XuqRAb+se+KqBBfq5oNRkrWe52XNTKxw3WCJDIR/gGkPsuNlEjKgU7BE0g05aFSfD6LosUuJZZAlTLLIX2XMYURbtAX0eHmkBX6rwipzEhe+Zj8I0ZPJePenOOFZuH5NoxwYL2geh1Q4jtCMJkoMTHUKx1xVOHnUasKFkZIgv6yuHQGC+QlT1ogIksXzgS7BiQIwxC13TQDneyjdWr+yLATmRnn8snbfHioHege6WbShcLDeJOJSVswVrDJ6zd+lbuIzzldeX02UyBA2hcjCxvCyZqF1XugyxBvL3ZPNUhfNq10ruWoFTot1ufGst0nRDQ96sh3xe2N0AB7VRJ6lJqFlFwPIi3wJwWueswBan89d0d7cJTcTNsmH0qUSSqgipGHiuLgnuboIptz8a6lWzNzXBiyd3vwdbWVORS+YTZvTuT87+foHtNHdoNtDXvIpa+FnxAbitB9yPmJH3KXnVfDS+kr/r3YsZ7uVa4yS0W0iAMYyIskuEEWi6XWZ2ochKhXjPio4X6FD1TdmTfv0O6FXSt3h132MWqlJyRberbs0cu3AACvrm24NsRuRwctpSYgO8rTgGxsDiVwtD71Bprg9C1cP66th8qznNt/wWPKox6A4RCDWAOPM5uSmbWH9eZQBaMBS7rkZxNrxBsjGLzytCOhBjm6PsBn1Zb7z5/YdGhy/4EsadbLW7U6/Q3BwzBfn6Rnzvb0d8Cxi1UgFmC1Q0HdZvzpdZUzdAtdYdSaapmeEmhlbfPdF9IVeMwgF2DcXo7cUO33O87fSukQnMlN/az+q9e13Rm12g/6ev8BisT203XAI7tUfF3qj/Hd7o71czqTXilZEl9QDHVW3wuEOZUmSa7SLWL+r+58JYXH50mAJCEFFCYcySk+FbRkoIlsy/7AcyGKZ+cevhoY6+YZkDnK+YibHX4Z7CzDTMrryw7WY8uYcE5VJsIJMW3S2n/e89LAEpKFlAcE+4bd4KBrwABi6RcICsdDKN6hm5bmdIfbNCtrEqD8YUr56u0NWJcyahLtsm9+PWEx4jwSpuaIf3/DI4JfsK0PUlfE+39G1bxhU/HVaDJtR93w8IWvWvLlE4p+/qQ4WWxvAQsENZaEgb+UnsaQXsSDuwNu6M/I4zK1VYzgjnKmb47Q6WCmSgwSuzrsKKMFT6m9vKRD72rs1G4oAaGmWMNXbw0NHJwvQjq0flyJ2g/LK3ZmYqGhk+Tew9OpfF1zjDBw+TEN5FFWQ3vYIJjw2jDRC43Pp+WSEFoac6aTIpRYgy2uag436LPFebO+ZnLAjPhpYboLMTlyNPV9XrGUpf2bN2qhG+YuKO5rwWqE9GxBu+UN1DsJ181qM1Yvu/g+KArRFJR153s5NwSfQRq9H67PRVev5Xe84puh+16mqAzVQXrD3ZK7WL1awK2jv/3a9rfR9a0F4ynv+PNln+B1ZprrGheEYrqyBENu9s0VQzzLPCaJntEbmHJWm3uv4+dB9C+MKN+AUru9FEtB2J4jP3q9qFbYb1qbqhVCwNVhhVZuczfusamKTO8qCH1WoTZjTTLzLQiMPi+/v9hpSmy8lwgBjl3lYAR+fZP0AivRc0XELZD8Fxh5+HogxN+1bDP07N+sYgs5vU8XbnYebB82ah6xOsFA1+n9vR1tRFAYNzjN02ANHAlLtzqrifjuKfUWXDJXeMN+ZyX+foSvXOS5oVv3IDctD1f9GtxexnWq50D+hS+/I77+foSSOpL3hoxMfQe7EbkXBqg28LMMZGVBRumw0bqWm9T9rLfjer6Am2nLuz1Y48MR0586S7aSbnXlwc12Vj+uQOarEXstchbjXaGLlx9pu93yt0H+7VZQFDtfuO7r7w7bl6ZpnJTmuYxqgSn2lFGugdlI9EaK4bnfFAF6JoyMIFKjkcEgaZCJ+2PsnOgXVXVrTyzkspqGHV9IbPnfPvq+qavQyPfMtZ5FMbqso8cKPjgWsg20uKQRNfCoFu2FBiExQiLllKlbF779UB+WSa9qXU3CV0d4T8tIt3h05bLchlgnHe/fUBMEF7l1IozP8jWDcJ/cVUPML5xDhEHFqT3LOwXgcjc5LFNcE61T0sYM6bvrMp9BF6PKMXruDHf+afhPdN3e0KuRrHlkqp0I+zCJPvUjQV4HNyIZkX1SvLcco+z1Ucmje6E3ifwLAxj714qv3jvdIyXTTOO68twGcmDo/NEFmU2cd4VnIrPvYIxrs6/p6v5txYdKaA+deFmc+cVGbPSvFp6oqyxLuaNtJQKOg9YuV7jNzIlzg8iP4kCOOyqv4DZ5+4hspsYaY38wgpRjN5iUvdTDiu3VgRNasdI8W2toKr9UsjZmtGHWiuKdfTcYG2wqWIpzo0/CjN+MrPDLj6X94jlr8bfL/uyVlNgaDH6OGh87O6CxSJ8det3LPH0vQGTXw7n7h3znDEhq1gxzk4diV5Gv1NWksZ0Ogw8sj9EBpy6M+MOS5xzbuUe0hUhVOtFxdGVXR8RmVNtWaJu9hu2LJjI6X1kAnCmzXGa5xNlCywMppiqkZhTBfHNAivGIYMn4MFz8XexRBiI+K39bXBnIgEfyrlrLnQijdivjl40+ZwlVbr0RbdOwgxI5lWENiG+7vD0cqTI0Lm5hu9x6oQSp3w1SV7eV+W+bT/ETGiUU4MZDzgZ5rIynd+NbE3yyXMza48tbvLYAI/xh9TQouTJsnnOUU4X2IeAfOfLOobvszWtVrymiuMtFHIZ6R9X9CJwI+0HYHX7X9NFXQXufPXaMFNBY0YU3FhrGwwbNj31ukaNYnX8OwTHxjSBrCKyKOx9SsNGFw46Yp1k31LJNcud/6zuIldQPZoIlUtyfKDx8d6yXxhvtUbSzcsLqwb3JSQ9nUbW16unlfV/l/Mj/U5Hb+9/y7kPwIRvV8nSNc69hIRid/K3N9foeqBQddFI1rXWV5fsxyBiYVdTDbuMakg/xh/mc6vDyr0TEdlc5qkrvgYVd32lw+OCLC4j6tEqfrcEFzKYoPK84wL2pcMugbaJh7Aly5tQzogTr4htNQ7KwCO8/PGUvGbfZZXymaqne998dN1z6kAUJGvcU1J1vQgu9WtOQ+WtdRemfYkbEzhCgl7xfNch0lRX4jVmHA8DGahxhSOor1xQpUYmLbg7dIyvP17czRsrhW8A5QKwgy35dAPNlrMRiciKbF7l+Ta6f4YVWdQ6oA7cStPjGp3v9VLFh6iYjNjloFdil+lqioIEprvZq67nKq5yZprKurYvmscoNNiurdhwoqQNL+zfpMsSi03B9WRW+cWnK/TC10p8qrjVleeMQwEH5IFd3ZdS22++RN8OHQ2iH4W5E3IjdgwhTUkFzSzWu9BHJm0SPIELrp8WelFXub/zpUlv6BKTLfo4aq5xNlf4FEX5fuEdEjOBCszEQuGC7k3HKLGCqb3p+yTsKJc3sCx6J3OXHN22BexknQWQQge0L0gVsIRIZSHt9o17Rzfo10qAKflW5pSjF0ysZ9+cISbJGZrbf1H7Lyww32qmZ9+E44uGlNmC48Hk/Ng61K6Gf3GDYFHwdYGc3NbDr+Rib6MGI5Ni6v4693jWbRA0VZaRgwiti7hyt4fZp7e/Y0XRB5cA/M03n97+fv7+6ptvXM7tGivMRnlyI9VdzJLlgxfs93rBboRt1AmGRWwlwtfsxO1S0jwHmNjnYpvAhFlIRYVmJKYA6biSEmBcxPeCBOIDsYBmG8yGw4mf7B2A3uexgdrrE7tEXVfzRJfCzHNtVOzKd6jXTuYQ676l0d7RuuYjnZP02GKXdjDYQKXxxSZt3Yuvd7EgFmzU0VRvNZkj9titBrsRBbbZL+8JC+Wj+wk+3nFhkff6//vhqq3K7Cb/nYTF8o6P3iOyF8mTMEcdx92Hn5QTJG3tnGzHLn1hmoz2OssO+mS+BLfbgHMPR6brltVsingYFH0tMOOW1nUzlxsvM64vu7Vt0InLmoOGLgMtDMazCuuc68yqiEfs55jEa0i39tVHF7IoKtH3RA2wE8c1bnoqdu/ovfl3GtapG9z0cZr1U3G7xSL/NxmOmrW4GWzYMZLhydgNF95BTle6ZITJaFmiU1nwgP0GKzEMOjx31LUoykymEsa3797eoN+cH7VNSg0j8nnSVILb/3iDPldUjfRurbjIFO136kyb3NBxiG7R+7roLJjW1WjpJOJD2gUqY48RsEDLoxxHh6CaQHDsyXDz+AMaMMeqSHBaFmwC9wIuIxYgN0CrPNpU2h2Ycbtd7YDOselrhU+FO6eCrAqsYpWVNHC3JR6ML35y9AmTQTpVFJjZKjovELqIW0DVAF4sodVSArBy/vcEUEscfRKG6zgVnb0g6J6x2A+O79xWUKt6RkdaZJjAYJT45ScWthYRjfcO4PmyXP8g7s0q+vtOREaMynIdte96B7qFfFzk6QGA1xxHlxgio2LJRMSiyCHoFLnRIltkesMMiS4/RLbgcqNxET93pQtbmHU66AmiLkRkTKQUJ0yUVBXzbbSE9wHsktylAb7GPAWvsDIrlTQyix+SAujrHzLwOMaHzZPdTS6XWZ6C2BZw/Pw3IrIC32fGxHIb7AK2HM1pgkehYCIR0kykQ7rkOuNznsUOi+7A/lNC4NE7g3dgx+6F2IUdu6q3C/vHhLB/Sgj7nxPC/h8JYf85DWwjS47nNIVIaaDHN89EVlQclO/5NsE7WQMv7xLoJUXF2bIo02jfVsvEfBk7CclDZimUEk0/k/i+EZFpl5CY4AS1ImmsSQs4jTWpt7oqE8wiJaIpq05iqhpprOlB7xOIECONNcxSwQazJgnwSrB7gYXUlCRgwvVPliqJHoX1T7I0K4rzBG41WZQZ4Ql82BZwgiAJwFXzrYnvFrWQdRLIZZUliGkQxQwjmCcoINIZXlJBthGzrrqwBebbP2g+T4H3OoM2oEkgu3YwabB2ibVJoM+X5fqnND5onc2Z+XOSRmNEZ3FnxfUAKxldVOsk1xygUqLiV7lp5+OPNmurA5ialfPzx3eOOOCg9iUB7rrJx+sg14G9YJymsGF0tkhxiGwRszh7F3AK3UBnrIQkxSyJqGPl+odcm3LQzD8SbK1IEticLWgKM0aDo7mgOYtWMLoLm4k0XFLIvOJUE5mC2h44WyaQTbLUG2yizvzvQA9lkEcBrOiSaaNwfE9ICzuBxqdomYrUKhmtNXQiV4nkq8vMdyyeALpRFBcJFElXCpQK7XTK9WYlmc7chNn40LdY4SQMno8UwsaAvHbz7WPDZdpgEX3Oca7NvFKxhgXWUKmbFZQCahUd1/h6dF2THBssTG5YxB92fWyngX0wlzjPY98BlscOq9atgxK8RazIiJKySNKVyAJOYKaxIkuTHOk7HqUgc3kXvT1TqeO3LGWlLhWLDJRjw0wVPfuMM0HjtdhpoeqoE3UauFB8G9+txaXrepotuIz+nDfAE6T8W5s3utSxQBNIHGtDJ0A1em4Cl8skrCuWSS5wKVVsAVbMq2WKa1YwTVKIhUInYdgUcyAENdBcKTrc6DLcNYCOnfHnoMZOxxObTWwLJElFmXQDoKNbojK+ZiQVW2aBeVxPhrsRVMV/s8rMDeWNDjbqZOoWrBvxmoTJEhRu+pk4sYWBBxtbGpSZcyRFRxdrbT/MyCpWnf8ANL0vWfRAQElVsVRYmEHP3RiQN0kAx396XSeyjx97U0AjAFZymWFdRhwY0AWtcGyoimKeQr9TlAAdXNfRRMDjE9lCjtvCtQNZqjwBxvEdmTqBb1g733CCfABNYycCuIHHCYwTTT/HZ4BQg9ZoUBOYUpotEwheXcb2smlFUtwDRfLoirRWJNQVNwJgE2/EVhdmpaN31VwTEbtQIjgt9qlAXZPO2Ns3SxOfrRzQ+BG9ZqZnbLjbMnq31iqfJ8lDrxRP8BZWmqosZ7Gr3pOMragjQynIYIg2uIjtDV5nTGiDFwk0gzVTJoUavi5FgtZNRqpKxHSzhtqiBTqKnldGoveVQIOlm+yRhMPyPmHOcnShaM4MusAq990MNbR/D6PjJmclpNLYhFAAA0P0EfQ3IJKjUKlOkw/BRDrKXRUll1s6GCx4kH4LWUVr6v1AHrM0dD4jmHem6JLeowL3Gy20sVixrPrDQJIjyZmG4Qz16v7ooYES0lVZSmXQsPEoQpsVNogZVCq6GGOFJ6TlPmYIRYjw3upoUEBM+M7uI32hOROpJ/J3ULWrdfHUyMglNSuqZu339UpWgxcNIUHXVDXjiIxEJVaaorfUYJgI7u4qbkjw4o1c6lc3ruz1Jbr0I77OkFkFphRBM+D31I8+BrQFekfN78wIqsPnPGTqJMRbwMju5hbB4m6zmmJFVjMmWBA/mLk7QX/tnviEWRiQDPGK40rArN9lBXNc6ybu4QbuvX7te/aUvh13s6emCbefXzxi7NuDyCLWND2s8yosiz7QewO3YsxdMMU06hGB1A6uewcTqgUfmXgJ3XMTjgOH/rmaGqTo54pqs6dp9/HZyo/vle9UBhjL41Z1ErvvkWryTnfdKftwchhBbGzn79ChXf8c3HnM2f+H5xvaxa4va6EAa4d5A6yGeEm8j2Rh+7jMsabIpWs32KDBrWpOyf/iNPiKZhR8g7lUrn19kIwIYY00pTDuDO+fV6Ww0JhMMN530GHaLS1A7W2ZhlQKJqDtQ7qkqmBO3ZgK6XZJN5iDrRmnS4o4XVOOsNZsKdzBtfP6w6wPLZlPKL9h/T2cPj/JpGeLWSXY54r2xyTi8OXr4Htcx8TjpqDUGg3L3YUkUggKuRVow8xqTFAgFKgMaTR2RY8qL3q0aWHJCfKkeaK4XDKCObIYjJg+gMVpsYOlRsY0no525Wqrw+h10tk2spfVGvuBx5xhna1kcpvAGXGNuQazVNqhRlYqdkfwhPsBIHdpLLbwpvlBLIRTrGbnXEtriO/ct0sIlqNf/S9m6Fxsm/8bQDdgy2thEM5nRBZlZagKi+Ekbny7sXTm2Vf9s4AZizsHwszfqtd/+u7P1va97BxHTbGvgmh7Ps3iRswe6rjBW6rQPzc+Of3KowHIhW997Pqf9DwvWpx3uH7veRyZvHxItn3dH5hi15mhd799uLJ7p4o65wn4S3OmiaIlFmRrtUqvnvF+LggCCp2hD29/RtfCfP/6DF2/u7z6z5/Rx2thfvoBvdistkhQZlZUIbKS2o9Kk0pRYuBb3/30v/7by6+DFKFmlVDG9ekBMnVW4PA4Hp2Y+x55zW8dL17XSIWveP68kO7KpgOYH9kw7sEPfAjfnmLaWiefmDIV5ujN+bsgsn9IQdP5so7jjP8jBZ2FaWvR/WJEKGzksPCEI3iOb/Cec1hiQzf4BCPSgbtv0HmeK/DTOi4PodM8vaQoj41zPjUWcn3x9sa9SqPhsQLrCaMfO04lp6n6txtd31hURrxfloZHToKIQkO79jgNa00sc9O1phUQHXRxnjP7ZczbgG1nln/4nZuQAaxJCBdc+ht+ucsCA1TaXOsket1DnzSM3nkMb6QyjUgeCN0cAmxwAMxsD0tePTHt3X6YWNaPSb2tt2OEFzRkN07lxfXYgeWLtZaEWZXT+Y0GOg6ycllhsaSzxnQiUizYslI0R/MtwKQih6yhsJwpj2w9MCgaHdGWg4suEvQ74BF1/24JV3QHgKKFNDTzmd3x84zikzYXOsOZS8VPALo0Kg3wRQKWWCSoFuYprkOq/idlAqLiPKs9cenU8r4Fb/cx66/WdSacQIO9MiuqBDXow7akZ+hj/Yy9AQfY9+imdoANXoLfxjS1elTPBMrEiGlcI+394mcIcx5UJsr2i5DghhUk5q2psm8gE0YibeAxZwJ9vB4VKAQSZJPJq+gi2wKVZYKxbxawojp2Rq8Fm6DExb2IsVPRwd+eAFs3WiHjVCyjT4oEnK3ykVALHdFAncqDeScAIxCBdIIFwugXqTZY5cM53QidLyHZSyFsb/w95NLNqdlQKsKqZ+SuiY+NcUuDeTdU55BB0DIeMiMGO2TC57lCWkLBjBVLfsRGeItrjsUUcfwHOCjrBJGOi3KwwV2XZRtJWVsLdgkG7O7LEztSSQl0IVjH6wf3sIg9VoaRimOFoF80qpF4cXX/8xu5lItFePo7JZlZ0eTHu4PsB7ugu40dvK8s3hbd88qsqDA+WXwUbV3F7JzwsIQet+Q46h81VaMIy8oQOS2l/ZLjCN9WhFCtR3CGzuPHNUc7LvEE8EJWxV1KtUWBwoQBblMIpx0caQ9HK5UgwKdLKey7YuVWSDlsfogGitLurtbx+tGNvJsYua6lUDPAGc2b/Xg/TE8fZgJpZqqA/ERQXEC9iPZQV1gjnMvSvi5mRZlCciPaI3OEM/heClmM5NXCTA7NXIv6aZUIq9wzkVv5I5VuCIDRL4xTdO4Rmw3I8BBnr2g25u7kaMJ4s/+TpCuMkuDWZy3EpUJojwFCxKx3fwIhXL7era/XiE2J8YTQuUxZPRDY/Jyu8JrJCrRLIotSyYKNZCjSqZG7EnjOoYhsgS7248bEuhE7CZHsY7ijdaIgAjsYRh0ucwSCgfUb/FKfbueVbe/bKNu1ZZaVMP1yttgafQ5l4Bk5xqx/kBYE7/GSCqoYqbcEBIFEv35qATMreGpDs92QR3ZGvptpo8aDn/Wejmm7dbI9vd6/J69euLUS7itomjZGuGEF1VauO21P0ZKOBpH8KURrCnHwIKDx4BOPQT2QtY7p3X0y1vr+YXv6LtPRhpw+eGveYXxoh4O9wY5bgfAAYfDl7u71wd2pSc/OXbQoe1OHTy5aL9VpBMgBOd4IkC+XHb8/fGSxRhtMc2QPk49qUgkS8449QH5Myo4x9zZgxkaphxK0np86euVOZVZZQc1KniBKgnc8ycih4b82euDQS0nJpF6nPVGd95J7f61FZA9fJvKE/Ofsxz/9Cb14c3l+8xJdMm2YWFZMr2gOpfBBXLhcyuR9gfZFwiBbduHw8McMXxzJGFMysVdxX/2nPdUQBs2NAY98tKHPj7kuBNL+m7rfjuMPcArFTLEItUlvM8Uwj9WdrreR9zhnlXYrIKmQZgXjWDnxZMWmvUME3vVweRXcc83yKTuNdDPlP1pGqL2Ivb6Y7SVPV2dxLvbddQhr+ErDjv/XO4ngkwEveMcN7ZRl5GFXplQpEwMGIRsgtVRLLNgfe7KqRTpWeCixj6B0l6dGyL1gKlhLmqjrzy92OXgtXIsv17toJ6v5V4q5WRGsKCoVzWXBBA4W3HXE0w02jAqjD6bHczzlbt/gk27WtX6kZSLGtVfnayu4SqwMNENqt7pfrE7Y7MgLm4dI1AXNqcKG5lm0pLI9/GGFzy/1ik3w7EbJNcub5mH+e7gsuddUB4zhm//YZ21Xpw0rOO0mWT7RLpslfa8/sx3ZZnB4KGROrpmLnq/6ivtIC7hG6Yw5FPyxmie9B52p86NOJfQysFGno4LGijXSRion8S20ghoMq30N35rZb30d3n3B8pzT6aTcW1jvoXIucLwduXeUnKvHY0yz3Ru/WqfDkNjW0dkzVHJsj8y+z1IhKojalmNefkiFnMCefEAGnWpsy1+lNugtJismRky6HCeSHF/1af1RQKZ/qagVH1Y/ck3O9Ay9yXGJPsH/OP0ol8LVnf5t+HiiFV5TqzlxihX6XFG1RdCDUJdSaFprVOHiVLvfDH4zjbz0PfCIhaxY3QVSuO27vnzjeNZbmgDVloHe++aoD8UUpjyldZj1ebxuLb3TxMjahv7hZRqpSoigHavPmpfHRZ5dG6mRGjsPMfMWZvqDwGjDRC43GumSErZgxH5yFqoT9Hmywwtit+fwbXNu0AvoCEsFaZ8hCF2+7FALVQLe8Td0ickWfdS7jW+bCGzRL6SNnl1rV5jAYB957bumFqACtWrAZPZFHFC86QMQqP7fqTSFcp4h+Xa3nV6hHuvO69TrwI5hh0FG8785YrPT5PWObdVn+HrXey3rrmDr411Ah7uZxmHXBAx2z6ZNyHTHMDihcEOKw8XPUDYQcyTgaIUbbDmnCya8rx6EE3T1K3A50nQQsDuqUCwRbq0Dpqf+xRaMjc829d59L6WR3pSND9sYTFbFxC3w21WB4GhgHXWPI8mQlzkT8SaIRb0bdstQVJj28QwIqW7ZDhyLa6PdlvcHpnYOsE779h3AusSq5in757N2K5sVG7RSR/Z2WFvWJb8/aHsm+swS19ZCqm26A/+LLrH414MdY2pEdruo1+p56GmyZPnLK4B+YG8nU4kGu6r7re/f1SgXZFQYJctjREcuq/nAufAgHvdrWmubHihHABxddce09/BCFiUW2+Y+wrWDcfrOXllTZZ+hjImFDCsFWN+lrhE6ID96VmSN2Yam7Yq++JwqR+CXivMt+o8Kc7ZgNEeXUPfsnINBVDZ0nhEp79iJgu6/0zly67f2M+Zj2nz0brNtOLysDKjcR44wPXzX3zdL+Ck73h3tfPIz9GFbuq23ngNLHHeC44en6CKL2ky2h7bFwTki1Nc61La2j8wUrrpGudzFznkWS6lqbz+EmN+/GTnyTq+cyOxU06JMO4doDynsygc99zWaSspEmsguUnYdex6oxCbsmiQiwzpmtL8DWPly+siQK8UjHnMHasRTaYzRrFKxvCEdmJqqDC/j2ZQt6OjP0y7oqOmPu6A91ycQLPTeUAGqVXzjxMKPxs2NordStJcqE1ujcktMUUu4I3M/wLKgXr3y/33hUXjl/8PnNYXc/phTFc7O89s5YfTcbaYbPAePa2fU2mA7uR+IZk0qJhZUqZG463Dfk+yrq/gfJH3QPTsBknVf4kXnGAJXCsLaMumVCiwxGftdubi9ZbsPkEGsun/6Kx0maI0P/GTliqpp/BFWZ/cZTy8uYPTjS3QB64dRo8pM1CxlhM4XVPnhn3QnC3NPc16aNHTcIWTnwO2iX+tOp+i9J83+ONYr+fjWKOHTRrfsj7C3ht0lkinXf71Cgi6lYe4AyxXWIxOgNJm6rVDnKN3i48MF7VEnmwA1SHDp8VjdOL2uvwknpGi2nKKiYre/UTP18MPooGUrTZjWVXSlEyBDslQ6b93TYiiAIVUqqQ90cChd6XllF0e3EJzeJ50myZBoOoP7KPKLW0jt3P8YdaTncUg+XnruwXFchGrNs3XKF70fUvWO7CAyeWZZD1fR2zTqVIDZHfUWdaLmBl+140q6DxLI1h+QhnidVOj69vyvb2/QjX2n0G9iZPpKi22iSupjsP2wkWFsQQyRFSV3+ign8sOEcNoeZKGhc02/zqZFGKSB+hGErRTco+VSxQZNIU+g5Do8mq4go0YD4GywqSab8NnFco05yx0jBpDoC8LJulrvE4RAsTu61X2xHYnz6wTSyLBXxpQ6YzCDNgloOMoUBCH4GdwmthR15YtUzGwP3CgiiyJpn7gH4u3w8A6hcAn+hinK+5ZmbBfLhmORaX2qgbd2ZSfDf/e7rWu0gti6UuOslGyKtOoQwg4DBBgAUmFrAMhKVliIQeOM1O2m/KqAyEjMdqK2zc3D4mce/v7m/J1/9171lm8eFCNV3/cfvWcb03fZWvIqFQHO6znOws+5aSZj1+N8K8GMRi8cEvoldOuAwt56om4PPAKkg7vhVSJp9sbj+lEw49MFZrtFB2uqIFNgUXFEpCC0NNZQvnVnONJeYbNJKX0d4a3BXo/QtoiWUhkkLX1//bfzUApukOyx+U6q5fQJlv0Cgx0X6xy7ZifBRjH/fvXbzfUNeovvCybyZqx3+Fjt3iZPw9wZojiyLb+Nwe72batRn8Ili9HTs12VY7aYrmDz1EX49ZaTqx07zjIvla8vfZdej8VeDPl0h3LiXgH1jov/8nXDTWGOyIeaZOzbDf4Sa0KfKLvRj6sGK74J6hauuPcM6SqQoo41+os2Sorlv845JnecaUPzv7zyfztrPmViQUn4owVTdIN5UJHBc975DcIiR1qiEbZUdMm0UVtr2U8pLEpsVr5Zf4MD6uMwQBKcUlOh6QqhXb0WkarThbzRJxvMqTCdnJQabz+QcdZMU5v1Lv847mN453SBK24yuBM/owXmO6XIO1vazeB/10mOqCdFtiPj27I1o/BiwQgMEphTKpCcQ9+ITkOv5lw0fsRm+hf7wFaGt75xGVusRWJ1stCp2ySNSBSFN6igWuOl70tEpJXfMMAspEi+kUt0SYnMR8I+HlZ0H5Xr+RwxgamH8JTSCIow7YsmF4gJbbAwNRphG9+wox7xfPhOBVVxuIfMWrfG1Tm14wnQytq2MGH3d2YE1bo+/cNTEARdU9VtUFFipSl6Sw0GTd3X3DZLvXgjl/rVjUuqfTkAf+nTwVq1AqP31AkLx+Gig+ZIJxm6TuLCeVq0udDLtMqzP+O3/p5fX37nAy6u7VtrXUNPgHtMDOJy6c5r2NcGdgeTrD23wPf07twh+3t/sLNRzhiAPopTQpwxgDzOKaNHsp72TF7/40z2n4ldNc2BPO36yvnfs2Cvq2eD3TpVqPRpqCmaMiv26WRLdf+fhhnYfukK7p+GHK5yZjLoR/0c0ds1nJ4RYquIE3WjIsbEcYil1ZhqyfF8OS2nRw2LTUu2BaV56iKQ8bBFt22iayRJ84EeMlASnmZF9PSQAfQDVsQ4FaevM+8Pxg2Sz5FrsM1I5EMBCj6afGQKtdpHBxo1WjX793/a7hq1F1IQ+zhgI5+7ZTsibqBJXUJx2KXuhV3GJb907vMbufRjXX0VA/SSsyaIol5QDba+YPc0R5rCpN2dH++uoccNlvoQBrCfbLA0hzAA/ahDGXoC4/uXjmPMwb4eQZPH0SBii4U9fPlrnVfqOZL3OVJT0XQe5nKpQ2zT8SF9OfRlxzDY4EejhL2+Wf/Q9gMcue594g52b+SXStz1T6nJ+9P/u+RNXPvkadyXC86R1vWW5QijJVtT0TjJvlxFwJLoOP9FWgskf47K35cR0Rh1aMhymyn6OcFZd4OHcMCwb9/M78r3FLuBi3TmvdkGuwprgocSZE7r5NGP18J89xOSCv3CJTbfv95N8yJSLNiyUuP5Le2+j1F3v+B9Qxj0uZZNgmU8Qc+MseyYuproS3cwSLXBKk+m1O2fVO8Ukk87+h5GinI8TE1zrVX9I+rR9s0wgVN12+VDKrZkAvP6N7vaygE6pNK/9iRGXN98+ilAAhTsJosikKDBaEjlGK9Py6hDxfHY12dFcZ6wvH7HtIOl0PXlU6KkDt9usBTAHBcrfdZONk6y5H423OTgtooWXBRrulxIzqFv6pcogC31TpBzY3mOaUQc6erxcB1F9Y0cjrMYJ/QztPgKMn8uqmohtakL9+bbwaE1k7gsQM2Kkm/9OdkvQzIzxWSFNMspevEnZFaqQq9//PEl2mA/SqheZQ8lnoXy+gBK+Lk6yUhBvhiucENVap9C03fVXmUdhIBe4Llc0w4xWLhEpxZv2iiKi9H7Q74YtjkxqWjOjmqacIhQX4U0x8axwBaImbrvD4j0V65NaI30cJzV3xDUi2ypQq/RlSC41BXHTbOyR8n1EPQnBj8CuZWhVb5/jf7FbvcMff89+hdEpLL6sus5UA9T++/c/E/7RabRLlHC7S+EzOmztXXFhmYEcz7H5C596VNOhTT1aDSwKywR65oXME3GptIBcyRvZgQsAw23MQeM3Rx7I5XVrMXWaR32g04zihBSCC1kJXL7wnAYyKChI8DDkhd3b8QAcoxYoL8Oe8JGI6ew5RLnz+Wd8+ggzf6AYZSKkYDV4U3h7pfBFnbPfS2E7bOPTavRykV9bDP0q9zYoxnanEwgqawxZiS6o7Q8QLRn8eJ9IURzgymydcqB51e15IGxVG4+tYBJ/B27cM0UjEy9vtz1vYuAi6M70x2I4Xbhr/r1JVJWWmtwqAxni4xO/28okaye+eSU2J1HMpIvlyQUNBT8bfOr99ANv5nRTBTFfhDQiKC0/9SBmC8g8OJXynTJWeruJc/WnNcsVSHsE1Okj2sa9VB+h1tn34B6IpDnutpq8U/If40IoxMvg3FBk8ToYQSQVOjm4vzG674EC0seVpRS9TVeBE/kF5cGUT0P98dH91SBIR4adYuGpnzV/qQ12J2eA5b5DL3+8Se0AboXFAuEOQ/7Curq5wVq/UdoQxV1YLFBnGJtkBS9cpFdIp5cTfyyiRi4qynCtp52v0uVA+Egq4mSlZBcLrf9QNyCqYEWi9CPiKywwsQ4IlJoX2SxcBPcUSV8Tg/f8ZmPVtTGLuh2gfqUQYR90xasRVFYJVOKOoyg8GZUpoFk7amVmIDG6mIUwvscJCGVqiFqg0WOVY6EVAXm7I9Qfq9URZA+uc9yOJpED5uFt4dILdYNMq84W1DYccDA15RIkY8o2O1xZ9pM0NA+tCEmiCxKTk2QAUadqBgU+PFG09pgZU7EyLd27SA7j7HyLmeOsl8hRfROyPkgQeLJTQ9EfiLCX4k8BdktyD+kOFH3nHr1WsV06bUf+hQeiKhkN/ocwTBuP4Lct8Otscv35YEFzvepzLbtjwJ/OkhFiVQ5zdO9gz7Jxj9Tulmx1jHqTJvmi934+vC1UrKYAdQKivI1oQIrJp1aX1TcsG8NowrhsuR19Uvby6bAAi9DpbkIcQjv1PaiQ8rhqhEzX2skN8JFxgwuyr5n0GNcT00a3j6jEVkxa93InOoZeltpA2ZSF6jrnjWSl4sNPfKQ9gqwxcLivaZTaEJwyPWCjnZuaJogjiGwVa1ztma51WyAH8KC7LYWZB96xAtv8r5karIdtufpYkH3lhOZ4Vu3WW2FntXXLFLAoPt9oxEP/UC371qezQZLtt3VqtgSqIg+irOhf+yrAhrk54pWk7GS5W7HRa183GAYe1p1G3B10SwBuVijHhqiRlQKdgiaQKYtC5Pg9V0WKXAtswSollkK7bmMKYp2gcYa9dFCTaArdV6R05iQPfMx+MYMnstHvTnHis1Dcu2YYEH7QPS6IcR2BGEyUOJjKNa64idqmi8rQ2RBXzkcGuPFD3AZcAgWngQ7BuQIg9A1Vcykbg061n3ar+6LAMdGk/ZcPhMPbnOvdFPpYqFB3MmNum8Nn7B264I5Yz1VvK6cPpspcACNi5Hlg8mwzSTYIN6hKTIJD+HTrpXetQSlQr/d+tRYpuuEgL5fDdavT2isSlKXUrOIguNBvAXmtMjb7sLN3R3twlNxk6VrXfRIUSSqgipGHiuLgnubaPLzAyrZmpvhxJK734OtranIYU7yQbkl538/QfeaOrQrh9Npu4ilrwUfkBvmAe9FzEn6lL3qvhqdBOvFjPdyrXCTWyykQbiZpBZOoOVymdWJKicR6jUjPlqoT9EzZUf2/TukW0HX6mHb70bxl5yR7RTTdkbkwg0g4JtrC74dkcsVT5k3HSbg+8o3/w+LUykMvU+tsTYIXbejAurqqjzX9l/wqGJeIxRqAHPgcSYrLJY0E3STWhaMBS7pphPqByXEGMXmlaEdCTHM0dcOdautd5+/kaHEJY4m7BrK8cGEjkluDhiC/fwih0xXfwsYt1ABZglWNxzUbc6XWlM1Q7fUHUqlqZrhJYVW3j7TfSFVjcMAdg3G6e0Efo/c7zt9K6RCcyU39rP6r6Se42jNrtF+0tf5DVYmtpuuARzbo+LvlBxUh051pyTP2xmkia6ULKkPKKZ6i88Fwpwq02QXqXZR/zcX3vLio9MEAJKQAgpzjoQU3ypaUrBk9mU/TDEXZbePfmgaitPjXjEXYavDP4Od+aEaraxHl7DgHKpNBJLi26W0/73nJQAlJQsojgn3jTvBwFeAgEVSLhBMmGdUz9BtK1P6gw26lVVpML5w5XyVtkaMKxl1yTa5F7/NNBPCK21qhvT/Mzgm+AnT9iR9TbT3b1jFFz4dV4Em137cDQtb9K4tUzql7OtDhpfF8hKwQFhrSRj4S+1pBO1JOLA37I7+3BlkCIMLz1CpYCbKGaKGfB1WlLHCsQZWHwhiwVLUUKVRiTV08dLQyMFPk5ZFYaWY3AnaD0trqCF71T33HpxK4+ucYYKHyYlvIouyGt7BBMeG0YaJXG58Pq2fNnnWZFKMEmOwzUXF+RZ9rjB3zs9cFpj5Qbyw73ohLkeerq7XM9EA+8FoOCbuaO5rgepEdKzBO+UNFPvJVw1qM5bvOzg+6AqRVNR1Jzs5t0QfgRq9325Phddvpfe8otthu54m6ExVwfqDnVK7WP2anTF5+zXt7yNr2gvG09/xZsu/wGrNNVY0rwhFdeSIht1tbqZ+FnhNkz0itztj/PvvY+cBtC/MqF+Akjt9VMuBGB5jv7p96FZYr5obatXCQJVhRVYu87eusWnKDC9qSL0WYXYjzTIzrYj9VfP/w0pTZOW5QAxy7ipBOMXK/gka4bWo+QLCevJrXdh5OPrghF817PP0rF8sIot5M753sfNg+bJR9YjXa81Upaf29HW1EUBg3OM3TYA0cCUu3OquJ+O4p9RZcNMNrnVe5utLP4IbvfCNG+rZlK7o1+L2MqxXOwf0qQb8e/fz9WV3vmsjJobeg92InEsDdFuYOSaysmDDdNhIXettyl72u1FdX6Dt1IW9fmzhjO+Jxx1fNAuj68uDmmws/9wBTdYi9lrkrUY7QxeuPtP3O+Xug/3aLCCodr/x3VfeHTevTFO5KU3zGFWCU+0oI92DspFojRXDcz6oAnRNGZhAJccjgkBToZP2R9k50K6q6laeWUllNYy6vpDZc759dX3T16GRbxnrPApjddlHDhR8cC1kG2lxSKJrYdAtWwoMwmKERUupUjav/XogvyyT3tS6m4SujvCfFpHOXQYuy2WAcd799gExQXiVUyvO/CBb+/MZenF1j4uS05/RjXOIOLAgvWdhvwhE5iaPbYJzqn1awpgxfWdV7iPwekQpXseN+c4/De+ZvtsTcjWKLZdUpRthFybZp24swOMA2ulKUb2SPLfc42z1kUmjO6H3CTwLw9i7l8ov3jsd42XTjOP6MlxG8uDoPJFFmU2cdwWn4nOvYIyr8+/pav6tRUcKqE9dwLgZmVdkzErzaumJssa6mDfSUiroPGDleo3fyJQ4rPINVqfJ0Bt21bfSFfuHyG5ipDXyCytEMXqLSd1POazcWhE0qR0jxbe1gqr2SyFna0Yfaq0o1tFzg7XBpoqlODf+KMz4ycwOu/hc3iOWvxp/v+zLWk2BocXo46DxsbsLFovw1a3fscTT9wZMfjmcu3fMc8aErGLFODt1JHoZ/U5ZSRrT6TDwyP4QGXDqzow7LHHOuZV7SFeEUK0XFUdXdn1EZE61ZYm62W/YsmAip/eRCcCZNsdpnk+ULbAwmGKqRmJOFcQ3C6wYhwyegAfPxd/FEmEg4rf2t8GdiQR8KOeuudCJNGK/OnrR5HOWVOnSF906CTMgmVcR2oT4usPTy5EiQ+fmGr7HqRNKnPLVJHl5X5X7tv0QM6FRTg1mPOBkmMvKdH43sjXJJ8/NrD22uMljAzzGH1JDi5Iny+Y5RzldYB8C8p0v6xi+z9a0WvGaKo63UMhlpH9c0YvAjbQfgNXtf00XdRW489Vrw0wFjRlRcGOtbTBs2PTU6xo1itXx7xAcG9MEsorIorD3KQ0bXTjoiHWSfUsl1yx3/rO6i1xB9WgiVC7J8YHGx3vLfmG81RpJNy8vrBrcl5D0dBpZX6+eVtb/Xc6P9Dsdvb3/Lec+ABO+XSVL1zj3EhKK3cnf3lyj64FC1UUjWddaX12yH4OIhV1NNewyqiH9GH+Yz60OK/dORGRzmaeu+BpU3PWVDo8LsriMqEer+N0SXMhggsrzjgvYlw67BNomHsKWLG9COSNOvCK21TgoA4/w8sdT8pp9l1XKZ6qe7n3z0XXPqQNRkKxxT0nV9SK41K85DZW31l2Y9iVuTOAICXrF812HSFNdideYcTwMZKDGFY6gvnJBlRqZtODu0DG+/nhxN2+sFL4BlAvADrbk0w00W85GJCIrsnmV59vo/hlWZFHrgDpwK02Pa3S+10sVH6JiMmKXg16JXaarKQoSmO5mr7qeq7jKmWkq69q+aB6j0GC7tmLDiZI2vLB/ky5LLDYF15NZ5RefrtALXyvxqeJWV54zDgUckAd2dV9Kbb/5En07dDSIfhTmTsiN2DGENCUVNLNY70IfmbRJ8AQuuH5a6EVd5f7Olya9oUtMtujjqLnG2VzhUxTl+4V3SMwEKjATC4ULujcdo8QKpvam75Owo1zewLLoncxdcnTbFrCTdRZACh3QviBVwBIilYW02zfuHd2gXysBpuRbmVOOXjCxnn1zhpgkZ2hu/0Xtv7DAfKuZnn0Tji8aUmYLjgeT82PrULsa/sUNgkXB1wVyclsPv5KLvY0ajEyKqfvr3ONZt0HQVFlGDiK0LuLK3R5mn97+jhVFH1wC8DfffHr7+/n7q2++cTm3a6wwG+XJjVR3MUuWD16w3+sFuxG2UScYFrGVCF+zE7dLSfMcYGKfi20CE2YhFRWakZgCpONKSoBxEd8LEogPxAKabTAbDid+sncAep/HBmqvT+wSdV3NE10KM8+1UbEr36FeO5lDrPuWRntH65qPdE7SY4td2sFgA5XGF5u0dS++3sWCWLBRR1O91WSO2GO3GuxGFNhmv7wnLJSP7if4eMeFRd7r/++Hq7Yqs5v8dxIWyzs+eo/IXiRPwhx1HHcfflJOkLS1c7Idu/SFaTLa6yw76JP5EtxuA849HJmuW1azKeJhUPS1wIxbWtfNXG68zLi+7Na2QScuaw4augy0MBjPKqxzrjOrIh6xn2MSryHd2lcfXciiqETfEzXAThzXuOmp2L2j9+bfaVinbnDTx2nWT8XtFov832Q4atbiZrBhx0iGJ2M3XHgHOV3pkhEmo2WJTmXBA/YbrMQw6PDcUdeiKDOZShjfvnt7g35zftQ2KTWMyOdJUwlu/+MN+lxRNdK7teIiU7TfqTNtckPHIbpF7+uis2BaV6Olk4gPaReojD1GwAItj3IcHYJqAsGxJ8PN4w9owByrIsFpWbAJ3Au4jFiA3ACt8mhTaXdgxu12tQM6x6avFT4V7pwKsiqwilVW0sDdlngwvvjJ0SdMBulUUWBmq+i8QOgibgFVA3ixhFZLCcDK+d8TQC1x9EkYruNUdPaCoHvGYj84vnNbQa3qGR1pkWECg1Hil59Y2FpENN47gOfLcv2DuDer6O87ERkxKst11L7rHegW8nGRpwcAXnMcXWKIjIolExGLIoegU+RGi2yR6Q0zJLr8ENmCy43GRfzclS5sYdbpoCeIuhCRMZFSnDBRUlXMt9ES3gewS3KXBvga8xS8wsqsVNLILH5ICqCvf8jA4xgfNk92N7lcZnkKYlvA8fPfiMgKfJ8ZE8ttsAvYcjSnCR6FgolESDORDumS64zPeRY7LLoD+08JgUfvDN6BHbsXYhd27KreLuwfE8L+KSHsf04I+38khP3nNLCNLDme0xQipYEe3zwTWVFxUL7n2wTvZA28vEuglxQVZ8uiTKN9Wy0T82XsJCQPmaVQSjT9TOL7RkSmXUJighPUiqSxJi3gNNak3uqqTDCLlIimrDqJqWqksaYHvU8gQow01jBLBRvMmiTAK8HuBRZSU5KACdc/WaokehTWP8nSrCjOE7jVZFFmhCfwYVvACYIkAFfNtya+W9RC1kkgl1WWIKZBFDOMYJ6ggEhneEkF2UbMuurCFphv/6D5PAXe6wzagCaB7NrBpMHaJdYmgT5fluuf0vigdTZn5s9JGo0RncWdFdcDrGR0Ua2TXHOASomKX+WmnY8/2qytDmBqVs7PH9854oCD2pcEuOsmH6+DXAf2gnGawobR2SLFIbJFzOLsXcApdAOdsRKSFLMkoo6V6x9ybcpBM/9IsLUiSWBztqApzBgNjuaC5ixawegubCbScEkh84pTTWQKanvgbJlANslSb7CJOvO/Az2UQR4FsKJLpo3C8T0hLewEGp+iZSpSq2S01tCJXCWSry4z37F4AuhGUVwkUCRdKVAqtNMp15uVZDpzE2bjQ99ihZMweD5SCBsD8trNt48Nl2mDRfQ5x7k280rFGhZYQ6VuVlAKqFV0XOPr0XVNcmywMLlhEX/Y9bGdBvbBXOI8j30HWB47rFq3DkrwFrEiI0rKIklXIgs4gZnGiixNcqTveJSCzOVd9PZMpY7fspSVulQsMlCODTNV9OwzzgSN12KnhaqjTtRp4ELxbXy3Fpeu62m24DL6c94AT5Dyb23e6FLHAk0gcawNnQDV6LkJXC6TsK5YJrnApVSxBVgxr5YprlnBNEkhFgqdhGFTzIEQ1EBzpehwo8tw1wA6dsafgxo7HU9sNrEtkCQVZdINgI5uicr4mpFUbJkF5nE9Ge5GUBX/zSozN5Q3Otiok6lbsG7EaxImS1C46WfixBYGHmxsaVBmzpEUHV2stf0wI6tYdf4D0PS+ZNEDASVVxVJhYQY9d2NA3iQBHP/pdZ3IPn7sTQGNAFjJZYZ1GXFgQBe0wrGhKop5Cv1OUQJ0cF1HEwGPT2QLOW4L1w5kqfIEGMd3ZOoEvmHtfMMJ8gE0jZ0I4AYeJzBONP0cnwFCDVqjQU1gSmm2TCB4dRnby6YVSXEPFMmjK9JakVBX3AiATbwRW12YlY7eVXNNROxCieC02KcCdU06Y2/fLE18tnJA40f0mpmeseFuy+jdWqt8niQPvVI8wVtYaaqynMWuek8ytqKODKUggyHa4CK2N3idMaENXiTQDNZMmRRq+LoUCVo3GakqEdPNGmqLFugoel4Zid5XAg2WbrJHEg7L+4Q5y9GFojkz6AKr3Hcz1ND+PYyOm5yVkEpjE0IBDAzRR9DfgEiOQqU6TT4EE+kod1WUXG7pYLDgQfotZBWtqfcDeczS0PmMYN6Zokt6jwrcb7TQxmLFsuoPA0mOJGcahjPUq/ujhwZKSFdlKZVBw8ajCG1W2CBmUKnoYowVnpCW+5ghFCHCe6ujQQEx4Tu7j/SF5kyknsjfQdWu1sVTIyOX1KyomrXf1ytZDV40hARdU9WMIzISlVhpit5Sg2EiuLuruCHBizdyqV/duLLXl+jSj/g6Q2YVmFIEzYDfUz/6GNAW6B01vzMjqA6f85CpkxBvASO7m1sEi7vNaooVWc2YYEH8YObuBP21e+ITZmFAMsQrjisBs36XFcxxrZu4hxu49/q179lT+nbczZ6aJtx+fvGIsW8PIotY0/SwzquwLPpA7w3cijF3wRTTqEcEUju47h1MqBZ8ZOIldM9NOA4c+udqapCinyuqzZ6m3cdnKz++V75TGWAsj1vVSey+R6rJO911p+zDyWEEsbGdv0OHdv1zcOcxZ/8fnm9oF7u+rIUCrB3mDbAa4iXxPpKF7eMyx5oil67dYIMGt6o5Jf+L0+ArmlHwDeZSufb1QTIihDXSlMK4M7x/XpXCQmMywXjfQYdpt7QAtbdlGlIpmIC2D+mSqoI5dWMqpNsl3WAOtmacLinidE05wlqzpXAH187rD7M+tGQ+ofyG9fdw+vwkk54tZpVgnyvaH5OIw5evg+9xHROPm4JSazQsdxeSSCEo5FagDTOrMUGBUKAypNHYFT2qvOjRpoUlJ8iT5onicskI5shiMGL6ABanxQ6WGhnTeDralautDqPXSWfbyF5Wa+wHHnOGdbaSyW0CZ8Q15hrMUmmHGlmp2B3BE+4HgNylsdjCm+YHsRBOsZqdcy2tIb5z3y4hWI5+9b+YoXOxbf5vAN2ALa+FQTifEVmUlaEqLIaTuPHtxtKZZ1/1zwJmLO4cCDN/q17/6bs/W9v3snMcNcW+CqLt+TSLGzF7qOMGb6lC/9z45PQrjwYgF771set/0vO8aHHe4fq953Fk8vIh2fZ1f2CKXWeG3v324crunSrqnCfgL82ZJoqWWJCt1Sq9esb7uSAIKHSGPrz9GV0L8/3rM3T97vLqP39GH6+F+ekH9GKz2iJBmVlRhchKaj8qTSpFiYFvfffT//pvL78OUoSaVUIZ16cHyNRZgcPjeHRi7nvkNb91vHhdIxW+4vnzQrormw5gfmTDuAc/8CF8e4ppa518YspUmKM35++CyP4hBU3nyzqOM/6PFHQWpq1F94sRobCRw8ITjuA5vsF7zmGJDd3gE4xIB+6+Qed5rsBP67g8hE7z9JKiPDbO+dRYyPXF2xv3Ko2GxwqsJ4x+7DiVnKbq3250fWNRGfF+WRoeOQkiCg3t2uM0rDWxzE3XmlZAdNDFec7slzFvA7adWf7hd25CBrAmIVxw6W/45S4LDFBpc62T6HUPfdIweucxvJHKNCJ5IHRzCLDBATCzPSx59cS0d/thYlk/JvW23o4RXtCQ3TiVF9djB5Yv1loSZlVO5zca6DjIymWFxZLOGtOJSLFgy0rRHM23AJOKHLKGwnKmPLL1wKBodERbDi66SNDvgEfU/bslXNEdAIoW0tDMZ3bHzzOKT9pc6AxnLhU/AejSqDTAFwlYYpGgWpinuA6p+p+UCYiK86z2xKVTy/sWvN3HrL9a15lwAg32yqyoEtSgD9uSnqGP9TP2Bhxg36Ob2gE2eAl+G9PU6lE9EygTI6ZxjbT3i58hzHlQmSjbL0KCG1aQmLemyr6BTBiJtIHHnAn08XpUoBBIkE0mr6KLbAtUlgnGvlnAiurYGb0WbIISF/cixk5FB397AmzdaIWMU7GMPikScLbKR0ItdEQDdSoP5p0AjEAE0gkWCKNfpNpglQ/ndCN0voRkL4WwvfH3kEs3p2ZDqQirnpG7Jj42xi0N5t1QnUMGQct4yIwY7JAJn+cKaQkFM1Ys+REb4S2uORZTxPEf4KCsE0Q6LsrBBnddlm0kZW0t2CUYsLsvT+xIJSXQhWAdrx/cwyL2WBlGKo4Vgn7RqEbixdX9z2/kUi4W4envlGRmRZMf7w6yH+yC7jZ28L6yeFt0zyuzosL4ZPFRtHUVs3PCwxJ63JLjqH/UVI0iLCtD5LSU9kuOI3xbEUK1HsEZOo8f1xztuMQTwAtZFXcp1RYFChMGuE0hnHZwpD0crVSCAJ8upbDvipVbIeWw+SEaKEq7u1rH60c38m5i5LqWQs0AZzRv9uP9MD19mAmkmakC8hNBcQH1ItpDXWGNcC5L+7qYFWUKyY1oj8wRzuB7KWQxklcLMzk0cy3qp1UirHLPRG7lj1S6IQBGvzBO0blHbDYgw0OcvaLZmLuTownjzf5Pkq4wSoJbn7UQlwqhPQYIEbPe/QmEcPl6t75eIzYlxhNC5zJl9UBg83O6wmsmK9AuiSxKJQs2kqFIp0buSuA5hyKyBbrYjxsT60bsJESyj+GO1omCCOxgGHW4zBEIBtZv8Et9up1Xtr1vo2zXlllWwvTL2WJr9DmUgWfkGLP+QVoQvMdLKqhipN4SEAQS/fqpBcys4KkNzXZDHtkZ+W6mjRoPftZ7Oqbt1sn29Hr/nrx64dZKuK+gadoY4YYVVFu57rQ9RUs6GkTypxCtKcTBg4DGg088BvVA1jqmd/fJWOv7h+3pu0xHG3L64K15h/GhHQ72BjtuBcIDhMGXu7vXB3enJj07d9Gi7E0dPrlovVSnESAH5HgjQL5cdvz+8JHFGm0wzZE9TD6qSSVIzDv2APkxKTvG3NuAGRulHkrQen7q6JU7lVllBTUreYIoCd7xJCOHhv/a6IFDLyUlk3qd9kR13kvu/bUWkT18mcgT8p+zH//0J/TizeX5zUt0ybRhYlkxvaI5lMIHceFyKZP3BdoXCYNs2YXDwx8zfHEkY0zJxF7FffWf9lRDGDQ3Bjzy0YY+P+a6EEj7b+p+O44/wCkUM8Ui1Ca9zRTDPFZ3ut5G3uOcVdqtgKRCmhWMY+XEkxWb9g4ReNfD5VVwzzXLp+w00s2U/2gZofYi9vpitpc8XZ3Fudh31yGs4SsNO/5f7ySCTwa84B03tFOWkYddmVKlTAwYhGyA1FItsWB/7MmqFulY4aHEPoLSXZ4aIfeCqWAtaaKuP7/Y5eC1cC2+XO+inazmXynmZkWwoqhUNJcFEzhYcNcRTzfYMCqMPpgez/GUu32DT7pZ1/qRlokY116dr63gKrEy0Ayp3ep+sTphsyMvbB4iURc0pwobmmfRksr28IcVPr/UKzbBsxsl1yxvmof57+Gy5F5THTCGb/5jn7VdnTas4LSbZPlEu2yW9L3+zHZkm8HhoZA5uWYuer7qK+4jLeAapTPmUPDHap70HnSmzo86ldDLwEadjgoaK9ZIG6mcxLfQCmowrPY1fGtmv/V1ePcFy3NOp5Nyb2G9h8q5wPF25N5Rcq4ejzHNdm/8ap0OQ2JbR2fPUMmxPTL7PkuFqCBqW455+SEVcgJ78gEZdKqxLX+V2qC3mKyYGDHpcpxIcnzVp/VHAZn+paJWfFj9yDU50zP0Jscl+gT/4/SjXApXd/q34eOJVnhNrebEKVboc0XVFkEPQl1KoWmtUYWLU+1+M/jNNPLS98AjFrJidRdI4bbv+vKN41lvaQJUWwZ675ujPhRTmPKU1mHW5/G6tfROEyNrG/qHl2mkKiGCdqw+a14eF3l2baRGauw8xMxbmOkPAqMNE7ncaKRLStiCEfvJWahO0OfJDi+I3Z7Dt825QS+gIywVpH2GIHT5skMtVAl4x9/QJSZb9FHvNr5tIrBFv5A2enatXWECg33kte+aWoAK1KoBk9kXcUDxpg9AoPp/p9IUynmG5NvddnqFeqw7r1OvAzuGHQYZzf/miM1Ok9c7tlWf4etd77Wsu4Ktj3cBHe5mGoddEzDYPZs2IdMdw+CEwg0pDhc/Q9lAzJGAoxVusOWcLpjwvnoQTtDVr8DlSNNBwO6oQrFEuLUOmJ76F1swNj7b1Hv3vZRGelM2PmxjMFkVE7fAb1cFgqOBddQ9jiRDXuZMxJsgFvVu2C1DUWHaxzMgpLplO3Asro12W94fmNo5wDrt23cA6xKrmqfsn8/arWxWbNBKHdnbYW1Zl/z+oO2Z6DNLXFsLqbbpDvwvusTiXw92jKkR2e2iXqvnoafJkuUvrwD6gb2dTCUa7Krut75/V6NckFFhlCyPER25rOYD58KDeNyvaa1teqAcAXB01R3T3sMLWZRYbJv7CNcOxuk7e2VNlX2GMiYWMqwUYH2XukbogPzoWZE1Zhuativ64nOqHIFfKs636D8qzNmC0RxdQt2zcw4GUdnQeUakvGMnCrr/TufIrd/az5iPafPRu8224fCyMqByHznC9PBdf98s4afseHe088nP0Idt6bbeeg4scdwJjh+eoossajPZHtoWB+eIUF/rUNvaPjJTuOoa5XIXO+dZLKWqvf0QYn7/ZuTIO71yIrNTTYsy7RyiPaSwKx/03NdoKikTaSK7SNl17HmgEpuwa5KIDOuY0f4OYOXL6SNDrhSPeMwdqBFPpTFGs0rF8oZ0YGqqMryMZ1O2oKM/T7ugo6Y/7oL2XJ9AsNB7QwWoVvGNEws/Gjc3it5K0V6qTGyNyi0xRS3hjsz9AMuCevXK//eFR+GV/w+f1xRy+2NOVTg7z2/nhNFzt5lu8Bw8rp1Ra4Pt5H4gmjWpmFhQpUbirsN9T7KvruJ/kPRB9+wESNZ9iRedYwhcKQhry6RXKrDEZOx35eL2lu0+QAax6v7pr3SYoDU+8JOVK6qm8UdYnd1nPL24gNGPL9EFrB9GjSozUbOUETpfUOWHf9KdLMw9zXlp0tBxh5CdA7eLfq07naL3njT741iv5ONbo4RPG92yP8LeGnaXSKZc//UKCbqUhrkDLFdYj0yA0mTqtkKdo3SLjw8XtEedbALUIMGlx2N14/S6/iackKLZcoqKit3+Rs3Uww+jg5atNGFaV9GVToAMyVLpvHVPi6EAhlSppD7QwaF0peeVXRzdQnB6n3SaJEOi6Qzuo8gvbiG1c/9j1JGexyH5eOm5B8dxEao1z9YpX/R+SNU7soPI5JllPVxFb9OoUwFmd9Rb1ImaG3zVjivpPkggW39AGuJ1UqHr2/O/vr1BN/adQr+JkekrLbaJKqmPwfbDRoaxBTFEVpTc6aOcyA8Twml7kIWGzjX9OpsWYZAG6kcQtlJwj5ZLFRs0hTyBkuvwaLqCjBoNgLPBpppswmcXyzXmLHeMGECiLwgn62q9TxACxe7oVvfFdiTOrxNII8NeGVPqjMEM2iSg4ShTEITgZ3Cb2FLUlS9SMbM9cKOILIqkfeIeiLfDwzuEwiX4G6Yo71uasV0sG45FpvWpBt7alZ0M/93vtq7RCmLrSo2zUrIp0qpDCDsMEGAASIWtASArWWEhBo0zUreb8qsCIiMx24naNjcPi595+Pub83f+3XvVW755UIxUfd9/9J5tTN9la8mrVAQ4r+c4Cz/nppmMXY/zrQQzGr1wSOiX0K0DCnvribo98AiQDu6GV4mk2RuP60fBjE8XmO0WHaypgkyBRcURkYLQ0lhD+dad4Uh7hc0mpfR1hLcGez1C2yJaSmWQtPT99d/OQym4QbLH5jupltMnWPYLDHZcrHPsmp0EG8X8+9VvN9c36C2+L5jIm7He4WO1e5s8DXNniOLItvw2Brvbt61GfQqXLEZPz3ZVjtliuoLNUxfh11tOrnbsOMu8VL6+9F16PRZ7MeTTHcqJewXUOy7+y9cNN4U5Ih9qkrFvN/hLrAl9ouxGP64arPgmqFu44t4zpKtAijrW6C/aKCmW/zrnmNxxpg3N//LK/+2s+ZSJBSXhjxZM0Q3mQUUGz3nnNwiLHGmJRthS0SXTRm2tZT+lsCixWflm/Q0OqI/DAElwSk2FpiuEdvVaRKpOF/JGn2wwp8Ko7T/93wAAAP//Gm+GWA==" + return "eJzs/W1zHDeSII6/30+Bc8T/LDno1li2tTfe2b3gktKaN5LMFSV5/xcTUYFGobsxRAElANXN9qf/BRKoZ1STbAJFam/8wmGzuxOJRCKRz/k9uqb7XxBhmsh/Qsgww+kv6Mz/b041Uaw0TIpf0L/9E0IIvZN5xSlaSYU2WOScibX7OhLU7KS6RjndMkIRl2u9+CeEVozyXP/yT/Br+8/3SOCC+jUXWOPmE4TMvqS/oLWSVdn5awCN+p83AB3QcVicXp2iN0zRHeZ80flqjUb7lxqPgmqN1zRjeQ+yQ+Wa7ndS9T85gA5CHze0g4mHjVhOhWErRlWLUwAVXa1W7OaOaNAbXJT2tDTVmklxdxx/g79j7tdDeGWoQv8/i/BdEZWVIjRjwlC1woTGoNwVwEQNTDhUs6FoxeUOSYXolgpzEK2casMEtvDj4nbeAn4QgqriNLP/GQOp97igSK4AhVNCqNboTAqjJEdvmTawGDIbbFCBDdnQHJkN03fA0p9upalKgauF6/BiGv7g1vPkvBOG3YOeDc3OovfBtcBlSfOsvjJlAM/BH28VMEZhoTk2NK9pd3GJcJ4rqvU9cNlIbe5MtRWuuMlAjP6CVphr+lCc7fL3wLaUKoQtl2L9UEws6Ltg0pMvkQ+yy133O80uVo91pF3s73quXbxTHG4Xp1tP2GwUxSbjdEt5HD3AwkMAD6RFgfkOK4peoKU0ghqL6WrFyAL9JkDmbKnaf8/l7gTZfw3AFTKnCht6gjZsvbGPDXzd/s9dtkWwoWup9jF2duZhNc/f9M7e2EexVlO2TFX6xH9nuD+j5N+xOEHUkIP7IVIIStwFjKKvfRLsS9VV0GBbGN70g5gwUpSZXTSAhd4M2fkgDhdn7y7hl7cvSGQea0EL6q60nthnGrHy+fJ9Z23UWzukC+AyU5RIlev7IfIADR9rzdaC5uj89BINFw+SsiiwyDPOBM2wWlcFFWY+dP3yyC6PmuWtibamOVru4RpzSTBHuMqZsZ8c2k69/eEjeMc93PeVbJ/DlvBGIuw4hTMqDNIVaMCrivN9wz3i4C5KxbaM0zVdSH5PHj7yLH7fUIEwaJa6Xd7ql2SDxbrW0L2+KXmOtphXB7m/3YSguye4CUF3t29iWSltFnL5d0qGUizdpVDUqQluWRD7gAfaYSWYWB+80A5jNg/bdLG1SgC6OD8KXVIpRYXJLIz5ZI9b1CML6GtKxR2wlWLF1pWi+eMg3K7fwf12tPF2/Tj44i1VeE0fROhHQ75D7MA+MOdyR/O7cHhRcWzYlmZEVmI+YWKkwRzBmlaX7+C+YUYjzQShTqg7abPDGhGrmlsBpBDhFKvOBvs+0pXpYvNwH+kbpmgpd1TVVso5XVGh6RNxnL75eP51OU4twv9wnP7DcfoPx+lX7ThFnzRFr8+u/EcLgc2Clf/wpx7pTw2R8wk7Wht0O5/fgwX+4YS9Hac+Wwzp/A8X7T9ctP9w0fYWvNVFqympFDMhpgl6U9oFB8t9wDuv6QNxrzxc9Nq+0oejUF+5mzgligfdxH0bj0kd1ca7+O2qScGp/5k25TBowRln93i47qgN2ifW6dgW+kFOWmHCeJibD9pxV6/P7ncu9ULISLTbMLJxQtLbnIquqNLo2aoVjSfo6v27yxN09f+/OkFYWEVnAHYlldk8X6DTFjjBAi0pwmiDVQ7i16VGnSCMSiWNJJKfIBBlhcuqkquhzLVK/l4bWiAtV8YCWaALg3IqpKE9I8BLeoIr3dDe/XT4TrltLkaM6BO4Fo2dthhYB3JL1U4xYx8tVdERv44P6ZYrdOCguixUZ5a1BuRuQ5Xzp/iHDG2wRktKBZJLTdWW5uP9qV6q2W2bGV++g1uZvluAtcB9lWV69an1Q0t0tDm9HhzzoRUO3arBqXy0tto13VtbrtIu8EJwaSpPf4V3zcUBm4/Igmq7aWk/H4BG6K1co3NqHzYV3oiDxYZIHbudGi6Ym1bbJZEBe4QTU9+T3N14IoWBAJ5cISa0wcLUaOggjoYVxyCYDz3BIey8jW+XQNh4cYpr35pzf2L0nprfmRH2GfCnvxixRrNZvZEVz5GgW6qsBK35rsRKU/SOGmxRw2ilZNFZ6tlbudYvLjG5pkY/H4E/Z4oSw/cnTXwKow/UCQvH4aKD5iJIyLHtcTdKjkyoASXPaakoAYPJYpLTFbNqgxQc0DJ4ya0SX4axKvR6qGrH5UB/xu/8Pb84/8HF9LyXp1bM3bfoDSYQQXbnpUYHAbtjoLQ5boHv2eMosTKMVBwr+L0/2MUkZ4xAH8UpIc4YQZ7mlMkj2c57Ji//cSaHz8SumuZAHnZ95fLvGWxkeCxPBrstPkboJUdNUaf7PkXcLNlS3f+HYaYNNrSgg+DoE0EO0o8ywvHgDj8R9KgwAw/dE0FsM/I6PRHEmDgOsbQaUy05ni6n5RQfIz3Skm1FXcQglg01odeE7MzOF2u3gMVmpIeMlISHWREDPWQE/RYrYpqKo8DrLFQUHa9KkHyOXKNtRiIfClDw3uQjc6jV1SjmUO/f/2nfN2rPpCD2ccBGPnXLdkLcbFlacdil7pldhq0Ywd37/FauXbyhzmipRE4VOEupF1Sjra/YDc2RppB11ftxfw09bbDUhzCC/WCDpTmEEeh7HcrYExjfv3QcY472dQ+a3I8Go5B6Er78VWrTFZF8yJGaipyJdf2hDrFNx4f09dCXHcNgox9NEvbicvtTk8M/dd2HxB3t3sivlbjbV6nJ++r/XfKOos5JZMNQLjhHWtdbliOM1mxLReMk+3oVAUui4/wXaS2Q/Ckqf19HRGPSoSHLfabolwRn3Q0ewgHDvn292Wu3NLqEi3TivdkGo4/7kiKCxxJkSRFlZkMV+nQhzA+vkFToDZfY/PgSLbEGLqoDZFBNAKrfLfs+Rt39ivcNYdB0xmcE/0IwEW4W67he+at3MEi1w2pUnRlN6+hItM62u5S8uPzc0/cw1K8NjxTVuS3uEfVoQ7o9dZyqHfGgcEaxNYPaC/ebvrZyCx1S6V8HEiMuLj+/CpAgnJODIpCgwWhM5RivT8uoY8Xx2NdnQ3FO1Syx619hKXRx/pAoqcO3GywFMMfFSp+0k42TLLmfDdeK1kWraMFFsabLmeScEiPV1yiALfUeIefG8hzTiDjS0dxi2lNU38qh2oIOEPoJWnwFWT4VVbWQGpLdCinQcj86NIQU/VJRDUVQmhUl3/tzsl+GRF2KyQZpllP07E/IbFSFXv7883MoDdWUimaVA5R4EsrrHSihSyk0TUcK8tVwhSsRrn0KVbF0Qs9eZR2EgJ7hpdzSDjGYCGZW1uJNG0VxMXl/yFfDNo9MKpqzaqinxSDUNyHNsXEssBVi5m/Vyz/98GftRPqLEgRojfTfRrv5m7UH3+I9Veglei0ILjUUwUsBJuW95HoI+gODH4HcytAqP75E/2q3e4J+/BH9KyJSQcsLOCa36An6n9z8i/0i06hPlG+CRyhkHigafiK2rtjRjGDOl5hcp9WAHXJ1wQA2zq6wRKQiLyUTpu4uEkQUmCOjSslE+WmtPqhLShjmgDFgqo1UVrMWe6d12A+2mLPcMUYIKYRWshK5fWE4BeSZWHvl6Nbkxf6NGEGOEQv01+FA2GjiFPZc4vypvHMeHaTZHxQV1ChGAlaHN4W7XwZb2D33tRC2zz42rUYrV/WxLdCvcmePZmxzMoGkssaYkeia0vIWoj2JF+8rIZqSUAy2ZXmWp4q6vq4lz5oKqJrVUFZVOTva24VbpkyFuTXae753EXBxsIJZsxti5UAMtwt/1S/OkbLSWoNDBYiG1Zqa5mu3UkKrRElPj06Jumb/ECVUklDQWPBfnNe+1w+0kIaiK8/vda+c5X5KUCLoNuICMV9B4MWvlOmSs5SZDU/anNdspPY/Cd3MytyE/A63zr4BdZmm57raavFPyH+PCKMTLyvGHyFGb1e1xtHl2eml1319US4rSqmGGi+CJ/KrS4Oonob7w7dpAEN83HwNOVdq35Sv2p+0BrvTc8AyX6CXP79CO6B7QbFAmPOwrwCc+qAmtf4jtKPK9cBD0OYDa4OkGJSL9In46Gri103EwF1NEbb1tPtdqhwIB1lNlGyE5HK9HwbiVkyNtFiEfkZkgxUmxhHRXuo94A9Oc4Eq4XN6eM9nPllRG7ug2wXqUwYRDsQuwaIorJIpRR1GUHg3KdNAsg7USkxAY3UxCuF9DpIQ6PEIELXBIscqR0KqAnP2Ryi/V6oiSJ/cZzkcTSJZLUdP0r2I1GLdIPOCsxWFHQcMfE2JFPmEgt0ed6ZNSj/LgQ0xQWRRcmqCDDDpRMWgwBvFBmKwU2+mzCMx8pVdO8jOU6zc58xJ9iukMJtIx9TWp8bKeWmznPJHIvxrkacguwX5hxSpuy0cEIt29VrFdOm1H4cUHomoZDf6FBl6Y/zlQ1uqdKecIj+UBxY434cy257iWNtsy/SIVDnN072DPsnGP1O6WbHWMepMm+aL3fj6+LVSslgA1AqK8jWhAismnVpfVNyw7w2jCuGy5HX1S9vLpsACr0OluQhxCO/02vrUDaUQM99qJHfCRcYMLsqhZ9BjDP03lRwnHzGjEdkwa93InOoFeldpA2ZSF6i9ldhM5OViQ488pIMCbLWyeG/pHJoQHHK9oKMdtIKigjiGwFa1ztmW5VazAX4IC7KrWpB9HBAvvMmbkqnZdtiep4sF3VhOZIbv675XRoK+ZpFyzRkP+kYjHvqkC+fESuNGni1GSzbpZLKKLYGKkSL3UIgN/WNfFdAgv1S0mo2VLHc7Lmrl4w5rBEjkE3wDyP0Qm6gRlYIeQRPItHVhEry+6yIFrmWWANUyS6E9lzFFUR/oy+hQE+hKnVfkcUzIgfkYfGNGz+W93pxjxeZtcu2YYEH7QAy6IcR2BGEyUuJjKNa64qnDThNWlKwMkQV94XBojBfIyh41wESWLxwJegbkBIPQLR21w51tY/XqvgiwE9k55PJJW7w46h3oXumm0sVCg7hTSQlbsdbwCWu3vpX7BE95XTl9NlPgABoXI8vbgonaRZX7IEsQb282z3UIn/tWetcSlAr9duVTY5muEwKGfjXk+8IOBiigXpWkLqVmEQXHnXgLzGmRuw5TkMpf393JLjwVN+OG2Y8likRVUMXIfWVRcG8zVLEd2Fi3kq25GU4sufs92tqWilwqnzB7cGdy+fdH6F5Th3YDbc27iKWvBR+R20rQw4g5SZ+yV9034wvpq/69mPFerg1ucouFNAjDmAiLZDiBlst1VieqPIpQrxnx3kJ9jp4pPdn3H5BuBV2r++MOu1iVkjOyT317DsiFS0DAN9cWfD8hl4PDlhIT8EPFKSAWFqdSGHqTWmNtELoQzl/X9kPFea7tv+BRhVFvgFCoAcwtj7ObkpkNx3UmkAVTgct6JGfTKwQbo9iyMrQjIcY5+n7Ap9XWu89fWHTocjhB7OFWixv1Ov/NAUNwmF/k58529LeAcQsVYJZgdcNB3eZ8qS1VC3RF3aFUmqoFXlNo5e0z3VdS1TiMYNdgnN5O3NAt9/tO3wqp0FLJnf2s/qvXNZ3ZNdlP+iK/xMrEdtM1gGN7VPydGs7xne9ONbN6E14pWVIfUEz1Fp8KhDlVpskuUu2i/m8uvOXFR6cJACQhBRTmHAkpvle0pGDJHMp+ALNhzienHj7a2CumGdD5grkIWx3+Ge1sx8zGK8tO1qNzWHAJ1SYCSfH9Wtr/PvASgJKSBRTHhPvGnWDgC0DAIilXyEoHw6heoKtWpgwHG3Qrq9JgfObK+SptjRhXMuqSbXIvfj3hMSK80qZmSP8/o2OCnzBtT9LXRHv/hlV84dNpFWh27cfdsLBF79oypVPKvr3N8LJYngMWCGstCQN/qT2NoD0JB/aWXdNfEEblZq8ZwRzlTF+foFLBTBQYJfZtWFHGCh9Te3nPh97V2ShcUAPDzLGGLl4aGjm4XgT16HzZC9qPS2t6U9HQ+Gly78FjaXydM0zwMDnxTWRRVuM7mODYMNoxkcudz6clUhBampMmk2KSGKNtrirO9+hLhblzfuaywEx4qSE6C3E58XR1vZ6x1KUDW7cq4Vsmrmnua4HqRHSswTvlDRT7yTcNaguWHzo4PuoKkVTUdSc7ObfEEIEavd+uHguv30rveUVX43Y9TdCZqoINBzuldrH6NQFbx/+HNe0fI2vaK8bT3/Fmy29gteYaK5pXhKI6ckTD7jZNFcM8C7ymyR6RK1iyVpuH72PnAbQvzKRfgJJrfVTLgRgeY7+6feg2WG+aG2rVwkCVYUU2LvO3rrFpygzPakiDFmF2I80yC60IDL6v/39caYqsPBeIQc5dJWBEvv0TNMJrUfMFhO0QPFfYeXv0wQm/atzn6Um/WEQWy3qerlz1HixfNqru8XrBwNe5PX1dbQQQmPb4zRMgDVyJM7e668k47Sl1Flxy13hDPudlvjhH752keeYbNyA3bc8X/Vrcnof1aueAfgxffsf9fHEOJPUlb42YGHsP+hE5lwbotrBwTGRlwY7psJG61fuUvez7UV1foO3UhYN+7InhyIkv3Vk7Kffi/FZNNpZ/7hZN1iL2UuStRrtAZ64+0/c75e6Dw9osIKj63/jhG++OW1amqdyUpnmMKsGpdpSR7kHZSbTFiuElH1UBuqYMTKCS4wlBoKnQSfuj9A60q6q6lRdWUlkNo64vZPacr15cXA51aORbxjqPwlRd9pEDBe9cC9lGWhyS6EIYdMXWAoOwmGDRUqqUzWu/Hckvy6SXte4moasj/KdFpDt82nJZLgOM8/63j4gJwqucWnHmB9m6QfjPXtcDjC+dQ8SBBem9CPtFIDI3e2wTnFPt0xLGjOlrq3Ifgdc9SvE6bsz3/mn4wPT1gZCrUWy9pirdCLswyT53YwEeBzeiWVG9kTy33ONs9YlJo73Q+wyehXHs3UvlZx+cjvG8acZxcR4uI7lzdJ7IosxmzruCU/G5VzDG1fn3dLX83qIjBdSnrtxs7rwiU1aaV0sfKWusi3kjLaWCzgNWrtf4TUyJ84PIH0UBHHfVX8Hsc/cQ2U1MtEZ+ZoUoRu8wqfsph5VbK4JmtWOk+L5WUNVhKeRszehDrRXFOnpusDbYVLEU58YfhRl/NLPDLr6UN4jlL6bfL/uyVnNgaDH6NGp87O6CxSJ8det3LPH0vRGTn4/n7h3znDEhq1gxzk4diV5Hv1NWksZ0Oow8sj9FBpy6M2OPJU45t3IP6YoQqvWq4ui1XR8RmVNtWaJu9hu2LJjI6U1kAnCmzXGa5wNlCywMppiqkVhSBfHNAivGIYMn4MFz8XexRhiI+L39bXBnIgEfyqVrLvRIGrFfHT1r8jlLqnTpi26dhBmRzKsIbUJ83eHp+USRoXNzjd/j1AklTvlqkry8r8p9236ImdAopwYzHnAyLGVlOr+b2Jrks+dm1h5b3OSxAR7TD6mhRcmTZfOcopyusA8B+c6XdQzfZ2tarXhLFcd7KOQy0j+u6FngRtoPwOr2v6arugrc+eq1YaaCxowouLHWNhg3bHrodY0axer4dwiOjWkCWUVkUdj7lIaNzhx0xDrJvqWSW5Y7/1ndRa6gejIRKpfk+EDj/b1lbxhvtUbSzcsLqwY3JSQ9PY6sr1dPK+v/LpdH+p2O3t7/kUsfgAnfrpKla5x7DgnF7uSvLi/QxUih6qKRrGutry45jEHEwq6mGnYd1ZC+jz/M51aHlXsnIrKlzFNXfI0q7oZKh8cFWVwm1KNN/G4JLmQwQ+V5xwXsS4ddAm0TD2FrljehnAknXhHbahyVgUd4+eMpec2+yyrlM1VP97785Lrn1IEoSNa4oaTqehFc6teShspb6y5MhxI3ZnCEBL3ied8h0lRX4i1mHI8DGahxhSOor1xRpSYmLbg7dIyvP17czRsrhW8A5QKwoy35dAPN1osJiciKbFnl+T66f4YVWdQ6oA7cStPjGp0f9FLFh6iYjNjlYFBil+lqjoIEprvZq67nKq5yZprKurYvmscoNNiurdhwoqQNLxzepMsSi03B7WxW+dnn1+iZr5X4XHGrKy8ZhwIOyAN7fVNKbb/5HH0/djSIYRTmWsid6BlCmpIKmlls+9AnJm0SPIMLbpgWelZXub/3pUlv6RqTPfo0aa5xtlT4MYry/cI9EjOBCszESuGCHkzHKLGCqb3p+yT0lMtLWBa9l7lLjm7bAnayzgJIoVu0L0gVsIRIZSH1+8a9pzv0ayXAlHwnc8rRMya2i+9OEJPkBC3tv6j9FxaY7zXTi+/C8UVDymzF8Whyfmwdqq/hn10iWBR8XSAn9/XwK7k62KjByKSYur8uPZ51GwRNlWXkIELbIq7cHWD2+d3vWFH00SUAf/fd53e/n354/d13Lud2ixVmkzy5k+o6ZsnyrRfs93rBboRt0gmGRWwlwtfsxO1S0jwHmNjnYp/AhFlJRYVmJKYA6biSEmBcxPeCBOIDsYBmO8zGw4kf7B2A3uexgdrrE7tEXVfLRJfCLHNtVOzKd6jXTuYQ676l0d7RuuYjnZP02GKXdjDYSKXxxSZt3Yuvd7EgVmzS0VRvNZkj9titBrsRBbY5LO8JC+Wj+wne33Fhkff6/4fxqq3K7Cb/PQqL5R0fvUfkIJKPwhx1HPcQflLOkLTVO9mOXfrMNBntdZYd9Ml8Dm63EefeHpmuW1azOeJhUPS1woxbWtfNXC69zLg479a2QScuaw4aug60MJjOKqxzrjOrIh6xn2MSryHd2lcfncmiqMTQEzXCThzXuOmh2L2nN+Y/aFinbnDTx2nWD8XtCov832U4atbiZrBhx0iGB2M3XriHnK50yQiT0bJE57LgAfsdVmIcdHjqqGtRlJlMJYyv3r+7RL85P2qblBpG5MusqQRX//kWfamomujdWnGRKTrs1Jk2uaHjEN2jD3XRWTCtq9HSScSHtAtUxh4jYIGWRzmOboNqAsGxB8PN4w9owByrIsFpWbAJ3Au4jFiA3ACt8mhTaXsw43a76oHOsRlqhQ+Fu6SCbAqsYpWVNHD3JR6NL35w9AmTUTpVFJjZJjovELqKW0DVAF6todVSArBy+fcEUEscfRKG6zgVnb0g6J6x2A+O79xWUKt6RkdaZJjAYJT45ScWthYRjfcO4OW63P4kbswm+vtOREaMynIdte96B7qFfFzk6Q6AtxxHlxgio2LNRMSiyDHoFLnRIltlescMiS4/RLbicqdxET93pQtbmG066AmiLkRkTKQUJ0yUVBXLfbSE9xHsklynAb7FPAWvsDIrlTQyix+SAujbnzLwOMaHzZPdTS7XWZ6C2BZw/Pw3IrIC32TGxHIb9AFbjuY0waNQMJEIaSbSIV1ynfElz2KHRXuw/5QQePTO4B3YsXshdmHHrurtwv45IexXCWH/c0LY/ysh7D+ngW1kyfGSphApDfT45pnIioqD8r3cJ3gna+DldQK9pKg4WxdlGu3bapmYr2MnIXnILIVSoukXEt83IjLtEhITnKBWJI01aQGnsSb1XldlglmkRDRl1UlMVSONNT3oTQIRYqSxhlkq2GDWJAFeCXYjsJCakgRMuH1lqZLoUdi+kqXZUJwncKvJoswIT+DDtoATBEkArlruTXy3qIWsk0AuqyxBTIMoZhjBPEEBkc7wmgqyj5h11YUtMN//QfNlCry3GbQBTQLZtYNJg7VLrE0Cfbkut6/S+KB1tmTmz0kajRGdxZ0VNwCsZHRRrZNcc4BKiYpf5aadjz/arK0OYGo2zs8f3znigIPalwS46yYfr4NcB/aKcZrChtHZKsUhslXM4uw+4BS6gc5YCUmKWRJRx8rtT7k25aiZfyTYWpEksDlb0RRmjAZHc0FzFq1gtA+biTRcUsi84lQTmYLaHjhbJ5BNstQ7bKLO/O9AD2WQRwGs6Jppo3B8T0gLO4HGp2iZitQqGa01dCJXieSry8x3LJ4AulEUFwkUSVcKlArtdMr1biOZztyE2fjQ91jhJAyeTxTCxoC8dfPtY8Nl2mARfc5xrs2yUrGGBdZQqZsVlAJqFR3X+Hp0XZMcGyxMbljFH3Z9bKeBQzDXOM9j3wGWxw6r1q2DErxFrMiIkrJI0pXIAk5gprEiS5Mc6TsepSBzeR29PVOp47csZaUuFYsMlGPDTBU9+4wzQeO12Gmh6qgTdRq4UHwb363Fpet6mq24jP6cN8ATpPxbmze61LFAE0gca0MnQDV6bgKX6ySsK9ZJLnApVWwBViyrdYprVjBNUoiFQidh2BRzIAQ10FwpOtzoMtw1gI6d8eegxk7HE7tdbAskSUWZdAOgo1uiMr5mJBVbZ4F5XA+GuxNUxX+zyswN5Y0ONupk6hasG/GahMkSFG76mTixhYEHG1salJlzJEVHF2ttP8zIJlad/wg0vSlZ9EBASVWxVliYUc/dGJB3SQDHf3pdJ7JPnwZTQCMAVnKdYV1GHBjQBa1wbKiKYp5Cv1OUAB1c19FEwOMT2UKO28K1A1mqPAHG8R2ZOoFvWDvfcIJ8AE1jJwK4gccJjBNNv8RngFCD1mhQE5hSmq0TCF5dxvayaUVS3ANF8uiKtFYk1BU3AmATb8RWF2alo3fV3BIRu1AiOC32oUBdk87Y2zdrE5+tHND4Eb1mpmdsuPsyerfWKl8myUOvFE/wFlaaqixnsavek4ytqCNDKchgiDa4iO0N3mZMaINXCTSDLVMmhRq+LUWC1k1GqkrEdLOG2qIFOoqeVkaiD5VAo6Wb7JGEw/I+Y85ydKZozgw6wyr33Qw1tH8Po+MmZyWk0tSEUAADQ/QR9DcgkqNQqU6TD8FEOsq9Lkou93Q0WPBW+q1kFa2p9x15zNLQ+Yxg3pmia3qDCjxstNDGYsW6Gg4DSY4kZxqGM9Sr+6OHBkpIV2UplUHjxqMI7TbYIGZQqehqihUekJZ7nyEUIcJ7q6NBATHhO7tP9IXmTKSeyN9B1a7WxVMjI9fUbKhatN/XG1mNXjSEBN1S1YwjMhKVWGmK3lGDYSK4u6u4IcGzt3KtX1y6stfn6NyP+DpBZhOYUgTNgD9QP/oY0BboPTW/MyOoDp/zmKmTEG8FI7ubWwSLu81qihXZLJhgQfxg5u4M/bUH4hNmYUAyxAuOKwGzftcVzHGtm7iHG7gP+rUf2FP6dtzNnpom3H5+8YSxbw8ii1jTdLfOq7As+khvDNyKKXfBHNOoJwRSO7juPUyoFnxi4iV0z004Dhz652pqkKJfKqrNgabdx2cr379XvlMZYCyPW9VJ7KFHqsk77btTDuHkMILYWO/v0KFd/xLceczZ/7fPN7SLXZzXQgHWDvMGWA3xknjvycL2cVliTZFL126wQaNb1ZyS/8Xj4CuaUfAN5lK59vVBMiKENdKUwrgzfHhelcJCYzLDeN9Rh2m3tAC1t2UaUimYgHYI6ZKqgjl1Yy6k2yXdYA62ZZyuKeJ0SznCWrO1cAfXzusPsz60ZH5E+Q3rH+D05aNMeraYVYJ9qehwTCIOX74Ovsd1TDxuCkqt0bDcXUgihaCQW4F2zGymBAVCgcqQRmNX9KjyonubFpacIE+aJ4rLNSOYI4vBhOkDWDwudrDUxJjGx6NdudnrMHqddLadHGS1xn7gMWdYZxuZ3CZwRlxjrsEslXaokZWK3RE84X4AyF0aiy28aX4QC+EUq8Up19Ia4r37dg7BcvSr/8UCnYp9838j6AZseS0MwvmCyKKsDFVhMZzEjW83ls48+2Z4FjBjsXcgzPytevmnH/5sbd/zznHUFPsmiLbn0yxuxOyujhu8pwr9c+OT0y88GoBc+NbHrv9Jz/OixbnH9QfP48jk5dtk27fDgSl2nQV6/9vH13bvVFHnPAF/ac40UbTEguytVunVMz7MBUFAoRP08d0v6EKYH1+eoIv356//6xf06UKYVz+hZ7vNHgnKzIYqRDZS+1FpUilKDHzrh1f/+388/zZIEWo2CWXckB4gUxcFDo/j0Ym5757X/Mrx4kWNVPiK508L6a5sugXzIxvG3fmBD+E7UExb6+QzU6bCHL09fR9E9g8paDpf1nGc8X+loIswbS26X40IhY3cLjzhCJ7iG3zgHNbY0B1+hBHpwN2X6DTPFfhpHZeH0GmeXlKUx8Y5HxoLuTh7d+lepcnwWIH1jNGPnlPJaar+7UYXlxaVCe+XpeGRkyCi0NCuPU3DWhPL3HSteQVEB12c58x+GfM2YNuZ5R9+52ZkAGsSwgWX/oaf91lghEqba51Er7vrk4bRe4/hpVSmEckjoZtDgA0OgJn97ZJXz0x7tx8m1vVjUm/r3RThBQ3ZjXN5cT12YPlirSVhVuV0fqORjoOsXFZYrOmiMZ2IFCu2rhTN0XIPMKnIIWsoLGfKI1sPjIpGJ7Tl4KKrBP0OeETdv1vCFd0BoGghDc18Znf8PKP4pM2FznDmUvETgC6NSgN8lYAlVgmqhXmK65Cq/0mZgKg4z2pPXDq1fGjB230shqt1nQmPoMG+NhuqBDXo476kJ+hT/Yy9BQfYj+iydoCNXoLfpjS1elTPDMrEhGlcI+394icIcx5UJsr2i5DghhUk5m2psm8gE0YibeAxZwJ9upgUKAQSZJPJq+gi2wKVZYKxbxawojp2Rq8Fm6DExb2IsVPRwd+eAFs3WiHjVKyjT4oEnK3ykVALndBAncqDeScAIxCBdIIVwuiNVDus8vGcboRO15DspRC2N/4GcumW1OwoFWHVM3LXxPvGuKXBvBuqc8ggaBkPmRGjHTLh81whLaFgxoolP2IjvMUtx2KOOP4dHJR1gkjHRTnaYN9l2UZSttaCXYMB2395YkcqKYEuBNt4/eDuFrHHyjBScawQ9ItGNRLPXt/88lau5WoVnv5OSWY2NPnx9pD9aBd0t7GD92uLt0X3tDIbKoxPFp9EW1cxOyfcLaHHLTmN+idN1STCsjJEzktpv+Q0wlcVIVTrCZyh8/hxzdGOSzwBvJBVcddS7VGgMGGE2xzCqYcjHeBopRIE+HQphX1XrNwKKYfND9FIUervahuvH93Eu4mR61oKNQOc0bzZj/fDDPRhJpBmpgrITwTFBdSLaA91gzXCuSzt62I2lCkkd6I9Mkc4g2+kkMVEXi3M5NDMtaifV4mwyj0TuZU/UumGABi9YZyiU4/YYkSGuzh7RbMxdycnE8ab/T9KusIkCa581kJcKoT2GCBEzHr3BxDC5etd+XqN2JSYTghdypTVA4HNL+kGb5msQLsksiiVLNhEhiKdG7nXAi85FJGt0Nlh3JjYNmInIZJDDHtaJwoi0MMw6nCZIxAMrN/gl/p0O69se98m2a4ts6yEGZazxdbocygDz8gxZv2dtCB4j9dUUMVIvSUgCCT6DVMLmNnAUxua7YY8sgvyw0IbNR38rPd0TNutR9vTy8N78uqFWyvhvoKmaWOEG1ZQbeW60/YULelkEMmfQrSmELceBDQefOAxqDuy1jG9ux+NtX68255+yHS0Iad33pp3GN+2w9HeYMetQLiDMPh6d/fy1t2pWc/OXbQoe1O3n1y0XqrzCJBb5HgjQL5edvzx9iOLNdpgniO7m3xUs0qQmHfsDvJjVnaMubcRMzZKPZSgDfzU0St3KrPJCmo28hGiJLjnSUYODf+1yQOHXkpKJvU6HYjqfJDc+2stIgf4MpEn5L8WP//pT+jZ2/PTy+fonGnDxLpiekNzKIUP4sLlWibvC3QoEgbZsiuHhz9m+OJExpiSib2Kh+o/7amGMGhuDHjkow19vs91IZD239T9dhx/gFMoZopFqE16mymGeazudIONfMA5q7RbAUmFNCsYx8qJJys27R0i8K6Hy6vgnmuWz9lppJsp/8kyQu1FHPTFbC95ujqLU3HorkNYw1cadvy/3kkEn4x4wTtuaKcsIw+7MqVKmRgwCtkAqaVaY8H+OJBVLdKxwl2JfQSluzw1Qe4VU8Fa0kRdf97Y5eC1cC2+XO+iXlbzrxRzsyFYUVQqmsuCCRwsuOuIp0tsGBVG35oez/Gcu32LH3WzrvUjLRMxrr0631rBVWJloBlSu9XDYnXGZkde2NxFoq5oThU2NM+iJZUd4A8rfN7UKzbBs0sltyxvmof57+Gy5F5THTGGb/5jn7W+ThtWcNpNsnymXTZL+l5/Zj+xzeDwUMic3DIXPd8MFfeJFnCN0hlzKPh9NU96AzpT50edSuh1YKNORwWNFWukjVRO4ltoBTUYVvsWvrWw3/o2vPuC5Tmn80m5d7DeXeVc4Hg7cu8oOVePx5hnu5d+tU6HIbGvo7MnqOTYHpl9n6VCVBC1L6e8/JAKOYM9eYcMOtXYlr9KbdA7TDZMTJh0OU4kOb4Z0vqTgEz/UlErPqx+5Jqc6QV6m+MSfYb/cfpRLoWrO/3b+PFEG7ylVnPiFCv0paJqj6AHoS6l0LTWqMLFqXa/GfxmHnnpe+ARC1mxugukcNt3ffmm8ay3NAOqLQN98M1R74opTHlK6zAb8njdWrrXxMjahv7hZRqpSoigHatPmpfHRZ5dG6mJGjsPMfMWZvqDwGjHRC53GumSErZixH5yEqoT9Hmy4wtit+fwbXNu0DPoCEsFaZ8hCF0+71ALVQLe8bd0jckefdL9xrdNBLYYFtJGz661K8xgsE+89l1TC1CBWjVgMvsijije9AEIVP/3Kk2hnGdMvv620yvUU915nXod2DHsMMho/jdHbHaevN6prfoMX+96r2Xda9j6dBfQ8W7mcdg1AYP+2bQJme4YRicUbkhxe/EzlA3EHAk4WeEGW87pignvqwfhBF39ClxONB0E7I4qFEuEW+uAGah/sQVj47NNvXffS2miN2XjwzYGk00xcwv8dlUgOBpZR93jSDLkZclEvAliUe+G3TIUFaZ9PANCqlu2A8fi2mi35f2BqZ0jrNO+fbdgXWJV85T980m7ld2GjVqpI3s7rC3rkt/vtD0TfWaJa2sh1T7dgf9Fl1j8260dY2pE+l3Ua/U89DRZsvzlBUC/ZW+PphKNdlX3Wz+8q0kuyKgwSpbHiI5cVsuRc+FOPO7XtNY2vaUcAXB01R3z3sMzWZRY7Jv7CNcOxuk7e2VLlX2GMiZWMqwUYH2dukboFvkxsCJrzHY0bVf01ZdUOQJvKs736D8rzNmK0RydQ92zcw4GUdnRZUakvGaPFHT/nS6RW7+1nzGf0uajd5ttw+FlZUDlPnKE6e13/UOzhJ+y493Rzie/QB/3pdt66zmwxHEnOH14iq6yqM1kB2hbHJwjQn2rQ21rh8jM4aprlMs+ds6zWEpVe/shxPzh7cSRd3rlRGanmhZl2jlEB0hhV77Vc1+jqaRMpIn0kbLr2PNAJTZh1yQRGdYxo/0dwMqX00eGXCke8Zg7UCOeSmOMZpWK5Q3pwNRUZXgdz6ZsQUd/nvqgo6Y/9kF7rk8gWOiNoQJUq/jGiYUfjZsbRW+j6CBVJrZG5ZaYo5awJ3M/wrKgXr3w/33mUXjh/8PnNYXc/phTFc7O89t5xOi520w3eA4e186otdF2cj8QzZpUTKyoUhNx1/G+Z9lXV/G/lfRB9+wMSNZ9iVedYwhcKQhry6RXKrDEbOz32sXtLdt9hAxi1f3TX+k4QWt64CcrN1TN44+wOrvPeHp2BqMfn6MzWD+MGlVmpmYpE3Q+o8oP/6S9LMwDzXlp0tBxh5CdA7eLfqs7naIPnjT741iv5P1bo4RPG12xP8LeGnadSKZc/PU1EnQtDXMHWG6wnpgApcncbYU6R+kWnx4uaI862QSoUYLLgMfqxul1/U04IUWz9RwVFf3+Rs3Uw4+Tg5atNGFaV9GVToAMyVLpvHUPi6EAhlSppD7Q0aF0pedruzi6guD0Iek0S4ZE0xncR5GfXUFq5+HHqCM9j0Py/tLzAI7TIlRrnm1TvujDkKp3ZAeRyTPLeriK3qZRpwLMrqm3qBM1N/imHVfSfZBAtv6ENMTrpEIXV6d/fXeJLu07hX4TE9NXWmwTVVIfg+3HnQxjC2KIbCi51kc5ke8mhNP2IAsNnWv6dTYtwiAN1I8gbKXgAS2XKjZqCvkISq7Do+kKMmk0AM4Gm2q2CZ9dLLeYs9wxYgCJoSCcrav1IUEIFLumez0U25E4v04gjQx7Y0ypMwYzaJOAhqNMQRCCn8BtYmtRV75Ixcz+lhtFZFEk7RN3R7wdHt4hFC7B3zFF+dDSjO1i2XEsMq0fa+CtXdnJ8N/9busarSC2rtQ4KyWbI606hLDDAAEGgFTYGgCykg0WYtQ4I3W7Kb8qIDIRs52pbXPzsPiZh7+/PX3v370Xg+WbB8VINfT9R+/ZxvR1tpW8SkWA03qOs/BzbprJ2PU430owo9Ezh4R+Dt06oLC3nqg7AI8A6eBueJVImr31uH4SzPh0gUW/6GBLFWQKrCqOiBSElsYaylfuDCfaK+x2KaWvI7w12OsR2hbRUiqDpKXvr/9+GkrBDZI9Nt9JtZ4/wXJYYNBzsS6xa3YSbBTzH69/u7y4RO/wTcFE3oz1Dh+r3dvsaZi9IYoT2/LbGO3u0LYa9Slcshg9PdtVOWar+Qo2H7sIv95ycrWj5yzzUvni3Hfp9VgcxJDPdyiP3Cug3nHx375uuCnMEflYk4x9u8FfYk3oR8pu9OOqwYpvgrqFK+49QboKpKhjjf6ijZJi/W9Ljsk1Z9rQ/C8v/N9Omk+ZWFES/mjFFN1hHlRk8JJ3foOwyJGWaIItFV0zbdTeWvZzCosSm41v1t/ggIY4jJAEp9RcaLpCaFevRaTqdCFv9MkGcypMJyelxtsPZFw009QWg8s/jfsU3jld4YqbDO7EL2iFea8Uubelfgb/+05yRD0psh0Z35atGYVXK0ZgkMCSUoHkEvpGdBp6Neei8T02M7zYt2xlfOsbl7HFWiRWJwuduk3ShERReIcKqjVe+75ERFr5DQPMQorkW7lG55TIfCLs42FF91G5ns8RE5gGCM8pjaAI075ocoWY0AYLU6MRtvENO+oRz8fvVFAVh3vIrHVrXJ1TO54AbaxtCxN2f2dGUK3r0799CoKgW6q6DSpKrDRF76jBoKn7mttmqWdv5Vq/uHRJtc9H4M99OlirVmD0gTph4ThcdNCc6CRDt0lcOA+LNhd6nVZ59mf8zt/zi/MffMDFtX1rrWvoCXCDiUFcrt15jfvawO5gkrXnFvie7s8dsr/3B7uY5IwR6KM4JcQZI8jTnDJ5JNt5z+TlP87k8JnYVdMcyMOur1z+PQv2unoy2G1ThUofhpqiKbNiH062VPf/YZiB7Zeu4P5hyOEqZyaDftRPEb2+4fSEENtEnKgbFTEmjkMsrcZUS46ny2k5PWpYbFqyrSjNUxeBTIctum0TXSNJmo/0kJGS8DArYqCHjKDfYkVMU3H+OvPhYNwg+Ry5RtuMRD4UoOC9yUfmUKt9dKBRo1Wzf/+nfd+oPZOC2McBG/nULdsJcQNN6hKKwy51z+wyLvmlc5/fyrUf6+qrGKCXnDVBFPWCarT1FbuhOdIUJu32ftxfQ08bLPUhjGA/2GBpDmEE+l6HMvYExvcvHceYo33dgyb3o0HEFgsH+PLXOq/UcyQfcqSmouk8zOVah9im40P6eujLjmGw0Y8mCXtxuf2p7Qc4cd2HxB3t3sivlbjbV6nJ++r/XfImrn3yNB7KBedI63rLcoTRmm2paJxkX68iYEl0nP8irQWSP0Xl7+uIaEw6NGS5zxT9kuCsu8FDOGDYt2/m99r3FLuEi3TivdkGuwprgscSZEnr5NFPF8L88ApJhd5wic2PL/tpXkSKFVtXajq/pd33MeruV7xvCIM+1bJJsIxn6JkxlR1TVxN97Q4GqXZY5cmUusOT6p1C8rmn72GkKMfj1DTXWtU/oh5t3wwTOFW3XT6kYmsmMK9/09dWbqFDKv3rQGLExeXnVwESoGA3WRSBBA1GYyrHeH1aRh0rjse+PhuK84Tl9T3TDpZCF+cPiZI6fLvBUgBzXKz0STvZOMmS+9lwk4PbKlpwUazpciY5h76pX6MAttR7hJwby3NMI+JIV4+H6yiqb+V4nMU0oZ+gxVeQ5VNRVQupTV24t9yPDq2ZxGUBalaUfO/PyX4ZkpkpJhukWU7Rsz8hs1EVevnzz8/RDvtRQvUqByjxJJTXO1DCz9VJRgry1XCFG6pS+xSavqv2KusgBPQML+WWdojBwiU6tXjTRlFcTN4f8tWwzSOTiubsqKYJtxHqm5Dm2DgW2AoxU/f9AZH+wrUJrZEej7P6G4J6kT1V6CV6LQgudcVx06zsXnI9BP2BwY9AbmVolR9fon+12z1BP/6I/hURqay+7HoO1MPU/ic3/2K/yDTqEyXc/kLInD5ZW1fsaEYw50tMrtOXPuVUSFOPRgO7whKxrnkB02RqKh0wR/JmRsAy0HAbc8DYzbE3UlnNWuyd1mE/6DSjCCGF0EpWIrcvDIeBDBo6AtwtebF/I0aQY8QC/XU4EDaaOIU9lzh/Ku+cRwdp9gcMo1SMBKwObwp3vwy2sHvuayFsn31sWo1WrupjW6Bf5c4ezdjmZAJJZY0xI9E1peUtRHsSL95XQjQ3mCLbphx4/rqWPDCWys2nFjCJv2MXbpmCkakX533fuwi4OLoz3YEYbhf+ql+cI2WltQaHyni2yOT0/4YSyeqZH50S/XkkE/lySUJBY8HfNr/6AN3wmxnNRFHsBwFNCEr7Tx2I+QoCL36lTJecpe5e8mTNec1SFcI+MEX6uKZRd+V3uHX2DagnAnmuq60W/4T894gwOvEyGhc0S4weRgBJhS7PTi+97kuwsORhRSnVUONF8ER+dWkQ1dNwf3xyTxUY4qFRt2hsylftT1qD3ek5YJkv0MufX6Ed0L2gWCDMedhXUFc/r1DrP0I7qqgDiw3iFGuDpBiUi/SJ+Ohq4tdNxMBdTRG29bT7XaocCAdZTZRshORyvR8G4lZMjbRYhH5GZIMVJsYRkUL7IouFm+COKuFzenjPZz5ZURu7oNsF6lMGEQ5NW7AWRWGVTCnqMILCu0mZBpJ1oFZiAhqri1EI73OQhFSqhqgNFjlWORJSFZizP0L5vVIVQfrkPsvhaBLdbRbeASK1WDfIvOBsRWHHAQNfUyJFPqFgt8edaTNDQ/vQhpggsig5NUEGmHSiYlDgpxtNa4OVeSRGvrJrB9l5ipX7nDnJfoUU0Tsh56MEiQc3PRD5IxH+tchTkN2C/EOKR+qeU69eq5guvfbjkMIjEZXsRp8iGMbtR5D7drg1dvmhPLDA+T6U2fbDUeAPB6kokSqnebp30CfZ+GdKNyvWOkadadN8sRtfH79WShYLgFpBUb4mVGDFpFPri4ob9r1hVCFclryufml72RRY4HWoNBchDuGd2l50SDlcNWLmW43kTrjImMFFOfQMeozrqUnj22c0IhtmrRuZU71A7yptwEzqAnXdsybycrGhRx7SQQG2Wlm8t3QOTQgOuV7Q0c4NTRPEMQS2qnXOtiy3mg3wQ1iQXdWC7OOAeOFN3pRMzbbD9jxdLOjGciIzfO82q63Qs/qaRQoY9LBvNOKh39Ltu5Zni9GSbXe1KrYEKqKP4mzoH/uqgAb5paLVbKxkudtxUSsfdxjGnlbdBlxdNEtALtaoh4aoEZWCHkETyLR1YRK8vusiBa5llgDVMkuhPZcxRVEfaKxRHy3UBLpS5xV5HBNyYD4G35jRc3mvN+dYsXmbXDsmWNA+EINuCLEdQZiMlPgYirWu+CM1zZeVIbKgLxwOjfHiB7iMOAQLT4KeATnBIHRLFTOpW4NOdZ/2q/siwKnRpAOXz8yD29wr3VS6WGgQd3Kj7lvDJ6zdumDOVE8Vryunz2YKHEDjYmT5aDJsMwk2iHdoikzCQ/jct9K7lqBU6LcrnxrLdJ0QMPSrwfr1CU1VSepSahZRcNyJt8CcFnnbXbi5u5NdeCpusnSti+4pikRVUMXIfWVRcG8zTX6+QyVbczOcWHL3e7S1LRU5zEm+VW7J5d8foXtNHdqV4+m0XcTS14KPyA3zgA8i5iR9yl5130xOgvVixnu5NrjJLRbSINxMUgsn0HK5zupElUcR6jUj3luoz9EzpSf7/gPSraBr9bjtd6P4S87Ifo5pOxNy4RIQ8M21Bd9PyOWKp8ybDhPwQ+Wb/4fFqRSG3qTWWBuELtpRAXV1VZ5r+y94VDGvEQo1gLnlcSYbLNY0E3SXWhZMBS7prhPqByXEGMWWlaEdCTHO0dcOdautd5+/iaHEJY4m7BrK8dGEjlluDhiCw/wih0xXfwsYt1ABZglWNxzUbc6X2lK1QFfUHUqlqVrgNYVW3j7TfSVVjcMIdg3G6e0Efo/c7zt9K6RCSyV39rP6r6Se42jNrsl+0hf5JVYmtpuuARzbo+LvlBxVh851pyTP2xmkia6ULKkPKKZ6i08Fwpwq02QXqXZR/zcX3vLio9MEAJKQAgpzjoQU3ytaUrBkDmU/zDEXpd9HPzQNxelxL5iLsNXhn9HO/FCNVtajc1hwCdUmAknx/Vra/z7wEoCSkgUUx4T7xp1g4AtAwCIpVwgmzDOqF+iqlSnDwQbdyqo0GJ+5cr5KWyPGlYy6ZJvci99mmgnhlTY1Q/r/GR0T/IRpe5K+Jtr7N6ziC59Oq0Czaz/uhoUteteWKZ1S9u1thpfF8hywQFhrSRj4S+1pBO1JOLC37Jr+0hlkCIMLT1CpYCbKCaKGfBtWlLHCsQZW3xLEgqWooUqjEmvo4qWhkYOfJi2Lwkox2Qvaj0trqCEH1T33HjyWxtc5wwQPkxPfRBZlNb6DCY4Nox0Tudz5fFo/bfKkyaSYJMZom6uK8z36UmHunJ+5LDDzg3hh3/VCXE48XV2vZ6IB9qPRcExc09zXAtWJ6FiDd8obKPaTbxrUFiw/dHB81BUiqajrTnZybokhAjV6v109Fl6/ld7ziq7G7XqaoDNVBRsOdkrtYvVrdsbkHda0f4ysaa8YT3/Hmy2/gdWaa6xoXhGK6sgRDbvb3Ez9LPCaJntErnpj/IfvY+cBtC/MpF+Akmt9VMuBGB5jv7p96DZYb5obatXCQJVhRTYu87eusWnKDM9qSIMWYXYjzTILrYj9VfP/40pTZOW5QAxy7ipBOMXK/gka4bWo+QLCevJrXdh5e/TBCb9q3OfpSb9YRBbLZnzvqvdg+bJRdY/Xa8tUpef29HW1EUBg2uM3T4A0cCXO3OquJ+O0p9RZcPMNrnVe5otzP4IbPfONG+rZlK7o1+L2PKxXOwf0Yw349+7ni/PufNdGTIy9B/2InEsDdFtYOCaysmDHdNhI3ep9yl72/aiuL9B26sJBP7ZwxvfM447PmoXRxfmtmmws/9wtmqxF7KXIW412gc5cfabvd8rdB4e1WUBQ9b/xwzfeHbesTFO5KU3zGFWCU+0oI92DspNoixXDSz6qAnRNGZhAJccTgkBToZP2R+kdaFdVdSsvrKSyGkZdX8jsOV+9uLgc6tDIt4x1HoWpuuwjBwreuRayjbQ4JNGFMOiKrQUGYTHBoqVUKZvXfjuSX5ZJL2vdTUJXR/hPi0jnLgOX5TLAOO9/+4iYILzKqRVnfpCt/fkCPXt9g4uS01/QpXOIOLAgvRdhvwhE5maPbYJzqn1awpgxfW1V7iPwukcpXseN+d4/DR+Yvj4QcjWKrddUpRthFybZ524swOMA2ulGUb2RPLfc42z1iUmjvdD7DJ6FcezdS+VnH5yO8bxpxnFxHi4juXN0nsiizGbOu4JT8blXMMbV+fd0tfzeoiMF1KeuYNyMzCsyZaV5tfSRssa6mDfSUiroPGDleo3fxJQ4rPIdVo+ToTfuqm+lK/YPkd3ERGvkZ1aIYvQOk7qfcli5tSJoVjtGiu9rBVUdlkLO1ow+1FpRrKPnBmuDTRVLcW78UZjxRzM77OJLeYNY/mL6/bIvazUHhhajT6PGx+4uWCzCV7d+xxJP3xsx+fl47t4xzxkTsooV4+zUkeh19DtlJWlMp8PII/tTZMCpOzP2WOKUcyv3kK4IoVqvKo5e2/URkTnVliXqZr9hy4KJnN5EJgBn2hyneT5QtsDCYIqpGoklVRDfLLBiHDJ4Ah48F38Xa4SBiN/b3wZ3JhLwoVy65kKPpBH71dGzJp+zpEqXvujWSZgRybyK0CbE1x2enk8UGTo31/g9Tp1Q4pSvJsnL+6rct+2HmAmNcmow4wEnw1JWpvO7ia1JPntuZu2xxU0eG+Ax/ZAaWpQ8WTbPKcrpCvsQkO98Wcfwfbam1Yq3VHG8h0IuI/3jip4FbqT9AKxu/2u6qqvAna9eG2YqaMyIghtrbYNxw6aHXteoUayOf4fg2JgmkFVEFoW9T2nY6MxBR6yT7FsquWW585/VXeQKqicToXJJjg803t9b9obxVmsk3by8sGpwU0LS0+PI+nr1tLL+73J5pN/p6O39H7n0AZjw7SpZusa555BQ7E7+6vICXYwUqi4aybrW+uqSwxhELOxqqmHXUQ3p+/jDfG51WLl3IiJbyjx1xdeo4m6odHhckMVlQj3axO+W4EIGM1Sed1zAvnTYJdA28RC2ZnkTyplw4hWxrcZRGXiElz+ektfsu6xSPlP1dO/LT657Th2IgmSNG0qqrhfBpX4taai8te7CdChxYwZHSNArnvcdIk11Jd5ixvE4kIEaVziC+soVVWpi0oK7Q8f4+uPF3byxUvgGUC4AO9qSTzfQbL2YkIisyJZVnu+j+2dYkUWtA+rArTQ9rtH5QS9VfIiKyYhdDgYldpmu5ihIYLqbvep6ruIqZ6aprGv7onmMQoPt2ooNJ0ra8MLhTbossdgU3M5mlZ99fo2e+VqJzxW3uvKScSjggDyw1zel1Pabz9H3Y0eDGEZhroXciZ4hpCmpoJnFtg99YtImwTO44IZpoWd1lft7X5r0lq4x2aNPk+YaZ0uFH6Mo3y/cIzETqMBMrBQu6MF0jBIrmNqbvk9CT7m8hGXRe5m75Oi2LWAn6yyAFLpF+4JUAUuIVBZSv2/ce7pDv1YCTMl3MqccPWNiu/juBDFJTtDS/ovaf2GB+V4zvfguHF80pMxWHI8m58fWofoa/tklgkXB1wVycl8Pv5Krg40ajEyKqfvr0uNZt0HQVFlGDiK0LeLK3QFmn9/9jhVFH10C8HfffX73++mH199953Jut1hhNsmTO6muY5Ys33rBfq8X7EbYJp1gWMRWInzNTtwuJc1zgIl9LvYJTJiVVFRoRmIKkI4rKQHGRXwvSCA+EAtotsNsPJz4wd4B6H0eG6i9PrFL1HW1THQpzDLXRsWufId67WQOse5bGu0drWs+0jlJjy12aQeDjVQaX2zS1r34ehcLYsUmHU31VpM5Yo/darAbUWCbw/KesFA+up/g/R0XFnmv/38Yr9qqzG7y36OwWN7x0XtEDiL5KMxRx3EP4SflDElbvZPt2KXPTJPRXmfZQZ/M5+B2G3Hu7ZHpumU1myMeBkVfK8y4pXXdzOXSy4yL825tG3TisuagoetAC4PprMI65zqzKuIR+zkm8RrSrX310ZksikoMPVEj7MRxjZseit17emP+g4Z16gY3fZxm/VDcrrDI/12Go2YtbgYbdoxkeDB244V7yOlKl4wwGS1LdC4LHrDfYSXGQYenjroWRZnJVML46v27S/Sb86O2SalhRL7Mmkpw9Z9v0ZeKqonerRUXmaLDTp1pkxs6DtE9+lAXnQXTuhotnUR8SLtAZewxAhZoeZTj6DaoJhAcezDcPP6ABsyxKhKclgWbwL2Ay4gFyA3QKo82lbYHM263qx7oHJuhVvhQuEsqyKbAKlZZSQN3X+LR+OIHR58wGaVTRYGZbaLzAqGruAVUDeDVGlotJQArl39PALXE0SdhuI5T0dkLgu4Zi/3g+M5tBbWqZ3SkRYYJDEaJX35iYWsR0XjvAF6uy+1P4sZsor/vRGTEqCzXUfuud6BbyMdFnu4AeMtxdIkhMirWTEQsihyDTpEbLbJVpnfMkOjyQ2QrLncaF/FzV7qwhdmmg54g6kJExkRKccJESVWx3EdLeB/BLsl1GuBbzFPwCiuzUkkjs/ghKYC+/SkDj2N82DzZ3eRyneUpiG0Bx89/IyIr8E1mTCy3QR+w5WhOEzwKBROJkGYiHdIl1xlf8ix2WLQH+08JgUfvDN6BHbsXYhd27KreLuyfE8J+lRD2PyeE/b8Swv5zGthGlhwvaQqR0kCPb56JrKg4KN/LfYJ3sgZeXifQS4qKs3VRptG+rZaJ+Tp2EpKHzFIoJZp+IfF9IyLTLiExwQlqRdJYkxZwGmtS73VVJphFSkRTVp3EVDXSWNOD3iQQIUYaa5ilgg1mTRLglWA3AgupKUnAhNtXliqJHoXtK1maDcV5AreaLMqM8AQ+bAs4QZAE4Krl3sR3i1rIOgnkssoSxDSIYoYRzBMUEOkMr6kg+4hZV13YAvP9HzRfpsB7m0Eb0CSQXTuYNFi7xNok0JfrcvsqjQ9aZ0tm/pyk0RjRWdxZcQPASkYX1TrJNQeolKj4VW7a+fijzdrqAKZm4/z88Z0jDjiofUmAu27y8TrIdWCvGKcpbBidrVIcIlvFLM7uA06hG+iMlZCkmCURdazc/pRrU46a+UeCrRVJApuzFU1hxmhwNBc0Z9EKRvuwmUjDJYXMK041kSmo7YGzdQLZJEu9wybqzP8O9FAGeRTAiq6ZNgrH94S0sBNofIqWqUitktFaQydylUi+usx8x+IJoBtFcZFAkXSlQKnQTqdc7zaS6cxNmI0PfY8VTsLg+UQhbAzIWzffPjZcpg0W0ecc59osKxVrWGANlbpZQSmgVtFxja9H1zXJscHC5IZV/GHXx3YaOARzjfM89h1geeywat06KMFbxIqMKCmLJF2JLOAEZhorsjTJkb7jUQoyl9fR2zOVOn7LUlbqUrHIQDk2zFTRs884EzRei50Wqo46UaeBC8W38d1aXLqup9mKy+jPeQM8Qcq/tXmjSx0LNIHEsTZ0AlSj5yZwuU7CumKd5AKXUsUWYMWyWqe4ZgXTJIVYKHQShk0xB0JQA82VosONLsNdA+jYGX8Oaux0PLHbxbZAklSUSTcAOrolKuNrRlKxdRaYx/VguDtBVfw3q8zcUN7oYKNOpm7BuhGvSZgsQeGmn4kTWxh4sLGlQZk5R1J0dLHW9sOMbGLV+Y9A05uSRQ8ElFQVa4WFGfXcjQF5lwRw/KfXdSL79GkwBTQCYCXXGdZlxIEBXdAKx4aqKOYp9DtFCdDBdR1NBDw+kS3kuC1cO5ClyhNgHN+RqRP4hrXzDSfIB9A0diKAG3icwDjR9Et8Bgg1aI0GNYEppdk6geDVZWwvm1YkxT1QJI+uSGtFQl1xIwA28UZsdWFWOnpXzS0RsQslgtNiHwrUNemMvX2zNvHZygGNH9FrZnrGhrsvo3drrfJlkjz0SvEEb2GlqcpyFrvqPcnYijoylIIMhmiDi9je4G3GhDZ4lUAz2DJlUqjh21IkaN1kpKpETDdrqC1aoKPoaWUk+lAJNFq6yR5JOCzvM+YsR2eK5sygM6xy381QQ/v3MDpuclZCKk1NCAUwMEQfQX8DIjkKleo0+RBMpKPc66Lkck9HgwVvpd9KVtGaet+RxywNnc8I5p0puqY3qMDDRgttLFasq+EwkORIcqZhOEO9uj96aKCEdFWWUhk0bjyK0G6DDWIGlYqupljhAWm59xlCESK8tzoaFBATvrP7RF9ozkTqifwdVO1qXTw1MnJNzYaqRft9vZHV6EVDSNAtVc04IiNRiZWm6B01GCaCu7uKGxI8eyvX+sWlK3t9js79iK8TZDaBKUXQDPgD9aOPAW2B3lPzOzOC6vA5j5k6CfFWMLK7uUWwuNuspliRzYIJFsQPZu7O0F97ID5hFgYkQ7zguBIw63ddwRzXuol7uIH7oF/7gT2lb8fd7Klpwu3nF08Y+/Ygsog1TXfrvArLoo/0xsCtmHIXzDGNekIgtYPr3sOEasEnJl5C99yE48Chf66mBin6paLaHGjafXy28v175TuVAcbyuFWdxB56pJq807475RBODiOIjfX+Dh3a9S/Bncec/X/7fEO72MV5LRRg7TBvgNUQL4n3nixsH5cl1hS5dO0GGzS6Vc0p+V88Dr6iGQXfYC6Va18fJCNCWCNNKYw7w4fnVSksNCYzjPcddZh2SwtQe1umIZWCCWiHkC6pKphTN+ZCul3SDeZgW8bpmiJOt5QjrDVbC3dw7bz+MOtDS+ZHlN+w/gFOXz7KpGeLWSXYl4oOxyTi8OXr4Htcx8TjpqDUGg3L3YUkUggKuRVox8xmSlAgFKgMaTR2RY8qL7q3aWHJCfKkeaK4XDOCObIYTJg+gMXjYgdLTYxpfDzalZu9DqPXSWfbyUFWa+wHHnOGdbaRyW0CZ8Q15hrMUmmHGlmp2B3BE+4HgNylsdjCm+YHsRBOsVqcci2tId67b+cQLEe/+l8s0KnYN/83gm7AltfCIJwviCzKylAVFsNJ3Ph2Y+nMs2+GZwEzFnsHwszfqpd/+uHP1vY97xxHTbFvgmh7Ps3iRszu6rjBe6rQPzc+Of3CowHIhW997Pqf9DwvWpx7XH/wPI5MXr5Ntn07HJhi11mg9799fG33ThV1zhPwl+ZME0VLLMjeapVePePDXBAEFDpBH9/9gi6E+fHlCbp4f/76v35Bny6EefUTerbb7JGgzGyoQmQjtR+VJpWixMC3fnj1v//H82+DFKFmk1DGDekBMnVR4PA4Hp2Y++55za8cL17USIWveP60kO7KplswP7Jh3J0f+BC+A8W0tU4+M2UqzNHb0/dBZP+QgqbzZR3HGf9XCroI09ai+9WIUNjI7cITjuApvsEHzmGNDd3hRxiRDtx9iU7zXIGf1nF5CJ3m6SVFeWyc86GxkIuzd5fuVZoMjxVYzxj96DmVnKbq3250cWlRmfB+WRoeOQkiCg3t2tM0rDWxzE3XmldAdNDFec7slzFvA7adWf7hd25GBrAmIVxw6W/4eZ8FRqi0udZJ9Lq7PmkYvfcYXkplGpE8Ero5BNjgAJjZ3y559cy0d/thYl0/JvW23k0RXtCQ3TiXF9djB5Yv1loSZlVO5zca6TjIymWFxZouGtOJSLFi60rRHC33AJOKHLKGwnKmPLL1wKhodEJbDi66StDvgEfU/bslXNEdAIoW0tDMZ3bHzzOKT9pc6AxnLhU/AejSqDTAVwlYYpWgWpinuA6p+p+UCYiK86z2xKVTy4cWvN3HYrha15nwCBrsa7OhSlCDPu5LeoI+1c/YW3CA/YguawfY6CX4bUpTq0f1zKBMTJjGNdLeL36CMOdBZaJsvwgJblhBYt6WKvsGMmEk0gYecybQp4tJgUIgQTaZvIousi1QWSYY+2YBK6pjZ/RasAlKXNyLGDsVHfztCbB1oxUyTsU6+qRIwNkqHwm10AkN1Kk8mHcCMAIRSCdYIYzeSLXDKh/P6UbodA3JXgphe+NvIJduSc2OUhFWPSN3TbxvjFsazLuhOocMgpbxkBkx2iETPs8V0hIKZqxY8iM2wlvccizmiOPfwUFZJ4h0XJSjDfZdlm0kZWst2DUYsP2XJ3akkhLoQrCN1w/ubhF7rAwjFccKQb9oVCPx7PXNL2/lWq5W4envlGRmQ5Mfbw/Zj3ZBdxs7eL+2eFt0TyuzocL4ZPFJtHUVs3PC3RJ63JLTqH/SVE0iLCtD5LyU9ktOI3xVEUK1nsAZOo8f1xztuMQTwAtZFXct1R4FChNGuM0hnHo40gGOVipBgE+XUth3xcqtkHLY/BCNFKX+rrbx+tFNvJsYua6lUDPAGc2b/Xg/zEAfZgJpZqqA/ERQXEC9iPZQN1gjnMvSvi5mQ5lCcifaI3OEM/hGCllM5NXCTA7NXIv6eZUIq9wzkVv5I5VuCIDRG8YpOvWILUZkuIuzVzQbc3dyMmG82f+jpCtMkuDKZy3EpUJojwFCxKx3fwAhXL7ela/XiE2J6YTQpUxZPRDY/JJu8JbJCrRLIotSyYJNZCjSuZF7LfCSQxHZCp0dxo2JbSN2EiI5xLCndaIgAj0Mow6XOQLBwPoNfqlPt/PKtvdtku3aMstKmGE5W2yNPocy8IwcY9bfSQuC93hNBVWM1FsCgkCi3zC1gJkNPLWh2W7II7sgPyy0UdPBz3pPx7TderQ9vTy8J69euLUS7itomjZGuGEF1VauO21P0ZJOBpH8KURrCnHrQUDjwQceg7ojax3Tu/vRWOvHu+3ph0xHG3J65615h/FtOxztDXbcCoQ7CIOvd3cvb92dmvXs3EWLsjd1+8lF66U6jwC5RY43AuTrZccfbz+yWKMN5jmyu8lHNasEiXnH7iA/ZmXHmHsbMWOj1EMJ2sBPHb1ypzKbrKBmIx8hSoJ7nmTk0PBfmzxw6KWkZFKv04GozgfJvb/WInKALxN5Qv5r8fOf/oSevT0/vXyOzpk2TKwrpjc0h1L4IC5crmXyvkCHImGQLbtyePhjhi9OZIwpmdireKj+055qCIPmxoBHPtrQ5/tcFwJp/03db8fxBziFYqZYhNqkt5limMfqTjfYyAecs0q7FZBUSLOCcayceLJi094hAu96uLwK7rlm+ZydRrqZ8p8sI9RexEFfzPaSp6uzOBWH7jqENXylYcf/651E8MmIF7zjhnbKMvKwK1OqlIkBo5ANkFqqNRbsjwNZ1SIdK9yV2EdQustTE+ReMRWsJU3U9eeNXQ5eC9fiy/Uu6mU1/0oxNxuCFUWlorksmMDBgruOeLrEhlFh9K3p8RzPudu3+FE361o/0jIR49qr860VXCVWBpohtVs9LFZnbHbkhc1dJOqK5lRhQ/MsWlLZAf6wwudNvWITPLtUcsvypnmY/x4uS+411RFj+OY/9lnr67RhBafdJMtn2mWzpO/1Z/YT2wwOD4XMyS1z0fPNUHGfaAHXKJ0xh4LfV/OkN6AzdX7UqYReBzbqdFTQWLFG2kjlJL6FVlCDYbVv4VsL+61vw7svWJ5zOp+Uewfr3VXOBY63I/eOknP1eIx5tnvpV+t0GBL7Ojp7gkqO7ZHZ91kqRAVR+3LKyw+pkDPYk3fIoFONbfmr1Aa9w2TDxIRJl+NEkuObIa0/Ccj0LxW14sPqR67JmV6gtzku0Wf4H6cf5VK4utO/jR9PtMFbajUnTrFCXyqq9gh6EOpSCk1rjSpcnGr3m8Fv5pGXvgcesZAVq7tACrd915dvGs96SzOg2jLQB98c9a6YwpSntA6zIY/XraV7TYysbegfXqaRqoQI2rH6pHl5XOTZtZGaqLHzEDNvYaY/CIx2TORyp5EuKWErRuwnJ6E6QZ8nO74gdnsO3zbnBj2DjrBUkPYZgtDl8w61UCXgHX9L15js0Sfdb3zbRGCLYSFt9Oxau8IMBvvEa981tQAVqFUDJrMv4ojiTR+AQPV/r9IUynnG5OtvO71CPdWd16nXgR3DDoOM5n9zxGbnyeud2qrP8PWu91rWvYatT3cBHe9mHoddEzDon02bkOmOYXRC4YYUtxc/Q9lAzJGAkxVusOWcrpjwvnoQTtDVr8DlRNNBwO6oQrFEuLUOmIH6F1swNj7b1Hv3vZQmelM2PmxjMNkUM7fAb1cFgqORddQ9jiRDXpZMxJsgFvVu2C1DUWHaxzMgpLplO3Asro12W94fmNo5wjrt23cL1iVWNU/ZP5+0W9lt2KiVOrK3w9qyLvn9Ttsz0WeWuLYWUu3THfhfdInFv93aMaZGpN9FvVbPQ0+TJctfXgD0W/b2aCrRaFd1v/XDu5rkgowKo2R5jOjIZbUcORfuxON+TWtt01vKEQBHV90x7z08k0WJxb65j3DtYJy+s1e2VNlnKGNiJcNKAdbXqWuEbpEfAyuyxmxH03ZFX31JlSPwpuJ8j/6zwpytGM3ROdQ9O+dgEJUdXWZEymv2SEH33+kSufVb+xnzKW0+erfZNhxeVgZU7iNHmN5+1z80S/gpO94d7XzyC/RxX7qtt54DSxx3gtOHp+gqi9pMdoC2xcE5ItS3OtS2dojMHK66RrnsY+c8i6VUtbcfQswf3k4ceadXTmR2qmlRpp1DdIAUduVbPfc1mkrKRJpIHym7jj0PVGITdk0SkWEdM9rfAax8OX1kyJXiEY+5AzXiqTTGaFapWN6QDkxNVYbX8WzKFnT056kPOmr6Yx+05/oEgoXeGCpAtYpvnFj40bi5UfQ2ig5SZWJrVG6JOWoJezL3IywL6tUL/99nHoUX/j98XlPI7Y85VeHsPL+dR4yeu810g+fgce2MWhttJ/cD0axJxcSKKjURdx3ve5Z9dRX/W0kfdM/OgGTdl3jVOYbAlYKwtkx6pQJLzMZ+r13c3rLdR8ggVt0//ZWOE7SmB36yckPVPP4Iq7P7jKdnZzD68Tk6g/XDqFFlZmqWMkHnM6r88E/ay8I80JyXJg0ddwjZOXC76Le60yn64EmzP471St6/NUr4tNEV+yPsrWHXiWTKxV9fI0HX0jB3gOUG64kJUJrM3Vaoc5Ru8enhgvaok02AGiW4DHisbpxe19+EE1I0W89RUdHvb9RMPfw4OWjZShOmdRVd6QTIkCyVzlv3sBgKYEiVSuoDHR1KV3q+toujKwhOH5JOs2RINJ3BfRT52RWkdh5+jDrS8zgk7y89D+A4LUK15tk25Ys+DKl6R3YQmTyzrIer6G0adSrA7Jp6izpRc4Nv2nEl3QcJZOtPSEO8Tip0cXX613eX6NK+U+g3MTF9pcU2USX1Mdh+3MkwtiCGyIaSa32UE/luQjhtD7LQ0LmmX2fTIgzSQP0IwlYKHtByqWKjppCPoOQ6PJquIJNGA+BssKlmm/DZxXKLOcsdIwaQGArC2bpaHxKEQLFrutdDsR2J8+sE0siwN8aUOmMwgzYJaDjKFAQh+AncJrYWdeWLVMzsb7lRRBZF0j5xd8Tb4eEdQuES/B1TlA8tzdgulh3HItP6sQbe2pWdDP/d77au0Qpi60qNs1KyOdKqQwg7DBBgAEiFrQEgK9lgIUaNM1K3m/KrAiITMduZ2jY3D4ufefj729P3/t17MVi+eVCMVEPff/SebUxfZ1vJq1QEOK3nOAs/56aZjF2P860EMxo9c0jo59CtAwp764m6A/AIkA7uhleJpNlbj+snwYxPF1j0iw62VEGmwKriiEhBaGmsoXzlznCivcJul1L6OsJbg70eoW0RLaUySFr6/vrvp6EU3CDZY/OdVOv5EyyHBQY9F+sSu2YnwUYx//H6t8uLS/QO3xRM5M1Y7/Cx2r3NnobZG6I4sS2/jdHuDm2rUZ/CJYvR07NdlWO2mq9g87GL8OstJ1c7es4yL5Uvzn2XXo/FQQz5fIfyyL0C6h0X/+3rhpvCHJGPNcnYtxv8JdaEfqTsRj+uGqz4JqhbuOLeE6SrQIo61ugv2igp1v+25Jhcc6YNzf/ywv/tpPmUiRUl4Y9WTNEd5kFFBi955zcIixxpiSbYUtE100btrWU/p7Aosdn4Zv0NDmiIwwhJcErNhaYrhHb1WkSqThfyRp9sMKfCdHJSWo+7JnJRFUtFOe9a82FO7+HTT79/A1cAbuyZBYo+eaDdh3V8Twbt5tjAYpkmzgFUEDoVCCuFm/z7nK2gjNV01kGKcoj1+DOGutaQFuAdjpFQ+wjZK6RyrgrlquvakRGsrmUf6m0FNmRDdVB5lZyRfVZHDMeBwQegCs2BmmCk60zhUGlaDDJddyBZoNMtZhziZG32PfoRbjheym1Qy+rhHY3Gxnd9a1G3VC1w7psd1Bi/kQrRG1yUnJ6gDxIXTKyhrqAy0BaqnqgawnzJJbmmeRafQ4bcoKC8vi3C7nLGklqUPS4TR/DT4SPwTBiVc+oD2EF2PcA/sX/0CeaG3pgXG1PwED56gzO9wS9/fhUDm1/pDcrZmmpTy4N+14fwtcfbLKfGTf+Ndq4NRO8aIESqzlQYhIVhW6YqjahYM9EOWIHKFiZ06X4eFAMVjiM8kX3vwSnHOSqlJRBzRQFih4Xlwk43IvTs8tPpc8+gugnXlEreMKvBWbyxlRCmUqJT1tdsVBMsRH98b3MERZnlTJdSs5HW+hDxC/GMbtWhbvAFXQQwAlTdU3aabzG0QHiH+c4q35dK1uf47PTd5XO7wxKrhr/qt88Nhblojg2tKGRQ/Asi2F5cdMYpFicWLiNMVvCWfxLXQu6CR2wJUjgcxv67IylysWqXPxmNUvOr9Tn19N3lFHaaSBVNhACwISaQA2oxcAoRqBRNbbrTdev6FXuYO8a5pfSSYxEU4jk2mNDRWIAHoN2lX8MJ59hgdAbrOJHuiwF9HWilqfoe6vWdTqLwasVICF83wXBoOT8AXW8VNw9lE4p2s7pNJQTli3/6/wIAAP//a6iF4Q==" } diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index 37efb99f483..b7b065dea1c 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -39,6 +39,7 @@ "destination.bytes": 145, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -147,6 +148,7 @@ "destination.bytes": 193, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -253,6 +255,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -361,6 +364,7 @@ "destination.bytes": 200, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -468,6 +472,7 @@ "destination.bytes": 193, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -574,6 +579,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -683,6 +689,7 @@ "destination.bytes": 199, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -789,6 +796,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -896,6 +904,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1004,6 +1013,7 @@ "destination.bytes": 722, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1111,6 +1121,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6109, "destination.geo.location.lon": -122.3303, "destination.geo.region_iso_code": "US-WA", @@ -1217,6 +1228,7 @@ "destination.bytes": 313, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1322,6 +1334,7 @@ "destination.bytes": 180, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1428,6 +1441,7 @@ "destination.bytes": 108, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1535,6 +1549,7 @@ "destination.bytes": 162, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1643,6 +1658,7 @@ "destination.bytes": 199, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1749,6 +1765,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1855,6 +1872,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1961,6 +1979,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2066,6 +2085,7 @@ "destination.bytes": 131, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2173,6 +2193,7 @@ "destination.bytes": 722, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 3cef5df9a0f..7490bc1ac57 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -217,6 +217,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -321,6 +322,7 @@ "destination.bytes": 314, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -422,6 +424,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -526,6 +529,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -633,6 +637,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", @@ -736,6 +741,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 8ab3e55fc87..135a2979210 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -581,6 +581,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", @@ -763,6 +764,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 73ab6378da1..0b669eb5dff 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -44,6 +44,7 @@ "destination.bytes": 246, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "2.2.2.2", @@ -102,6 +103,7 @@ "source.geo.city_name": "Seattle", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6348, "source.geo.location.lon": -122.3451, "source.geo.region_iso_code": "US-WA", diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json index 3485b3ff583..0695d3730aa 100644 --- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json +++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json @@ -331,6 +331,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -828,6 +829,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1022,6 +1024,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1122,6 +1125,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1210,6 +1214,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -1296,6 +1301,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1537,6 +1543,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", diff --git a/x-pack/filebeat/module/cisco/meraki/config/pipeline.js b/x-pack/filebeat/module/cisco/meraki/config/pipeline.js index 45a7b628d63..53a05ad2527 100644 --- a/x-pack/filebeat/module/cisco/meraki/config/pipeline.js +++ b/x-pack/filebeat/module/cisco/meraki/config/pipeline.js @@ -29,8 +29,7 @@ var map_actionType = { }, }; -var dup1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,false), Constant('.'), Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); +var dup1 = match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); var dup2 = call({ dest: "nwparser.payload", @@ -52,8 +51,7 @@ var dup3 = call({ ], }); -var dup4 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); +var dup4 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); var dup5 = setc("eventcategory","1605020000"); @@ -71,20 +69,15 @@ var dup9 = date_time({ ], }); -var dup10 = // "Pattern{}" -match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); +var dup10 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); -var dup11 = // "Pattern{Constant('dhost='), Field(dmacaddr,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); +var dup11 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); -var dup12 = // "Pattern{Constant('shost='), Field(smacaddr,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); +var dup12 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); -var dup13 = // "Pattern{Field(direction,true), Constant(' protocol='), Field(protocol,true), Constant(' src='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); +var dup13 = match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); -var dup14 = // "Pattern{Field(signame,false)}" -match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); +var dup14 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); var dup15 = setc("eventcategory","1607000000"); @@ -102,13 +95,11 @@ var dup18 = setc("event_type","security_event"); var dup19 = constant("Allow"); -var dup20 = // "Pattern{Field(hfld4,false), Constant('_appliance '), Field(p0,false)}" -match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ +var dup20 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ dup2, ])); -var dup21 = // "Pattern{Field(hfld4,true), Constant(' '), Field(p0,false)}" -match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ +var dup21 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ dup3, ])); @@ -122,8 +113,7 @@ var dup23 = linear_select([ dup21, ]); -var part1 = // "Pattern{Constant('urls '), Field(p0,false)}" -match("HEADER#0:0003/2", "nwparser.p0", "urls %{p0}"); +var part1 = match("HEADER#0:0003/2", "nwparser.p0", "urls %{p0}"); var all1 = all_match({ processors: [ @@ -137,19 +127,16 @@ var all1 = all_match({ ]), }); -var part2 = // "Pattern{Field(node,false), Constant('_appliance events '), Field(p0,false)}" -match("HEADER#1:0002/1_0", "nwparser.p0", "%{node}_appliance events %{p0}"); +var part2 = match("HEADER#1:0002/1_0", "nwparser.p0", "%{node}_appliance events %{p0}"); -var part3 = // "Pattern{Field(node,true), Constant(' events '), Field(p0,false)}" -match("HEADER#1:0002/1_1", "nwparser.p0", "%{node->} events %{p0}"); +var part3 = match("HEADER#1:0002/1_1", "nwparser.p0", "%{node->} events %{p0}"); var select1 = linear_select([ part2, part3, ]); -var part4 = // "Pattern{Field(payload,false)}" -match_copy("HEADER#1:0002/2", "nwparser.p0", "payload"); +var part4 = match_copy("HEADER#1:0002/2", "nwparser.p0", "payload"); var all2 = all_match({ processors: [ @@ -163,8 +150,7 @@ var all2 = all_match({ ]), }); -var part5 = // "Pattern{Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#2:0001/2", "nwparser.p0", "%{messageid->} %{p0}"); +var part5 = match("HEADER#2:0001/2", "nwparser.p0", "%{messageid->} %{p0}"); var all3 = all_match({ processors: [ @@ -177,19 +163,16 @@ var all3 = all_match({ ]), }); -var part6 = // "Pattern{Field(hfld4,false), Constant('_appliance '), Field(p0,false)}" -match("HEADER#3:0005/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}"); +var part6 = match("HEADER#3:0005/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}"); -var part7 = // "Pattern{Field(hfld4,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0005/1_1", "nwparser.p0", "%{hfld4->} %{p0}"); +var part7 = match("HEADER#3:0005/1_1", "nwparser.p0", "%{hfld4->} %{p0}"); var select2 = linear_select([ part6, part7, ]); -var part8 = // "Pattern{Field(,true), Constant(' '), Field(hfld5,true), Constant(' '), Field(hfld6,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0005/2", "nwparser.p0", "%{} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ +var part8 = match("HEADER#3:0005/2", "nwparser.p0", "%{} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ call({ dest: "nwparser.payload", fn: STRCAT, @@ -214,8 +197,7 @@ var all4 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,false), Constant('.'), Field(hfld3,true), Constant(' '), Field(hfld4,false), Constant('_'), Field(space,true), Constant(' '), Field(messageid,true), Constant(' '), Field(payload,false)}" -match("HEADER#4:0004", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{hfld4}_%{space->} %{messageid->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#4:0004", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{hfld4}_%{space->} %{messageid->} %{payload}", processor_chain([ setc("header_id","0004"), ])); @@ -227,36 +209,29 @@ var select3 = linear_select([ hdr1, ]); -var part9 = // "Pattern{Field(node,false), Constant('_appliance '), Field(p0,false)}" -match("MESSAGE#0:flows/0_0", "nwparser.payload", "%{node}_appliance %{p0}"); +var part9 = match("MESSAGE#0:flows/0_0", "nwparser.payload", "%{node}_appliance %{p0}"); -var part10 = // "Pattern{Field(node,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/0_1", "nwparser.payload", "%{node->} %{p0}"); +var part10 = match("MESSAGE#0:flows/0_1", "nwparser.payload", "%{node->} %{p0}"); var select4 = linear_select([ part9, part10, ]); -var part11 = // "Pattern{Constant('flows src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/1", "nwparser.p0", "flows src=%{saddr->} dst=%{daddr->} %{p0}"); +var part11 = match("MESSAGE#0:flows/1", "nwparser.p0", "flows src=%{saddr->} dst=%{daddr->} %{p0}"); -var part12 = // "Pattern{Constant('mac='), Field(dmacaddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/2_0", "nwparser.p0", "mac=%{dmacaddr->} %{p0}"); +var part12 = match("MESSAGE#0:flows/2_0", "nwparser.p0", "mac=%{dmacaddr->} %{p0}"); var select5 = linear_select([ part12, dup4, ]); -var part13 = // "Pattern{Constant('protocol='), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/3", "nwparser.p0", "protocol=%{protocol->} %{p0}"); +var part13 = match("MESSAGE#0:flows/3", "nwparser.p0", "protocol=%{protocol->} %{p0}"); -var part14 = // "Pattern{Constant('sport='), Field(sport,true), Constant(' dport='), Field(dport,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/4_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} %{p0}"); +var part14 = match("MESSAGE#0:flows/4_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} %{p0}"); -var part15 = // "Pattern{Constant('type='), Field(event_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/4_1", "nwparser.p0", "type=%{event_type->} %{p0}"); +var part15 = match("MESSAGE#0:flows/4_1", "nwparser.p0", "type=%{event_type->} %{p0}"); var select6 = linear_select([ part14, @@ -264,8 +239,7 @@ var select6 = linear_select([ dup4, ]); -var part16 = // "Pattern{Constant('pattern: '), Field(fld21,true), Constant(' '), Field(info,false)}" -match("MESSAGE#0:flows/5", "nwparser.p0", "pattern: %{fld21->} %{info}"); +var part16 = match("MESSAGE#0:flows/5", "nwparser.p0", "pattern: %{fld21->} %{info}"); var all5 = all_match({ processors: [ @@ -292,14 +266,11 @@ var all5 = all_match({ var msg1 = msg("flows", all5); -var part17 = // "Pattern{Field(node,true), Constant(' flows '), Field(action,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' mac='), Field(smacaddr,true), Constant(' protocol='), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1:flows:01/0", "nwparser.payload", "%{node->} flows %{action->} src=%{saddr->} dst=%{daddr->} mac=%{smacaddr->} protocol=%{protocol->} %{p0}"); +var part17 = match("MESSAGE#1:flows:01/0", "nwparser.payload", "%{node->} flows %{action->} src=%{saddr->} dst=%{daddr->} mac=%{smacaddr->} protocol=%{protocol->} %{p0}"); -var part18 = // "Pattern{Constant('sport='), Field(sport,true), Constant(' dport='), Field(dport,true), Constant(' ')}" -match("MESSAGE#1:flows:01/1_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} "); +var part18 = match("MESSAGE#1:flows:01/1_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} "); -var part19 = // "Pattern{Constant('type='), Field(event_type,true), Constant(' ')}" -match("MESSAGE#1:flows:01/1_1", "nwparser.p0", "type=%{event_type->} "); +var part19 = match("MESSAGE#1:flows:01/1_1", "nwparser.p0", "type=%{event_type->} "); var select7 = linear_select([ part18, @@ -323,8 +294,7 @@ var all6 = all_match({ var msg2 = msg("flows:01", all6); -var part20 = // "Pattern{Field(node,true), Constant(' flows '), Field(action,false)}" -match("MESSAGE#2:flows:02", "nwparser.payload", "%{node->} flows %{action}", processor_chain([ +var part20 = match("MESSAGE#2:flows:02", "nwparser.payload", "%{node->} flows %{action}", processor_chain([ dup5, dup6, dup7, @@ -340,14 +310,11 @@ var select8 = linear_select([ msg3, ]); -var part21 = // "Pattern{Field(node,false), Constant('_appliance urls src='), Field(p0,false)}" -match("MESSAGE#3:urls/0_0", "nwparser.payload", "%{node}_appliance urls src=%{p0}"); +var part21 = match("MESSAGE#3:urls/0_0", "nwparser.payload", "%{node}_appliance urls src=%{p0}"); -var part22 = // "Pattern{Field(node,true), Constant(' urls src='), Field(p0,false)}" -match("MESSAGE#3:urls/0_1", "nwparser.payload", "%{node->} urls src=%{p0}"); +var part22 = match("MESSAGE#3:urls/0_1", "nwparser.payload", "%{node->} urls src=%{p0}"); -var part23 = // "Pattern{Constant('src='), Field(p0,false)}" -match("MESSAGE#3:urls/0_2", "nwparser.payload", "src=%{p0}"); +var part23 = match("MESSAGE#3:urls/0_2", "nwparser.payload", "src=%{p0}"); var select9 = linear_select([ part21, @@ -355,17 +322,13 @@ var select9 = linear_select([ part23, ]); -var part24 = // "Pattern{Field(sport,false), Constant(':'), Field(saddr,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' mac='), Field(macaddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#3:urls/1", "nwparser.p0", "%{sport}:%{saddr->} dst=%{daddr}:%{dport->} mac=%{macaddr->} %{p0}"); +var part24 = match("MESSAGE#3:urls/1", "nwparser.p0", "%{sport}:%{saddr->} dst=%{daddr}:%{dport->} mac=%{macaddr->} %{p0}"); -var part25 = // "Pattern{Constant('agent=''), Field(user_agent,false), Constant('' request: '), Field(p0,false)}" -match("MESSAGE#3:urls/2_0", "nwparser.p0", "agent='%{user_agent}' request: %{p0}"); +var part25 = match("MESSAGE#3:urls/2_0", "nwparser.p0", "agent='%{user_agent}' request: %{p0}"); -var part26 = // "Pattern{Constant('agent='), Field(user_agent,true), Constant(' request: '), Field(p0,false)}" -match("MESSAGE#3:urls/2_1", "nwparser.p0", "agent=%{user_agent->} request: %{p0}"); +var part26 = match("MESSAGE#3:urls/2_1", "nwparser.p0", "agent=%{user_agent->} request: %{p0}"); -var part27 = // "Pattern{Constant('request: '), Field(p0,false)}" -match("MESSAGE#3:urls/2_2", "nwparser.p0", "request: %{p0}"); +var part27 = match("MESSAGE#3:urls/2_2", "nwparser.p0", "request: %{p0}"); var select10 = linear_select([ part25, @@ -373,8 +336,7 @@ var select10 = linear_select([ part27, ]); -var part28 = // "Pattern{Field(,true), Constant(' '), Field(web_method,false), Constant(''), Field(url,false)}" -match("MESSAGE#3:urls/3", "nwparser.p0", "%{} %{web_method}%{url}"); +var part28 = match("MESSAGE#3:urls/3", "nwparser.p0", "%{} %{web_method}%{url}"); var all7 = all_match({ processors: [ @@ -394,22 +356,18 @@ var all7 = all_match({ var msg4 = msg("urls", all7); -var part29 = // "Pattern{Constant('dhcp lease of ip '), Field(saddr,true), Constant(' from server mac '), Field(smacaddr,true), Constant(' for client mac '), Field(p0,false)}" -match("MESSAGE#4:events/0", "nwparser.payload", "dhcp lease of ip %{saddr->} from server mac %{smacaddr->} for client mac %{p0}"); +var part29 = match("MESSAGE#4:events/0", "nwparser.payload", "dhcp lease of ip %{saddr->} from server mac %{smacaddr->} for client mac %{p0}"); -var part30 = // "Pattern{Field(dmacaddr,true), Constant(' with hostname '), Field(hostname,true), Constant(' from router '), Field(p0,false)}" -match("MESSAGE#4:events/1_0", "nwparser.p0", "%{dmacaddr->} with hostname %{hostname->} from router %{p0}"); +var part30 = match("MESSAGE#4:events/1_0", "nwparser.p0", "%{dmacaddr->} with hostname %{hostname->} from router %{p0}"); -var part31 = // "Pattern{Field(dmacaddr,true), Constant(' from router '), Field(p0,false)}" -match("MESSAGE#4:events/1_1", "nwparser.p0", "%{dmacaddr->} from router %{p0}"); +var part31 = match("MESSAGE#4:events/1_1", "nwparser.p0", "%{dmacaddr->} from router %{p0}"); var select11 = linear_select([ part30, part31, ]); -var part32 = // "Pattern{Field(hostip,true), Constant(' on subnet '), Field(mask,true), Constant(' with dns '), Field(dns_a_record,false)}" -match("MESSAGE#4:events/2", "nwparser.p0", "%{hostip->} on subnet %{mask->} with dns %{dns_a_record}"); +var part32 = match("MESSAGE#4:events/2", "nwparser.p0", "%{hostip->} on subnet %{mask->} with dns %{dns_a_record}"); var all8 = all_match({ processors: [ @@ -428,11 +386,9 @@ var all8 = all_match({ var msg5 = msg("events", all8); -var part33 = // "Pattern{Constant('content_filtering_block url=''), Field(url,false), Constant('' category0=''), Field(category,false), Constant('' server=''), Field(daddr,false), Constant(':'), Field(dport,false), Constant('''), Field(p0,false)}" -match("MESSAGE#5:events:02/0", "nwparser.payload", "content_filtering_block url='%{url}' category0='%{category}' server='%{daddr}:%{dport}'%{p0}"); +var part33 = match("MESSAGE#5:events:02/0", "nwparser.payload", "content_filtering_block url='%{url}' category0='%{category}' server='%{daddr}:%{dport}'%{p0}"); -var part34 = // "Pattern{Constant(' client_mac=''), Field(dmacaddr,false), Constant(''')}" -match("MESSAGE#5:events:02/1_0", "nwparser.p0", " client_mac='%{dmacaddr}'"); +var part34 = match("MESSAGE#5:events:02/1_0", "nwparser.p0", " client_mac='%{dmacaddr}'"); var select12 = linear_select([ part34, @@ -502,8 +458,7 @@ var part35 = tagval("MESSAGE#6:events:01", "nwparser.payload", tvm, { var msg7 = msg("events:01", part35); -var part36 = // "Pattern{Constant('IDS: '), Field(info,false)}" -match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain([ +var part36 = match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain([ dup5, dup6, setc("event_description","events IDS"), @@ -513,22 +468,18 @@ match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain var msg8 = msg("events:03", part36); -var part37 = // "Pattern{Constant('dhcp '), Field(p0,false)}" -match("MESSAGE#8:events:04/0", "nwparser.payload", "dhcp %{p0}"); +var part37 = match("MESSAGE#8:events:04/0", "nwparser.payload", "dhcp %{p0}"); -var part38 = // "Pattern{Constant('no offers'), Field(p0,false)}" -match("MESSAGE#8:events:04/1_0", "nwparser.p0", "no offers%{p0}"); +var part38 = match("MESSAGE#8:events:04/1_0", "nwparser.p0", "no offers%{p0}"); -var part39 = // "Pattern{Constant('release'), Field(p0,false)}" -match("MESSAGE#8:events:04/1_1", "nwparser.p0", "release%{p0}"); +var part39 = match("MESSAGE#8:events:04/1_1", "nwparser.p0", "release%{p0}"); var select13 = linear_select([ part38, part39, ]); -var part40 = // "Pattern{Field(,false), Constant('for mac '), Field(macaddr,false)}" -match("MESSAGE#8:events:04/2", "nwparser.p0", "%{}for mac %{macaddr}"); +var part40 = match("MESSAGE#8:events:04/2", "nwparser.p0", "%{}for mac %{macaddr}"); var all10 = all_match({ processors: [ @@ -547,8 +498,7 @@ var all10 = all_match({ var msg9 = msg("events:04", all10); -var part41 = // "Pattern{Constant('MAC '), Field(macaddr,true), Constant(' and MAC '), Field(macaddr,true), Constant(' both claim IP: '), Field(saddr,false)}" -match("MESSAGE#9:events:05", "nwparser.payload", "MAC %{macaddr->} and MAC %{macaddr->} both claim IP: %{saddr}", processor_chain([ +var part41 = match("MESSAGE#9:events:05", "nwparser.payload", "MAC %{macaddr->} and MAC %{macaddr->} both claim IP: %{saddr}", processor_chain([ dup5, dup6, setc("event_description"," events MAC"), @@ -567,14 +517,11 @@ var select14 = linear_select([ msg10, ]); -var part42 = // "Pattern{Field(node,true), Constant(' ids-alerts signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/0", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); +var part42 = match("MESSAGE#10:ids-alerts:01/0", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); -var part43 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' message: '), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message: %{p0}"); +var part43 = match("MESSAGE#10:ids-alerts:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message: %{p0}"); -var part44 = // "Pattern{Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' message: '), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message: %{p0}"); +var part44 = match("MESSAGE#10:ids-alerts:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message: %{p0}"); var select15 = linear_select([ part43, @@ -600,8 +547,7 @@ var all11 = all_match({ var msg11 = msg("ids-alerts:01", all11); -var part45 = // "Pattern{Field(node,true), Constant(' ids-alerts signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,false), Constant('direction='), Field(direction,true), Constant(' protocol='), Field(protocol,true), Constant(' src='), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}direction=%{direction->} protocol=%{protocol->} src=%{saddr}:%{sport}", processor_chain([ +var part45 = match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}direction=%{direction->} protocol=%{protocol->} src=%{saddr}:%{sport}", processor_chain([ dup15, dup6, dup16, @@ -611,8 +557,7 @@ match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts sign var msg12 = msg("ids-alerts:03", part45); -var part46 = // "Pattern{Field(node,true), Constant(' ids-alerts signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,false), Constant('protocol='), Field(protocol,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,false), Constant('message: '), Field(signame,false)}" -match("MESSAGE#12:ids-alerts:02", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}protocol=%{protocol->} src=%{saddr->} dst=%{daddr}message: %{signame}", processor_chain([ +var part46 = match("MESSAGE#12:ids-alerts:02", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}protocol=%{protocol->} src=%{saddr->} dst=%{daddr}message: %{signame}", processor_chain([ dup15, dup6, dup16, @@ -628,8 +573,7 @@ var select16 = linear_select([ msg13, ]); -var part47 = // "Pattern{Field(node,false), Constant('security_event '), Field(event_description,true), Constant(' url='), Field(url,true), Constant(' src='), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' mac='), Field(smacaddr,true), Constant(' name='), Field(fld10,true), Constant(' sha256='), Field(fld11,true), Constant(' disposition='), Field(disposition,true), Constant(' action='), Field(action,false)}" -match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{event_description->} url=%{url->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} mac=%{smacaddr->} name=%{fld10->} sha256=%{fld11->} disposition=%{disposition->} action=%{action}", processor_chain([ +var part47 = match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{event_description->} url=%{url->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} mac=%{smacaddr->} name=%{fld10->} sha256=%{fld11->} disposition=%{disposition->} action=%{action}", processor_chain([ dup5, dup6, dup18, @@ -639,14 +583,11 @@ match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{ var msg14 = msg("security_event", part47); -var part48 = // "Pattern{Field(node,true), Constant(' security_event '), Field(event_description,true), Constant(' signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#14:security_event:01/0", "nwparser.payload", "%{node->} security_event %{event_description->} signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); +var part48 = match("MESSAGE#14:security_event:01/0", "nwparser.payload", "%{node->} security_event %{event_description->} signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); -var part49 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' message:'), Field(p0,false)}" -match("MESSAGE#14:security_event:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message:%{p0}"); +var part49 = match("MESSAGE#14:security_event:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message:%{p0}"); -var part50 = // "Pattern{Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' message:'), Field(p0,false)}" -match("MESSAGE#14:security_event:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message:%{p0}"); +var part50 = match("MESSAGE#14:security_event:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message:%{p0}"); var select17 = linear_select([ part49, @@ -688,34 +629,25 @@ var chain1 = processor_chain([ }), ]); -var hdr2 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,false), Constant('.'), Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); +var hdr2 = match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); -var part51 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); +var part51 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); -var part52 = // "Pattern{}" -match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); +var part52 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); -var part53 = // "Pattern{Constant('dhost='), Field(dmacaddr,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); +var part53 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); -var part54 = // "Pattern{Constant('shost='), Field(smacaddr,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); +var part54 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); -var part55 = // "Pattern{Field(direction,true), Constant(' protocol='), Field(protocol,true), Constant(' src='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); +var part55 = match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); -var part56 = // "Pattern{Field(signame,false)}" -match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); +var part56 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); -var part57 = // "Pattern{Field(hfld4,false), Constant('_appliance '), Field(p0,false)}" -match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ +var part57 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ dup2, ])); -var part58 = // "Pattern{Field(hfld4,true), Constant(' '), Field(p0,false)}" -match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ +var part58 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ dup3, ])); diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index beeffa9b5eb..93b25705912 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -122,8 +122,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.155.236.240", - "10.112.46.169" + "10.112.46.169", + "10.155.236.240" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -345,8 +345,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.134.0.141", - "10.210.213.18" + "10.210.213.18", + "10.134.0.141" ], "rsa.internal.event_desc": "atquovosecurity_event iumto", "rsa.internal.messageid": "security_event", @@ -519,8 +519,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.85.10.165", - "10.53.150.119" + "10.53.150.119", + "10.85.10.165" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -623,8 +623,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.205.47.51", - "10.219.84.37" + "10.219.84.37", + "10.205.47.51" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -831,8 +831,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.31.77.157", - "10.12.182.70" + "10.12.182.70", + "10.31.77.157" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -896,8 +896,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.135.217.12", - "10.93.68.231" + "10.93.68.231", + "10.135.217.12" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -960,8 +960,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.247.30.212", - "10.66.89.5" + "10.66.89.5", + "10.247.30.212" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1064,8 +1064,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.37.86", - "10.58.64.108" + "10.58.64.108", + "10.54.37.86" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1142,8 +1142,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.183.44.198", - "10.0.200.27" + "10.0.200.27", + "10.183.44.198" ], "rsa.internal.event_desc": "uradi security_event tot", "rsa.internal.messageid": "security_event", @@ -1177,8 +1177,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.148.124.84", - "10.28.144.180" + "10.28.144.180", + "10.148.124.84" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -1215,8 +1215,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.98.194.212", - "10.204.230.166" + "10.204.230.166", + "10.98.194.212" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1312,8 +1312,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.150.245.88", - "10.242.77.170" + "10.242.77.170", + "10.150.245.88" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1447,8 +1447,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.230.6.127", - "10.111.157.56" + "10.111.157.56", + "10.230.6.127" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1486,8 +1486,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.179.40.170", - "10.193.219.34" + "10.193.219.34", + "10.179.40.170" ], "rsa.counters.dclass_r1": "emip", "rsa.internal.messageid": "events", @@ -1638,8 +1638,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.124.63.4", - "10.90.99.245" + "10.90.99.245", + "10.124.63.4" ], "rsa.internal.event_desc": "etconsec", "rsa.internal.messageid": "security_event", @@ -1733,8 +1733,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.196.96.162", - "10.81.234.34" + "10.81.234.34", + "10.196.96.162" ], "rsa.internal.event_desc": "Utenima security_event iqua", "rsa.internal.messageid": "security_event", @@ -1903,8 +1903,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.86.188.179", - "10.201.168.116" + "10.201.168.116", + "10.86.188.179" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2011,8 +2011,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.120.4.9", - "10.97.46.16" + "10.97.46.16", + "10.120.4.9" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2084,8 +2084,8 @@ "uames4985.mail.localdomain" ], "related.ip": [ - "10.150.163.151", - "10.144.57.239" + "10.144.57.239", + "10.150.163.151" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2126,8 +2126,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.44.231", - "10.52.202.158" + "10.52.202.158", + "10.54.44.231" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2252,8 +2252,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.2.110.73", - "10.103.49.129" + "10.103.49.129", + "10.2.110.73" ], "rsa.counters.dclass_r1": "orumS", "rsa.internal.messageid": "events", @@ -2292,8 +2292,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.132.176.96", - "10.158.61.228" + "10.158.61.228", + "10.132.176.96" ], "rsa.counters.dclass_r1": "eserun", "rsa.internal.messageid": "events", @@ -2333,8 +2333,8 @@ "lors2232.api.example" ], "related.ip": [ - "10.46.217.155", - "10.105.136.146" + "10.105.136.146", + "10.46.217.155" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2374,8 +2374,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.123.62.215", - "10.245.199.23" + "10.245.199.23", + "10.123.62.215" ], "rsa.db.index": "iusmodt", "rsa.internal.messageid": "flows", @@ -2480,8 +2480,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.246.152.72", - "10.34.62.190" + "10.34.62.190", + "10.246.152.72" ], "rsa.internal.event_desc": "Nem", "rsa.internal.messageid": "security_event", @@ -2758,8 +2758,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.65.0.157", - "10.17.111.91" + "10.17.111.91", + "10.65.0.157" ], "rsa.db.index": "nostrum", "rsa.internal.messageid": "flows", @@ -2893,8 +2893,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.199.103.185", - "10.51.121.223" + "10.51.121.223", + "10.199.103.185" ], "rsa.internal.event_desc": "dipi security_event ecatc", "rsa.internal.messageid": "security_event", @@ -2988,8 +2988,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.113.152.241", - "10.121.37.244" + "10.121.37.244", + "10.113.152.241" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -3067,8 +3067,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.200.98.243", - "10.101.13.122" + "10.101.13.122", + "10.200.98.243" ], "rsa.counters.dclass_r1": "uteirur", "rsa.internal.messageid": "events", @@ -3143,8 +3143,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.147.165.30", - "10.195.90.73" + "10.195.90.73", + "10.147.165.30" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3206,8 +3206,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.162.202.14", - "10.137.166.97" + "10.137.166.97", + "10.162.202.14" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3330,8 +3330,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.75.122.111", - "10.85.59.172" + "10.85.59.172", + "10.75.122.111" ], "rsa.counters.dclass_r1": "sequat", "rsa.internal.messageid": "events", diff --git a/x-pack/filebeat/module/cisco/umbrella/_meta/fields.yml b/x-pack/filebeat/module/cisco/umbrella/_meta/fields.yml new file mode 100644 index 00000000000..e45d12ef732 --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/_meta/fields.yml @@ -0,0 +1,61 @@ +- name: cisco.umbrella + type: group + description: > + Fields for Cisco Umbrella. + fields: + - name: identities + type: keyword + description: > + An array of the different identities related to the event. + - name: categories + type: keyword + description: > + The security or content categories that the destination matches. + - name: policy_identity_type + type: keyword + description: > + The first identity type matched with this request. Available in version 3 and above. + - name: identity_types + type: keyword + description: > + The type of identity that made the request. For example, Roaming Computer or Network. + - name: blocked_categories + type: keyword + description: > + The categories that resulted in the destination being blocked. Available in version 4 and above. + - name: content_type + type: keyword + description: > + The type of web content, typically text/html. + - name: sha_sha256 + type: keyword + description: > + Hex digest of the response content. + - name: av_detections + type: keyword + description: > + The detection name according to the antivirus engine used in file inspection. + - name: puas + type: keyword + description: > + A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. + - name: amp_disposition + type: keyword + description: > + The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. + - name: amp_malware_name + type: keyword + description: > + If Malicious, the name of the malware according to AMP. + - name: amp_score + type: keyword + description: > + The score of the malware from AMP. This field is not currently used and will be blank. + - name: datacenter + type: keyword + description: > + The name of the Umbrella Data Center that processed the user-generated traffic. + - name: origin_id + type: keyword + description: > + The unique identity of the network tunnel. diff --git a/x-pack/filebeat/module/cisco/umbrella/config/input.yml b/x-pack/filebeat/module/cisco/umbrella/config/input.yml new file mode 100644 index 00000000000..8b0ccde6e2e --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/config/input.yml @@ -0,0 +1,23 @@ +{{ if eq .input "s3" }} + +type: s3 +queue_url: {{ .queue_url }} +access_key_id: {{ .access_key_id }} +secret_access_key: {{ .secret_access_key }} + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +processors: +- add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/umbrella/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/umbrella/ingest/pipeline.yml new file mode 100644 index 00000000000..2a602ff2331 --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/ingest/pipeline.yml @@ -0,0 +1,246 @@ +description: Pipeline for parsing cisco umbrella logs +processors: +- set: + field: observer.vendor + value: Cisco +- set: + field: observer.product + value: Umbrella +- set: + field: event.ingested + value: "{{_ingest.timestamp}}" +- set: + field: event.original + value: "{{message}}" +############ +# DNS Logs # +############ +- csv: + field: message + target_fields: + - cisco.umbrella._tmp_time + - source.user.name + - cisco.umbrella.identities + - source.address + - destination.address + - cisco.umbrella.action + - dns.question.type + - dns.response_code + - destination.domain + - cisco.umbrella.categories + - cisco.umbrella.policy_identity_type + - cisco.umbrella.identity_types + - cisco.umbrella.blocked_categories + if: ctx?.log?.file?.path.contains('dnslogs') + +- set: + field: observer.type + value: dns + if: ctx?.log?.file?.path.contains('dnslogs') +########### +# IP Logs # +########### +- csv: + field: message + target_fields: + - cisco.umbrella._tmp_time + - source.user.name + - source.address + - source.port + - destination.address + - destination.port + - cisco.umbrella.categories + if: ctx?.log?.file?.path.contains('iplogs') + +- set: + field: observer.type + value: firewall + if: ctx?.log?.file?.path.contains('iplogs') + +############## +# Proxy Logs # +############## +- csv: + field: message + target_fields: + - cisco.umbrella._tmp_time + - cisco.umbrella.identities + - source.address + - source.nat.ip + - destination.address + - cisco.umbrella.content_type + - cisco.umbrella.verdict + - url.full + - http.request.referrer + - user_agent.original + - http.response.status_code + - http.request.bytes + - http.response.bytes + - http.response.body.bytes + - cisco.umbrella.sha_sha256 + - cisco.umbrella.categories + - cisco.umbrella.av_detections + - cisco.umbrella.puas + - cisco.umbrella.amp_disposition + - cisco.umbrella.amp_malware_name + - cisco.umbrella.amp_score + - cisco.umbrella.identity_types + - cisco.umbrella.blocked_categories + if: ctx?.log?.file?.path.contains('proxylogs') + +- set: + field: observer.type + value: proxy + if: ctx?.log?.file?.path.contains('proxylogs') + +####################### +# Cloud Firewall Logs # +####################### +- csv: + field: message + target_fields: + - cisco.umbrella._tmp_time + - cisco.umbrella.origin_id + - source.user.name + - cisco.umbrella.identity_types + - cisco.umbrella.direction + - network.transport + - source.bytes + - source.address + - source.port + - destination.address + - destination.port + - cisco.umbrella.datacenter + - cisco.umbrella.ruleid + - cisco.umbrella.verdict + if: ctx?.log?.file?.path.contains('cloudfirewalllogs') + +- set: + field: observer.type + value: firewall + if: ctx?.log?.file?.path.contains('cloudfirewalllogs') + +# Identifies is a field that includes any sort of username, device or other asset that is included in the request. +# Converting this to an array to make it easier to use in searches and visualizations +- split: + field: cisco.umbrella.identities + separator: "," + preserve_trailing: false + if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.identities != null" + +###################### +# General ECS Fields # +###################### +# This field is always in UTC, so no timezone should need to be set +- date: + field: cisco.umbrella._tmp_time + target_field: "@timestamp" + formats: + - "yyyy-MM-dd HH:mm:ss" + +################## +# DNS ECS Fields # +################## +- set: + field: dns.type + value: query + if: ctx?.cisco?.umbrella?.action != null + +###################### +# Network ECS Fields # +###################### +- lowercase: + field: cisco.umbrella.direction + target_field: network.direction + if: ctx?.cisco?.umbrella?.direction != null + +################### +# Rule ECS Fields # +################### +- rename: + field: cisco.umbrella.ruleid + target_field: rule.id + if: ctx?.cisco?.umbrella?.ruleid != null + +#################### +# Event ECS Fields # +#################### +- set: + field: event.action + value: "dns-request-{{cisco.umbrella.action}}" + if: ctx?.cisco?.umbrella?.action != null +- set: + field: event.category + value: network + if: ctx?.cisco?.umbrella?.action != null +- append: + field: event.type + value: allowed + if: "ctx?.cisco?.umbrella?.action == 'Allowed' || ctx?.cisco?.umbrella?.verdict == 'ALLOWED' || ctx?.cisco?.umbrella?.verdict == 'ALLOW'" +- append: + field: event.type + value: denied + if: "ctx?.cisco?.umbrella?.action == 'Blocked' || ctx?.cisco?.umbrella?.verdict == 'BLOCKED' || ctx?.cisco?.umbrella?.verdict == 'BLOCK'" +- append: + field: event.type + value: connection + if: ctx?.cisco?.umbrella?.action != null + +# Converting address fields to either ip or domain +- grok: + field: source.address + patterns: + - "(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})" + ignore_failure: true +- grok: + field: destination.address + patterns: + - "(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})" + ignore_failure: true + +###################### +# Related ECS Fields # +###################### +- append: + field: related.user + value: "{{source.user.name}}" + if: ctx?.source?.user?.name != null +- append: + field: related.ip + value: "{{source.ip}}" + if: ctx?.source?.ip != null +- append: + field: related.ip + value: "{{source.nat.ip}}" + if: ctx?.source?.nat?.ip != null +- append: + field: related.ip + value: "{{destination.ip}}" + if: ctx?.destination?.ip != null +- append: + field: related.hosts + value: "{{source.domain}}" + if: ctx?.source?.domain != null +- append: + field: related.hosts + value: "{{destination.domain}}" + if: ctx?.destination?.domain != null +- append: + field: related.hash + value: "{{cisco.umbrella.sha_sha256}}" + if: ctx?.cisco?.umbrella?.sha_sha256 != null + +########### +# Cleanup # +########### +- remove: + field: + - cisco.umbrella._tmp_time + - cisco.umbrella.direction + - cisco.umbrella.action + - cisco.umbrella.verdict + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/cisco/umbrella/manifest.yml b/x-pack/filebeat/module/cisco/umbrella/manifest.yml new file mode 100644 index 00000000000..3a7150e714d --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/manifest.yml @@ -0,0 +1,8 @@ +module_version: "1.0" + +var: + - name: tags + default: [cisco-umbrella, forwarded] + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log new file mode 100644 index 00000000000..3e5f23fced2 --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log @@ -0,0 +1,2 @@ +2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,ALLOW +2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,BLOCK diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log-expected.json new file mode 100644 index 00000000000..65aabab5a88 --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log-expected.json @@ -0,0 +1,74 @@ +[ + { + "@timestamp": "2020-07-23T18:03:46.000Z", + "cisco.umbrella.datacenter": "ams1.edc", + "cisco.umbrella.identity_types": "CDFW Tunnel Device", + "cisco.umbrella.origin_id": "[211039844]", + "destination.address": "146.112.255.129", + "destination.ip": "146.112.255.129", + "event.dataset": "cisco.umbrella", + "event.module": "cisco", + "event.original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,ALLOW", + "event.type": [ + "allowed" + ], + "fileset.name": "umbrella", + "input.type": "log", + "log.offset": 0, + "message": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,ALLOW", + "network.direction": "outbound", + "network.transport": "1", + "observer.product": "Umbrella", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "172.17.3.4", + "146.112.255.129" + ], + "related.user": [ + "Passive Monitor" + ], + "rule.id": "12", + "service.type": "cisco", + "source.address": "172.17.3.4", + "source.bytes": "84", + "source.ip": "172.17.3.4", + "source.user.name": "Passive Monitor" + }, + { + "@timestamp": "2020-07-23T18:03:46.000Z", + "cisco.umbrella.datacenter": "ams1.edc", + "cisco.umbrella.identity_types": "CDFW Tunnel Device", + "cisco.umbrella.origin_id": "[211039844]", + "destination.address": "146.112.255.129", + "destination.ip": "146.112.255.129", + "event.dataset": "cisco.umbrella", + "event.module": "cisco", + "event.original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,BLOCK", + "event.type": [ + "denied" + ], + "fileset.name": "umbrella", + "input.type": "log", + "log.offset": 128, + "message": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,BLOCK", + "network.direction": "inbound", + "network.transport": "1", + "observer.product": "Umbrella", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "172.17.3.4", + "146.112.255.129" + ], + "related.user": [ + "Passive Monitor" + ], + "rule.id": "12", + "service.type": "cisco", + "source.address": "172.17.3.4", + "source.bytes": "84", + "source.ip": "172.17.3.4", + "source.user.name": "Passive Monitor" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log new file mode 100644 index 00000000000..403c1c9df33 --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log @@ -0,0 +1,2 @@ +"2020-07-23 23:49:54","elasticuser","elasticuser2","some other identity","192.168.1.1","8.8.8.8","Allowed","1 (A)","NOERROR","elastic.co.","Software/Technology,Business Services,Application","Test Policy Name","SomeIdentityType","" +"2020-07-23 23:50:25","elasticuser","elasticuser2","some other identity","192.168.1.1","4.4.4.4","Blocked","1 (A)","NOERROR","elastic.co/something.","Chat,Instant Messaging,Block List,Application","Test Policy Name","SomeIdentityType","BlockedCategories" diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json new file mode 100644 index 00000000000..81b1478da27 --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json @@ -0,0 +1,92 @@ +[ + { + "@timestamp": "2020-07-23T23:49:54.000Z", + "cisco.umbrella.blocked_categories": "SomeIdentityType", + "cisco.umbrella.categories": "elastic.co.", + "cisco.umbrella.identities": [ + "elasticuser2" + ], + "cisco.umbrella.identity_types": "Test Policy Name", + "cisco.umbrella.policy_identity_type": "Software/Technology,Business Services,Application", + "destination.address": "192.168.1.1", + "destination.domain": "NOERROR", + "destination.ip": "192.168.1.1", + "dns.question.type": "Allowed", + "dns.response_code": "1 (A)", + "dns.type": "query", + "event.action": "dns-request-8.8.8.8", + "event.category": "network", + "event.dataset": "cisco.umbrella", + "event.module": "cisco", + "event.original": "\\\"2020-07-23 23:49:54\\\",\\\"elasticuser\\\",\\\"elasticuser2\\\",\\\"some other identity\\\",\\\"192.168.1.1\\\",\\\"8.8.8.8\\\",\\\"Allowed\\\",\\\"1 (A)\\\",\\\"NOERROR\\\",\\\"elastic.co.\\\",\\\"Software/Technology,Business Services,Application\\\",\\\"Test Policy Name\\\",\\\"SomeIdentityType\\\",\\\"\\\"", + "event.type": [ + "connection" + ], + "fileset.name": "umbrella", + "input.type": "log", + "log.offset": 0, + "message": "\"2020-07-23 23:49:54\",\"elasticuser\",\"elasticuser2\",\"some other identity\",\"192.168.1.1\",\"8.8.8.8\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Software/Technology,Business Services,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"\"", + "observer.product": "Umbrella", + "observer.type": "dns", + "observer.vendor": "Cisco", + "related.hosts": [ + "some other identity", + "NOERROR" + ], + "related.ip": [ + "192.168.1.1" + ], + "related.user": [ + "elasticuser" + ], + "service.type": "cisco", + "source.address": "some other identity", + "source.domain": "some other identity", + "source.user.name": "elasticuser" + }, + { + "@timestamp": "2020-07-23T23:50:25.000Z", + "cisco.umbrella.blocked_categories": "SomeIdentityType", + "cisco.umbrella.categories": "elastic.co/something.", + "cisco.umbrella.identities": [ + "elasticuser2" + ], + "cisco.umbrella.identity_types": "Test Policy Name", + "cisco.umbrella.policy_identity_type": "Chat,Instant Messaging,Block List,Application", + "destination.address": "192.168.1.1", + "destination.domain": "NOERROR", + "destination.ip": "192.168.1.1", + "dns.question.type": "Blocked", + "dns.response_code": "1 (A)", + "dns.type": "query", + "event.action": "dns-request-4.4.4.4", + "event.category": "network", + "event.dataset": "cisco.umbrella", + "event.module": "cisco", + "event.original": "\\\"2020-07-23 23:50:25\\\",\\\"elasticuser\\\",\\\"elasticuser2\\\",\\\"some other identity\\\",\\\"192.168.1.1\\\",\\\"4.4.4.4\\\",\\\"Blocked\\\",\\\"1 (A)\\\",\\\"NOERROR\\\",\\\"elastic.co/something.\\\",\\\"Chat,Instant Messaging,Block List,Application\\\",\\\"Test Policy Name\\\",\\\"SomeIdentityType\\\",\\\"BlockedCategories\\\"", + "event.type": [ + "connection" + ], + "fileset.name": "umbrella", + "input.type": "log", + "log.offset": 232, + "message": "\"2020-07-23 23:50:25\",\"elasticuser\",\"elasticuser2\",\"some other identity\",\"192.168.1.1\",\"4.4.4.4\",\"Blocked\",\"1 (A)\",\"NOERROR\",\"elastic.co/something.\",\"Chat,Instant Messaging,Block List,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"BlockedCategories\"", + "observer.product": "Umbrella", + "observer.type": "dns", + "observer.vendor": "Cisco", + "related.hosts": [ + "some other identity", + "NOERROR" + ], + "related.ip": [ + "192.168.1.1" + ], + "related.user": [ + "elasticuser" + ], + "service.type": "cisco", + "source.address": "some other identity", + "source.domain": "some other identity", + "source.user.name": "elasticuser" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log new file mode 100644 index 00000000000..6200aeab3ae --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log @@ -0,0 +1,2 @@ +"2020-08-26 20:32:46","elasticuser","192.168.1.1","0","8.8.8.8","0","Test Category" +"2020-08-26 20:32:45","elasticuser","192.168.1.1","61095","8.8.8.8","445","Test Category" diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log-expected.json new file mode 100644 index 00000000000..4d25464cb61 --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log-expected.json @@ -0,0 +1,60 @@ +[ + { + "@timestamp": "2020-08-26T20:32:46.000Z", + "cisco.umbrella.categories": "Test Category", + "destination.address": "8.8.8.8", + "destination.ip": "8.8.8.8", + "destination.port": "0", + "event.dataset": "cisco.umbrella", + "event.module": "cisco", + "event.original": "\\\"2020-08-26 20:32:46\\\",\\\"elasticuser\\\",\\\"192.168.1.1\\\",\\\"0\\\",\\\"8.8.8.8\\\",\\\"0\\\",\\\"Test Category\\\"", + "fileset.name": "umbrella", + "input.type": "log", + "log.offset": 0, + "message": "\"2020-08-26 20:32:46\",\"elasticuser\",\"192.168.1.1\",\"0\",\"8.8.8.8\",\"0\",\"Test Category\"", + "observer.product": "Umbrella", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.1.1", + "8.8.8.8" + ], + "related.user": [ + "elasticuser" + ], + "service.type": "cisco", + "source.address": "192.168.1.1", + "source.ip": "192.168.1.1", + "source.port": "0", + "source.user.name": "elasticuser" + }, + { + "@timestamp": "2020-08-26T20:32:45.000Z", + "cisco.umbrella.categories": "Test Category", + "destination.address": "8.8.8.8", + "destination.ip": "8.8.8.8", + "destination.port": "445", + "event.dataset": "cisco.umbrella", + "event.module": "cisco", + "event.original": "\\\"2020-08-26 20:32:45\\\",\\\"elasticuser\\\",\\\"192.168.1.1\\\",\\\"61095\\\",\\\"8.8.8.8\\\",\\\"445\\\",\\\"Test Category\\\"", + "fileset.name": "umbrella", + "input.type": "log", + "log.offset": 84, + "message": "\"2020-08-26 20:32:45\",\"elasticuser\",\"192.168.1.1\",\"61095\",\"8.8.8.8\",\"445\",\"Test Category\"", + "observer.product": "Umbrella", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.1.1", + "8.8.8.8" + ], + "related.user": [ + "elasticuser" + ], + "service.type": "cisco", + "source.address": "192.168.1.1", + "source.ip": "192.168.1.1", + "source.port": "61095", + "source.user.name": "elasticuser" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log new file mode 100644 index 00000000000..bfe70c6839a --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log @@ -0,0 +1,3 @@ +"2020-07-23 23:48:56","elasticuser, someotheruser","192.168.1.1","1.1.1.1","8.8.8.8","","ALLOWED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming Computers","" +"2020-07-23 23:48:56","elasticuser, someotheruser","192.168.1.1","1.1.1.1","8.8.8.8","","BLOCKED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming Computers","" +"2017-10-02 23:52:53","elasticuser","ActiveDirectoryUserName,ADSite,Network","192.192.192.135","1.1.1.91","","ALLOWED","http://google.com/the.js","www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","","","","","","Networks" diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json new file mode 100644 index 00000000000..fd474d2d029 --- /dev/null +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json @@ -0,0 +1,115 @@ +[ + { + "@timestamp": "2020-07-23T23:48:56.000Z", + "cisco.umbrella.amp_disposition": "MalwareName", + "cisco.umbrella.av_detections": "AVDetectionName", + "cisco.umbrella.categories": "Business Services", + "cisco.umbrella.identities": "elasticuser, someotheruser", + "cisco.umbrella.identity_types": "Roaming Computers", + "cisco.umbrella.puas": "Malicious", + "destination.address": "8.8.8.8", + "destination.ip": "8.8.8.8", + "event.dataset": "cisco.umbrella", + "event.module": "cisco", + "event.original": "\\\"2020-07-23 23:48:56\\\",\\\"elasticuser, someotheruser\\\",\\\"192.168.1.1\\\",\\\"1.1.1.1\\\",\\\"8.8.8.8\\\",\\\"\\\",\\\"ALLOWED\\\",\\\"https://elastic.co/blog/ext_id=Anyclip\\\",\\\"https://google.com/elastic\\\",\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\\\",\\\"200\\\",\\\"850\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"Business Services\\\",\\\"AVDetectionName\\\",\\\"Malicious\\\",\\\"MalwareName\\\",\\\"\\\",\\\"\\\",\\\"Roaming Computers\\\",\\\"\\\"", + "event.type": [ + "allowed" + ], + "fileset.name": "umbrella", + "http.request.bytes": "850", + "http.request.referrer": "https://google.com/elastic", + "http.response.status_code": "200", + "input.type": "log", + "log.offset": 0, + "message": "\"2020-07-23 23:48:56\",\"elasticuser, someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", + "observer.product": "Umbrella", + "observer.type": "proxy", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.1.1", + "1.1.1.1", + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "192.168.1.1", + "source.ip": "192.168.1.1", + "source.nat.ip": "1.1.1.1", + "url.full": "https://elastic.co/blog/ext_id=Anyclip", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" + }, + { + "@timestamp": "2020-07-23T23:48:56.000Z", + "cisco.umbrella.amp_disposition": "MalwareName", + "cisco.umbrella.av_detections": "AVDetectionName", + "cisco.umbrella.categories": "Business Services", + "cisco.umbrella.identities": "elasticuser, someotheruser", + "cisco.umbrella.identity_types": "Roaming Computers", + "cisco.umbrella.puas": "Malicious", + "destination.address": "8.8.8.8", + "destination.ip": "8.8.8.8", + "event.dataset": "cisco.umbrella", + "event.module": "cisco", + "event.original": "\\\"2020-07-23 23:48:56\\\",\\\"elasticuser, someotheruser\\\",\\\"192.168.1.1\\\",\\\"1.1.1.1\\\",\\\"8.8.8.8\\\",\\\"\\\",\\\"BLOCKED\\\",\\\"https://elastic.co/blog/ext_id=Anyclip\\\",\\\"https://google.com/elastic\\\",\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\\\",\\\"200\\\",\\\"850\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"Business Services\\\",\\\"AVDetectionName\\\",\\\"Malicious\\\",\\\"MalwareName\\\",\\\"\\\",\\\"\\\",\\\"Roaming Computers\\\",\\\"\\\"", + "event.type": [ + "denied" + ], + "fileset.name": "umbrella", + "http.request.bytes": "850", + "http.request.referrer": "https://google.com/elastic", + "http.response.status_code": "200", + "input.type": "log", + "log.offset": 399, + "message": "\"2020-07-23 23:48:56\",\"elasticuser, someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"BLOCKED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", + "observer.product": "Umbrella", + "observer.type": "proxy", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.1.1", + "1.1.1.1", + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "192.168.1.1", + "source.ip": "192.168.1.1", + "source.nat.ip": "1.1.1.1", + "url.full": "https://elastic.co/blog/ext_id=Anyclip", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" + }, + { + "@timestamp": "2017-10-02T23:52:53.000Z", + "cisco.umbrella.amp_score": "Networks", + "cisco.umbrella.identities": "elasticuser", + "destination.address": "1.1.1.91", + "destination.ip": "1.1.1.91", + "event.dataset": "cisco.umbrella", + "event.module": "cisco", + "event.original": "\\\"2017-10-02 23:52:53\\\",\\\"elasticuser\\\",\\\"ActiveDirectoryUserName,ADSite,Network\\\",\\\"192.192.192.135\\\",\\\"1.1.1.91\\\",\\\"\\\",\\\"ALLOWED\\\",\\\"http://google.com/the.js\\\",\\\"www.google.com\\\",\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\\\",\\\"200\\\",\\\"562\\\",\\\"1489\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"Networks\\\"", + "event.type": [ + "allowed" + ], + "fileset.name": "umbrella", + "http.request.bytes": "562", + "http.request.referrer": "www.google.com", + "http.response.bytes": "1489", + "http.response.status_code": "200", + "input.type": "log", + "log.offset": 798, + "message": "\"2017-10-02 23:52:53\",\"elasticuser\",\"ActiveDirectoryUserName,ADSite,Network\",\"192.192.192.135\",\"1.1.1.91\",\"\",\"ALLOWED\",\"http://google.com/the.js\",\"www.google.com\",\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"200\",\"562\",\"1489\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"Networks\"", + "observer.product": "Umbrella", + "observer.type": "proxy", + "observer.vendor": "Cisco", + "related.hosts": [ + "ActiveDirectoryUserName,ADSite,Network" + ], + "related.ip": [ + "192.192.192.135", + "1.1.1.91" + ], + "service.type": "cisco", + "source.address": "ActiveDirectoryUserName,ADSite,Network", + "source.domain": "ActiveDirectoryUserName,ADSite,Network", + "source.nat.ip": "192.192.192.135", + "url.full": "http://google.com/the.js", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js b/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js index 0da0631e21e..55f1931192c 100644 --- a/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js +++ b/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js @@ -77,14 +77,11 @@ var dup12 = setc("eventcategory","1201000000"); var dup13 = setc("event_description","AppFw Buffer Overflow violation in URL"); -var dup14 = // "Pattern{Field(saddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); +var dup14 = match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); -var dup15 = // "Pattern{Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); +var dup15 = match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); -var dup16 = // "Pattern{Field(url,true), Constant(' '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); +var dup16 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); var dup17 = setc("event_description","AppFw SQL Injection violation"); @@ -92,25 +89,19 @@ var dup18 = setc("event_description","AppFw Request error. Generated 400 Respons var dup19 = setc("severity","Warning"); -var dup20 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); +var dup20 = match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); -var dup21 = // "Pattern{Constant('HASTATE '), Field(p0,false)}" -match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); +var dup21 = match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); -var dup22 = // "Pattern{Field(network_service,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); +var dup22 = match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); -var dup23 = // "Pattern{Field(info,false), Constant('"')}" -match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); +var dup23 = match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); var dup24 = setc("event_description","Routing details"); -var dup25 = // "Pattern{Constant('for '), Field(dclass_counter1,false)}" -match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); +var dup25 = match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); -var dup26 = // "Pattern{Field(space,false)}" -match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); +var dup26 = match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); var dup27 = setc("ec_subject","Configuration"); @@ -120,14 +111,11 @@ var dup29 = setc("ec_theme","Configuration"); var dup30 = setc("ec_activity","Start"); -var dup31 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); +var dup31 = match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); -var dup32 = // "Pattern{Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); +var dup32 = match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); -var dup33 = // "Pattern{}" -match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); +var dup33 = match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); var dup34 = setc("ec_subject","Service"); @@ -140,14 +128,11 @@ var dup35 = date_time({ ], }); -var dup36 = // "Pattern{Field(obj_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); +var dup36 = match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); -var dup37 = // "Pattern{Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); +var dup37 = match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); -var dup38 = // "Pattern{Constant(''), Field(obj_name,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); +var dup38 = match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); var dup39 = setc("event_description","The monitor bound to the service is up"); @@ -155,11 +140,9 @@ var dup40 = setc("ec_subject","NetworkComm"); var dup41 = setc("severity","Debug"); -var dup42 = // "Pattern{Constant('" '), Field(p0,false)}" -match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); +var dup42 = match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); -var dup43 = // "Pattern{Constant(''), Field(info,false), Constant('"')}" -match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); +var dup43 = match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); var dup44 = date_time({ dest: "starttime", @@ -171,16 +154,13 @@ var dup44 = date_time({ var dup45 = setc("event_description","Process"); -var dup46 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); +var dup46 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); var dup47 = setc("event_description","SNMP TRAP SENT"); -var dup48 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); +var dup48 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); -var dup49 = // "Pattern{Constant('ClientIP '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); +var dup49 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); var dup50 = date_time({ dest: "event_time", @@ -193,23 +173,17 @@ var dup50 = date_time({ var dup51 = setc("ec_activity","Request"); -var dup52 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); +var dup52 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); -var dup53 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); +var dup53 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); -var dup54 = // "Pattern{Field(fld10,true), Constant(' - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); +var dup54 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); -var dup55 = // "Pattern{Constant('" '), Field(fld11,true), Constant(' GMT" - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); +var dup55 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); -var dup56 = // "Pattern{Constant('" '), Field(fld11,false), Constant('" - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); +var dup56 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); -var dup57 = // "Pattern{Field(fld11,true), Constant(' - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); +var dup57 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); var dup58 = setc("event_description","ICA connection related information for a connection belonging to a SSLVPN session"); @@ -233,61 +207,45 @@ var dup62 = date_time({ ], }); -var dup63 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); +var dup63 = match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); -var dup64 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); +var dup64 = match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); -var dup65 = // "Pattern{Constant('User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); +var dup65 = match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); -var dup66 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); +var dup66 = match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); -var dup67 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); +var dup67 = match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); -var dup68 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); +var dup68 = match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); var dup69 = setc("eventcategory","1401060000"); -var dup70 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); +var dup70 = match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); var dup71 = setc("eventcategory","1401070000"); var dup72 = setc("ec_activity","Logoff"); -var dup73 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(username,true), Constant(' - Client_ip '), Field(hostip,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); +var dup73 = match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); -var dup74 = // "Pattern{Field(,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); +var dup74 = match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); -var dup75 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Delink Time '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); +var dup75 = match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); -var dup76 = // "Pattern{Field(fld11,true), Constant(' GMT - Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); +var dup76 = match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); -var dup77 = // "Pattern{Field(fld11,true), Constant(' - Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); +var dup77 = match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); -var dup78 = // "Pattern{Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); +var dup78 = match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); var dup79 = setc("event_description","A Server side and a Client side TCP connection is delinked"); -var dup80 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); +var dup80 = match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); -var dup81 = // "Pattern{Field(fld10,true), Constant(' GMT - End Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); +var dup81 = match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); -var dup82 = // "Pattern{Field(fld10,true), Constant(' - End Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); +var dup82 = match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); var dup83 = setc("event_description","TCP connection terminated"); @@ -317,27 +275,21 @@ var dup88 = setc("eventcategory","1401040000"); var dup89 = setc("event_description","CLI or GUI command executed in NetScaler"); -var dup90 = // "Pattern{Field(info,true), Constant(' "')}" -match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); +var dup90 = match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); var dup91 = setf("msg","$MSG"); var dup92 = setc("event_description","GUI command executed in NetScaler"); -var dup93 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); +var dup93 = match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); -var dup94 = // "Pattern{Constant('Sessionid '), Field(sessionid,true), Constant(' - User '), Field(username,true), Constant(' - Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); +var dup94 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); -var dup95 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); +var dup95 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); -var dup96 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); +var dup96 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); -var dup97 = // "Pattern{Field(daddr,true), Constant(' - Errmsg " '), Field(event_description,true), Constant(' "')}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); +var dup97 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); var dup98 = linear_select([ dup21, @@ -354,8 +306,7 @@ var dup100 = linear_select([ dup33, ]); -var dup101 = // "Pattern{Field(fld1,false), Constant(':UserLogin:'), Field(username,true), Constant(' - '), Field(event_description,true), Constant(' from client IP Address '), Field(saddr,false)}" -match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ +var dup101 = match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ dup5, dup4, ])); @@ -393,28 +344,24 @@ var dup107 = linear_select([ dup82, ]); -var dup108 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ +var dup108 = match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ dup88, dup89, dup3, dup4, ])); -var dup109 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs3='), Field(fld6,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ +var dup109 = match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ dup9, dup91, ])); -var dup110 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ +var dup110 = match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ dup11, dup91, ])); -var dup111 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ +var dup111 = match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ dup9, dup4, ])); @@ -450,34 +397,28 @@ var dup114 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hfld1,true), Constant(' : '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(hfld2,false), Constant(':'), Field(payload,false)}" -match("HEADER#0:0001", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} %{hfld2}:%{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} %{hfld2}:%{payload}", processor_chain([ setc("header_id","0001"), dup1, ])); -var hdr2 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hfld1,true), Constant(' : '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' :'), Field(payload,false)}" -match("HEADER#1:0005", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} :%{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0005", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} :%{payload}", processor_chain([ setc("header_id","0005"), dup1, ])); -var hdr3 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hfld1,true), Constant(' : '), Field(hfld2,true), Constant(' '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#2:0002/0", "message", "%{hdatetime->} %{hfld1->} : %{hfld2->} %{msgIdPart1->} %{msgIdPart2->} %{p0}"); +var hdr3 = match("HEADER#2:0002/0", "message", "%{hdatetime->} %{hfld1->} : %{hfld2->} %{msgIdPart1->} %{msgIdPart2->} %{p0}"); -var part1 = // "Pattern{Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#2:0002/1_0", "nwparser.p0", "%{hfld3->} %{p0}"); +var part1 = match("HEADER#2:0002/1_0", "nwparser.p0", "%{hfld3->} %{p0}"); -var part2 = // "Pattern{Field(p0,false)}" -match_copy("HEADER#2:0002/1_1", "nwparser.p0", "p0"); +var part2 = match_copy("HEADER#2:0002/1_1", "nwparser.p0", "p0"); var select1 = linear_select([ part1, part2, ]); -var part3 = // "Pattern{Constant(':'), Field(payload,false)}" -match("HEADER#2:0002/2", "nwparser.p0", ":%{payload}"); +var part3 = match("HEADER#2:0002/2", "nwparser.p0", ":%{payload}"); var all1 = all_match({ processors: [ @@ -491,8 +432,7 @@ var all1 = all_match({ ]), }); -var hdr4 = // "Pattern{Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0003", "message", "%{messageid->} %{p0}", processor_chain([ +var hdr4 = match("HEADER#3:0003", "message", "%{messageid->} %{p0}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -505,8 +445,7 @@ match("HEADER#3:0003", "message", "%{messageid->} %{p0}", processor_chain([ }), ])); -var hdr5 = // "Pattern{Constant('CEF:0|Citrix|'), Field(fld1,false), Constant('|'), Field(fld2,false), Constant('|'), Field(fld3,false), Constant('|'), Field(messageid,false), Constant('| '), Field(p0,false)}" -match("HEADER#4:0004", "message", "CEF:0|Citrix|%{fld1}|%{fld2}|%{fld3}|%{messageid}| %{p0}", processor_chain([ +var hdr5 = match("HEADER#4:0004", "message", "CEF:0|Citrix|%{fld1}|%{fld2}|%{fld3}|%{messageid}| %{p0}", processor_chain([ setc("header_id","0004"), call({ dest: "nwparser.payload", @@ -525,8 +464,7 @@ match("HEADER#4:0004", "message", "CEF:0|Citrix|%{fld1}|%{fld2}|%{fld3}|%{messag }), ])); -var hdr6 = // "Pattern{Constant('CEF:0|Citrix|'), Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(hfld1,false), Constant('|'), Field(severity,false), Constant('| '), Field(payload,false)}" -match("HEADER#5:0006", "message", "CEF:0|Citrix|%{product}|%{version}|%{rule}|%{hfld1}|%{severity}| %{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "CEF:0|Citrix|%{product}|%{version}|%{rule}|%{hfld1}|%{severity}| %{payload}", processor_chain([ setc("header_id","0006"), setc("messageid","CITRIX_TVM"), ])); @@ -540,11 +478,9 @@ var select2 = linear_select([ hdr6, ]); -var part4 = // "Pattern{Constant('Extracted_groups "'), Field(group,false), Constant('" ')}" -match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_0", "nwparser.payload", "Extracted_groups \"%{group}\" "); +var part4 = match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_0", "nwparser.payload", "Extracted_groups \"%{group}\" "); -var part5 = // "Pattern{Constant(' Extracted_groups "'), Field(group,false)}" -match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_1", "nwparser.payload", " Extracted_groups \"%{group}"); +var part5 = match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_1", "nwparser.payload", " Extracted_groups \"%{group}"); var select3 = linear_select([ part4, @@ -565,8 +501,7 @@ var all2 = all_match({ var msg1 = msg("AAA_EXTRACTED_GROUPS", all2); -var part6 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Client_ip '), Field(saddr,true), Constant(' - Failure_reason "'), Field(result,false), Constant('"')}" -match("MESSAGE#1:AAA_LOGIN_FAILED", "nwparser.payload", "User %{username->} - Client_ip %{saddr->} - Failure_reason \"%{result}\"", processor_chain([ +var part6 = match("MESSAGE#1:AAA_LOGIN_FAILED", "nwparser.payload", "User %{username->} - Client_ip %{saddr->} - Failure_reason \"%{result}\"", processor_chain([ dup5, setc("ec_subject","User"), dup6, @@ -579,8 +514,7 @@ match("MESSAGE#1:AAA_LOGIN_FAILED", "nwparser.payload", "User %{username->} - Cl var msg2 = msg("AAA_LOGIN_FAILED", part6); -var part7 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' --> Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Protocol '), Field(protocol,true), Constant(' - TimeStamp '), Field(info,true), Constant(' - Hitcount '), Field(dclass_counter1,true), Constant(' - Hit Rule '), Field(rulename,true), Constant(' - Data '), Field(message_body,false)}" -match("MESSAGE#2:ACL_ACL_PKT_LOG", "nwparser.payload", "Source %{saddr}:%{sport->} --> Destination %{daddr}:%{dport->} - Protocol %{protocol->} - TimeStamp %{info->} - Hitcount %{dclass_counter1->} - Hit Rule %{rulename->} - Data %{message_body}", processor_chain([ +var part7 = match("MESSAGE#2:ACL_ACL_PKT_LOG", "nwparser.payload", "Source %{saddr}:%{sport->} --> Destination %{daddr}:%{dport->} - Protocol %{protocol->} - TimeStamp %{info->} - Hitcount %{dclass_counter1->} - Hit Rule %{rulename->} - Data %{message_body}", processor_chain([ dup9, setc("event_description","ACL_PKT_LOG"), dup10, @@ -589,8 +523,7 @@ match("MESSAGE#2:ACL_ACL_PKT_LOG", "nwparser.payload", "Source %{saddr}:%{sport- var msg3 = msg("ACL_ACL_PKT_LOG", part7); -var part8 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(info,false), Constant(': '), Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#3:APPFW_APPFW_BUFFEROVERFLOW_COOKIE", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ +var part8 = match("MESSAGE#3:APPFW_APPFW_BUFFEROVERFLOW_COOKIE", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ dup11, setc("event_description","AppFw Buffer Overflow violation in Cookie"), dup3, @@ -599,8 +532,7 @@ match("MESSAGE#3:APPFW_APPFW_BUFFEROVERFLOW_COOKIE", "nwparser.payload", "%{sadd var msg4 = msg("APPFW_APPFW_BUFFEROVERFLOW_COOKIE", part8); -var part9 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(info,false), Constant(': '), Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#4:APPFW_APPFW_BUFFEROVERFLOW_HDR", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ +var part9 = match("MESSAGE#4:APPFW_APPFW_BUFFEROVERFLOW_HDR", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ dup11, setc("event_description","AppFw Buffer Overflow violation in HTTP Headers"), dup3, @@ -609,8 +541,7 @@ match("MESSAGE#4:APPFW_APPFW_BUFFEROVERFLOW_HDR", "nwparser.payload", "%{saddr-> var msg5 = msg("APPFW_APPFW_BUFFEROVERFLOW_HDR", part9); -var part10 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(info,false), Constant(': '), Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#5:APPFW_APPFW_BUFFEROVERFLOW_URL", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ +var part10 = match("MESSAGE#5:APPFW_APPFW_BUFFEROVERFLOW_URL", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ dup12, dup13, dup3, @@ -619,8 +550,7 @@ match("MESSAGE#5:APPFW_APPFW_BUFFEROVERFLOW_URL", "nwparser.payload", "%{saddr-> var msg6 = msg("APPFW_APPFW_BUFFEROVERFLOW_URL", part10); -var part11 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(info,false), Constant(': '), Field(url,false)}" -match("MESSAGE#137:APPFW_APPFW_BUFFEROVERFLOW_URL:01", "nwparser.payload", "%{saddr->} %{fld2->} %{info}: %{url}", processor_chain([ +var part11 = match("MESSAGE#137:APPFW_APPFW_BUFFEROVERFLOW_URL:01", "nwparser.payload", "%{saddr->} %{fld2->} %{info}: %{url}", processor_chain([ dup12, dup13, dup3, @@ -634,14 +564,11 @@ var select4 = linear_select([ msg7, ]); -var part12 = // "Pattern{Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(rule_group,true), Constant(' Cookie'), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Cookie%{p0}"); +var part12 = match("MESSAGE#6:APPFW_APPFW_COOKIE/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Cookie%{p0}"); -var part13 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Cookie'), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Cookie%{p0}"); +var part13 = match("MESSAGE#6:APPFW_APPFW_COOKIE/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Cookie%{p0}"); -var part14 = // "Pattern{Field(rule_group,true), Constant(' Cookie'), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/1_2", "nwparser.p0", "%{rule_group->} Cookie%{p0}"); +var part14 = match("MESSAGE#6:APPFW_APPFW_COOKIE/1_2", "nwparser.p0", "%{rule_group->} Cookie%{p0}"); var select5 = linear_select([ part12, @@ -649,8 +576,7 @@ var select5 = linear_select([ part14, ]); -var part15 = // "Pattern{Field(url,true), Constant(' validation failed for '), Field(fld3,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/2", "nwparser.p0", "%{url->} validation failed for %{fld3->} \u003c\u003c%{disposition}>"); +var part15 = match("MESSAGE#6:APPFW_APPFW_COOKIE/2", "nwparser.p0", "%{url->} validation failed for %{fld3->} \u003c\u003c%{disposition}>"); var all3 = all_match({ processors: [ @@ -668,11 +594,9 @@ var all3 = all_match({ var msg8 = msg("APPFW_APPFW_COOKIE", all3); -var part16 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Disallow Deny URL: '), Field(p0,false)}" -match("MESSAGE#7:APPFW_APPFW_DENYURL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Deny URL: %{p0}"); +var part16 = match("MESSAGE#7:APPFW_APPFW_DENYURL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Deny URL: %{p0}"); -var part17 = // "Pattern{Field(rule_group,true), Constant(' Disallow Deny URL: '), Field(p0,false)}" -match("MESSAGE#7:APPFW_APPFW_DENYURL/1_1", "nwparser.p0", "%{rule_group->} Disallow Deny URL: %{p0}"); +var part17 = match("MESSAGE#7:APPFW_APPFW_DENYURL/1_1", "nwparser.p0", "%{rule_group->} Disallow Deny URL: %{p0}"); var select6 = linear_select([ part16, @@ -697,14 +621,11 @@ var all4 = all_match({ var msg9 = msg("APPFW_APPFW_DENYURL", all4); -var part18 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Field consistency'), Field(p0,false)}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_0", "nwparser.p0", "%{fld1->} %{fld2->} %{rule_group->} Field consistency%{p0}"); +var part18 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_0", "nwparser.p0", "%{fld1->} %{fld2->} %{rule_group->} Field consistency%{p0}"); -var part19 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Field consistency'), Field(p0,false)}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Field consistency%{p0}"); +var part19 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Field consistency%{p0}"); -var part20 = // "Pattern{Field(rule_group,true), Constant(' Field consistency'), Field(p0,false)}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_2", "nwparser.p0", "%{rule_group->} Field consistency%{p0}"); +var part20 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_2", "nwparser.p0", "%{rule_group->} Field consistency%{p0}"); var select7 = linear_select([ part18, @@ -728,19 +649,16 @@ var all5 = all_match({ var msg10 = msg("APPFW_APPFW_FIELDCONSISTENCY", all5); -var part21 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Field'), Field(p0,false)}" -match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Field%{p0}"); +var part21 = match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Field%{p0}"); -var part22 = // "Pattern{Field(rule_group,true), Constant(' Field'), Field(p0,false)}" -match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_1", "nwparser.p0", "%{rule_group->} Field%{p0}"); +var part22 = match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_1", "nwparser.p0", "%{rule_group->} Field%{p0}"); var select8 = linear_select([ part21, part22, ]); -var part23 = // "Pattern{Field(url,true), Constant(' '), Field(info,true), Constant(' ="'), Field(fld4,false), Constant('" <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/2", "nwparser.p0", "%{url->} %{info->} =\"%{fld4}\" \u003c\u003c%{disposition}>"); +var part23 = match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/2", "nwparser.p0", "%{url->} %{info->} =\"%{fld4}\" \u003c\u003c%{disposition}>"); var all6 = all_match({ processors: [ @@ -758,11 +676,9 @@ var all6 = all_match({ var msg11 = msg("APPFW_APPFW_FIELDFORMAT", all6); -var part24 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' SQL'), Field(p0,false)}" -match("MESSAGE#10:APPFW_APPFW_SQL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} SQL%{p0}"); +var part24 = match("MESSAGE#10:APPFW_APPFW_SQL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} SQL%{p0}"); -var part25 = // "Pattern{Field(rule_group,true), Constant(' SQL'), Field(p0,false)}" -match("MESSAGE#10:APPFW_APPFW_SQL/1_1", "nwparser.p0", "%{rule_group->} SQL%{p0}"); +var part25 = match("MESSAGE#10:APPFW_APPFW_SQL/1_1", "nwparser.p0", "%{rule_group->} SQL%{p0}"); var select9 = linear_select([ part24, @@ -785,11 +701,9 @@ var all7 = all_match({ var msg12 = msg("APPFW_APPFW_SQL", all7); -var part26 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#11:APPFW_APPFW_SQL_1/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{p0}"); +var part26 = match("MESSAGE#11:APPFW_APPFW_SQL_1/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{p0}"); -var part27 = // "Pattern{Field(rule_group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#11:APPFW_APPFW_SQL_1/1_1", "nwparser.p0", "%{rule_group->} %{p0}"); +var part27 = match("MESSAGE#11:APPFW_APPFW_SQL_1/1_1", "nwparser.p0", "%{rule_group->} %{p0}"); var select10 = linear_select([ part26, @@ -817,19 +731,16 @@ var select11 = linear_select([ msg13, ]); -var part28 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Maximum no. '), Field(p0,false)}" -match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Maximum no. %{p0}"); +var part28 = match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Maximum no. %{p0}"); -var part29 = // "Pattern{Field(rule_group,true), Constant(' Maximum no. '), Field(p0,false)}" -match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_1", "nwparser.p0", "%{rule_group->} Maximum no. %{p0}"); +var part29 = match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_1", "nwparser.p0", "%{rule_group->} Maximum no. %{p0}"); var select12 = linear_select([ part28, part29, ]); -var part30 = // "Pattern{Field(url,true), Constant(' of potential credit card numbers seen <<'), Field(info,false), Constant('>')}" -match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/2", "nwparser.p0", "%{url->} of potential credit card numbers seen \u003c\u003c%{info}>"); +var part30 = match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/2", "nwparser.p0", "%{url->} of potential credit card numbers seen \u003c\u003c%{info}>"); var all9 = all_match({ processors: [ @@ -847,19 +758,16 @@ var all9 = all_match({ var msg14 = msg("APPFW_APPFW_SAFECOMMERCE", all9); -var part31 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Transformed ('), Field(info,false), Constant(') Maximum no. '), Field(p0,false)}" -match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{url->} Transformed (%{info}) Maximum no. %{p0}"); +var part31 = match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{url->} Transformed (%{info}) Maximum no. %{p0}"); -var part32 = // "Pattern{Field(rule_group,true), Constant(' '), Field(url,true), Constant(' ('), Field(info,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_1", "nwparser.p0", "%{rule_group->} %{url->} (%{info}) %{p0}"); +var part32 = match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_1", "nwparser.p0", "%{rule_group->} %{url->} (%{info}) %{p0}"); var select13 = linear_select([ part31, part32, ]); -var part33 = // "Pattern{Constant('potential credit card numbers seen in server response'), Field(,false)}" -match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/2", "nwparser.p0", "potential credit card numbers seen in server response%{}"); +var part33 = match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/2", "nwparser.p0", "potential credit card numbers seen in server response%{}"); var all10 = all_match({ processors: [ @@ -877,14 +785,11 @@ var all10 = all_match({ var msg15 = msg("APPFW_APPFW_SAFECOMMERCE_XFORM", all10); -var part34 = // "Pattern{Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(rule_group,true), Constant(' Disallow Illegal URL: '), Field(p0,false)}" -match("MESSAGE#14:APPFW_APPFW_STARTURL/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Disallow Illegal URL: %{p0}"); +var part34 = match("MESSAGE#14:APPFW_APPFW_STARTURL/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Disallow Illegal URL: %{p0}"); -var part35 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Disallow Illegal URL: '), Field(p0,false)}" -match("MESSAGE#14:APPFW_APPFW_STARTURL/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Illegal URL: %{p0}"); +var part35 = match("MESSAGE#14:APPFW_APPFW_STARTURL/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Illegal URL: %{p0}"); -var part36 = // "Pattern{Field(rule_group,true), Constant(' Disallow Illegal URL: '), Field(p0,false)}" -match("MESSAGE#14:APPFW_APPFW_STARTURL/1_2", "nwparser.p0", "%{rule_group->} Disallow Illegal URL: %{p0}"); +var part36 = match("MESSAGE#14:APPFW_APPFW_STARTURL/1_2", "nwparser.p0", "%{rule_group->} Disallow Illegal URL: %{p0}"); var select14 = linear_select([ part34, @@ -908,19 +813,16 @@ var all11 = all_match({ var msg16 = msg("APPFW_APPFW_STARTURL", all11); -var part37 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Cross-site'), Field(p0,false)}" -match("MESSAGE#15:APPFW_APPFW_XSS/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Cross-site%{p0}"); +var part37 = match("MESSAGE#15:APPFW_APPFW_XSS/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Cross-site%{p0}"); -var part38 = // "Pattern{Field(rule_group,true), Constant(' Cross-site'), Field(p0,false)}" -match("MESSAGE#15:APPFW_APPFW_XSS/1_1", "nwparser.p0", "%{rule_group->} Cross-site%{p0}"); +var part38 = match("MESSAGE#15:APPFW_APPFW_XSS/1_1", "nwparser.p0", "%{rule_group->} Cross-site%{p0}"); var select15 = linear_select([ part37, part38, ]); -var part39 = // "Pattern{Field(url,true), Constant(' script '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#15:APPFW_APPFW_XSS/2", "nwparser.p0", "%{url->} script %{info->} \u003c\u003c%{disposition}>"); +var part39 = match("MESSAGE#15:APPFW_APPFW_XSS/2", "nwparser.p0", "%{url->} script %{info->} \u003c\u003c%{disposition}>"); var all12 = all_match({ processors: [ @@ -938,8 +840,7 @@ var all12 = all_match({ var msg17 = msg("APPFW_APPFW_XSS", all12); -var part40 = // "Pattern{Field(saddr,true), Constant(' "'), Field(info,false), Constant('"')}" -match("MESSAGE#16:APPFW_AF_400_RESP", "nwparser.payload", "%{saddr->} \"%{info}\"", processor_chain([ +var part40 = match("MESSAGE#16:APPFW_AF_400_RESP", "nwparser.payload", "%{saddr->} \"%{info}\"", processor_chain([ dup11, dup18, dup3, @@ -948,8 +849,7 @@ match("MESSAGE#16:APPFW_AF_400_RESP", "nwparser.payload", "%{saddr->} \"%{info}\ var msg18 = msg("APPFW_AF_400_RESP", part40); -var part41 = // "Pattern{Field(saddr,true), Constant(' '), Field(info,false)}" -match("MESSAGE#138:APPFW_AF_400_RESP:01", "nwparser.payload", "%{saddr->} %{info}", processor_chain([ +var part41 = match("MESSAGE#138:APPFW_AF_400_RESP:01", "nwparser.payload", "%{saddr->} %{info}", processor_chain([ dup11, dup18, dup3, @@ -963,8 +863,7 @@ var select16 = linear_select([ msg19, ]); -var part42 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld10,true), Constant(' Match found with Safe Object: '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#17:APPFW_APPFW_SAFEOBJECT", "nwparser.payload", "%{saddr->} %{fld10->} Match found with Safe Object: %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part42 = match("MESSAGE#17:APPFW_APPFW_SAFEOBJECT", "nwparser.payload", "%{saddr->} %{fld10->} Match found with Safe Object: %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup11, setc("event_description","AppFw Safe Object"), dup3, @@ -973,8 +872,7 @@ match("MESSAGE#17:APPFW_APPFW_SAFEOBJECT", "nwparser.payload", "%{saddr->} %{fld var msg20 = msg("APPFW_APPFW_SAFEOBJECT", part42); -var part43 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld10,true), Constant(' CSRF Tag validation failed: <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#18:APPFW_APPFW_CSRF_TAG", "nwparser.payload", "%{saddr->} %{fld10->} CSRF Tag validation failed: \u003c\u003c%{disposition}>", processor_chain([ +var part43 = match("MESSAGE#18:APPFW_APPFW_CSRF_TAG", "nwparser.payload", "%{saddr->} %{fld10->} CSRF Tag validation failed: \u003c\u003c%{disposition}>", processor_chain([ dup11, setc("event_description","AppFw CSRF Tag Validation Failed"), dup3, @@ -983,8 +881,7 @@ match("MESSAGE#18:APPFW_APPFW_CSRF_TAG", "nwparser.payload", "%{saddr->} %{fld10 var msg21 = msg("APPFW_APPFW_CSRF_TAG", part43); -var part44 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(url,false)}" -match("MESSAGE#135:APPFW_APPFW_CSRF_TAG:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url}", processor_chain([ +var part44 = match("MESSAGE#135:APPFW_APPFW_CSRF_TAG:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url}", processor_chain([ dup9, dup3, dup4, @@ -997,8 +894,7 @@ var select17 = linear_select([ msg22, ]); -var part45 = // "Pattern{Constant('Memory allocation request for '), Field(bytes,true), Constant(' bytes failed. Call stack PCs: '), Field(fld1,false)}" -match("MESSAGE#19:APPFW_AF_MEMORY_ERR", "nwparser.payload", "Memory allocation request for %{bytes->} bytes failed. Call stack PCs: %{fld1}", processor_chain([ +var part45 = match("MESSAGE#19:APPFW_AF_MEMORY_ERR", "nwparser.payload", "Memory allocation request for %{bytes->} bytes failed. Call stack PCs: %{fld1}", processor_chain([ dup11, setc("event_description","Memory allocation request for some bytes failed"), dup19, @@ -1007,19 +903,16 @@ match("MESSAGE#19:APPFW_AF_MEMORY_ERR", "nwparser.payload", "Memory allocation r var msg23 = msg("APPFW_AF_MEMORY_ERR", part45); -var part46 = // "Pattern{Constant('Invalid rule id '), Field(p0,false)}" -match("MESSAGE#20:APPFW_Message/1_0", "nwparser.p0", "Invalid rule id %{p0}"); +var part46 = match("MESSAGE#20:APPFW_Message/1_0", "nwparser.p0", "Invalid rule id %{p0}"); -var part47 = // "Pattern{Constant('Duplicate rule id '), Field(p0,false)}" -match("MESSAGE#20:APPFW_Message/1_1", "nwparser.p0", "Duplicate rule id %{p0}"); +var part47 = match("MESSAGE#20:APPFW_Message/1_1", "nwparser.p0", "Duplicate rule id %{p0}"); var select18 = linear_select([ part46, part47, ]); -var part48 = // "Pattern{Field(fld1,false), Constant('"')}" -match("MESSAGE#20:APPFW_Message/2", "nwparser.p0", "%{fld1}\""); +var part48 = match("MESSAGE#20:APPFW_Message/2", "nwparser.p0", "%{fld1}\""); var all13 = all_match({ processors: [ @@ -1037,8 +930,7 @@ var all13 = all_match({ var msg24 = msg("APPFW_Message", all13); -var part49 = // "Pattern{Constant('"Setting default custom settings for profile '), Field(fld1,true), Constant(' ('), Field(fld2,false), Constant(')"')}" -match("MESSAGE#21:APPFW_Message:01", "nwparser.payload", "\"Setting default custom settings for profile %{fld1->} (%{fld2})\"", processor_chain([ +var part49 = match("MESSAGE#21:APPFW_Message:01", "nwparser.payload", "\"Setting default custom settings for profile %{fld1->} (%{fld2})\"", processor_chain([ dup9, setc("event_description","Setting default custom settings for profile"), dup19, @@ -1047,8 +939,7 @@ match("MESSAGE#21:APPFW_Message:01", "nwparser.payload", "\"Setting default cust var msg25 = msg("APPFW_Message:01", part49); -var part50 = // "Pattern{Constant('"Setting same CustomSettings( ) to profile. '), Field(fld2,false), Constant('"')}" -match("MESSAGE#22:APPFW_Message:02", "nwparser.payload", "\"Setting same CustomSettings( ) to profile. %{fld2}\"", processor_chain([ +var part50 = match("MESSAGE#22:APPFW_Message:02", "nwparser.payload", "\"Setting same CustomSettings( ) to profile. %{fld2}\"", processor_chain([ dup9, setc("event_description","Setting same CustomSettings( ) to profile."), dup4, @@ -1064,8 +955,7 @@ var select19 = linear_select([ var msg27 = msg("DR_HA_Message", dup113); -var part51 = // "Pattern{Field(process,true), Constant(' ended '), Field(p0,false)}" -match("MESSAGE#24:EVENT_ALERTENDED/0", "nwparser.payload", "%{process->} ended %{p0}"); +var part51 = match("MESSAGE#24:EVENT_ALERTENDED/0", "nwparser.payload", "%{process->} ended %{p0}"); var all14 = all_match({ processors: [ @@ -1082,8 +972,7 @@ var all14 = all_match({ var msg28 = msg("EVENT_ALERTENDED", all14); -var part52 = // "Pattern{Field(process,true), Constant(' started '), Field(p0,false)}" -match("MESSAGE#25:EVENT_ALERTSTARTED/0", "nwparser.payload", "%{process->} started %{p0}"); +var part52 = match("MESSAGE#25:EVENT_ALERTSTARTED/0", "nwparser.payload", "%{process->} started %{p0}"); var all15 = all_match({ processors: [ @@ -1100,8 +989,7 @@ var all15 = all_match({ var msg29 = msg("EVENT_ALERTSTARTED", all15); -var part53 = // "Pattern{Constant('CONFIG '), Field(info,false)}" -match("MESSAGE#26:EVENT_CONFIGEND", "nwparser.payload", "CONFIG %{info}", processor_chain([ +var part53 = match("MESSAGE#26:EVENT_CONFIGEND", "nwparser.payload", "CONFIG %{info}", processor_chain([ dup2, dup27, dup28, @@ -1113,8 +1001,7 @@ match("MESSAGE#26:EVENT_CONFIGEND", "nwparser.payload", "CONFIG %{info}", proces var msg30 = msg("EVENT_CONFIGEND", part53); -var part54 = // "Pattern{Constant('CONFIG '), Field(info,false)}" -match("MESSAGE#27:EVENT_CONFIGSTART", "nwparser.payload", "CONFIG %{info}", processor_chain([ +var part54 = match("MESSAGE#27:EVENT_CONFIGSTART", "nwparser.payload", "CONFIG %{info}", processor_chain([ dup2, dup27, dup30, @@ -1143,8 +1030,7 @@ var all16 = all_match({ var msg32 = msg("EVENT_DEVICEDOWN", all16); -var part55 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - State '), Field(event_state,false)}" -match("MESSAGE#29:EVENT_DEVICEOFS", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ +var part55 = match("MESSAGE#29:EVENT_DEVICEOFS", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ dup11, dup34, dup28, @@ -1172,8 +1058,7 @@ var all17 = all_match({ var msg34 = msg("EVENT_DEVICEUP", all17); -var part56 = // "Pattern{Constant('"'), Field(obj_name,false), Constant('"')}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_1", "nwparser.p0", "\"%{obj_name}\""); +var part56 = match("MESSAGE#31:EVENT_MONITORDOWN/1_1", "nwparser.p0", "\"%{obj_name}\""); var select20 = linear_select([ dup37, @@ -1216,8 +1101,7 @@ var all19 = all_match({ var msg36 = msg("EVENT_MONITORUP", all19); -var part57 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - State '), Field(event_state,false)}" -match("MESSAGE#33:EVENT_NICRESET", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ +var part57 = match("MESSAGE#33:EVENT_NICRESET", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ dup2, dup39, dup3, @@ -1226,8 +1110,7 @@ match("MESSAGE#33:EVENT_NICRESET", "nwparser.payload", "%{obj_type->} \"%{obj_na var msg37 = msg("EVENT_NICRESET", part57); -var part58 = // "Pattern{Field(obj_type,true), Constant(' '), Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#34:EVENT_ROUTEDOWN", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ +var part58 = match("MESSAGE#34:EVENT_ROUTEDOWN", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ dup11, dup40, dup28, @@ -1238,8 +1121,7 @@ match("MESSAGE#34:EVENT_ROUTEDOWN", "nwparser.payload", "%{obj_type->} %{obj_nam var msg38 = msg("EVENT_ROUTEDOWN", part58); -var part59 = // "Pattern{Field(obj_type,true), Constant(' '), Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#35:EVENT_ROUTEUP", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ +var part59 = match("MESSAGE#35:EVENT_ROUTEUP", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ dup2, dup40, dup30, @@ -1250,8 +1132,7 @@ match("MESSAGE#35:EVENT_ROUTEUP", "nwparser.payload", "%{obj_type->} %{obj_name- var msg39 = msg("EVENT_ROUTEUP", part59); -var part60 = // "Pattern{Constant('CPU_started '), Field(info,false)}" -match("MESSAGE#36:EVENT_STARTCPU", "nwparser.payload", "CPU_started %{info}", processor_chain([ +var part60 = match("MESSAGE#36:EVENT_STARTCPU", "nwparser.payload", "CPU_started %{info}", processor_chain([ dup2, setc("event_description","CPU Started"), dup3, @@ -1260,8 +1141,7 @@ match("MESSAGE#36:EVENT_STARTCPU", "nwparser.payload", "CPU_started %{info}", pr var msg40 = msg("EVENT_STARTCPU", part60); -var part61 = // "Pattern{Constant('SAVECONFIG '), Field(info,false)}" -match("MESSAGE#37:EVENT_STARTSAVECONFIG", "nwparser.payload", "SAVECONFIG %{info}", processor_chain([ +var part61 = match("MESSAGE#37:EVENT_STARTSAVECONFIG", "nwparser.payload", "SAVECONFIG %{info}", processor_chain([ dup2, setc("event_description","Save configuration started"), dup3, @@ -1270,8 +1150,7 @@ match("MESSAGE#37:EVENT_STARTSAVECONFIG", "nwparser.payload", "SAVECONFIG %{info var msg41 = msg("EVENT_STARTSAVECONFIG", part61); -var part62 = // "Pattern{Constant('System started - '), Field(info,false)}" -match("MESSAGE#38:EVENT_STARTSYS", "nwparser.payload", "System started - %{info}", processor_chain([ +var part62 = match("MESSAGE#38:EVENT_STARTSYS", "nwparser.payload", "System started - %{info}", processor_chain([ dup2, dup34, dup30, @@ -1282,8 +1161,7 @@ match("MESSAGE#38:EVENT_STARTSYS", "nwparser.payload", "System started - %{info} var msg42 = msg("EVENT_STARTSYS", part62); -var part63 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - State '), Field(event_state,false)}" -match("MESSAGE#39:EVENT_STATECHANGE", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ +var part63 = match("MESSAGE#39:EVENT_STATECHANGE", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ dup2, dup34, dup30, @@ -1294,8 +1172,7 @@ match("MESSAGE#39:EVENT_STATECHANGE", "nwparser.payload", "%{obj_type->} \"%{obj var msg43 = msg("EVENT_STATECHANGE", part63); -var part64 = // "Pattern{Field(obj_type,true), Constant(' ('), Field(obj_name,false), Constant(') - '), Field(event_state,true), Constant(' '), Field(info,false)}" -match("MESSAGE#40:EVENT_STATECHANGE_HEARTBEAT", "nwparser.payload", "%{obj_type->} (%{obj_name}) - %{event_state->} %{info}", processor_chain([ +var part64 = match("MESSAGE#40:EVENT_STATECHANGE_HEARTBEAT", "nwparser.payload", "%{obj_type->} (%{obj_name}) - %{event_state->} %{info}", processor_chain([ dup2, setc("event_description","Heartbeat State report"), dup3, @@ -1304,8 +1181,7 @@ match("MESSAGE#40:EVENT_STATECHANGE_HEARTBEAT", "nwparser.payload", "%{obj_type- var msg44 = msg("EVENT_STATECHANGE_HEARTBEAT", part64); -var part65 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - '), Field(event_state,true), Constant(' '), Field(info,false)}" -match("MESSAGE#41:EVENT_STATECHANGE:01", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - %{event_state->} %{info}", processor_chain([ +var part65 = match("MESSAGE#41:EVENT_STATECHANGE:01", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - %{event_state->} %{info}", processor_chain([ dup2, dup4, ])); @@ -1318,8 +1194,7 @@ var select22 = linear_select([ msg45, ]); -var part66 = // "Pattern{Constant('SAVECONFIG'), Field(info,false)}" -match("MESSAGE#42:EVENT_STOPSAVECONFIG", "nwparser.payload", "SAVECONFIG%{info}", processor_chain([ +var part66 = match("MESSAGE#42:EVENT_STOPSAVECONFIG", "nwparser.payload", "SAVECONFIG%{info}", processor_chain([ dup2, dup27, dup28, @@ -1330,8 +1205,7 @@ match("MESSAGE#42:EVENT_STOPSAVECONFIG", "nwparser.payload", "SAVECONFIG%{info}" var msg46 = msg("EVENT_STOPSAVECONFIG", part66); -var part67 = // "Pattern{Constant('System stopped - '), Field(info,false)}" -match("MESSAGE#43:EVENT_STOPSYS", "nwparser.payload", "System stopped - %{info}", processor_chain([ +var part67 = match("MESSAGE#43:EVENT_STOPSYS", "nwparser.payload", "System stopped - %{info}", processor_chain([ dup2, dup34, dup28, @@ -1342,8 +1216,7 @@ match("MESSAGE#43:EVENT_STOPSYS", "nwparser.payload", "System stopped - %{info}" var msg47 = msg("EVENT_STOPSYS", part67); -var part68 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#44:EVENT_UNKNOWN", "nwparser.payload", "info", processor_chain([ +var part68 = match_copy("MESSAGE#44:EVENT_UNKNOWN", "nwparser.payload", "info", processor_chain([ dup11, setc("event_description","Unknown Event"), dup3, @@ -1352,11 +1225,9 @@ match_copy("MESSAGE#44:EVENT_UNKNOWN", "nwparser.payload", "info", processor_cha var msg48 = msg("EVENT_UNKNOWN", part68); -var part69 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' Adding '), Field(p0,false)}" -match("MESSAGE#45:PITBOSS_Message1/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Adding %{p0}"); +var part69 = match("MESSAGE#45:PITBOSS_Message1/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Adding %{p0}"); -var part70 = // "Pattern{Constant('Adding '), Field(p0,false)}" -match("MESSAGE#45:PITBOSS_Message1/1_1", "nwparser.p0", "Adding %{p0}"); +var part70 = match("MESSAGE#45:PITBOSS_Message1/1_1", "nwparser.p0", "Adding %{p0}"); var select23 = linear_select([ part69, @@ -1379,11 +1250,9 @@ var all20 = all_match({ var msg49 = msg("PITBOSS_Message1", all20); -var part71 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' Deleting '), Field(p0,false)}" -match("MESSAGE#46:PITBOSS_Message2/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Deleting %{p0}"); +var part71 = match("MESSAGE#46:PITBOSS_Message2/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Deleting %{p0}"); -var part72 = // "Pattern{Constant('Deleting '), Field(p0,false)}" -match("MESSAGE#46:PITBOSS_Message2/1_1", "nwparser.p0", "Deleting %{p0}"); +var part72 = match("MESSAGE#46:PITBOSS_Message2/1_1", "nwparser.p0", "Deleting %{p0}"); var select24 = linear_select([ part71, @@ -1406,17 +1275,13 @@ var all21 = all_match({ var msg50 = msg("PITBOSS_Message2", all21); -var part73 = // "Pattern{Constant('"'), Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#47:PITBOSS_Message3/0", "nwparser.payload", "\"%{fld1->} %{fld10->} %{p0}"); +var part73 = match("MESSAGE#47:PITBOSS_Message3/0", "nwparser.payload", "\"%{fld1->} %{fld10->} %{p0}"); -var part74 = // "Pattern{Constant('Pitboss policy is'), Field(p0,false)}" -match("MESSAGE#47:PITBOSS_Message3/1_0", "nwparser.p0", "Pitboss policy is%{p0}"); +var part74 = match("MESSAGE#47:PITBOSS_Message3/1_0", "nwparser.p0", "Pitboss policy is%{p0}"); -var part75 = // "Pattern{Constant('PB_OP_CHANGE_POLICY new policy'), Field(p0,false)}" -match("MESSAGE#47:PITBOSS_Message3/1_1", "nwparser.p0", "PB_OP_CHANGE_POLICY new policy%{p0}"); +var part75 = match("MESSAGE#47:PITBOSS_Message3/1_1", "nwparser.p0", "PB_OP_CHANGE_POLICY new policy%{p0}"); -var part76 = // "Pattern{Constant('pb_op_longer_hb'), Field(p0,false)}" -match("MESSAGE#47:PITBOSS_Message3/1_2", "nwparser.p0", "pb_op_longer_hb%{p0}"); +var part76 = match("MESSAGE#47:PITBOSS_Message3/1_2", "nwparser.p0", "pb_op_longer_hb%{p0}"); var select25 = linear_select([ part74, @@ -1424,8 +1289,7 @@ var select25 = linear_select([ part76, ]); -var part77 = // "Pattern{Field(,true), Constant(' '), Field(info,false), Constant('"')}" -match("MESSAGE#47:PITBOSS_Message3/2", "nwparser.p0", "%{} %{info}\""); +var part77 = match("MESSAGE#47:PITBOSS_Message3/2", "nwparser.p0", "%{} %{info}\""); var all22 = all_match({ processors: [ @@ -1444,11 +1308,9 @@ var all22 = all_match({ var msg51 = msg("PITBOSS_Message3", all22); -var part78 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' process '), Field(p0,false)}" -match("MESSAGE#48:PITBOSS_Message4/1_0", "nwparser.p0", "%{fld1->} %{fld10->} process %{p0}"); +var part78 = match("MESSAGE#48:PITBOSS_Message4/1_0", "nwparser.p0", "%{fld1->} %{fld10->} process %{p0}"); -var part79 = // "Pattern{Constant('process '), Field(p0,false)}" -match("MESSAGE#48:PITBOSS_Message4/1_1", "nwparser.p0", "process %{p0}"); +var part79 = match("MESSAGE#48:PITBOSS_Message4/1_1", "nwparser.p0", "process %{p0}"); var select26 = linear_select([ part78, @@ -1472,11 +1334,9 @@ var all23 = all_match({ var msg52 = msg("PITBOSS_Message4", all23); -var part80 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' New '), Field(p0,false)}" -match("MESSAGE#49:PITBOSS_Message5/1_0", "nwparser.p0", "%{fld1->} %{fld10->} New %{p0}"); +var part80 = match("MESSAGE#49:PITBOSS_Message5/1_0", "nwparser.p0", "%{fld1->} %{fld10->} New %{p0}"); -var part81 = // "Pattern{Constant('New '), Field(p0,false)}" -match("MESSAGE#49:PITBOSS_Message5/1_1", "nwparser.p0", "New %{p0}"); +var part81 = match("MESSAGE#49:PITBOSS_Message5/1_1", "nwparser.p0", "New %{p0}"); var select27 = linear_select([ part80, @@ -1508,8 +1368,7 @@ var select28 = linear_select([ msg53, ]); -var part82 = // "Pattern{Constant('"IMI: '), Field(event_description,true), Constant(' : nodeID('), Field(fld1,false), Constant(') IP('), Field(saddr,false), Constant(') instance('), Field(fld2,false), Constant(') Configuration Coordinator('), Field(fld3,false), Constant(') Nodeset('), Field(fld4,false), Constant(')"')}" -match("MESSAGE#50:ROUTING_Message", "nwparser.payload", "\"IMI: %{event_description->} : nodeID(%{fld1}) IP(%{saddr}) instance(%{fld2}) Configuration Coordinator(%{fld3}) Nodeset(%{fld4})\"", processor_chain([ +var part82 = match("MESSAGE#50:ROUTING_Message", "nwparser.payload", "\"IMI: %{event_description->} : nodeID(%{fld1}) IP(%{saddr}) instance(%{fld2}) Configuration Coordinator(%{fld3}) Nodeset(%{fld4})\"", processor_chain([ dup9, dup4, ])); @@ -1518,8 +1377,7 @@ var msg54 = msg("ROUTING_Message", part82); var msg55 = msg("ROUTING_Message:01", dup113); -var part83 = // "Pattern{Constant('"'), Field(fld1,true), Constant(' started"')}" -match("MESSAGE#52:ROUTING_Message:02", "nwparser.payload", "\"%{fld1->} started\"", processor_chain([ +var part83 = match("MESSAGE#52:ROUTING_Message:02", "nwparser.payload", "\"%{fld1->} started\"", processor_chain([ dup9, dup4, ])); @@ -1532,8 +1390,7 @@ var select29 = linear_select([ msg56, ]); -var part84 = // "Pattern{Field(obj_type,true), Constant(' Command "'), Field(action,false), Constant('" '), Field(info,false)}" -match("MESSAGE#53:ROUTING_ZEBOS_CMD_EXECUTED", "nwparser.payload", "%{obj_type->} Command \"%{action}\" %{info}", processor_chain([ +var part84 = match("MESSAGE#53:ROUTING_ZEBOS_CMD_EXECUTED", "nwparser.payload", "%{obj_type->} Command \"%{action}\" %{info}", processor_chain([ dup2, setc("event_description","User has executed a command in ZebOS(vtysh)"), dup3, @@ -1542,31 +1399,24 @@ match("MESSAGE#53:ROUTING_ZEBOS_CMD_EXECUTED", "nwparser.payload", "%{obj_type-> var msg57 = msg("ROUTING_ZEBOS_CMD_EXECUTED", part84); -var part85 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,false), Constant('entityName = "'), Field(p0,false)}" -match("MESSAGE#54:SNMP_TRAP_SENT7/0", "nwparser.payload", "%{obj_type->} ( %{space}entityName = \"%{p0}"); +var part85 = match("MESSAGE#54:SNMP_TRAP_SENT7/0", "nwparser.payload", "%{obj_type->} ( %{space}entityName = \"%{p0}"); -var part86 = // "Pattern{Field(obj_name,false), Constant('('), Field(info,false), Constant('...",'), Field(p0,false)}" -match("MESSAGE#54:SNMP_TRAP_SENT7/1_0", "nwparser.p0", "%{obj_name}(%{info}...\",%{p0}"); +var part86 = match("MESSAGE#54:SNMP_TRAP_SENT7/1_0", "nwparser.p0", "%{obj_name}(%{info}...\",%{p0}"); -var part87 = // "Pattern{Field(obj_name,false), Constant('...",'), Field(p0,false)}" -match("MESSAGE#54:SNMP_TRAP_SENT7/1_1", "nwparser.p0", "%{obj_name}...\",%{p0}"); +var part87 = match("MESSAGE#54:SNMP_TRAP_SENT7/1_1", "nwparser.p0", "%{obj_name}...\",%{p0}"); var select30 = linear_select([ part86, part87, ]); -var part88 = // "Pattern{Field(,false), Constant('alarmEntityCurState = '), Field(event_state,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#54:SNMP_TRAP_SENT7/2", "nwparser.p0", "%{}alarmEntityCurState = %{event_state}, %{p0}"); +var part88 = match("MESSAGE#54:SNMP_TRAP_SENT7/2", "nwparser.p0", "%{}alarmEntityCurState = %{event_state}, %{p0}"); -var part89 = // "Pattern{Constant('svcServiceFullName.'), Field(fld2,true), Constant(' = "'), Field(service,false), Constant('", nsPartitionName = '), Field(fld4,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_0", "nwparser.p0", "svcServiceFullName.%{fld2->} = \"%{service}\", nsPartitionName = %{fld4})"); +var part89 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_0", "nwparser.p0", "svcServiceFullName.%{fld2->} = \"%{service}\", nsPartitionName = %{fld4})"); -var part90 = // "Pattern{Constant('vsvrFullName.'), Field(fld3,true), Constant(' = "'), Field(obj_server,false), Constant('", nsPartitionName = '), Field(fld4,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_1", "nwparser.p0", "vsvrFullName.%{fld3->} = \"%{obj_server}\", nsPartitionName = %{fld4})"); +var part90 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_1", "nwparser.p0", "vsvrFullName.%{fld3->} = \"%{obj_server}\", nsPartitionName = %{fld4})"); -var part91 = // "Pattern{Constant('svcGrpMemberFullName.'), Field(fld6,true), Constant(' = "'), Field(fld7,false), Constant('", nsPartitionName = '), Field(fld4,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_2", "nwparser.p0", "svcGrpMemberFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld4})"); +var part91 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_2", "nwparser.p0", "svcGrpMemberFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld4})"); var select31 = linear_select([ part89, @@ -1592,8 +1442,7 @@ var all25 = all_match({ var msg58 = msg("SNMP_TRAP_SENT7", all25); -var part92 = // "Pattern{Field(obj_type,true), Constant(' ( entityName = "'), Field(obj_name,false), Constant('...", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#55:SNMP_TRAP_SENT8", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name}...\", sysIpAddress = %{hostip})", processor_chain([ +var part92 = match("MESSAGE#55:SNMP_TRAP_SENT8", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name}...\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup4, @@ -1601,8 +1450,7 @@ match("MESSAGE#55:SNMP_TRAP_SENT8", "nwparser.payload", "%{obj_type->} ( entityN var msg59 = msg("SNMP_TRAP_SENT8", part92); -var part93 = // "Pattern{Field(obj_type,true), Constant(' ( haNicsMonitorFailed = '), Field(obj_name,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#56:SNMP_TRAP_SENT9", "nwparser.payload", "%{obj_type->} ( haNicsMonitorFailed = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ +var part93 = match("MESSAGE#56:SNMP_TRAP_SENT9", "nwparser.payload", "%{obj_type->} ( haNicsMonitorFailed = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup4, @@ -1610,8 +1458,7 @@ match("MESSAGE#56:SNMP_TRAP_SENT9", "nwparser.payload", "%{obj_type->} ( haNicsM var msg60 = msg("SNMP_TRAP_SENT9", part93); -var part94 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,false), Constant('haPeerSystemState = "'), Field(event_state,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#57:SNMP_TRAP_SENT10", "nwparser.payload", "%{obj_type->} ( %{space}haPeerSystemState = \"%{event_state}\", sysIpAddress = %{hostip})", processor_chain([ +var part94 = match("MESSAGE#57:SNMP_TRAP_SENT10", "nwparser.payload", "%{obj_type->} ( %{space}haPeerSystemState = \"%{event_state}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1620,8 +1467,7 @@ match("MESSAGE#57:SNMP_TRAP_SENT10", "nwparser.payload", "%{obj_type->} ( %{spac var msg61 = msg("SNMP_TRAP_SENT10", part94); -var part95 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthDiskName = "'), Field(obj_name,false), Constant('", sysHealthDiskPerusage = '), Field(fld2,false), Constant(', alarmHighThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#58:SNMP_TRAP_SENT11", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{obj_name}\", sysHealthDiskPerusage = %{fld2}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part95 = match("MESSAGE#58:SNMP_TRAP_SENT11", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{obj_name}\", sysHealthDiskPerusage = %{fld2}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1630,8 +1476,7 @@ match("MESSAGE#58:SNMP_TRAP_SENT11", "nwparser.payload", "%{obj_type->} ( sysHea var msg62 = msg("SNMP_TRAP_SENT11", part95); -var part96 = // "Pattern{Field(obj_type,true), Constant(' ( vsvrName = "'), Field(dclass_counter1_string,false), Constant('", vsvrRequestRate = "'), Field(dclass_counter1,false), Constant('", alarmHighThreshold = '), Field(dclass_counter2,false), Constant(', vsvrFullName = "'), Field(fld1,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#59:SNMP_TRAP_SENT12", "nwparser.payload", "%{obj_type->} ( vsvrName = \"%{dclass_counter1_string}\", vsvrRequestRate = \"%{dclass_counter1}\", alarmHighThreshold = %{dclass_counter2}, vsvrFullName = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ +var part96 = match("MESSAGE#59:SNMP_TRAP_SENT12", "nwparser.payload", "%{obj_type->} ( vsvrName = \"%{dclass_counter1_string}\", vsvrRequestRate = \"%{dclass_counter1}\", alarmHighThreshold = %{dclass_counter2}, vsvrFullName = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1640,8 +1485,7 @@ match("MESSAGE#59:SNMP_TRAP_SENT12", "nwparser.payload", "%{obj_type->} ( vsvrNa var msg63 = msg("SNMP_TRAP_SENT12", part96); -var part97 = // "Pattern{Field(obj_type,true), Constant(' ( monServiceName = "'), Field(fld1,false), Constant('", monitorName = "'), Field(dclass_counter1_string,false), Constant('", responseTimeoutThreshold = '), Field(dclass_counter1,false), Constant(', alarmMonrespto = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#60:SNMP_TRAP_SENT13", "nwparser.payload", "%{obj_type->} ( monServiceName = \"%{fld1}\", monitorName = \"%{dclass_counter1_string}\", responseTimeoutThreshold = %{dclass_counter1}, alarmMonrespto = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part97 = match("MESSAGE#60:SNMP_TRAP_SENT13", "nwparser.payload", "%{obj_type->} ( monServiceName = \"%{fld1}\", monitorName = \"%{dclass_counter1_string}\", responseTimeoutThreshold = %{dclass_counter1}, alarmMonrespto = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1650,8 +1494,7 @@ match("MESSAGE#60:SNMP_TRAP_SENT13", "nwparser.payload", "%{obj_type->} ( monSer var msg64 = msg("SNMP_TRAP_SENT13", part97); -var part98 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthCounterName = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue = '), Field(dclass_counter1,false), Constant(', alarmNormalThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#61:SNMP_TRAP_SENT14", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part98 = match("MESSAGE#61:SNMP_TRAP_SENT14", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1660,8 +1503,7 @@ match("MESSAGE#61:SNMP_TRAP_SENT14", "nwparser.payload", "%{obj_type->} ( sysHea var msg65 = msg("SNMP_TRAP_SENT14", part98); -var part99 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthCounterName = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue = '), Field(dclass_counter1,false), Constant(', alarmLowThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#62:SNMP_TRAP_SENT15", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmLowThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part99 = match("MESSAGE#62:SNMP_TRAP_SENT15", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmLowThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1670,8 +1512,7 @@ match("MESSAGE#62:SNMP_TRAP_SENT15", "nwparser.payload", "%{obj_type->} ( sysHea var msg66 = msg("SNMP_TRAP_SENT15", part99); -var part100 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthCounterName = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue = '), Field(dclass_counter1,false), Constant(', alarmHighThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#63:SNMP_TRAP_SENT16", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part100 = match("MESSAGE#63:SNMP_TRAP_SENT16", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1680,8 +1521,7 @@ match("MESSAGE#63:SNMP_TRAP_SENT16", "nwparser.payload", "%{obj_type->} ( sysHea var msg67 = msg("SNMP_TRAP_SENT16", part100); -var part101 = // "Pattern{Field(obj_type,true), Constant(' ( alarmRateLmtThresholdExceeded = "'), Field(obj_name,false), Constant(': "'), Field(info,false), Constant('...", ipAddressGathered = "'), Field(fld1,false), Constant('", stringComputed = "'), Field(fld2,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#64:SNMP_TRAP_SENT17", "nwparser.payload", "%{obj_type->} ( alarmRateLmtThresholdExceeded = \"%{obj_name}: \"%{info}...\", ipAddressGathered = \"%{fld1}\", stringComputed = \"%{fld2}\", sysIpAddress = %{hostip})", processor_chain([ +var part101 = match("MESSAGE#64:SNMP_TRAP_SENT17", "nwparser.payload", "%{obj_type->} ( alarmRateLmtThresholdExceeded = \"%{obj_name}: \"%{info}...\", ipAddressGathered = \"%{fld1}\", stringComputed = \"%{fld2}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1690,22 +1530,18 @@ match("MESSAGE#64:SNMP_TRAP_SENT17", "nwparser.payload", "%{obj_type->} ( alarmR var msg68 = msg("SNMP_TRAP_SENT17", part101); -var part102 = // "Pattern{Field(obj_type,true), Constant(' ( entityName = "'), Field(obj_name,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#65:SNMP_TRAP_SENT/0", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name->} (%{p0}"); +var part102 = match("MESSAGE#65:SNMP_TRAP_SENT/0", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name->} (%{p0}"); -var part103 = // "Pattern{Field(info,false), Constant('..." '), Field(p0,false)}" -match("MESSAGE#65:SNMP_TRAP_SENT/1_0", "nwparser.p0", "%{info}...\" %{p0}"); +var part103 = match("MESSAGE#65:SNMP_TRAP_SENT/1_0", "nwparser.p0", "%{info}...\" %{p0}"); -var part104 = // "Pattern{Field(info,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#65:SNMP_TRAP_SENT/1_1", "nwparser.p0", "%{info}\" %{p0}"); +var part104 = match("MESSAGE#65:SNMP_TRAP_SENT/1_1", "nwparser.p0", "%{info}\" %{p0}"); var select32 = linear_select([ part103, part104, ]); -var part105 = // "Pattern{Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#65:SNMP_TRAP_SENT/2", "nwparser.p0", ", sysIpAddress = %{hostip})"); +var part105 = match("MESSAGE#65:SNMP_TRAP_SENT/2", "nwparser.p0", ", sysIpAddress = %{hostip})"); var all26 = all_match({ processors: [ @@ -1723,8 +1559,7 @@ var all26 = all_match({ var msg69 = msg("SNMP_TRAP_SENT", all26); -var part106 = // "Pattern{Field(obj_type,true), Constant(' ( appfwLogMsg = '), Field(obj_name,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#66:SNMP_TRAP_SENT6", "nwparser.payload", "%{obj_type->} ( appfwLogMsg = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ +var part106 = match("MESSAGE#66:SNMP_TRAP_SENT6", "nwparser.payload", "%{obj_type->} ( appfwLogMsg = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1733,37 +1568,28 @@ match("MESSAGE#66:SNMP_TRAP_SENT6", "nwparser.payload", "%{obj_type->} ( appfwLo var msg70 = msg("SNMP_TRAP_SENT6", part106); -var part107 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#67:SNMP_TRAP_SENT5/0", "nwparser.payload", "%{obj_type->} ( %{space->} %{p0}"); +var part107 = match("MESSAGE#67:SNMP_TRAP_SENT5/0", "nwparser.payload", "%{obj_type->} ( %{space->} %{p0}"); -var part108 = // "Pattern{Constant('partition id = '), Field(fld12,false), Constant(', nsUserName = "'), Field(p0,false)}" -match("MESSAGE#67:SNMP_TRAP_SENT5/1_0", "nwparser.p0", "partition id = %{fld12}, nsUserName = \"%{p0}"); +var part108 = match("MESSAGE#67:SNMP_TRAP_SENT5/1_0", "nwparser.p0", "partition id = %{fld12}, nsUserName = \"%{p0}"); -var part109 = // "Pattern{Constant('nsUserName = "'), Field(p0,false)}" -match("MESSAGE#67:SNMP_TRAP_SENT5/1_1", "nwparser.p0", "nsUserName = \"%{p0}"); +var part109 = match("MESSAGE#67:SNMP_TRAP_SENT5/1_1", "nwparser.p0", "nsUserName = \"%{p0}"); var select33 = linear_select([ part108, part109, ]); -var part110 = // "Pattern{Constant('",'), Field(username,true), Constant(' configurationCmd = "'), Field(action,false), Constant('", authorizationStatus = '), Field(event_state,false), Constant(', commandExecutionStatus = '), Field(disposition,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#67:SNMP_TRAP_SENT5/2", "nwparser.p0", "\",%{username->} configurationCmd = \"%{action}\", authorizationStatus = %{event_state}, commandExecutionStatus = %{disposition}, %{p0}"); +var part110 = match("MESSAGE#67:SNMP_TRAP_SENT5/2", "nwparser.p0", "\",%{username->} configurationCmd = \"%{action}\", authorizationStatus = %{event_state}, commandExecutionStatus = %{disposition}, %{p0}"); -var part111 = // "Pattern{Constant('commandFailureReason = "'), Field(result,false), Constant('", nsClientIPAddr = '), Field(saddr,false), Constant(', sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_0", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip})"); +var part111 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_0", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip})"); -var part112 = // "Pattern{Constant('commandFailureReason = "'), Field(result,false), Constant('", nsClientIPAddr = '), Field(saddr,false), Constant(', nsPartitionName = '), Field(fld1,false), Constant(')')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_1", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); +var part112 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_1", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); -var part113 = // "Pattern{Constant('nsClientIPAddr = '), Field(saddr,false), Constant(', nsPartitionName = '), Field(fld1,false), Constant(')')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_2", "nwparser.p0", "nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); +var part113 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_2", "nwparser.p0", "nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); -var part114 = // "Pattern{Constant('nsClientIPAddr = '), Field(saddr,false), Constant(', sysIpAddress ='), Field(hostip,true), Constant(' )')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_3", "nwparser.p0", "nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip->} )"); +var part114 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_3", "nwparser.p0", "nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip->} )"); -var part115 = // "Pattern{Constant('sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_4", "nwparser.p0", "sysIpAddress =%{hostip})"); +var part115 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_4", "nwparser.p0", "sysIpAddress =%{hostip})"); var select34 = linear_select([ part111, @@ -1790,8 +1616,7 @@ var all27 = all_match({ var msg71 = msg("SNMP_TRAP_SENT5", all27); -var part116 = // "Pattern{Field(obj_type,true), Constant(' ( nsUserName = "'), Field(username,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#68:SNMP_TRAP_SENT1", "nwparser.payload", "%{obj_type->} ( nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ +var part116 = match("MESSAGE#68:SNMP_TRAP_SENT1", "nwparser.payload", "%{obj_type->} ( nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, setf("obj_name","username"), @@ -1801,8 +1626,7 @@ match("MESSAGE#68:SNMP_TRAP_SENT1", "nwparser.payload", "%{obj_type->} ( nsUserN var msg72 = msg("SNMP_TRAP_SENT1", part116); -var part117 = // "Pattern{Field(obj_type,true), Constant(' ( nsCPUusage = '), Field(dclass_counter1,false), Constant(', alarm '), Field(trigger_val,true), Constant(' = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#69:SNMP_TRAP_SENT2", "nwparser.payload", "%{obj_type->} ( nsCPUusage = %{dclass_counter1}, alarm %{trigger_val->} = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part117 = match("MESSAGE#69:SNMP_TRAP_SENT2", "nwparser.payload", "%{obj_type->} ( nsCPUusage = %{dclass_counter1}, alarm %{trigger_val->} = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1811,8 +1635,7 @@ match("MESSAGE#69:SNMP_TRAP_SENT2", "nwparser.payload", "%{obj_type->} ( nsCPUus var msg73 = msg("SNMP_TRAP_SENT2", part117); -var part118 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthDiskName = "'), Field(filename,false), Constant('", sysHealthDiskPerusage = '), Field(dclass_counter1,false), Constant(', alarmNormalThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#70:SNMP_TRAP_SENT3", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{filename}\", sysHealthDiskPerusage = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part118 = match("MESSAGE#70:SNMP_TRAP_SENT3", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{filename}\", sysHealthDiskPerusage = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1821,8 +1644,7 @@ match("MESSAGE#70:SNMP_TRAP_SENT3", "nwparser.payload", "%{obj_type->} ( sysHeal var msg74 = msg("SNMP_TRAP_SENT3", part118); -var part119 = // "Pattern{Field(obj_type,true), Constant(' ( sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#71:SNMP_TRAP_SENT4", "nwparser.payload", "%{obj_type->} ( sysIpAddress = %{hostip})", processor_chain([ +var part119 = match("MESSAGE#71:SNMP_TRAP_SENT4", "nwparser.payload", "%{obj_type->} ( sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1831,8 +1653,7 @@ match("MESSAGE#71:SNMP_TRAP_SENT4", "nwparser.payload", "%{obj_type->} ( sysIpAd var msg75 = msg("SNMP_TRAP_SENT4", part119); -var part120 = // "Pattern{Field(obj_type,true), Constant(' (entityName = "'), Field(obj_name,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#72:SNMP_TRAP_SENT18", "nwparser.payload", "%{obj_type->} (entityName = \"%{obj_name}\", sysIpAddress = %{hostip})", processor_chain([ +var part120 = match("MESSAGE#72:SNMP_TRAP_SENT18", "nwparser.payload", "%{obj_type->} (entityName = \"%{obj_name}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup4, @@ -1840,8 +1661,7 @@ match("MESSAGE#72:SNMP_TRAP_SENT18", "nwparser.payload", "%{obj_type->} (entityN var msg76 = msg("SNMP_TRAP_SENT18", part120); -var part121 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,true), Constant(' nsUserName = "'), Field(username,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#73:SNMP_TRAP_SENT19", "nwparser.payload", "%{obj_type->} ( %{space->} nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ +var part121 = match("MESSAGE#73:SNMP_TRAP_SENT19", "nwparser.payload", "%{obj_type->} ( %{space->} nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1850,28 +1670,22 @@ match("MESSAGE#73:SNMP_TRAP_SENT19", "nwparser.payload", "%{obj_type->} ( %{spac var msg77 = msg("SNMP_TRAP_SENT19", part121); -var part122 = // "Pattern{Field(obj_type,true), Constant(' (partition id = '), Field(fld12,false), Constant(', entityName = "'), Field(p0,false)}" -match("MESSAGE#74:SNMP_TRAP_SENT21/0", "nwparser.payload", "%{obj_type->} (partition id = %{fld12}, entityName = \"%{p0}"); +var part122 = match("MESSAGE#74:SNMP_TRAP_SENT21/0", "nwparser.payload", "%{obj_type->} (partition id = %{fld12}, entityName = \"%{p0}"); -var part123 = // "Pattern{Field(obj_name,false), Constant('('), Field(fld4,false), Constant('...", '), Field(p0,false)}" -match("MESSAGE#74:SNMP_TRAP_SENT21/1_0", "nwparser.p0", "%{obj_name}(%{fld4}...\", %{p0}"); +var part123 = match("MESSAGE#74:SNMP_TRAP_SENT21/1_0", "nwparser.p0", "%{obj_name}(%{fld4}...\", %{p0}"); -var part124 = // "Pattern{Field(obj_name,false), Constant('...", '), Field(p0,false)}" -match("MESSAGE#74:SNMP_TRAP_SENT21/1_1", "nwparser.p0", "%{obj_name}...\", %{p0}"); +var part124 = match("MESSAGE#74:SNMP_TRAP_SENT21/1_1", "nwparser.p0", "%{obj_name}...\", %{p0}"); var select35 = linear_select([ part123, part124, ]); -var part125 = // "Pattern{Constant('svcGrpMemberFullName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", sysIpAddress = '), Field(hostip,true), Constant(' )')}" -match("MESSAGE#74:SNMP_TRAP_SENT21/2_0", "nwparser.p0", "svcGrpMemberFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); +var part125 = match("MESSAGE#74:SNMP_TRAP_SENT21/2_0", "nwparser.p0", "svcGrpMemberFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); -var part126 = // "Pattern{Constant('vsvrFullName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", sysIpAddress = '), Field(hostip,true), Constant(' )')}" -match("MESSAGE#74:SNMP_TRAP_SENT21/2_1", "nwparser.p0", "vsvrFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); +var part126 = match("MESSAGE#74:SNMP_TRAP_SENT21/2_1", "nwparser.p0", "vsvrFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); -var part127 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,true), Constant(' )')}" -match("MESSAGE#74:SNMP_TRAP_SENT21/2_2", "nwparser.p0", "sysIpAddress = %{hostip->} )"); +var part127 = match("MESSAGE#74:SNMP_TRAP_SENT21/2_2", "nwparser.p0", "sysIpAddress = %{hostip->} )"); var select36 = linear_select([ part125, @@ -1895,31 +1709,24 @@ var all28 = all_match({ var msg78 = msg("SNMP_TRAP_SENT21", all28); -var part128 = // "Pattern{Field(obj_type,true), Constant(' (entityName = "'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/0", "nwparser.payload", "%{obj_type->} (entityName = \"%{p0}"); +var part128 = match("MESSAGE#75:SNMP_TRAP_SENT22/0", "nwparser.payload", "%{obj_type->} (entityName = \"%{p0}"); -var part129 = // "Pattern{Field(obj_name,false), Constant('..." '), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/1_0", "nwparser.p0", "%{obj_name}...\" %{p0}"); +var part129 = match("MESSAGE#75:SNMP_TRAP_SENT22/1_0", "nwparser.p0", "%{obj_name}...\" %{p0}"); -var part130 = // "Pattern{Field(obj_name,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/1_1", "nwparser.p0", "%{obj_name}\"%{p0}"); +var part130 = match("MESSAGE#75:SNMP_TRAP_SENT22/1_1", "nwparser.p0", "%{obj_name}\"%{p0}"); var select37 = linear_select([ part129, part130, ]); -var part131 = // "Pattern{Constant(', '), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/2", "nwparser.p0", ", %{p0}"); +var part131 = match("MESSAGE#75:SNMP_TRAP_SENT22/2", "nwparser.p0", ", %{p0}"); -var part132 = // "Pattern{Constant('svcGrpMemberFullName.'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/3_0", "nwparser.p0", "svcGrpMemberFullName.%{p0}"); +var part132 = match("MESSAGE#75:SNMP_TRAP_SENT22/3_0", "nwparser.p0", "svcGrpMemberFullName.%{p0}"); -var part133 = // "Pattern{Constant('vsvrFullName.'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/3_1", "nwparser.p0", "vsvrFullName.%{p0}"); +var part133 = match("MESSAGE#75:SNMP_TRAP_SENT22/3_1", "nwparser.p0", "vsvrFullName.%{p0}"); -var part134 = // "Pattern{Constant('svcServiceFullName.'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/3_2", "nwparser.p0", "svcServiceFullName.%{p0}"); +var part134 = match("MESSAGE#75:SNMP_TRAP_SENT22/3_2", "nwparser.p0", "svcServiceFullName.%{p0}"); var select38 = linear_select([ part132, @@ -1927,8 +1734,7 @@ var select38 = linear_select([ part134, ]); -var part135 = // "Pattern{Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", nsPartitionName = '), Field(fld1,false), Constant(')')}" -match("MESSAGE#75:SNMP_TRAP_SENT22/4", "nwparser.p0", "%{fld2->} = \"%{fld3}\", nsPartitionName = %{fld1})"); +var part135 = match("MESSAGE#75:SNMP_TRAP_SENT22/4", "nwparser.p0", "%{fld2->} = \"%{fld3}\", nsPartitionName = %{fld1})"); var all29 = all_match({ processors: [ @@ -1948,8 +1754,7 @@ var all29 = all_match({ var msg79 = msg("SNMP_TRAP_SENT22", all29); -var part136 = // "Pattern{Field(obj_type,true), Constant(' (platformRateLimitPacketDropCount = '), Field(dclass_counter1,false), Constant(', platformLicensedThroughput = '), Field(fld2,false), Constant(', nsPartitionName = '), Field(fld3,false), Constant(')')}" -match("MESSAGE#76:SNMP_TRAP_SENT23", "nwparser.payload", "%{obj_type->} (platformRateLimitPacketDropCount = %{dclass_counter1}, platformLicensedThroughput = %{fld2}, nsPartitionName = %{fld3})", processor_chain([ +var part136 = match("MESSAGE#76:SNMP_TRAP_SENT23", "nwparser.payload", "%{obj_type->} (platformRateLimitPacketDropCount = %{dclass_counter1}, platformLicensedThroughput = %{fld2}, nsPartitionName = %{fld3})", processor_chain([ dup9, dup47, dup10, @@ -1958,8 +1763,7 @@ match("MESSAGE#76:SNMP_TRAP_SENT23", "nwparser.payload", "%{obj_type->} (platfor var msg80 = msg("SNMP_TRAP_SENT23", part136); -var part137 = // "Pattern{Field(obj_type,true), Constant(' (vsvrName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", vsvrCurSoValue = '), Field(fld4,false), Constant(', vsvrSoMethod = "'), Field(fld5,false), Constant('", vsvrSoThresh = "'), Field(info,false), Constant('", vsvrFullName.'), Field(fld6,true), Constant(' = "'), Field(fld7,false), Constant('", nsPartitionName = '), Field(fld8,false), Constant(')')}" -match("MESSAGE#77:SNMP_TRAP_SENT24", "nwparser.payload", "%{obj_type->} (vsvrName.%{fld2->} = \"%{fld3}\", vsvrCurSoValue = %{fld4}, vsvrSoMethod = \"%{fld5}\", vsvrSoThresh = \"%{info}\", vsvrFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld8})", processor_chain([ +var part137 = match("MESSAGE#77:SNMP_TRAP_SENT24", "nwparser.payload", "%{obj_type->} (vsvrName.%{fld2->} = \"%{fld3}\", vsvrCurSoValue = %{fld4}, vsvrSoMethod = \"%{fld5}\", vsvrSoThresh = \"%{info}\", vsvrFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld8})", processor_chain([ dup9, dup47, dup10, @@ -1968,25 +1772,20 @@ match("MESSAGE#77:SNMP_TRAP_SENT24", "nwparser.payload", "%{obj_type->} (vsvrNam var msg81 = msg("SNMP_TRAP_SENT24", part137); -var part138 = // "Pattern{Field(obj_type,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#78:SNMP_TRAP_SENT25/0", "nwparser.payload", "%{obj_type->} (%{p0}"); +var part138 = match("MESSAGE#78:SNMP_TRAP_SENT25/0", "nwparser.payload", "%{obj_type->} (%{p0}"); -var part139 = // "Pattern{Constant('partition id = '), Field(fld12,false), Constant(', sslCertKeyName.'), Field(p0,false)}" -match("MESSAGE#78:SNMP_TRAP_SENT25/1_0", "nwparser.p0", "partition id = %{fld12}, sslCertKeyName.%{p0}"); +var part139 = match("MESSAGE#78:SNMP_TRAP_SENT25/1_0", "nwparser.p0", "partition id = %{fld12}, sslCertKeyName.%{p0}"); -var part140 = // "Pattern{Constant(' sslCertKeyName.'), Field(p0,false)}" -match("MESSAGE#78:SNMP_TRAP_SENT25/1_1", "nwparser.p0", " sslCertKeyName.%{p0}"); +var part140 = match("MESSAGE#78:SNMP_TRAP_SENT25/1_1", "nwparser.p0", " sslCertKeyName.%{p0}"); var select39 = linear_select([ part139, part140, ]); -var part141 = // "Pattern{Constant('",'), Field(fld2,true), Constant(' = "'), Field(fld1,true), Constant(' sslDaysToExpire.'), Field(fld3,true), Constant(' = '), Field(dclass_counter1,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#78:SNMP_TRAP_SENT25/2", "nwparser.p0", "\",%{fld2->} = \"%{fld1->} sslDaysToExpire.%{fld3->} = %{dclass_counter1}, %{p0}"); +var part141 = match("MESSAGE#78:SNMP_TRAP_SENT25/2", "nwparser.p0", "\",%{fld2->} = \"%{fld1->} sslDaysToExpire.%{fld3->} = %{dclass_counter1}, %{p0}"); -var part142 = // "Pattern{Constant('nsPartitionName = '), Field(fld4,false), Constant(')')}" -match("MESSAGE#78:SNMP_TRAP_SENT25/3_0", "nwparser.p0", "nsPartitionName = %{fld4})"); +var part142 = match("MESSAGE#78:SNMP_TRAP_SENT25/3_0", "nwparser.p0", "nsPartitionName = %{fld4})"); var select40 = linear_select([ part142, @@ -2010,8 +1809,7 @@ var all30 = all_match({ var msg82 = msg("SNMP_TRAP_SENT25", all30); -var part143 = // "Pattern{Field(obj_type,true), Constant(' (nsUserName = "'), Field(username,false), Constant('", nsPartitionName = '), Field(fld1,false), Constant(')')}" -match("MESSAGE#79:SNMP_TRAP_SENT26", "nwparser.payload", "%{obj_type->} (nsUserName = \"%{username}\", nsPartitionName = %{fld1})", processor_chain([ +var part143 = match("MESSAGE#79:SNMP_TRAP_SENT26", "nwparser.payload", "%{obj_type->} (nsUserName = \"%{username}\", nsPartitionName = %{fld1})", processor_chain([ dup9, dup47, dup4, @@ -2019,8 +1817,7 @@ match("MESSAGE#79:SNMP_TRAP_SENT26", "nwparser.payload", "%{obj_type->} (nsUserN var msg83 = msg("SNMP_TRAP_SENT26", part143); -var part144 = // "Pattern{Field(info,true), Constant(' (sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#80:SNMP_TRAP_SENT20", "nwparser.payload", "%{info->} (sysIpAddress = %{hostip})", processor_chain([ +var part144 = match("MESSAGE#80:SNMP_TRAP_SENT20", "nwparser.payload", "%{info->} (sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2029,8 +1826,7 @@ match("MESSAGE#80:SNMP_TRAP_SENT20", "nwparser.payload", "%{info->} (sysIpAddres var msg84 = msg("SNMP_TRAP_SENT20", part144); -var part145 = // "Pattern{Field(obj_type,false), Constant('(lldpRemLocalPortNum.'), Field(fld1,false), Constant('= "'), Field(fld5,false), Constant('", lldpRemChassisId.'), Field(fld2,false), Constant('= "'), Field(dmacaddr,false), Constant('", lldpRemPortId.'), Field(fld3,false), Constant('= "'), Field(dinterface,false), Constant('", sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#81:SNMP_TRAP_SENT28", "nwparser.payload", "%{obj_type}(lldpRemLocalPortNum.%{fld1}= \"%{fld5}\", lldpRemChassisId.%{fld2}= \"%{dmacaddr}\", lldpRemPortId.%{fld3}= \"%{dinterface}\", sysIpAddress =%{hostip})", processor_chain([ +var part145 = match("MESSAGE#81:SNMP_TRAP_SENT28", "nwparser.payload", "%{obj_type}(lldpRemLocalPortNum.%{fld1}= \"%{fld5}\", lldpRemChassisId.%{fld2}= \"%{dmacaddr}\", lldpRemPortId.%{fld3}= \"%{dinterface}\", sysIpAddress =%{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2039,8 +1835,7 @@ match("MESSAGE#81:SNMP_TRAP_SENT28", "nwparser.payload", "%{obj_type}(lldpRemLoc var msg85 = msg("SNMP_TRAP_SENT28", part145); -var part146 = // "Pattern{Field(obj_type,false), Constant('(haNicMonitorSucceeded = "'), Field(fld1,false), Constant('", sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#82:SNMP_TRAP_SENT29", "nwparser.payload", "%{obj_type}(haNicMonitorSucceeded = \"%{fld1}\", sysIpAddress =%{hostip})", processor_chain([ +var part146 = match("MESSAGE#82:SNMP_TRAP_SENT29", "nwparser.payload", "%{obj_type}(haNicMonitorSucceeded = \"%{fld1}\", sysIpAddress =%{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2049,8 +1844,7 @@ match("MESSAGE#82:SNMP_TRAP_SENT29", "nwparser.payload", "%{obj_type}(haNicMonit var msg86 = msg("SNMP_TRAP_SENT29", part146); -var part147 = // "Pattern{Field(fld1,false), Constant(':StatusPoll:'), Field(fld2,true), Constant(' - Device State changed to '), Field(disposition,true), Constant(' for '), Field(saddr,false)}" -match("MESSAGE#83:SNMP_TRAP_SENT:04", "nwparser.payload", "%{fld1}:StatusPoll:%{fld2->} - Device State changed to %{disposition->} for %{saddr}", processor_chain([ +var part147 = match("MESSAGE#83:SNMP_TRAP_SENT:04", "nwparser.payload", "%{fld1}:StatusPoll:%{fld2->} - Device State changed to %{disposition->} for %{saddr}", processor_chain([ dup9, dup4, setc("event_description","Device State changed"), @@ -2060,14 +1854,11 @@ var msg87 = msg("SNMP_TRAP_SENT:04", part147); var msg88 = msg("SNMP_TRAP_SENT:05", dup101); -var part148 = // "Pattern{Field(obj_type,true), Constant(' (appfwLogMsg = "'), Field(obj_name,true), Constant(' '), Field(info,false), Constant('",'), Field(p0,false)}" -match("MESSAGE#136:SNMP_TRAP_SENT:01/0", "nwparser.payload", "%{obj_type->} (appfwLogMsg = \"%{obj_name->} %{info}\",%{p0}"); +var part148 = match("MESSAGE#136:SNMP_TRAP_SENT:01/0", "nwparser.payload", "%{obj_type->} (appfwLogMsg = \"%{obj_name->} %{info}\",%{p0}"); -var part149 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,false)}" -match("MESSAGE#136:SNMP_TRAP_SENT:01/1_0", "nwparser.p0", "sysIpAddress = %{hostip}"); +var part149 = match("MESSAGE#136:SNMP_TRAP_SENT:01/1_0", "nwparser.p0", "sysIpAddress = %{hostip}"); -var part150 = // "Pattern{Constant('nsPartitionName ='), Field(fld1,false)}" -match("MESSAGE#136:SNMP_TRAP_SENT:01/1_1", "nwparser.p0", "nsPartitionName =%{fld1}"); +var part150 = match("MESSAGE#136:SNMP_TRAP_SENT:01/1_1", "nwparser.p0", "nsPartitionName =%{fld1}"); var select41 = linear_select([ part149, @@ -2089,8 +1880,7 @@ var all31 = all_match({ var msg89 = msg("SNMP_TRAP_SENT:01", all31); -var part151 = // "Pattern{Field(obj_type,true), Constant(' (haNicsMonitorFailed = "'), Field(fld1,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#143:SNMP_TRAP_SENT:02", "nwparser.payload", "%{obj_type->} (haNicsMonitorFailed = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ +var part151 = match("MESSAGE#143:SNMP_TRAP_SENT:02", "nwparser.payload", "%{obj_type->} (haNicsMonitorFailed = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2099,8 +1889,7 @@ match("MESSAGE#143:SNMP_TRAP_SENT:02", "nwparser.payload", "%{obj_type->} (haNic var msg90 = msg("SNMP_TRAP_SENT:02", part151); -var part152 = // "Pattern{Field(obj_type,true), Constant(' (partition id = '), Field(fld1,false), Constant(', entityName = "'), Field(obj_name,false), Constant('('), Field(fld31,false), Constant('", svcServiceFullName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#178:SNMP_TRAP_SENT27", "nwparser.payload", "%{obj_type->} (partition id = %{fld1}, entityName = \"%{obj_name}(%{fld31}\", svcServiceFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip})", processor_chain([ +var part152 = match("MESSAGE#178:SNMP_TRAP_SENT27", "nwparser.payload", "%{obj_type->} (partition id = %{fld1}, entityName = \"%{obj_name}(%{fld31}\", svcServiceFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2109,8 +1898,7 @@ match("MESSAGE#178:SNMP_TRAP_SENT27", "nwparser.payload", "%{obj_type->} (partit var msg91 = msg("SNMP_TRAP_SENT27", part152); -var part153 = // "Pattern{Field(obj_type,false), Constant('(sysHealthCounterName.PowerSupply1Status = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue.PowerSupply1Status = '), Field(dclass_counter1,false), Constant(', sysHealthPowerSupplyStatus = "'), Field(result,false), Constant('", sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#179:SNMP_TRAP_SENT:03", "nwparser.payload", "%{obj_type}(sysHealthCounterName.PowerSupply1Status = \"%{dclass_counter1_string}\", sysHealthCounterValue.PowerSupply1Status = %{dclass_counter1}, sysHealthPowerSupplyStatus = \"%{result}\", sysIpAddress =%{hostip})", processor_chain([ +var part153 = match("MESSAGE#179:SNMP_TRAP_SENT:03", "nwparser.payload", "%{obj_type}(sysHealthCounterName.PowerSupply1Status = \"%{dclass_counter1_string}\", sysHealthCounterValue.PowerSupply1Status = %{dclass_counter1}, sysHealthPowerSupplyStatus = \"%{result}\", sysIpAddress =%{hostip})", processor_chain([ dup9, dup47, dup4, @@ -2156,8 +1944,7 @@ var select42 = linear_select([ msg92, ]); -var part154 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Client IP '), Field(hostip,true), Constant(' - Vserver '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Client_security_expression "CLIENT.REG(''), Field(info,false), Constant('').VALUE == '), Field(trigger_val,true), Constant(' || '), Field(change_new,true), Constant(' - '), Field(result,false)}" -match("MESSAGE#85:SSLVPN_CLISEC_CHECK", "nwparser.payload", "User %{username->} - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client_security_expression \"CLIENT.REG('%{info}').VALUE == %{trigger_val->} || %{change_new->} - %{result}", processor_chain([ +var part154 = match("MESSAGE#85:SSLVPN_CLISEC_CHECK", "nwparser.payload", "User %{username->} - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client_security_expression \"CLIENT.REG('%{info}').VALUE == %{trigger_val->} || %{change_new->} - %{result}", processor_chain([ dup9, dup47, dup4, @@ -2165,16 +1952,14 @@ match("MESSAGE#85:SSLVPN_CLISEC_CHECK", "nwparser.payload", "User %{username->} var msg93 = msg("SSLVPN_CLISEC_CHECK", part154); -var part155 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - ClientIP '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_1", "nwparser.p0", "SPCBId %{sessionid->} - ClientIP %{p0}"); +var part155 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_1", "nwparser.p0", "SPCBId %{sessionid->} - ClientIP %{p0}"); var select43 = linear_select([ dup49, part155, ]); -var part156 = // "Pattern{Field(,true), Constant(' '), Field(saddr,false), Constant('- ClientPort '), Field(sport,true), Constant(' - VserverServiceIP '), Field(daddr,true), Constant(' - VserverServicePort '), Field(dport,true), Constant(' - ClientVersion '), Field(s_sslver,true), Constant(' - CipherSuite "'), Field(s_cipher,false), Constant('" - Reason "'), Field(result,false), Constant('"')}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/2", "nwparser.p0", "%{} %{saddr}- ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Reason \"%{result}\""); +var part156 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/2", "nwparser.p0", "%{} %{saddr}- ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Reason \"%{result}\""); var all32 = all_match({ processors: [ @@ -2194,16 +1979,14 @@ var all32 = all_match({ var msg94 = msg("SSLLOG_SSL_HANDSHAKE_FAILURE", all32); -var part157 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' ClientIP '), Field(p0,false)}" -match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/1_0", "nwparser.p0", "SPCBId %{sessionid->} ClientIP %{p0}"); +var part157 = match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/1_0", "nwparser.p0", "SPCBId %{sessionid->} ClientIP %{p0}"); var select44 = linear_select([ part157, dup49, ]); -var part158 = // "Pattern{Constant(''), Field(saddr,true), Constant(' - ClientPort '), Field(sport,true), Constant(' - VserverServiceIP '), Field(daddr,true), Constant(' - VserverServicePort '), Field(dport,true), Constant(' - ClientVersion '), Field(s_sslver,true), Constant(' - CipherSuite "'), Field(s_cipher,false), Constant('" - Session '), Field(info,false)}" -match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/2", "nwparser.p0", "%{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Session %{info}"); +var part158 = match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/2", "nwparser.p0", "%{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Session %{info}"); var all33 = all_match({ processors: [ @@ -2223,8 +2006,7 @@ var all33 = all_match({ var msg95 = msg("SSLLOG_SSL_HANDSHAKE_SUCCESS", all33); -var part159 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - SubjectName "'), Field(cert_subject,false), Constant('"')}" -match("MESSAGE#88:SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", "nwparser.payload", "SPCBId %{sessionid->} - SubjectName \"%{cert_subject}\"", processor_chain([ +var part159 = match("MESSAGE#88:SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", "nwparser.payload", "SPCBId %{sessionid->} - SubjectName \"%{cert_subject}\"", processor_chain([ dup9, dup41, dup50, @@ -2232,8 +2014,7 @@ match("MESSAGE#88:SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", "nwparser.payload", "SPCBId var msg96 = msg("SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", part159); -var part160 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - IssuerName "'), Field(fld1,false), Constant('"')}" -match("MESSAGE#89:SSLLOG_SSL_HANDSHAKE_ISSUERNAME", "nwparser.payload", "SPCBId %{sessionid->} - IssuerName \"%{fld1}\"", processor_chain([ +var part160 = match("MESSAGE#89:SSLLOG_SSL_HANDSHAKE_ISSUERNAME", "nwparser.payload", "SPCBId %{sessionid->} - IssuerName \"%{fld1}\"", processor_chain([ dup9, dup41, dup50, @@ -2241,8 +2022,7 @@ match("MESSAGE#89:SSLLOG_SSL_HANDSHAKE_ISSUERNAME", "nwparser.payload", "SPCBId var msg97 = msg("SSLLOG_SSL_HANDSHAKE_ISSUERNAME", part160); -var part161 = // "Pattern{Constant('Extracted_groups "'), Field(group,false), Constant('"')}" -match("MESSAGE#90:SSLVPN_AAAEXTRACTED_GROUPS", "nwparser.payload", "Extracted_groups \"%{group}\"", processor_chain([ +var part161 = match("MESSAGE#90:SSLVPN_AAAEXTRACTED_GROUPS", "nwparser.payload", "Extracted_groups \"%{group}\"", processor_chain([ dup2, setc("event_description","The groups extracted after user logs into SSLVPN"), dup3, @@ -2251,22 +2031,18 @@ match("MESSAGE#90:SSLVPN_AAAEXTRACTED_GROUPS", "nwparser.payload", "Extracted_gr var msg98 = msg("SSLVPN_AAAEXTRACTED_GROUPS", part161); -var part162 = // "Pattern{Constant('User '), Field(username,true), Constant(' : - Client IP '), Field(hostip,true), Constant(' - Vserver '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Client security expression CLIENT.REG(''), Field(info,false), Constant('') '), Field(p0,false)}" -match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/0", "nwparser.payload", "User %{username->} : - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client security expression CLIENT.REG('%{info}') %{p0}"); +var part162 = match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/0", "nwparser.payload", "User %{username->} : - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client security expression CLIENT.REG('%{info}') %{p0}"); -var part163 = // "Pattern{Constant('EXISTS '), Field(p0,false)}" -match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_0", "nwparser.p0", "EXISTS %{p0}"); +var part163 = match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_0", "nwparser.p0", "EXISTS %{p0}"); -var part164 = // "Pattern{Constant('.VALUE == '), Field(trigger_val,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_1", "nwparser.p0", ".VALUE == %{trigger_val->} %{p0}"); +var part164 = match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_1", "nwparser.p0", ".VALUE == %{trigger_val->} %{p0}"); var select45 = linear_select([ part163, part164, ]); -var part165 = // "Pattern{Constant('evaluated to '), Field(change_new,false), Constant('('), Field(ntype,false), Constant(')')}" -match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/2", "nwparser.p0", "evaluated to %{change_new}(%{ntype})"); +var part165 = match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/2", "nwparser.p0", "evaluated to %{change_new}(%{ntype})"); var all34 = all_match({ processors: [ @@ -2284,47 +2060,38 @@ var all34 = all_match({ var msg99 = msg("SSLVPN_CLISEC_EXP_EVAL", all34); -var part166 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - %{p0}"); +var part166 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - %{p0}"); -var part167 = // "Pattern{Constant('SessionId: '), Field(sessionid,true), Constant(' User '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_0", "nwparser.p0", "SessionId: %{sessionid->} User %{p0}"); +var part167 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_0", "nwparser.p0", "SessionId: %{sessionid->} User %{p0}"); -var part168 = // "Pattern{Field(fld5,true), Constant(' User '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_1", "nwparser.p0", "%{fld5->} User %{p0}"); +var part168 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_1", "nwparser.p0", "%{fld5->} User %{p0}"); var select46 = linear_select([ part167, part168, ]); -var part169 = // "Pattern{Field(username,true), Constant(' : Group(s) '), Field(group,true), Constant(' : '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/2", "nwparser.p0", "%{username->} : Group(s) %{group->} : %{p0}"); +var part169 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/2", "nwparser.p0", "%{username->} : Group(s) %{group->} : %{p0}"); -var part170 = // "Pattern{Constant('Vserver '), Field(hostip,true), Constant(' - '), Field(fld6,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_0", "nwparser.p0", "Vserver %{hostip->} - %{fld6->} %{p0}"); +var part170 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_0", "nwparser.p0", "Vserver %{hostip->} - %{fld6->} %{p0}"); -var part171 = // "Pattern{Constant('- '), Field(fld7,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_1", "nwparser.p0", "- %{fld7->} %{p0}"); +var part171 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_1", "nwparser.p0", "- %{fld7->} %{p0}"); var select47 = linear_select([ part170, part171, ]); -var part172 = // "Pattern{Constant('GMT '), Field(web_method,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_0", "nwparser.p0", "GMT %{web_method->} %{p0}"); +var part172 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_0", "nwparser.p0", "GMT %{web_method->} %{p0}"); -var part173 = // "Pattern{Field(web_method,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_1", "nwparser.p0", "%{web_method->} %{p0}"); +var part173 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_1", "nwparser.p0", "%{web_method->} %{p0}"); var select48 = linear_select([ part172, part173, ]); -var part174 = // "Pattern{Field(url,true), Constant(' '), Field(fld8,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/5", "nwparser.p0", "%{url->} %{fld8}"); +var part174 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/5", "nwparser.p0", "%{url->} %{fld8}"); var all35 = all_match({ processors: [ @@ -2346,11 +2113,9 @@ var all35 = all_match({ var msg100 = msg("SSLVPN_HTTPREQUEST", all35); -var part175 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); +var part175 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); -var part176 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2}"); +var part176 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2}"); var all36 = all_match({ processors: [ @@ -2373,17 +2138,13 @@ var all36 = all_match({ var msg101 = msg("SSLVPN_ICAEND_CONNSTAT", all36); -var part177 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - username:domainname '), Field(username,false), Constant(':'), Field(ddomain,true), Constant(' - startTime '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - startTime %{p0}"); +var part177 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - startTime %{p0}"); -var part178 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - endTime '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - endTime %{p0}"); +var part178 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - endTime %{p0}"); -var part179 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - endTime '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_1", "nwparser.p0", "\" %{fld10}\" - endTime %{p0}"); +var part179 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_1", "nwparser.p0", "\" %{fld10}\" - endTime %{p0}"); -var part180 = // "Pattern{Field(fld10,true), Constant(' - endTime '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_2", "nwparser.p0", "%{fld10->} - endTime %{p0}"); +var part180 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_2", "nwparser.p0", "%{fld10->} - endTime %{p0}"); var select49 = linear_select([ part178, @@ -2391,14 +2152,11 @@ var select49 = linear_select([ part180, ]); -var part181 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} %{p0}"); +var part181 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} %{p0}"); -var part182 = // "Pattern{Constant('- connectionId '), Field(connectionid,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_0", "nwparser.p0", "- connectionId %{connectionid}"); +var part182 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_0", "nwparser.p0", "- connectionId %{connectionid}"); -var part183 = // "Pattern{Field(fld2,false)}" -match_copy("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_1", "nwparser.p0", "fld2"); +var part183 = match_copy("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_1", "nwparser.p0", "fld2"); var select50 = linear_select([ part182, @@ -2432,8 +2190,7 @@ var select51 = linear_select([ msg102, ]); -var part184 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Browser_type '), Field(fld2,true), Constant(' - SSLVPN_client_type '), Field(info,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#94:SSLVPN_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{fld2->} - SSLVPN_client_type %{info->} - Group(s) \"%{group}\""); +var part184 = match("MESSAGE#94:SSLVPN_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{fld2->} - SSLVPN_client_type %{info->} - Group(s) \"%{group}\""); var all38 = all_match({ processors: [ @@ -2455,8 +2212,7 @@ var all38 = all_match({ var msg103 = msg("SSLVPN_LOGIN", all38); -var part185 = // "Pattern{Field(duration_string,true), Constant(' - Http_resources_accessed '), Field(fld3,true), Constant(' - NonHttp_services_accessed '), Field(fld4,true), Constant(' - Total_TCP_connections '), Field(fld5,true), Constant(' - Total_UDP_flows '), Field(fld6,true), Constant(' - Total_policies_allowed '), Field(fld7,true), Constant(' - Total_policies_denied '), Field(fld8,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' - LogoutMethod "'), Field(result,false), Constant('" - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#95:SSLVPN_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - NonHttp_services_accessed %{fld4->} - Total_TCP_connections %{fld5->} - Total_UDP_flows %{fld6->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); +var part185 = match("MESSAGE#95:SSLVPN_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - NonHttp_services_accessed %{fld4->} - Total_TCP_connections %{fld5->} - Total_UDP_flows %{fld6->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); var all39 = all_match({ processors: [ @@ -2486,8 +2242,7 @@ var all39 = all_match({ var msg104 = msg("SSLVPN_LOGOUT", all39); -var part186 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Last_contact '), Field(fld2,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#96:SSLVPN_TCPCONN_TIMEDOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Last_contact %{fld2->} - Group(s) \"%{group}\""); +var part186 = match("MESSAGE#96:SSLVPN_TCPCONN_TIMEDOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Last_contact %{fld2->} - Group(s) \"%{group}\""); var all40 = all_match({ processors: [ @@ -2509,11 +2264,9 @@ var all40 = all_match({ var msg105 = msg("SSLVPN_TCPCONN_TIMEDOUT", all40); -var part187 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); +var part187 = match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); -var part188 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Access '), Field(disposition,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Access %{disposition->} - Group(s) \"%{group}\""); +var part188 = match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Access %{disposition->} - Group(s) \"%{group}\""); var all41 = all_match({ processors: [ @@ -2536,8 +2289,7 @@ var all41 = all_match({ var msg106 = msg("SSLVPN_UDPFLOWSTAT", all41); -var part189 = // "Pattern{Constant('Server port = '), Field(dport,true), Constant(' - Server server ip = '), Field(daddr,true), Constant(' - username:domain_name = '), Field(username,false), Constant(':'), Field(ddomain,true), Constant(' - application name = '), Field(application,false)}" -match("MESSAGE#98:SSLVPN_ICASTART", "nwparser.payload", "Server port = %{dport->} - Server server ip = %{daddr->} - username:domain_name = %{username}:%{ddomain->} - application name = %{application}", processor_chain([ +var part189 = match("MESSAGE#98:SSLVPN_ICASTART", "nwparser.payload", "Server port = %{dport->} - Server server ip = %{daddr->} - username:domain_name = %{username}:%{ddomain->} - application name = %{application}", processor_chain([ dup69, setc("event_description","ICA started"), dup3, @@ -2546,17 +2298,13 @@ match("MESSAGE#98:SSLVPN_ICASTART", "nwparser.payload", "Server port = %{dport-> var msg107 = msg("SSLVPN_ICASTART", part189); -var part190 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - username:domainname '), Field(username,false), Constant(':'), Field(ddomain,true), Constant(' - applicationName '), Field(application,true), Constant(' - startTime '), Field(p0,false)}" -match("MESSAGE#99:SSLVPN_ICASTART:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - applicationName %{application->} - startTime %{p0}"); +var part190 = match("MESSAGE#99:SSLVPN_ICASTART:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - applicationName %{application->} - startTime %{p0}"); -var part191 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - connectionId '), Field(p0,false)}" -match("MESSAGE#99:SSLVPN_ICASTART:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - connectionId %{p0}"); +var part191 = match("MESSAGE#99:SSLVPN_ICASTART:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - connectionId %{p0}"); -var part192 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - connectionId '), Field(p0,false)}" -match("MESSAGE#99:SSLVPN_ICASTART:01/1_1", "nwparser.p0", "\" %{fld10}\" - connectionId %{p0}"); +var part192 = match("MESSAGE#99:SSLVPN_ICASTART:01/1_1", "nwparser.p0", "\" %{fld10}\" - connectionId %{p0}"); -var part193 = // "Pattern{Field(fld10,true), Constant(' - connectionId '), Field(p0,false)}" -match("MESSAGE#99:SSLVPN_ICASTART:01/1_2", "nwparser.p0", "%{fld10->} - connectionId %{p0}"); +var part193 = match("MESSAGE#99:SSLVPN_ICASTART:01/1_2", "nwparser.p0", "%{fld10->} - connectionId %{p0}"); var select52 = linear_select([ part191, @@ -2564,8 +2312,7 @@ var select52 = linear_select([ part193, ]); -var part194 = // "Pattern{Field(fld5,false)}" -match_copy("MESSAGE#99:SSLVPN_ICASTART:01/2", "nwparser.p0", "fld5"); +var part194 = match_copy("MESSAGE#99:SSLVPN_ICASTART:01/2", "nwparser.p0", "fld5"); var all42 = all_match({ processors: [ @@ -2587,14 +2334,11 @@ var select53 = linear_select([ msg108, ]); -var part195 = // "Pattern{Field(action,false), Constant(': '), Field(fld1,true), Constant(' "')}" -match("MESSAGE#100:SSLVPN_Message/1_0", "nwparser.p0", "%{action}: %{fld1->} \""); +var part195 = match("MESSAGE#100:SSLVPN_Message/1_0", "nwparser.p0", "%{action}: %{fld1->} \""); -var part196 = // "Pattern{Field(action,true), Constant(' '), Field(fld1,false), Constant('"')}" -match("MESSAGE#100:SSLVPN_Message/1_1", "nwparser.p0", "%{action->} %{fld1}\""); +var part196 = match("MESSAGE#100:SSLVPN_Message/1_1", "nwparser.p0", "%{action->} %{fld1}\""); -var part197 = // "Pattern{Field(action,false), Constant(': '), Field(fld1,false)}" -match("MESSAGE#100:SSLVPN_Message/1_2", "nwparser.p0", "%{action}: %{fld1}"); +var part197 = match("MESSAGE#100:SSLVPN_Message/1_2", "nwparser.p0", "%{action}: %{fld1}"); var select54 = linear_select([ part195, @@ -2617,11 +2361,9 @@ var all43 = all_match({ var msg109 = msg("SSLVPN_Message", all43); -var part198 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Client_ip '), Field(hostip,true), Constant(' - Nat_ip '), Field(stransaddr,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#101:SSLVPN_TCPCONNSTAT/2", "nwparser.p0", "%{} %{username}- Client_ip %{hostip->} - Nat_ip %{stransaddr->} - Vserver %{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); +var part198 = match("MESSAGE#101:SSLVPN_TCPCONNSTAT/2", "nwparser.p0", "%{} %{username}- Client_ip %{hostip->} - Nat_ip %{stransaddr->} - Vserver %{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); -var part199 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' - Access '), Field(disposition,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#101:SSLVPN_TCPCONNSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - Access %{disposition->} - Group(s) \"%{group}\""); +var part199 = match("MESSAGE#101:SSLVPN_TCPCONNSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - Access %{disposition->} - Group(s) \"%{group}\""); var all44 = all_match({ processors: [ @@ -2686,8 +2428,7 @@ var all46 = all_match({ var msg112 = msg("TCP_CONN_TERMINATE", all46); -var part200 = // "Pattern{Constant('Source '), Field(saddr,false), Constant('Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,false)}" -match("MESSAGE#140:TCP_CONN_TERMINATE:01", "nwparser.payload", "Source %{saddr}Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes}", processor_chain([ +var part200 = match("MESSAGE#140:TCP_CONN_TERMINATE:01", "nwparser.payload", "Source %{saddr}Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes}", processor_chain([ dup2, dup40, dup28, @@ -2703,11 +2444,9 @@ var select55 = linear_select([ msg113, ]); -var part201 = // "Pattern{Field(fld11,true), Constant(' GMT Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT Total_bytes_send %{p0}"); +var part201 = match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT Total_bytes_send %{p0}"); -var part202 = // "Pattern{Field(fld11,true), Constant(' Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld11->} Total_bytes_send %{p0}"); +var part202 = match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld11->} Total_bytes_send %{p0}"); var select56 = linear_select([ part201, @@ -2733,22 +2472,18 @@ var all47 = all_match({ var msg114 = msg("TCP_OTHERCONN_DELINK", all47); -var part203 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start Time '), Field(p0,false)}" -match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Start Time %{p0}"); +var part203 = match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Start Time %{p0}"); -var part204 = // "Pattern{Field(fld10,true), Constant(' GMT - Delink Time '), Field(p0,false)}" -match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld10->} GMT - Delink Time %{p0}"); +var part204 = match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld10->} GMT - Delink Time %{p0}"); -var part205 = // "Pattern{Field(fld10,true), Constant(' - Delink Time '), Field(p0,false)}" -match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld10->} - Delink Time %{p0}"); +var part205 = match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld10->} - Delink Time %{p0}"); var select57 = linear_select([ part204, part205, ]); -var part206 = // "Pattern{Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - '), Field(info,false)}" -match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/3", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes->} - %{info}"); +var part206 = match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/3", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes->} - %{info}"); var all48 = all_match({ processors: [ @@ -2770,8 +2505,7 @@ var all48 = all_match({ var msg115 = msg("TCP_NAT_OTHERCONN_DELINK", all48); -var part207 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" -match("MESSAGE#106:UI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ +var part207 = match("MESSAGE#106:UI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ dup69, dup84, dup3, @@ -2783,8 +2517,7 @@ match("MESSAGE#106:UI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username- var msg116 = msg("UI_CMD_EXECUTED:Login", part207); -var part208 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('" - Status "ERROR:'), Field(info,false), Constant('"')}" -match("MESSAGE#107:UI_CMD_EXECUTED:LoginFail", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"ERROR:%{info}\"", processor_chain([ +var part208 = match("MESSAGE#107:UI_CMD_EXECUTED:LoginFail", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"ERROR:%{info}\"", processor_chain([ dup5, dup84, dup3, @@ -2796,8 +2529,7 @@ match("MESSAGE#107:UI_CMD_EXECUTED:LoginFail", "nwparser.payload", "User %{usern var msg117 = msg("UI_CMD_EXECUTED:LoginFail", part208); -var part209 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "logout '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" -match("MESSAGE#108:UI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ +var part209 = match("MESSAGE#108:UI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ dup71, dup84, dup3, @@ -2811,8 +2543,7 @@ var msg118 = msg("UI_CMD_EXECUTED:Logout", part209); var msg119 = msg("UI_CMD_EXECUTED", dup108); -var part210 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('"')}" -match("MESSAGE#144:UI_CMD_EXECUTED:01_Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\"", processor_chain([ +var part210 = match("MESSAGE#144:UI_CMD_EXECUTED:01_Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\"", processor_chain([ dup69, dup84, dup3, @@ -2823,8 +2554,7 @@ match("MESSAGE#144:UI_CMD_EXECUTED:01_Login", "nwparser.payload", "User %{userna var msg120 = msg("UI_CMD_EXECUTED:01_Login", part210); -var part211 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "logout '), Field(fld11,false), Constant('"')}" -match("MESSAGE#145:UI_CMD_EXECUTED:01_Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\"", processor_chain([ +var part211 = match("MESSAGE#145:UI_CMD_EXECUTED:01_Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\"", processor_chain([ dup71, dup84, dup3, @@ -2835,8 +2565,7 @@ match("MESSAGE#145:UI_CMD_EXECUTED:01_Logout", "nwparser.payload", "User %{usern var msg121 = msg("UI_CMD_EXECUTED:01_Logout", part211); -var part212 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('"')}" -match("MESSAGE#146:UI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\"", processor_chain([ +var part212 = match("MESSAGE#146:UI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\"", processor_chain([ dup88, dup89, dup3, @@ -2855,8 +2584,7 @@ var select58 = linear_select([ msg122, ]); -var part213 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Total_bytes_send '), Field(comp_sbytes,true), Constant(' - Total_bytes_recv '), Field(comp_rbytes,true), Constant(' - Denied_by_policy "'), Field(fld2,false), Constant('" - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#110:SSLVPN_NONHTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Total_bytes_send %{comp_sbytes->} - Total_bytes_recv %{comp_rbytes->} - Denied_by_policy \"%{fld2}\" - Group(s) \"%{group}\""); +var part213 = match("MESSAGE#110:SSLVPN_NONHTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Total_bytes_send %{comp_sbytes->} - Total_bytes_recv %{comp_rbytes->} - Denied_by_policy \"%{fld2}\" - Group(s) \"%{group}\""); var all49 = all_match({ processors: [ @@ -2874,24 +2602,21 @@ var all49 = all_match({ var msg123 = msg("SSLVPN_NONHTTP_RESOURCEACCESS_DENIED", all49); -var part214 = // "Pattern{Field(fld1,true), Constant(' - State Init')}" -match("MESSAGE#111:EVENT_VRIDINIT", "nwparser.payload", "%{fld1->} - State Init", processor_chain([ +var part214 = match("MESSAGE#111:EVENT_VRIDINIT", "nwparser.payload", "%{fld1->} - State Init", processor_chain([ dup9, dup4, ])); var msg124 = msg("EVENT_VRIDINIT", part214); -var part215 = // "Pattern{Constant('"REC: status '), Field(info,true), Constant(' from client '), Field(fld1,true), Constant(' for ID '), Field(id,false), Constant('"')}" -match("MESSAGE#112:CLUSTERD_Message:01", "nwparser.payload", "\"REC: status %{info->} from client %{fld1->} for ID %{id}\"", processor_chain([ +var part215 = match("MESSAGE#112:CLUSTERD_Message:01", "nwparser.payload", "\"REC: status %{info->} from client %{fld1->} for ID %{id}\"", processor_chain([ dup9, dup4, ])); var msg125 = msg("CLUSTERD_Message:01", part215); -var part216 = // "Pattern{Field(info,false), Constant('('), Field(saddr,false), Constant(') port('), Field(sport,false), Constant(') msglen('), Field(fld1,false), Constant(') rcv('), Field(packets,false), Constant(') R('), Field(result,false), Constant(') " ')}" -match("MESSAGE#113:CLUSTERD_Message:02/1_0", "nwparser.p0", "%{info}(%{saddr}) port(%{sport}) msglen(%{fld1}) rcv(%{packets}) R(%{result}) \" "); +var part216 = match("MESSAGE#113:CLUSTERD_Message:02/1_0", "nwparser.p0", "%{info}(%{saddr}) port(%{sport}) msglen(%{fld1}) rcv(%{packets}) R(%{result}) \" "); var select59 = linear_select([ part216, @@ -2916,11 +2641,9 @@ var select60 = linear_select([ msg126, ]); -var part217 = // "Pattern{Constant('"crypto: driver '), Field(fld1,true), Constant(' registers alg '), Field(fld2,true), Constant(' flags '), Field(fld3,true), Constant(' maxoplen '), Field(fld4,true), Constant(' "')}" -match("MESSAGE#114:IPSEC_Message/0_0", "nwparser.payload", "\"crypto: driver %{fld1->} registers alg %{fld2->} flags %{fld3->} maxoplen %{fld4->} \""); +var part217 = match("MESSAGE#114:IPSEC_Message/0_0", "nwparser.payload", "\"crypto: driver %{fld1->} registers alg %{fld2->} flags %{fld3->} maxoplen %{fld4->} \""); -var part218 = // "Pattern{Constant(' "'), Field(info,true), Constant(' "')}" -match("MESSAGE#114:IPSEC_Message/0_1", "nwparser.payload", " \"%{info->} \""); +var part218 = match("MESSAGE#114:IPSEC_Message/0_1", "nwparser.payload", " \"%{info->} \""); var select61 = linear_select([ part217, @@ -2939,16 +2662,14 @@ var all51 = all_match({ var msg127 = msg("IPSEC_Message", all51); -var part219 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': '), Field(info,true), Constant(' "')}" -match("MESSAGE#115:NSNETSVC_Message", "nwparser.payload", "\"%{event_type}: %{info->} \"", processor_chain([ +var part219 = match("MESSAGE#115:NSNETSVC_Message", "nwparser.payload", "\"%{event_type}: %{info->} \"", processor_chain([ dup9, dup4, ])); var msg128 = msg("NSNETSVC_Message", part219); -var part220 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Remote_host '), Field(hostname,true), Constant(' - Denied_url '), Field(url,true), Constant(' - Denied_by_policy '), Field(policyname,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#116:SSLVPN_HTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{} %{username}- Vserver %{daddr}:%{dport->} - Total_bytes_send %{sbytes->} - Remote_host %{hostname->} - Denied_url %{url->} - Denied_by_policy %{policyname->} - Group(s) \"%{group}\""); +var part220 = match("MESSAGE#116:SSLVPN_HTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{} %{username}- Vserver %{daddr}:%{dport->} - Total_bytes_send %{sbytes->} - Remote_host %{hostname->} - Denied_url %{url->} - Denied_by_policy %{policyname->} - Group(s) \"%{group}\""); var all52 = all_match({ processors: [ @@ -2964,14 +2685,11 @@ var all52 = all_match({ var msg129 = msg("SSLVPN_HTTP_RESOURCEACCESS_DENIED", all52); -var part221 = // "Pattern{Constant('Client '), Field(saddr,true), Constant(' - Profile '), Field(p0,false)}" -match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/0", "nwparser.payload", "Client %{saddr->} - Profile %{p0}"); +var part221 = match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/0", "nwparser.payload", "Client %{saddr->} - Profile %{p0}"); -var part222 = // "Pattern{Field(info,false), Constant(', '), Field(event_description,true), Constant(' - URL')}" -match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_0", "nwparser.p0", "%{info}, %{event_description->} - URL"); +var part222 = match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_0", "nwparser.p0", "%{info}, %{event_description->} - URL"); -var part223 = // "Pattern{Field(info,true), Constant(' - '), Field(event_description,true), Constant(' - URL')}" -match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_1", "nwparser.p0", "%{info->} - %{event_description->} - URL"); +var part223 = match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_1", "nwparser.p0", "%{info->} - %{event_description->} - URL"); var select62 = linear_select([ part222, @@ -2991,20 +2709,15 @@ var all53 = all_match({ var msg130 = msg("NSNETSVC_REQ_PARSE_ERROR", all53); -var part224 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Delink Time '), Field(fld11,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#118:Source:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{fld11->} %{p0}"); +var part224 = match("MESSAGE#118:Source:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{fld11->} %{p0}"); -var part225 = // "Pattern{Constant('GMT - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" -match("MESSAGE#118:Source:01/1_0", "nwparser.p0", "GMT - Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); +var part225 = match("MESSAGE#118:Source:01/1_0", "nwparser.p0", "GMT - Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); -var part226 = // "Pattern{Constant('- Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" -match("MESSAGE#118:Source:01/1_1", "nwparser.p0", "- Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); +var part226 = match("MESSAGE#118:Source:01/1_1", "nwparser.p0", "- Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); -var part227 = // "Pattern{Constant('GMT Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" -match("MESSAGE#118:Source:01/1_2", "nwparser.p0", "GMT Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); +var part227 = match("MESSAGE#118:Source:01/1_2", "nwparser.p0", "GMT Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); -var part228 = // "Pattern{Constant('Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" -match("MESSAGE#118:Source:01/1_3", "nwparser.p0", "Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); +var part228 = match("MESSAGE#118:Source:01/1_3", "nwparser.p0", "Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); var select63 = linear_select([ part225, @@ -3013,8 +2726,7 @@ var select63 = linear_select([ part228, ]); -var part229 = // "Pattern{Field(rbytes,false)}" -match_copy("MESSAGE#118:Source:01/2", "nwparser.p0", "rbytes"); +var part229 = match_copy("MESSAGE#118:Source:01/2", "nwparser.p0", "rbytes"); var all54 = all_match({ processors: [ @@ -3051,15 +2763,13 @@ var select64 = linear_select([ msg132, ]); -var part230 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(fld1,false), Constant('" - Status "'), Field(result,false), Constant('"')}" -match("MESSAGE#120:User", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{fld1}\" - Status \"%{result}\"", processor_chain([ +var part230 = match("MESSAGE#120:User", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{fld1}\" - Status \"%{result}\"", processor_chain([ dup2, ])); var msg133 = msg("User", part230); -var part231 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - ClientIP '), Field(saddr,true), Constant(' - ClientPort '), Field(sport,true), Constant(' - VserverServiceIP '), Field(daddr,true), Constant(' - VserverServicePort '), Field(dport,true), Constant(' - ClientVersion '), Field(s_sslver,true), Constant(' - CipherSuite "'), Field(s_cipher,false), Constant('" - '), Field(result,false)}" -match("MESSAGE#121:SPCBId", "nwparser.payload", "SPCBId %{sessionid->} - ClientIP %{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - %{result}", processor_chain([ +var part231 = match("MESSAGE#121:SPCBId", "nwparser.payload", "SPCBId %{sessionid->} - ClientIP %{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - %{result}", processor_chain([ dup11, dup40, dup8, @@ -3078,8 +2788,7 @@ var msg138 = msg("APPFW_FIELDCONSISTENCY", dup109); var msg139 = msg("APPFW_REFERER_HEADER", dup109); -var part232 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs3='), Field(fld6,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' cs6='), Field(fld9,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#127:APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} cs6=%{fld9->} act=%{action}", processor_chain([ +var part232 = match("MESSAGE#127:APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} cs6=%{fld9->} act=%{action}", processor_chain([ dup9, dup91, ])); @@ -3122,8 +2831,7 @@ var part233 = tagval("MESSAGE#130:CITRIX_TVM", "nwparser.payload", tvm, { var msg143 = msg("CITRIX_TVM", part233); -var part234 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(url,true), Constant(' '), Field(event_description,false)}" -match("MESSAGE#131:APPFW_APPFW_POLICY_HIT", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url->} %{event_description}", processor_chain([ +var part234 = match("MESSAGE#131:APPFW_APPFW_POLICY_HIT", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url->} %{event_description}", processor_chain([ dup9, dup40, dup3, @@ -3132,8 +2840,7 @@ match("MESSAGE#131:APPFW_APPFW_POLICY_HIT", "nwparser.payload", "%{saddr->} %{fl var msg144 = msg("APPFW_APPFW_POLICY_HIT", part234); -var part235 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Unknown content-type header value='), Field(fld4,true), Constant(' '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#132:APPFW_APPFW_CONTENT_TYPE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Unknown content-type header value=%{fld4->} %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part235 = match("MESSAGE#132:APPFW_APPFW_CONTENT_TYPE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Unknown content-type header value=%{fld4->} %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup9, dup91, dup4, @@ -3141,8 +2848,7 @@ match("MESSAGE#132:APPFW_APPFW_CONTENT_TYPE", "nwparser.payload", "%{saddr->} %{ var msg145 = msg("APPFW_APPFW_CONTENT_TYPE", part235); -var part236 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' WSI check failed: '), Field(fld4,false), Constant(': '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#133:APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} WSI check failed: %{fld4}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part236 = match("MESSAGE#133:APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} WSI check failed: %{fld4}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup9, dup91, dup4, @@ -3150,8 +2856,7 @@ match("MESSAGE#133:APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", "nwparser.p var msg146 = msg("APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", part236); -var part237 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Referer header check failed: referer header URL ''), Field(web_referer,false), Constant('' not in Start URL or closure list <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#134:APPFW_APPFW_REFERER_HEADER", "nwparser.payload", "%{saddr->} %{fld2->} %{fld3->} %{rule_group->} %{url->} Referer header check failed: referer header URL '%{web_referer}' not in Start URL or closure list \u003c\u003c%{disposition}>", processor_chain([ +var part237 = match("MESSAGE#134:APPFW_APPFW_REFERER_HEADER", "nwparser.payload", "%{saddr->} %{fld2->} %{fld3->} %{rule_group->} %{url->} Referer header check failed: referer header URL '%{web_referer}' not in Start URL or closure list \u003c\u003c%{disposition}>", processor_chain([ dup9, dup40, dup3, @@ -3161,8 +2866,7 @@ match("MESSAGE#134:APPFW_APPFW_REFERER_HEADER", "nwparser.payload", "%{saddr->} var msg147 = msg("APPFW_APPFW_REFERER_HEADER", part237); -var part238 = // "Pattern{Constant('"URL'), Field(url,false), Constant('Client IP'), Field(hostip,false), Constant('Client Dest'), Field(fld1,false)}" -match("MESSAGE#141:RESPONDER_Message", "nwparser.payload", "\"URL%{url}Client IP%{hostip}Client Dest%{fld1}", processor_chain([ +var part238 = match("MESSAGE#141:RESPONDER_Message", "nwparser.payload", "\"URL%{url}Client IP%{hostip}Client Dest%{fld1}", processor_chain([ dup9, dup3, dup4, @@ -3170,8 +2874,7 @@ match("MESSAGE#141:RESPONDER_Message", "nwparser.payload", "\"URL%{url}Client IP var msg148 = msg("RESPONDER_Message", part238); -var part239 = // "Pattern{Constant('"NSRateLimit='), Field(filter,false), Constant(', ClientIP='), Field(saddr,false), Constant('"')}" -match("MESSAGE#142:RESPONDER_Message:01", "nwparser.payload", "\"NSRateLimit=%{filter}, ClientIP=%{saddr}\"", processor_chain([ +var part239 = match("MESSAGE#142:RESPONDER_Message:01", "nwparser.payload", "\"NSRateLimit=%{filter}, ClientIP=%{saddr}\"", processor_chain([ dup9, dup3, dup4, @@ -3184,8 +2887,7 @@ var select65 = linear_select([ msg149, ]); -var part240 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' - '), Field(fld2,true), Constant(' - '), Field(event_description,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#147:APPFW_AF_MALFORMED_REQ_ERR", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{event_description->} \u003c\u003c%{disposition}>", processor_chain([ +var part240 = match("MESSAGE#147:APPFW_AF_MALFORMED_REQ_ERR", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{event_description->} \u003c\u003c%{disposition}>", processor_chain([ dup11, dup3, dup4, @@ -3193,8 +2895,7 @@ match("MESSAGE#147:APPFW_AF_MALFORMED_REQ_ERR", "nwparser.payload", "%{saddr->} var msg150 = msg("APPFW_AF_MALFORMED_REQ_ERR", part240); -var part241 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' - '), Field(fld2,true), Constant(' - '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' '), Field(event_description,true), Constant(' rule ID '), Field(rule_uid,false), Constant(': '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#148:APPFW_APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{rule_group->} %{url->} %{event_description->} rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part241 = match("MESSAGE#148:APPFW_APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{rule_group->} %{url->} %{event_description->} rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup9, domain("web_domain","url"), root("web_root","url"), @@ -3206,8 +2907,7 @@ match("MESSAGE#148:APPFW_APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{saddr->} var msg151 = msg("APPFW_APPFW_SIGNATURE_MATCH", part241); -var part242 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Signature violation rule ID '), Field(rule_uid,false), Constant(': '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#149:APPFW_APPFW_SIGNATURE_MATCH:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Signature violation rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part242 = match("MESSAGE#149:APPFW_APPFW_SIGNATURE_MATCH:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Signature violation rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup9, dup91, dup4, @@ -3221,8 +2921,7 @@ var select66 = linear_select([ msg152, ]); -var part243 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" -serverIP '), Field(daddr,true), Constant(' -serverPort '), Field(dport,true), Constant(' -logLevel '), Field(fld1,true), Constant(' -dateFormat '), Field(fld2,true), Constant(' -logFacility '), Field(fld3,true), Constant(' -tcp '), Field(fld4,true), Constant(' -acl '), Field(fld5,true), Constant(' -timeZone '), Field(fld6,true), Constant(' -userDefinedAuditlog '), Field(fld7,true), Constant(' -appflowExport '), Field(fld8,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#150:GUI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" -serverIP %{daddr->} -serverPort %{dport->} -logLevel %{fld1->} -dateFormat %{fld2->} -logFacility %{fld3->} -tcp %{fld4->} -acl %{fld5->} -timeZone %{fld6->} -userDefinedAuditlog %{fld7->} -appflowExport %{fld8}\" - Status \"%{disposition}\"", processor_chain([ +var part243 = match("MESSAGE#150:GUI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" -serverIP %{daddr->} -serverPort %{dport->} -logLevel %{fld1->} -dateFormat %{fld2->} -logFacility %{fld3->} -tcp %{fld4->} -acl %{fld5->} -timeZone %{fld6->} -userDefinedAuditlog %{fld7->} -appflowExport %{fld8}\" - Status \"%{disposition}\"", processor_chain([ dup88, dup89, dup3, @@ -3231,8 +2930,7 @@ match("MESSAGE#150:GUI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} var msg153 = msg("GUI_CMD_EXECUTED:01", part243); -var part244 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,true), Constant(' -priority '), Field(fld1,true), Constant(' -devno '), Field(fld2,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#151:GUI_CMD_EXECUTED:02", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} -priority %{fld1->} -devno %{fld2}\" - Status \"%{disposition}\"", processor_chain([ +var part244 = match("MESSAGE#151:GUI_CMD_EXECUTED:02", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} -priority %{fld1->} -devno %{fld2}\" - Status \"%{disposition}\"", processor_chain([ dup88, dup89, dup3, @@ -3241,8 +2939,7 @@ match("MESSAGE#151:GUI_CMD_EXECUTED:02", "nwparser.payload", "User %{username->} var msg154 = msg("GUI_CMD_EXECUTED:02", part244); -var part245 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" -match("MESSAGE#152:GUI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ +var part245 = match("MESSAGE#152:GUI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ dup69, dup92, dup3, @@ -3254,8 +2951,7 @@ match("MESSAGE#152:GUI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username var msg155 = msg("GUI_CMD_EXECUTED:Login", part245); -var part246 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "logout '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" -match("MESSAGE#153:GUI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ +var part246 = match("MESSAGE#153:GUI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ dup71, dup92, dup3, @@ -3269,8 +2965,7 @@ var msg156 = msg("GUI_CMD_EXECUTED:Logout", part246); var msg157 = msg("GUI_CMD_EXECUTED", dup108); -var part247 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,true), Constant(' - Status "'), Field(disposition,false), Constant('" - Message "'), Field(info,false), Constant('"')}" -match("MESSAGE#155:GUI_CMD_EXECUTED:03", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} - Status \"%{disposition}\" - Message \"%{info}\"", processor_chain([ +var part247 = match("MESSAGE#155:GUI_CMD_EXECUTED:03", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} - Status \"%{disposition}\" - Message \"%{info}\"", processor_chain([ dup88, dup89, dup4, @@ -3289,8 +2984,7 @@ var select67 = linear_select([ var msg159 = msg("CLI_CMD_EXECUTED", dup108); -var part248 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#157:API_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ +var part248 = match("MESSAGE#157:API_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ dup88, setc("event_description","API command executed in NetScaler"), dup3, @@ -3299,11 +2993,9 @@ match("MESSAGE#157:API_CMD_EXECUTED", "nwparser.payload", "User %{username->} - var msg160 = msg("API_CMD_EXECUTED", part248); -var part249 = // "Pattern{Field(result,true), Constant(' for user '), Field(username,true), Constant(' = '), Field(fld1,true), Constant(' "')}" -match("MESSAGE#158:AAA_Message/1_0", "nwparser.p0", "%{result->} for user %{username->} = %{fld1->} \""); +var part249 = match("MESSAGE#158:AAA_Message/1_0", "nwparser.p0", "%{result->} for user %{username->} = %{fld1->} \""); -var part250 = // "Pattern{Constant(''), Field(info,true), Constant(' "')}" -match("MESSAGE#158:AAA_Message/1_1", "nwparser.p0", "%{info->} \""); +var part250 = match("MESSAGE#158:AAA_Message/1_1", "nwparser.p0", "%{info->} \""); var select68 = linear_select([ part249, @@ -3323,8 +3015,7 @@ var all56 = all_match({ var msg161 = msg("AAA_Message", all56); -var part251 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': created session for <<'), Field(domain,false), Constant('> with cookie: <<'), Field(web_cookie,false), Constant('>"')}" -match("MESSAGE#159:AAATM_Message:04", "nwparser.payload", "\"%{event_type}: created session for \u003c\u003c%{domain}> with cookie: \u003c\u003c%{web_cookie}>\"", processor_chain([ +var part251 = match("MESSAGE#159:AAATM_Message:04", "nwparser.payload", "\"%{event_type}: created session for \u003c\u003c%{domain}> with cookie: \u003c\u003c%{web_cookie}>\"", processor_chain([ dup9, dup91, dup4, @@ -3332,8 +3023,7 @@ match("MESSAGE#159:AAATM_Message:04", "nwparser.payload", "\"%{event_type}: crea var msg162 = msg("AAATM_Message:04", part251); -var part252 = // "Pattern{Field(fld1,true), Constant(' for user '), Field(username,true), Constant(' "')}" -match("MESSAGE#160:AAATM_Message/1_0", "nwparser.p0", "%{fld1->} for user %{username->} \""); +var part252 = match("MESSAGE#160:AAATM_Message/1_0", "nwparser.p0", "%{fld1->} for user %{username->} \""); var select69 = linear_select([ part252, @@ -3353,8 +3043,7 @@ var all57 = all_match({ var msg163 = msg("AAATM_Message", all57); -var part253 = // "Pattern{Constant('"'), Field(fld1,true), Constant(' creating session '), Field(info,false), Constant('"')}" -match("MESSAGE#161:AAATM_Message:01", "nwparser.payload", "\"%{fld1->} creating session %{info}\"", processor_chain([ +var part253 = match("MESSAGE#161:AAATM_Message:01", "nwparser.payload", "\"%{fld1->} creating session %{info}\"", processor_chain([ dup9, dup4, setc("event_type","creating session"), @@ -3362,8 +3051,7 @@ match("MESSAGE#161:AAATM_Message:01", "nwparser.payload", "\"%{fld1->} creating var msg164 = msg("AAATM_Message:01", part253); -var part254 = // "Pattern{Constant('"cookie idx is '), Field(fld1,false), Constant(', '), Field(info,false), Constant('"')}" -match("MESSAGE#162:AAATM_Message:02", "nwparser.payload", "\"cookie idx is %{fld1}, %{info}\"", processor_chain([ +var part254 = match("MESSAGE#162:AAATM_Message:02", "nwparser.payload", "\"cookie idx is %{fld1}, %{info}\"", processor_chain([ dup9, dup4, setc("event_type","cookie idx"), @@ -3371,8 +3059,7 @@ match("MESSAGE#162:AAATM_Message:02", "nwparser.payload", "\"cookie idx is %{fld var msg165 = msg("AAATM_Message:02", part254); -var part255 = // "Pattern{Constant('"sent request to '), Field(fld1,true), Constant(' for authentication, user <<'), Field(domain,false), Constant('\'), Field(username,false), Constant('>, client ip '), Field(saddr,false), Constant('"')}" -match("MESSAGE#163:AAATM_Message:03", "nwparser.payload", "\"sent request to %{fld1->} for authentication, user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}\"", processor_chain([ +var part255 = match("MESSAGE#163:AAATM_Message:03", "nwparser.payload", "\"sent request to %{fld1->} for authentication, user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}\"", processor_chain([ setc("eventcategory","1304000000"), dup4, setc("event_type","sent request"), @@ -3380,8 +3067,7 @@ match("MESSAGE#163:AAATM_Message:03", "nwparser.payload", "\"sent request to %{f var msg166 = msg("AAATM_Message:03", part255); -var part256 = // "Pattern{Constant('"authentication succeeded for user <<'), Field(domain,false), Constant('\'), Field(username,false), Constant('>, client ip '), Field(saddr,false), Constant(', setting up session"')}" -match("MESSAGE#164:AAATM_Message:05", "nwparser.payload", "\"authentication succeeded for user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}, setting up session\"", processor_chain([ +var part256 = match("MESSAGE#164:AAATM_Message:05", "nwparser.payload", "\"authentication succeeded for user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}, setting up session\"", processor_chain([ setc("eventcategory","1302000000"), dup4, setc("event_type","setting up session"), @@ -3401,22 +3087,18 @@ var select70 = linear_select([ msg168, ]); -var part257 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- '), Field(event_computer,true), Constant(' User '), Field(username,true), Constant(' : Group(s) '), Field(group,true), Constant(' : Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#166:AAATM_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- %{event_computer->} User %{username->} : Group(s) %{group->} : Vserver %{daddr}:%{dport->} - %{fld2->} %{p0}"); +var part257 = match("MESSAGE#166:AAATM_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- %{event_computer->} User %{username->} : Group(s) %{group->} : Vserver %{daddr}:%{dport->} - %{fld2->} %{p0}"); -var part258 = // "Pattern{Field(timezone,false), Constant(': SSO is '), Field(fld3,true), Constant(' : '), Field(p0,false)}" -match("MESSAGE#166:AAATM_HTTPREQUEST/1_0", "nwparser.p0", "%{timezone}: SSO is %{fld3->} : %{p0}"); +var part258 = match("MESSAGE#166:AAATM_HTTPREQUEST/1_0", "nwparser.p0", "%{timezone}: SSO is %{fld3->} : %{p0}"); -var part259 = // "Pattern{Field(timezone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#166:AAATM_HTTPREQUEST/1_1", "nwparser.p0", "%{timezone->} %{p0}"); +var part259 = match("MESSAGE#166:AAATM_HTTPREQUEST/1_1", "nwparser.p0", "%{timezone->} %{p0}"); var select71 = linear_select([ part258, part259, ]); -var part260 = // "Pattern{Field(web_method,true), Constant(' '), Field(url,true), Constant(' '), Field(fld4,false)}" -match("MESSAGE#166:AAATM_HTTPREQUEST/2", "nwparser.p0", "%{web_method->} %{url->} %{fld4}"); +var part260 = match("MESSAGE#166:AAATM_HTTPREQUEST/2", "nwparser.p0", "%{web_method->} %{url->} %{fld4}"); var all58 = all_match({ processors: [ @@ -3446,16 +3128,14 @@ var msg171 = msg("SSLVPN_REMOVE_SESSION", dup114); var msg172 = msg("SSLVPN_REMOVE_SESSION_INFO", dup114); -var part261 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - ica_rtt '), Field(fld5,true), Constant(' - clientside_rxbytes '), Field(rbytes,false), Constant('- clientside_txbytes '), Field(sbytes,true), Constant(' - clientside_packet_retransmits '), Field(fld6,true), Constant(' - serverside_packet_retransmits '), Field(fld7,true), Constant(' - clientside_rtt '), Field(fld8,true), Constant(' - serverside_rtt '), Field(fld9,true), Constant(' - clientside_jitter '), Field(fld10,true), Constant(' - serverside_jitter '), Field(fld11,false)}" -match("MESSAGE#170:ICA_NETWORK_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - ica_rtt %{fld5->} - clientside_rxbytes %{rbytes}- clientside_txbytes %{sbytes->} - clientside_packet_retransmits %{fld6->} - serverside_packet_retransmits %{fld7->} - clientside_rtt %{fld8->} - serverside_rtt %{fld9->} - clientside_jitter %{fld10->} - serverside_jitter %{fld11}", processor_chain([ +var part261 = match("MESSAGE#170:ICA_NETWORK_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - ica_rtt %{fld5->} - clientside_rxbytes %{rbytes}- clientside_txbytes %{sbytes->} - clientside_packet_retransmits %{fld6->} - serverside_packet_retransmits %{fld7->} - clientside_rtt %{fld8->} - serverside_rtt %{fld9->} - clientside_jitter %{fld10->} - serverside_jitter %{fld11}", processor_chain([ dup9, dup4, ])); var msg173 = msg("ICA_NETWORK_UPDATE", part261); -var part262 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - channel_update_begin '), Field(fld5,true), Constant(' - channel_update_end '), Field(fld6,true), Constant(' - channel_id_1 '), Field(fld7,true), Constant(' - channel_id_1_val '), Field(fld8,true), Constant(' - channel_id_2 '), Field(fld9,true), Constant(' - channel_id_2_val '), Field(fld10,true), Constant(' -channel_id_3 '), Field(fld11,true), Constant(' - channel_id_3_val '), Field(fld12,true), Constant(' - channel_id_4 '), Field(fld13,true), Constant(' - channel_id_4_val '), Field(fld14,true), Constant(' -channel_id_5 '), Field(fld15,true), Constant(' - channel_id_5_val '), Field(fld16,false)}" -match("MESSAGE#171:ICA_CHANNEL_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - channel_update_begin %{fld5->} - channel_update_end %{fld6->} - channel_id_1 %{fld7->} - channel_id_1_val %{fld8->} - channel_id_2 %{fld9->} - channel_id_2_val %{fld10->} -channel_id_3 %{fld11->} - channel_id_3_val %{fld12->} - channel_id_4 %{fld13->} - channel_id_4_val %{fld14->} -channel_id_5 %{fld15->} - channel_id_5_val %{fld16}", processor_chain([ +var part262 = match("MESSAGE#171:ICA_CHANNEL_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - channel_update_begin %{fld5->} - channel_update_end %{fld6->} - channel_id_1 %{fld7->} - channel_id_1_val %{fld8->} - channel_id_2 %{fld9->} - channel_id_2_val %{fld10->} -channel_id_3 %{fld11->} - channel_id_3_val %{fld12->} - channel_id_4 %{fld13->} - channel_id_4_val %{fld14->} -channel_id_5 %{fld15->} - channel_id_5_val %{fld16}", processor_chain([ dup9, date_time({ dest: "starttime", @@ -3476,8 +3156,7 @@ match("MESSAGE#171:ICA_CHANNEL_UPDATE", "nwparser.payload", "session_guid %{fld1 var msg174 = msg("ICA_CHANNEL_UPDATE", part262); -var part263 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - nsica_session_status '), Field(fld5,true), Constant(' - nsica_session_client_ip '), Field(saddr,true), Constant(' - nsica_session_client_port '), Field(sport,true), Constant(' - nsica_session_server_ip '), Field(daddr,true), Constant(' - nsica_session_server_port '), Field(dport,true), Constant(' - nsica_session_reconnect_count '), Field(fld6,true), Constant(' - nsica_session_acr_count '), Field(fld7,true), Constant(' - connection_priority '), Field(fld8,true), Constant(' - timestamp '), Field(fld9,false)}" -match("MESSAGE#172:ICA_SESSION_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - nsica_session_status %{fld5->} - nsica_session_client_ip %{saddr->} - nsica_session_client_port %{sport->} - nsica_session_server_ip %{daddr->} - nsica_session_server_port %{dport->} - nsica_session_reconnect_count %{fld6->} - nsica_session_acr_count %{fld7->} - connection_priority %{fld8->} - timestamp %{fld9}", processor_chain([ +var part263 = match("MESSAGE#172:ICA_SESSION_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - nsica_session_status %{fld5->} - nsica_session_client_ip %{saddr->} - nsica_session_client_port %{sport->} - nsica_session_server_ip %{daddr->} - nsica_session_server_port %{dport->} - nsica_session_reconnect_count %{fld6->} - nsica_session_acr_count %{fld7->} - connection_priority %{fld8->} - timestamp %{fld9}", processor_chain([ dup9, dup4, ])); @@ -3486,16 +3165,14 @@ var msg175 = msg("ICA_SESSION_UPDATE", part263); var msg176 = msg("ICA_Message", dup111); -var part264 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - session_setup_time '), Field(fld5,true), Constant(' - client_ip '), Field(saddr,true), Constant(' - client_type '), Field(fld6,true), Constant(' - client_launcher '), Field(fld7,true), Constant(' - client_version '), Field(version,true), Constant(' - client_hostname '), Field(shost,true), Constant(' - domain_name '), Field(domain,true), Constant(' - server_name '), Field(dhost,true), Constant(' - connection_priority '), Field(fld8,false)}" -match("MESSAGE#174:ICA_SESSION_SETUP", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_setup_time %{fld5->} - client_ip %{saddr->} - client_type %{fld6->} - client_launcher %{fld7->} - client_version %{version->} - client_hostname %{shost->} - domain_name %{domain->} - server_name %{dhost->} - connection_priority %{fld8}", processor_chain([ +var part264 = match("MESSAGE#174:ICA_SESSION_SETUP", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_setup_time %{fld5->} - client_ip %{saddr->} - client_type %{fld6->} - client_launcher %{fld7->} - client_version %{version->} - client_hostname %{shost->} - domain_name %{domain->} - server_name %{dhost->} - connection_priority %{fld8}", processor_chain([ dup9, dup4, ])); var msg177 = msg("ICA_SESSION_SETUP", part264); -var part265 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - launch_mechanism '), Field(fld5,true), Constant(' - app_launch_time '), Field(fld6,true), Constant(' - app_process_id '), Field(fld7,true), Constant(' - app_name '), Field(fld8,true), Constant(' - module_path '), Field(filename,false)}" -match("MESSAGE#175:ICA_APPLICATION_LAUNCH", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - launch_mechanism %{fld5->} - app_launch_time %{fld6->} - app_process_id %{fld7->} - app_name %{fld8->} - module_path %{filename}", processor_chain([ +var part265 = match("MESSAGE#175:ICA_APPLICATION_LAUNCH", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - launch_mechanism %{fld5->} - app_launch_time %{fld6->} - app_process_id %{fld7->} - app_name %{fld8->} - module_path %{filename}", processor_chain([ dup9, date_time({ dest: "starttime", @@ -3509,8 +3186,7 @@ match("MESSAGE#175:ICA_APPLICATION_LAUNCH", "nwparser.payload", "session_guid %{ var msg178 = msg("ICA_APPLICATION_LAUNCH", part265); -var part266 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - session_end_time '), Field(fld5,false)}" -match("MESSAGE#176:ICA_SESSION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_end_time %{fld5}", processor_chain([ +var part266 = match("MESSAGE#176:ICA_SESSION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_end_time %{fld5}", processor_chain([ dup9, date_time({ dest: "endtime", @@ -3524,8 +3200,7 @@ match("MESSAGE#176:ICA_SESSION_TERMINATE", "nwparser.payload", "session_guid %{f var msg179 = msg("ICA_SESSION_TERMINATE", part266); -var part267 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - app_termination_type '), Field(fld5,true), Constant(' - app_process_id '), Field(fld6,true), Constant(' - app_termination_time '), Field(fld7,false)}" -match("MESSAGE#177:ICA_APPLICATION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - app_termination_type %{fld5->} - app_process_id %{fld6->} - app_termination_time %{fld7}", processor_chain([ +var part267 = match("MESSAGE#177:ICA_APPLICATION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - app_termination_type %{fld5->} - app_process_id %{fld6->} - app_termination_time %{fld7}", processor_chain([ dup9, date_time({ dest: "endtime", @@ -3553,8 +3228,7 @@ var all59 = all_match({ var msg181 = msg("SSLVPN_REMOVE_SESSION_DEBUG", all59); -var part268 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Browser_type '), Field(user_agent,false), Constant('- Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#181:AAATM_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{user_agent}- Group(s) \"%{group}\""); +var part268 = match("MESSAGE#181:AAATM_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{user_agent}- Group(s) \"%{group}\""); var all60 = all_match({ processors: [ @@ -3574,8 +3248,7 @@ var all60 = all_match({ var msg182 = msg("AAATM_LOGIN", all60); -var part269 = // "Pattern{Field(duration_string,true), Constant(' - Http_resources_accessed '), Field(fld3,true), Constant(' - Total_TCP_connections '), Field(fld5,true), Constant(' - Total_policies_allowed '), Field(fld7,true), Constant(' - Total_policies_denied '), Field(fld8,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(fld12,true), Constant(' - Total_compressedbytes_recv '), Field(fld13,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' - LogoutMethod "'), Field(result,false), Constant('" - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#182:AAATM_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - Total_TCP_connections %{fld5->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{fld12->} - Total_compressedbytes_recv %{fld13->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); +var part269 = match("MESSAGE#182:AAATM_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - Total_TCP_connections %{fld5->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{fld12->} - Total_compressedbytes_recv %{fld13->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); var all61 = all_match({ processors: [ @@ -3722,149 +3395,101 @@ var chain1 = processor_chain([ }), ]); -var part270 = // "Pattern{Field(saddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); +var part270 = match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); -var part271 = // "Pattern{Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); +var part271 = match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); -var part272 = // "Pattern{Field(url,true), Constant(' '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); +var part272 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); -var part273 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); +var part273 = match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); -var part274 = // "Pattern{Constant('HASTATE '), Field(p0,false)}" -match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); +var part274 = match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); -var part275 = // "Pattern{Field(network_service,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); +var part275 = match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); -var part276 = // "Pattern{Field(info,false), Constant('"')}" -match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); +var part276 = match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); -var part277 = // "Pattern{Constant('for '), Field(dclass_counter1,false)}" -match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); +var part277 = match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); -var part278 = // "Pattern{Field(space,false)}" -match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); +var part278 = match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); -var part279 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); +var part279 = match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); -var part280 = // "Pattern{Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); +var part280 = match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); -var part281 = // "Pattern{}" -match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); +var part281 = match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); -var part282 = // "Pattern{Field(obj_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); +var part282 = match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); -var part283 = // "Pattern{Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); +var part283 = match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); -var part284 = // "Pattern{Constant(''), Field(obj_name,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); +var part284 = match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); -var part285 = // "Pattern{Constant('" '), Field(p0,false)}" -match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); +var part285 = match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); -var part286 = // "Pattern{Constant(''), Field(info,false), Constant('"')}" -match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); +var part286 = match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); -var part287 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); +var part287 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); -var part288 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); +var part288 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); -var part289 = // "Pattern{Constant('ClientIP '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); +var part289 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); -var part290 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); +var part290 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); -var part291 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); +var part291 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); -var part292 = // "Pattern{Field(fld10,true), Constant(' - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); +var part292 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); -var part293 = // "Pattern{Constant('" '), Field(fld11,true), Constant(' GMT" - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); +var part293 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); -var part294 = // "Pattern{Constant('" '), Field(fld11,false), Constant('" - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); +var part294 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); -var part295 = // "Pattern{Field(fld11,true), Constant(' - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); +var part295 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); -var part296 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); +var part296 = match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); -var part297 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); +var part297 = match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); -var part298 = // "Pattern{Constant('User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); +var part298 = match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); -var part299 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); +var part299 = match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); -var part300 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); +var part300 = match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); -var part301 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); +var part301 = match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); -var part302 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); +var part302 = match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); -var part303 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(username,true), Constant(' - Client_ip '), Field(hostip,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); +var part303 = match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); -var part304 = // "Pattern{Field(,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); +var part304 = match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); -var part305 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Delink Time '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); +var part305 = match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); -var part306 = // "Pattern{Field(fld11,true), Constant(' GMT - Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); +var part306 = match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); -var part307 = // "Pattern{Field(fld11,true), Constant(' - Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); +var part307 = match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); -var part308 = // "Pattern{Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); +var part308 = match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); -var part309 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); +var part309 = match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); -var part310 = // "Pattern{Field(fld10,true), Constant(' GMT - End Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); +var part310 = match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); -var part311 = // "Pattern{Field(fld10,true), Constant(' - End Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); +var part311 = match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); -var part312 = // "Pattern{Field(info,true), Constant(' "')}" -match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); +var part312 = match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); -var part313 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); +var part313 = match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); -var part314 = // "Pattern{Constant('Sessionid '), Field(sessionid,true), Constant(' - User '), Field(username,true), Constant(' - Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); +var part314 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); -var part315 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); +var part315 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); -var part316 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); +var part316 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); -var part317 = // "Pattern{Field(daddr,true), Constant(' - Errmsg " '), Field(event_description,true), Constant(' "')}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); +var part317 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); var select72 = linear_select([ dup21, @@ -3881,8 +3506,7 @@ var select74 = linear_select([ dup33, ]); -var part318 = // "Pattern{Field(fld1,false), Constant(':UserLogin:'), Field(username,true), Constant(' - '), Field(event_description,true), Constant(' from client IP Address '), Field(saddr,false)}" -match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ +var part318 = match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ dup5, dup4, ])); @@ -3920,28 +3544,24 @@ var select80 = linear_select([ dup82, ]); -var part319 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ +var part319 = match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ dup88, dup89, dup3, dup4, ])); -var part320 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs3='), Field(fld6,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ +var part320 = match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ dup9, dup91, ])); -var part321 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ +var part321 = match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ dup11, dup91, ])); -var part322 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ +var part322 = match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ dup9, dup4, ])); diff --git a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json index cb772d91268..837f7b744a7 100644 --- a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json +++ b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json @@ -101,8 +101,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.72.11.247", - "10.134.175.248" + "10.134.175.248", + "10.72.11.247" ], "rsa.counters.dclass_c1": 1279, "rsa.db.index": "antium", @@ -185,10 +185,10 @@ "observer.vendor": "Citrix", "related.ip": [ "10.96.119.12", + "10.156.210.168", "10.21.92.218", - "10.83.234.60", "10.109.68.21", - "10.156.210.168" + "10.83.234.60" ], "related.user": [ "picia" @@ -1332,11 +1332,11 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.45.114.111", - "10.180.83.140", - "10.243.226.122", "10.117.94.131", - "10.3.23.172" + "10.180.83.140", + "10.3.23.172", + "10.45.114.111", + "10.243.226.122" ], "related.user": [ "ehender" @@ -2085,8 +2085,8 @@ "observer.vendor": "Citrix", "related.ip": [ "10.225.146.5", - "10.41.65.89", - "10.80.5.101" + "10.80.5.101", + "10.41.65.89" ], "related.user": [ "picia" @@ -2209,8 +2209,8 @@ "observer.vendor": "Citrix", "related.ip": [ "10.33.231.173", - "10.183.26.222", - "10.22.34.206" + "10.22.34.206", + "10.183.26.222" ], "related.user": [ "abill" @@ -2585,10 +2585,10 @@ "observer.vendor": "Citrix", "related.ip": [ "10.148.244.55", + "10.76.129.136", "10.133.153.174", - "10.8.82.22", "10.113.135.78", - "10.76.129.136" + "10.8.82.22" ], "related.user": [ "asiar" @@ -2662,8 +2662,8 @@ "rsa.db.index": "aturE", "rsa.internal.messageid": "APPFW_REFERER_HEADER", "rsa.misc.action": [ - "remip", - "cancel" + "cancel", + "remip" ], "rsa.misc.policy_name": "oNemoeni", "rsa.misc.rule": "citation", @@ -2938,9 +2938,9 @@ "observer.vendor": "Citrix", "related.ip": [ "10.29.202.248", - "10.161.218.47", + "10.206.5.50", "10.247.251.223", - "10.206.5.50" + "10.161.218.47" ], "rsa.internal.event_desc": "A Server side and a Client side TCP connection is delinked. This is not tracked by Netscaler", "rsa.internal.messageid": "TCP_OTHERCONN_DELINK", @@ -3076,8 +3076,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.148.72.78", - "10.37.99.189" + "10.37.99.189", + "10.148.72.78" ], "rsa.crypto.cipher_src": "ritatis", "rsa.crypto.ssl_ver_src": "ugitsed", diff --git a/x-pack/filebeat/module/coredns/log/config/coredns.yml b/x-pack/filebeat/module/coredns/log/config/coredns.yml index be7f27f551f..4f9992ae2d4 100644 --- a/x-pack/filebeat/module/coredns/log/config/coredns.yml +++ b/x-pack/filebeat/module/coredns/log/config/coredns.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml index 689bd725530..2af0eeca092 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml @@ -23,4 +23,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js b/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js index 02a511984c0..0f8be954311 100644 --- a/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js +++ b/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js @@ -93,146 +93,99 @@ var dup29 = setc("ec_activity","Disable"); var dup30 = setc("eventcategory","1401050200"); -var dup31 = // "Pattern{Constant('Version='), Field(p0,false)}" -match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); +var dup31 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); -var dup32 = // "Pattern{Constant('"'), Field(version,false), Constant('";Message='), Field(p0,false)}" -match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); +var dup32 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); -var dup33 = // "Pattern{Field(version,false), Constant(';Message='), Field(p0,false)}" -match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); +var dup33 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); -var dup34 = // "Pattern{Constant('"'), Field(action,false), Constant('";Issuer='), Field(p0,false)}" -match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); +var dup34 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); -var dup35 = // "Pattern{Field(action,false), Constant(';Issuer='), Field(p0,false)}" -match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); +var dup35 = match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); -var dup36 = // "Pattern{Constant('"'), Field(username,false), Constant('";Station='), Field(p0,false)}" -match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); +var dup36 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); -var dup37 = // "Pattern{Field(username,false), Constant(';Station='), Field(p0,false)}" -match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); +var dup37 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); -var dup38 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";File='), Field(p0,false)}" -match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); +var dup38 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); -var dup39 = // "Pattern{Field(hostip,false), Constant(';File='), Field(p0,false)}" -match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); +var dup39 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); -var dup40 = // "Pattern{Constant('"'), Field(filename,false), Constant('";Safe='), Field(p0,false)}" -match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); +var dup40 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); -var dup41 = // "Pattern{Field(filename,false), Constant(';Safe='), Field(p0,false)}" -match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); +var dup41 = match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); -var dup42 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";Location='), Field(p0,false)}" -match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); +var dup42 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); -var dup43 = // "Pattern{Field(group_object,false), Constant(';Location='), Field(p0,false)}" -match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); +var dup43 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); -var dup44 = // "Pattern{Constant('"'), Field(directory,false), Constant('";Category='), Field(p0,false)}" -match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); +var dup44 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); -var dup45 = // "Pattern{Field(directory,false), Constant(';Category='), Field(p0,false)}" -match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); +var dup45 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); -var dup46 = // "Pattern{Constant('"'), Field(category,false), Constant('";RequestId='), Field(p0,false)}" -match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); +var dup46 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); -var dup47 = // "Pattern{Field(category,false), Constant(';RequestId='), Field(p0,false)}" -match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); +var dup47 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); -var dup48 = // "Pattern{Constant('"'), Field(id1,false), Constant('";Reason='), Field(p0,false)}" -match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); +var dup48 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); -var dup49 = // "Pattern{Field(id1,false), Constant(';Reason='), Field(p0,false)}" -match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); +var dup49 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); -var dup50 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";Severity='), Field(p0,false)}" -match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); +var dup50 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); -var dup51 = // "Pattern{Field(event_description,false), Constant(';Severity='), Field(p0,false)}" -match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); +var dup51 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); -var dup52 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); +var dup52 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); -var dup53 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); +var dup53 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); -var dup54 = // "Pattern{Constant('"'), Field(group,false), Constant('";TargetUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); +var dup54 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); -var dup55 = // "Pattern{Field(group,false), Constant(';TargetUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); +var dup55 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); -var dup56 = // "Pattern{Constant('"'), Field(uid,false), Constant('";GatewayStation='), Field(p0,false)}" -match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); +var dup56 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); -var dup57 = // "Pattern{Field(uid,false), Constant(';GatewayStation='), Field(p0,false)}" -match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); +var dup57 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); -var dup58 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";TicketID='), Field(p0,false)}" -match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); +var dup58 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); -var dup59 = // "Pattern{Field(saddr,false), Constant(';TicketID='), Field(p0,false)}" -match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); +var dup59 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); -var dup60 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";PolicyID='), Field(p0,false)}" -match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); +var dup60 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); -var dup61 = // "Pattern{Field(operation_id,false), Constant(';PolicyID='), Field(p0,false)}" -match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); +var dup61 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); -var dup62 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";UserName='), Field(p0,false)}" -match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); +var dup62 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); -var dup63 = // "Pattern{Field(policyname,false), Constant(';UserName='), Field(p0,false)}" -match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); +var dup63 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); -var dup64 = // "Pattern{Constant('"'), Field(fld11,false), Constant('";LogonDomain='), Field(p0,false)}" -match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); +var dup64 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); -var dup65 = // "Pattern{Field(fld11,false), Constant(';LogonDomain='), Field(p0,false)}" -match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); +var dup65 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); -var dup66 = // "Pattern{Constant('"'), Field(domain,false), Constant('";Address='), Field(p0,false)}" -match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); +var dup66 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); -var dup67 = // "Pattern{Field(domain,false), Constant(';Address='), Field(p0,false)}" -match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); +var dup67 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); -var dup68 = // "Pattern{Constant('"'), Field(fld14,false), Constant('";CPMStatus='), Field(p0,false)}" -match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); +var dup68 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); -var dup69 = // "Pattern{Field(fld14,false), Constant(';CPMStatus='), Field(p0,false)}" -match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); +var dup69 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); -var dup70 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";Port='), Field(p0,false)}" -match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); +var dup70 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); -var dup71 = // "Pattern{Field(disposition,false), Constant(';Port='), Field(p0,false)}" -match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); +var dup71 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); -var dup72 = // "Pattern{Constant('"'), Field(dport,false), Constant('";Database='), Field(p0,false)}" -match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); +var dup72 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); -var dup73 = // "Pattern{Field(dport,false), Constant(';Database='), Field(p0,false)}" -match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); +var dup73 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); -var dup74 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";DeviceType='), Field(p0,false)}" -match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); +var dup74 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); -var dup75 = // "Pattern{Field(db_name,false), Constant(';DeviceType='), Field(p0,false)}" -match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); +var dup75 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); -var dup76 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="ApplicationType='), Field(p0,false)}" -match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); +var dup76 = match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); -var dup77 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="ApplicationType='), Field(p0,false)}" -match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); +var dup77 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); var dup78 = setc("eventcategory","1502000000"); @@ -248,203 +201,137 @@ var dup83 = setc("eventcategory","1501000000"); var dup84 = setc("eventcategory","1206000000"); -var dup85 = // "Pattern{Constant('"'), Field(version,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); +var dup85 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); -var dup86 = // "Pattern{Field(version,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); +var dup86 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); -var dup87 = // "Pattern{Constant('Message='), Field(p0,false)}" -match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); +var dup87 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); -var dup88 = // "Pattern{Constant('"'), Field(action,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); +var dup88 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); -var dup89 = // "Pattern{Field(action,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); +var dup89 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); -var dup90 = // "Pattern{Constant('Issuer='), Field(p0,false)}" -match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); +var dup90 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); -var dup91 = // "Pattern{Constant('"'), Field(username,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); +var dup91 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); -var dup92 = // "Pattern{Field(username,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); +var dup92 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); -var dup93 = // "Pattern{Constant('Station='), Field(p0,false)}" -match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); +var dup93 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); -var dup94 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); +var dup94 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); -var dup95 = // "Pattern{Field(hostip,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); +var dup95 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); -var dup96 = // "Pattern{Constant('File='), Field(p0,false)}" -match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); +var dup96 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); -var dup97 = // "Pattern{Constant('"'), Field(filename,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); +var dup97 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); -var dup98 = // "Pattern{Field(filename,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); +var dup98 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); -var dup99 = // "Pattern{Constant('Safe='), Field(p0,false)}" -match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); +var dup99 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); -var dup100 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); +var dup100 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); -var dup101 = // "Pattern{Field(group_object,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); +var dup101 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); -var dup102 = // "Pattern{Constant('Location='), Field(p0,false)}" -match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); +var dup102 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); -var dup103 = // "Pattern{Constant('"'), Field(directory,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); +var dup103 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); -var dup104 = // "Pattern{Field(directory,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); +var dup104 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); -var dup105 = // "Pattern{Constant('Category='), Field(p0,false)}" -match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); +var dup105 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); -var dup106 = // "Pattern{Constant('"'), Field(category,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); +var dup106 = match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); -var dup107 = // "Pattern{Field(category,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); +var dup107 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); -var dup108 = // "Pattern{Constant('RequestId='), Field(p0,false)}" -match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); +var dup108 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); -var dup109 = // "Pattern{Constant('"'), Field(id1,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); +var dup109 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); -var dup110 = // "Pattern{Field(id1,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); +var dup110 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); -var dup111 = // "Pattern{Constant('Reason='), Field(p0,false)}" -match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); +var dup111 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); -var dup112 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); +var dup112 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); -var dup113 = // "Pattern{Field(event_description,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); +var dup113 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); -var dup114 = // "Pattern{Constant('Severity='), Field(p0,false)}" -match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); +var dup114 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); -var dup115 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser="'), Field(group,false), Constant('";TargetUser="'), Field(uid,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); +var dup115 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); -var dup116 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(group,false), Constant(';TargetUser='), Field(uid,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); +var dup116 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); -var dup117 = // "Pattern{Constant('"'), Field(severity,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); +var dup117 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); -var dup118 = // "Pattern{Field(severity,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); +var dup118 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); -var dup119 = // "Pattern{Constant('GatewayStation='), Field(p0,false)}" -match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); +var dup119 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); -var dup120 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); +var dup120 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); -var dup121 = // "Pattern{Field(saddr,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); +var dup121 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); -var dup122 = // "Pattern{Constant('TicketID='), Field(p0,false)}" -match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); +var dup122 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); -var dup123 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); +var dup123 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); -var dup124 = // "Pattern{Field(operation_id,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); +var dup124 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); -var dup125 = // "Pattern{Constant('PolicyID='), Field(p0,false)}" -match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); +var dup125 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); -var dup126 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); +var dup126 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); -var dup127 = // "Pattern{Field(policyname,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); +var dup127 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); -var dup128 = // "Pattern{Constant('UserName='), Field(p0,false)}" -match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); +var dup128 = match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); -var dup129 = // "Pattern{Constant('"'), Field(c_username,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); +var dup129 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); -var dup130 = // "Pattern{Field(c_username,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); +var dup130 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); -var dup131 = // "Pattern{Constant('LogonDomain='), Field(p0,false)}" -match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); +var dup131 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); -var dup132 = // "Pattern{Constant('"'), Field(domain,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); +var dup132 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); -var dup133 = // "Pattern{Field(domain,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); +var dup133 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); -var dup134 = // "Pattern{Constant('Address='), Field(p0,false)}" -match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); +var dup134 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); -var dup135 = // "Pattern{Constant('"'), Field(dhost,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); +var dup135 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); -var dup136 = // "Pattern{Field(dhost,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); +var dup136 = match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); -var dup137 = // "Pattern{Constant('CPMStatus='), Field(p0,false)}" -match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); +var dup137 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); -var dup138 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); +var dup138 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); -var dup139 = // "Pattern{Field(disposition,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); +var dup139 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); -var dup140 = // "Pattern{Constant('Port='), Field(p0,false)}" -match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); +var dup140 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); -var dup141 = // "Pattern{Constant('"'), Field(dport,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); +var dup141 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); -var dup142 = // "Pattern{Field(dport,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); +var dup142 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); -var dup143 = // "Pattern{Constant('Database='), Field(p0,false)}" -match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); +var dup143 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); -var dup144 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); +var dup144 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); -var dup145 = // "Pattern{Field(db_name,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); +var dup145 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); -var dup146 = // "Pattern{Constant('DeviceType='), Field(p0,false)}" -match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); +var dup146 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); -var dup147 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); +var dup147 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); -var dup148 = // "Pattern{Field(obj_type,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); +var dup148 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); -var dup149 = // "Pattern{Constant('ExtraDetails='), Field(p0,false)}" -match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); +var dup149 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); -var dup150 = // "Pattern{Field(info,false), Constant(';')}" -match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); +var dup150 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); var dup151 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { "Address": "dhost", @@ -477,8 +364,7 @@ var dup151 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { dup3, ])); -var dup152 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup152 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup1, dup2, ])); @@ -514,8 +400,7 @@ var dup153 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { dup3, ])); -var dup154 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup154 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup4, dup2, ])); @@ -555,8 +440,7 @@ var dup155 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { dup3, ])); -var dup156 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup156 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup5, dup6, dup7, @@ -599,8 +483,7 @@ var dup157 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { dup3, ])); -var dup158 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup158 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup16, dup17, @@ -639,8 +522,7 @@ var dup159 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { dup3, ])); -var dup160 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup160 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup19, dup2, ])); @@ -676,8 +558,7 @@ var dup161 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { dup3, ])); -var dup162 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup162 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup2, ])); @@ -713,8 +594,7 @@ var dup163 = tagval("MESSAGE#38:22:01", "nwparser.payload", tvm, { dup3, ])); -var dup164 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup164 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup21, dup2, ])); @@ -750,8 +630,7 @@ var dup165 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { dup3, ])); -var dup166 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup166 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup23, dup2, ])); @@ -787,8 +666,7 @@ var dup167 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { dup3, ])); -var dup168 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup168 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup20, dup2, ])); @@ -824,8 +702,7 @@ var dup169 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { dup3, ])); -var dup170 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup170 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup26, dup2, ])); @@ -1011,8 +888,7 @@ var dup195 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { dup3, ])); -var dup196 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup196 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup79, dup80, dup81, @@ -1050,8 +926,7 @@ var dup197 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { dup3, ])); -var dup198 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup198 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup82, dup2, ])); @@ -1087,14 +962,12 @@ var dup199 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { dup3, ])); -var dup200 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup200 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup83, dup2, ])); -var dup201 = // "Pattern{Constant('Version='), Field(version,false), Constant(';Message='), Field(action,false), Constant(';Issuer='), Field(username,false), Constant(';Station='), Field(hostip,false), Constant(';File='), Field(filename,false), Constant(';Safe='), Field(group_object,false), Constant(';Location='), Field(directory,false), Constant(';Category='), Field(category,false), Constant(';RequestId='), Field(id1,false), Constant(';Reason='), Field(event_description,false), Constant(';Severity='), Field(severity,false), Constant(';GatewayStation='), Field(saddr,false), Constant(';TicketID='), Field(operation_id,false), Constant(';PolicyID='), Field(policyname,false), Constant(';UserName='), Field(c_username,false), Constant(';LogonDomain='), Field(domain,false), Constant(';Address='), Field(dhost,false), Constant(';CPMStatus='), Field(disposition,false), Constant(';Port="'), Field(dport,false), Constant('";Database='), Field(db_name,false), Constant(';DeviceType='), Field(obj_type,false), Constant(';ExtraDetails='), Field(info,false), Constant(';')}" -match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ +var dup201 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ dup4, dup2, dup3, @@ -1207,8 +1080,7 @@ var dup222 = linear_select([ dup148, ]); -var hdr1 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hproduct,true), Constant(' ProductName="'), Field(hdevice,false), Constant('",ProductAccount="'), Field(hfld1,false), Constant('",ProductProcess="'), Field(process,false), Constant('",EventId="'), Field(messageid,false), Constant('", '), Field(p0,false)}" -match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -1227,8 +1099,7 @@ match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct-> }), ])); -var hdr2 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hdatetime,true), Constant(' '), Field(hproduct,true), Constant(' ProductName="'), Field(hdevice,false), Constant('",ProductAccount="'), Field(hfld4,false), Constant('",ProductProcess="'), Field(process,false), Constant('",EventId="'), Field(messageid,false), Constant('", '), Field(p0,false)}" -match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ +var hdr2 = match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ setc("header_id","0005"), call({ dest: "nwparser.payload", @@ -1247,23 +1118,19 @@ match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} Produ }), ])); -var hdr3 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hproduct,true), Constant(' %CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" -match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ setc("header_id","0002"), ])); -var hdr4 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hdatetime,true), Constant(' '), Field(hostname,true), Constant(' %CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" -match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ setc("header_id","0003"), ])); -var hdr5 = // "Pattern{Constant('%CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" -match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ +var hdr5 = match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ setc("header_id","0004"), ])); -var hdr6 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hostname,true), Constant(' %CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" -match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ setc("header_id","0006"), ])); @@ -1349,8 +1216,7 @@ var part1 = tagval("MESSAGE#8:7:01", "nwparser.payload", tvm, { var msg9 = msg("7:01", part1); -var part2 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#9:7", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part2 = match("MESSAGE#9:7", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup10, dup6, dup7, @@ -1403,8 +1269,7 @@ var part3 = tagval("MESSAGE#10:8:01", "nwparser.payload", tvm, { var msg11 = msg("8:01", part3); -var part4 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#11:8", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part4 = match("MESSAGE#11:8", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup12, dup6, dup13, @@ -1455,8 +1320,7 @@ var part5 = tagval("MESSAGE#12:9:01", "nwparser.payload", tvm, { var msg13 = msg("9:01", part5); -var part6 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#13:9", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part6 = match("MESSAGE#13:9", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup1, dup14, dup9, @@ -1550,8 +1414,7 @@ var part7 = tagval("MESSAGE#24:15:01", "nwparser.payload", tvm, { var msg25 = msg("15:01", part7); -var part8 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part8 = match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup18, dup9, @@ -1627,8 +1490,7 @@ var part9 = tagval("MESSAGE#32:19:01", "nwparser.payload", tvm, { var msg33 = msg("19:01", part9); -var part10 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part10 = match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup20, dup16, dup11, @@ -1676,8 +1538,7 @@ var part11 = tagval("MESSAGE#34:20:01", "nwparser.payload", tvm, { var msg35 = msg("20:01", part11); -var part12 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#35:20", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part12 = match("MESSAGE#35:20", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup19, dup16, dup2, @@ -1725,8 +1586,7 @@ var part13 = tagval("MESSAGE#36:21:01", "nwparser.payload", tvm, { var msg37 = msg("21:01", part13); -var part14 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#37:21", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part14 = match("MESSAGE#37:21", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup16, dup9, @@ -1782,8 +1642,7 @@ var part15 = tagval("MESSAGE#40:23:01", "nwparser.payload", tvm, { var msg41 = msg("23:01", part15); -var part16 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#41:23", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part16 = match("MESSAGE#41:23", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup22, dup2, ])); @@ -2576,8 +2435,7 @@ var part18 = tagval("MESSAGE#200:103:01", "nwparser.payload", tvm, { var msg201 = msg("103:01", part18); -var part19 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part19 = match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup27, dup6, dup7, @@ -2628,8 +2486,7 @@ var part20 = tagval("MESSAGE#202:104:01", "nwparser.payload", tvm, { var msg203 = msg("104:01", part20); -var part21 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part21 = match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup27, dup6, dup29, @@ -2928,8 +2785,7 @@ var part22 = tagval("MESSAGE#260:134:01", "nwparser.payload", tvm, { var msg261 = msg("134:01", part22); -var part23 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#261:134", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part23 = match("MESSAGE#261:134", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup30, dup2, ])); @@ -4318,8 +4174,7 @@ var select285 = linear_select([ msg568, ]); -var part24 = // "Pattern{Field(application,false), Constant(';DstHost='), Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld10,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';"')}" -match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); +var part24 = match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); var all1 = all_match({ processors: [ @@ -4410,8 +4265,7 @@ var select287 = linear_select([ msg573, ]); -var part26 = // "Pattern{Field(application,false), Constant(';DstHost='), Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld12,false), Constant(';SessionDuration='), Field(duration_string,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';"')}" -match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); +var part26 = match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); var all2 = all_match({ processors: [ @@ -4470,19 +4324,16 @@ var select289 = linear_select([ msg578, ]); -var part27 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="DstHost='), Field(p0,false)}" -match("MESSAGE#578:304:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); +var part27 = match("MESSAGE#578:304:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); -var part28 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="DstHost='), Field(p0,false)}" -match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); +var part28 = match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); var select290 = linear_select([ part27, part28, ]); -var part29 = // "Pattern{Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld10,false), Constant(';SessionDuration='), Field(duration_string,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';"')}" -match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); +var part29 = match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); var all3 = all_match({ processors: [ @@ -4592,8 +4443,7 @@ var part30 = tagval("MESSAGE#587:308:01", "nwparser.payload", tvm, { var msg588 = msg("308:01", part30); -var part31 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part31 = match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup78, dup2, ])); @@ -4642,8 +4492,7 @@ var part32 = tagval("MESSAGE#589:309:01", "nwparser.payload", tvm, { var msg590 = msg("309:01", part32); -var part33 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#590:309", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part33 = match("MESSAGE#590:309", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup10, dup6, dup7, @@ -4746,8 +4595,7 @@ var part34 = tagval("MESSAGE#603:190:01", "nwparser.payload", tvm, { var msg604 = msg("190:01", part34); -var part35 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part35 = match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup84, dup2, ])); @@ -4819,30 +4667,25 @@ var msg619 = msg("374", dup201); var msg620 = msg("376", dup201); -var part36 = // "Pattern{Constant('"'), Field(fld89,false), Constant('";LogonDomain='), Field(p0,false)}" -match("MESSAGE#620:411:01/17_0", "nwparser.p0", "\"%{fld89}\";LogonDomain=%{p0}"); +var part36 = match("MESSAGE#620:411:01/17_0", "nwparser.p0", "\"%{fld89}\";LogonDomain=%{p0}"); -var part37 = // "Pattern{Field(fld89,false), Constant(';LogonDomain='), Field(p0,false)}" -match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); +var part37 = match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); var select310 = linear_select([ part36, part37, ]); -var part38 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="Command='), Field(p0,false)}" -match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); +var part38 = match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); -var part39 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="Command='), Field(p0,false)}" -match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); +var part39 = match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); var select311 = linear_select([ part38, part39, ]); -var part40 = // "Pattern{Field(param,false), Constant(';ConnectionComponentId='), Field(fld67,false), Constant(';DstHost='), Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld11,false), Constant(';RDPOffset='), Field(fld12,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';VIDOffset='), Field(fld13,false), Constant(';')}" -match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); +var part40 = match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); var all4 = all_match({ processors: [ @@ -4882,8 +4725,7 @@ var all4 = all_match({ var msg621 = msg("411:01", all4); -var part41 = // "Pattern{Constant('"Command='), Field(param,false), Constant(';ConnectionComponentId='), Field(fld1,false), Constant(';DstHost='), Field(fld2,false), Constant(';ProcessId='), Field(process_id,false), Constant(';ProcessName='), Field(process,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld3,false), Constant(';RDPOffset='), Field(fld4,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(fld5,false), Constant(';VIDOffset='), Field(fld6,false), Constant(';"')}" -match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); +var part41 = match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); var select312 = linear_select([ part41, @@ -4951,8 +4793,7 @@ var select313 = linear_select([ msg622, ]); -var part42 = // "Pattern{Constant('Version='), Field(version,false), Constant(';Message='), Field(action,false), Constant(';Issuer='), Field(username,false), Constant(';Station='), Field(hostip,false), Constant(';File='), Field(filename,false), Constant(';Safe='), Field(group_object,false), Constant(';Location="'), Field(directory,false), Constant('";Category='), Field(category,false), Constant(';RequestId='), Field(id1,false), Constant(';Reason='), Field(event_description,false), Constant(';Severity='), Field(severity,false), Constant(';GatewayStation='), Field(saddr,false), Constant(';TicketID='), Field(operation_id,false), Constant(';PolicyID='), Field(policyname,false), Constant(';UserName='), Field(c_username,false), Constant(';LogonDomain='), Field(domain,false), Constant(';Address='), Field(dhost,false), Constant(';CPMStatus='), Field(disposition,false), Constant(';Port="'), Field(dport,false), Constant('";Database='), Field(db_name,false), Constant(';DeviceType='), Field(obj_type,false), Constant(';ExtraDetails='), Field(info,false)}" -match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ +var part42 = match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ dup4, dup2, dup3, @@ -4960,8 +4801,7 @@ match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{actio var msg623 = msg("385", part42); -var part43 = // "Pattern{Constant('"Command='), Field(param,false), Constant(';ConnectionComponentId='), Field(fld1,false), Constant(';DstHost='), Field(fld2,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld3,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';SSHOffset='), Field(fld4,false), Constant(';User='), Field(fld5,false), Constant(';VIDOffset='), Field(fld6,false), Constant(';"')}" -match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); +var part43 = match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); var select314 = linear_select([ part43, @@ -5024,8 +4864,7 @@ var all6 = all_match({ var msg624 = msg("361", all6); -var part44 = // "Pattern{Constant('"Command='), Field(param,false), Constant(';ConnectionComponentId='), Field(fld1,false), Constant(';DstHost='), Field(fld2,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld3,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';TXTOffset='), Field(fld4,false), Constant(';User='), Field(fld5,false), Constant(';VIDOffset='), Field(fld6,false), Constant(';"')}" -match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); +var part44 = match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); var select315 = linear_select([ part44, @@ -5426,344 +5265,231 @@ var chain1 = processor_chain([ }), ]); -var part45 = // "Pattern{Constant('Version='), Field(p0,false)}" -match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); +var part45 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); -var part46 = // "Pattern{Constant('"'), Field(version,false), Constant('";Message='), Field(p0,false)}" -match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); +var part46 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); -var part47 = // "Pattern{Field(version,false), Constant(';Message='), Field(p0,false)}" -match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); +var part47 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); -var part48 = // "Pattern{Constant('"'), Field(action,false), Constant('";Issuer='), Field(p0,false)}" -match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); +var part48 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); -var part49 = // "Pattern{Field(action,false), Constant(';Issuer='), Field(p0,false)}" -match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); +var part49 = match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); -var part50 = // "Pattern{Constant('"'), Field(username,false), Constant('";Station='), Field(p0,false)}" -match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); +var part50 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); -var part51 = // "Pattern{Field(username,false), Constant(';Station='), Field(p0,false)}" -match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); +var part51 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); -var part52 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";File='), Field(p0,false)}" -match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); +var part52 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); -var part53 = // "Pattern{Field(hostip,false), Constant(';File='), Field(p0,false)}" -match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); +var part53 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); -var part54 = // "Pattern{Constant('"'), Field(filename,false), Constant('";Safe='), Field(p0,false)}" -match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); +var part54 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); -var part55 = // "Pattern{Field(filename,false), Constant(';Safe='), Field(p0,false)}" -match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); +var part55 = match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); -var part56 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";Location='), Field(p0,false)}" -match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); +var part56 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); -var part57 = // "Pattern{Field(group_object,false), Constant(';Location='), Field(p0,false)}" -match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); +var part57 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); -var part58 = // "Pattern{Constant('"'), Field(directory,false), Constant('";Category='), Field(p0,false)}" -match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); +var part58 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); -var part59 = // "Pattern{Field(directory,false), Constant(';Category='), Field(p0,false)}" -match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); +var part59 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); -var part60 = // "Pattern{Constant('"'), Field(category,false), Constant('";RequestId='), Field(p0,false)}" -match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); +var part60 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); -var part61 = // "Pattern{Field(category,false), Constant(';RequestId='), Field(p0,false)}" -match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); +var part61 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); -var part62 = // "Pattern{Constant('"'), Field(id1,false), Constant('";Reason='), Field(p0,false)}" -match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); +var part62 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); -var part63 = // "Pattern{Field(id1,false), Constant(';Reason='), Field(p0,false)}" -match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); +var part63 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); -var part64 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";Severity='), Field(p0,false)}" -match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); +var part64 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); -var part65 = // "Pattern{Field(event_description,false), Constant(';Severity='), Field(p0,false)}" -match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); +var part65 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); -var part66 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); +var part66 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); -var part67 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); +var part67 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); -var part68 = // "Pattern{Constant('"'), Field(group,false), Constant('";TargetUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); +var part68 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); -var part69 = // "Pattern{Field(group,false), Constant(';TargetUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); +var part69 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); -var part70 = // "Pattern{Constant('"'), Field(uid,false), Constant('";GatewayStation='), Field(p0,false)}" -match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); +var part70 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); -var part71 = // "Pattern{Field(uid,false), Constant(';GatewayStation='), Field(p0,false)}" -match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); +var part71 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); -var part72 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";TicketID='), Field(p0,false)}" -match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); +var part72 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); -var part73 = // "Pattern{Field(saddr,false), Constant(';TicketID='), Field(p0,false)}" -match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); +var part73 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); -var part74 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";PolicyID='), Field(p0,false)}" -match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); +var part74 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); -var part75 = // "Pattern{Field(operation_id,false), Constant(';PolicyID='), Field(p0,false)}" -match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); +var part75 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); -var part76 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";UserName='), Field(p0,false)}" -match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); +var part76 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); -var part77 = // "Pattern{Field(policyname,false), Constant(';UserName='), Field(p0,false)}" -match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); +var part77 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); -var part78 = // "Pattern{Constant('"'), Field(fld11,false), Constant('";LogonDomain='), Field(p0,false)}" -match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); +var part78 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); -var part79 = // "Pattern{Field(fld11,false), Constant(';LogonDomain='), Field(p0,false)}" -match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); +var part79 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); -var part80 = // "Pattern{Constant('"'), Field(domain,false), Constant('";Address='), Field(p0,false)}" -match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); +var part80 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); -var part81 = // "Pattern{Field(domain,false), Constant(';Address='), Field(p0,false)}" -match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); +var part81 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); -var part82 = // "Pattern{Constant('"'), Field(fld14,false), Constant('";CPMStatus='), Field(p0,false)}" -match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); +var part82 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); -var part83 = // "Pattern{Field(fld14,false), Constant(';CPMStatus='), Field(p0,false)}" -match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); +var part83 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); -var part84 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";Port='), Field(p0,false)}" -match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); +var part84 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); -var part85 = // "Pattern{Field(disposition,false), Constant(';Port='), Field(p0,false)}" -match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); +var part85 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); -var part86 = // "Pattern{Constant('"'), Field(dport,false), Constant('";Database='), Field(p0,false)}" -match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); +var part86 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); -var part87 = // "Pattern{Field(dport,false), Constant(';Database='), Field(p0,false)}" -match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); +var part87 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); -var part88 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";DeviceType='), Field(p0,false)}" -match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); +var part88 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); -var part89 = // "Pattern{Field(db_name,false), Constant(';DeviceType='), Field(p0,false)}" -match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); +var part89 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); -var part90 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="ApplicationType='), Field(p0,false)}" -match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); +var part90 = match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); -var part91 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="ApplicationType='), Field(p0,false)}" -match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); +var part91 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); -var part92 = // "Pattern{Constant('"'), Field(version,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); +var part92 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); -var part93 = // "Pattern{Field(version,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); +var part93 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); -var part94 = // "Pattern{Constant('Message='), Field(p0,false)}" -match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); +var part94 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); -var part95 = // "Pattern{Constant('"'), Field(action,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); +var part95 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); -var part96 = // "Pattern{Field(action,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); +var part96 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); -var part97 = // "Pattern{Constant('Issuer='), Field(p0,false)}" -match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); +var part97 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); -var part98 = // "Pattern{Constant('"'), Field(username,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); +var part98 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); -var part99 = // "Pattern{Field(username,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); +var part99 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); -var part100 = // "Pattern{Constant('Station='), Field(p0,false)}" -match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); +var part100 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); -var part101 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); +var part101 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); -var part102 = // "Pattern{Field(hostip,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); +var part102 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); -var part103 = // "Pattern{Constant('File='), Field(p0,false)}" -match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); +var part103 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); -var part104 = // "Pattern{Constant('"'), Field(filename,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); +var part104 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); -var part105 = // "Pattern{Field(filename,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); +var part105 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); -var part106 = // "Pattern{Constant('Safe='), Field(p0,false)}" -match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); +var part106 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); -var part107 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); +var part107 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); -var part108 = // "Pattern{Field(group_object,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); +var part108 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); -var part109 = // "Pattern{Constant('Location='), Field(p0,false)}" -match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); +var part109 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); -var part110 = // "Pattern{Constant('"'), Field(directory,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); +var part110 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); -var part111 = // "Pattern{Field(directory,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); +var part111 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); -var part112 = // "Pattern{Constant('Category='), Field(p0,false)}" -match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); +var part112 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); -var part113 = // "Pattern{Constant('"'), Field(category,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); +var part113 = match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); -var part114 = // "Pattern{Field(category,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); +var part114 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); -var part115 = // "Pattern{Constant('RequestId='), Field(p0,false)}" -match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); +var part115 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); -var part116 = // "Pattern{Constant('"'), Field(id1,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); +var part116 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); -var part117 = // "Pattern{Field(id1,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); +var part117 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); -var part118 = // "Pattern{Constant('Reason='), Field(p0,false)}" -match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); +var part118 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); -var part119 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); +var part119 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); -var part120 = // "Pattern{Field(event_description,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); +var part120 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); -var part121 = // "Pattern{Constant('Severity='), Field(p0,false)}" -match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); +var part121 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); -var part122 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser="'), Field(group,false), Constant('";TargetUser="'), Field(uid,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); +var part122 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); -var part123 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(group,false), Constant(';TargetUser='), Field(uid,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); +var part123 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); -var part124 = // "Pattern{Constant('"'), Field(severity,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); +var part124 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); -var part125 = // "Pattern{Field(severity,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); +var part125 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); -var part126 = // "Pattern{Constant('GatewayStation='), Field(p0,false)}" -match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); +var part126 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); -var part127 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); +var part127 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); -var part128 = // "Pattern{Field(saddr,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); +var part128 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); -var part129 = // "Pattern{Constant('TicketID='), Field(p0,false)}" -match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); +var part129 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); -var part130 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); +var part130 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); -var part131 = // "Pattern{Field(operation_id,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); +var part131 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); -var part132 = // "Pattern{Constant('PolicyID='), Field(p0,false)}" -match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); +var part132 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); -var part133 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); +var part133 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); -var part134 = // "Pattern{Field(policyname,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); +var part134 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); -var part135 = // "Pattern{Constant('UserName='), Field(p0,false)}" -match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); +var part135 = match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); -var part136 = // "Pattern{Constant('"'), Field(c_username,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); +var part136 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); -var part137 = // "Pattern{Field(c_username,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); +var part137 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); -var part138 = // "Pattern{Constant('LogonDomain='), Field(p0,false)}" -match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); +var part138 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); -var part139 = // "Pattern{Constant('"'), Field(domain,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); +var part139 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); -var part140 = // "Pattern{Field(domain,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); +var part140 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); -var part141 = // "Pattern{Constant('Address='), Field(p0,false)}" -match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); +var part141 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); -var part142 = // "Pattern{Constant('"'), Field(dhost,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); +var part142 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); -var part143 = // "Pattern{Field(dhost,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); +var part143 = match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); -var part144 = // "Pattern{Constant('CPMStatus='), Field(p0,false)}" -match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); +var part144 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); -var part145 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); +var part145 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); -var part146 = // "Pattern{Field(disposition,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); +var part146 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); -var part147 = // "Pattern{Constant('Port='), Field(p0,false)}" -match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); +var part147 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); -var part148 = // "Pattern{Constant('"'), Field(dport,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); +var part148 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); -var part149 = // "Pattern{Field(dport,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); +var part149 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); -var part150 = // "Pattern{Constant('Database='), Field(p0,false)}" -match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); +var part150 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); -var part151 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); +var part151 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); -var part152 = // "Pattern{Field(db_name,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); +var part152 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); -var part153 = // "Pattern{Constant('DeviceType='), Field(p0,false)}" -match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); +var part153 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); -var part154 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); +var part154 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); -var part155 = // "Pattern{Field(obj_type,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); +var part155 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); -var part156 = // "Pattern{Constant('ExtraDetails='), Field(p0,false)}" -match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); +var part156 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); -var part157 = // "Pattern{Field(info,false), Constant(';')}" -match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); +var part157 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { "Address": "dhost", @@ -5796,8 +5522,7 @@ var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { dup3, ])); -var part159 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part159 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup1, dup2, ])); @@ -5833,8 +5558,7 @@ var part160 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { dup3, ])); -var part161 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part161 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup4, dup2, ])); @@ -5874,8 +5598,7 @@ var part162 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { dup3, ])); -var part163 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part163 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup5, dup6, dup7, @@ -5918,8 +5641,7 @@ var part164 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { dup3, ])); -var part165 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part165 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup16, dup17, @@ -5958,8 +5680,7 @@ var part166 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { dup3, ])); -var part167 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part167 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup19, dup2, ])); @@ -5995,8 +5716,7 @@ var part168 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { dup3, ])); -var part169 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part169 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup2, ])); @@ -6032,8 +5752,7 @@ var part170 = tagval("MESSAGE#38:22:01", "nwparser.payload", tvm, { dup3, ])); -var part171 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part171 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup21, dup2, ])); @@ -6069,8 +5788,7 @@ var part172 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { dup3, ])); -var part173 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part173 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup23, dup2, ])); @@ -6106,8 +5824,7 @@ var part174 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { dup3, ])); -var part175 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part175 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup20, dup2, ])); @@ -6143,8 +5860,7 @@ var part176 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { dup3, ])); -var part177 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part177 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup26, dup2, ])); @@ -6330,8 +6046,7 @@ var part179 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { dup3, ])); -var part180 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part180 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup79, dup80, dup81, @@ -6369,8 +6084,7 @@ var part181 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { dup3, ])); -var part182 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part182 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup82, dup2, ])); @@ -6406,14 +6120,12 @@ var part183 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { dup3, ])); -var part184 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part184 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup83, dup2, ])); -var part185 = // "Pattern{Constant('Version='), Field(version,false), Constant(';Message='), Field(action,false), Constant(';Issuer='), Field(username,false), Constant(';Station='), Field(hostip,false), Constant(';File='), Field(filename,false), Constant(';Safe='), Field(group_object,false), Constant(';Location='), Field(directory,false), Constant(';Category='), Field(category,false), Constant(';RequestId='), Field(id1,false), Constant(';Reason='), Field(event_description,false), Constant(';Severity='), Field(severity,false), Constant(';GatewayStation='), Field(saddr,false), Constant(';TicketID='), Field(operation_id,false), Constant(';PolicyID='), Field(policyname,false), Constant(';UserName='), Field(c_username,false), Constant(';LogonDomain='), Field(domain,false), Constant(';Address='), Field(dhost,false), Constant(';CPMStatus='), Field(disposition,false), Constant(';Port="'), Field(dport,false), Constant('";Database='), Field(db_name,false), Constant(';DeviceType='), Field(obj_type,false), Constant(';ExtraDetails='), Field(info,false), Constant(';')}" -match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ +var part185 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ dup4, dup2, dup3, diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml index ffe90e79f85..4e401931415 100644 --- a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml @@ -55,7 +55,7 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.hostname server.domain}}' + value: '{{host.hostname}}' allow_duplicates: false if: ctx?.host?.hostname != null && ctx.host?.hostname != '' - append: diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json index 2bf31b06a52..90805d72bcd 100644 --- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json @@ -67,12 +67,12 @@ "iatnu3810.mail.localdomain" ], "related.ip": [ - "10.92.136.230", - "10.175.75.18" + "10.175.75.18", + "10.92.136.230" ], "related.user": [ - "nnumqu", "orev", + "nnumqu", "dolore" ], "rsa.db.database": "umdo", @@ -134,9 +134,9 @@ "10.46.185.46" ], "related.user": [ - "incid", + "serror", "nse", - "serror" + "incid" ], "rsa.db.database": "byC", "rsa.db.index": "tur", @@ -198,8 +198,8 @@ ], "related.user": [ "psumquia", - "ptass", - "atcup" + "atcup", + "ptass" ], "rsa.db.database": "aperi", "rsa.db.index": "llumd", @@ -254,8 +254,8 @@ ], "related.user": [ "oremips", - "giatq", - "eos" + "eos", + "giatq" ], "rsa.db.index": "tempo", "rsa.internal.event_desc": "uian", @@ -300,8 +300,8 @@ "temq1198.internal.example" ], "related.ip": [ - "10.139.186.201", - "10.172.14.142" + "10.172.14.142", + "10.139.186.201" ], "related.user": [ "tcupida", @@ -363,8 +363,8 @@ "tenbyCic5882.api.home" ], "related.ip": [ - "10.104.111.129", - "10.47.76.251" + "10.47.76.251", + "10.104.111.129" ], "related.user": [ "ele", @@ -423,8 +423,8 @@ "10.116.120.216" ], "related.user": [ - "umdo", "animi", + "umdo", "quiratio" ], "rsa.db.index": "oll", @@ -470,12 +470,12 @@ "isqu7224.localdomain" ], "related.ip": [ - "10.57.40.29", - "10.62.54.220" + "10.62.54.220", + "10.57.40.29" ], "related.user": [ - "taevi", "psum", + "taevi", "rnatura" ], "rsa.db.database": "emeumfug", @@ -531,8 +531,8 @@ ], "related.user": [ "tnon", - "ema", - "cup" + "cup", + "ema" ], "rsa.db.index": "remeumf", "rsa.internal.event_desc": "lup", @@ -574,8 +574,8 @@ "10.18.165.35" ], "related.user": [ - "modocons", "remeum", + "modocons", "lor" ], "rsa.db.index": "etM", @@ -619,8 +619,8 @@ ], "related.user": [ "icab", - "tema", - "onproide" + "onproide", + "tema" ], "rsa.db.index": "mqui", "rsa.internal.event_desc": "eomnisis", @@ -722,9 +722,9 @@ "10.21.78.128" ], "related.user": [ - "upt", + "giatquov", "taut", - "giatquov" + "upt" ], "rsa.db.index": "iadese", "rsa.internal.event_desc": "deFinibu", @@ -766,9 +766,9 @@ "10.18.109.121" ], "related.user": [ - "pida", + "tatn", "hil", - "tatn" + "pida" ], "rsa.db.index": "quip", "rsa.internal.event_desc": "ecillu", @@ -813,12 +813,12 @@ "iavolu5352.localhost" ], "related.ip": [ - "10.63.37.192", - "10.225.115.13" + "10.225.115.13", + "10.63.37.192" ], "related.user": [ - "iunt", "reetd", + "iunt", "equep" ], "rsa.db.database": "aliqu", @@ -876,13 +876,13 @@ "estiae3750.api.corp" ], "related.ip": [ - "10.47.202.102", - "10.95.64.124" + "10.95.64.124", + "10.47.202.102" ], "related.user": [ - "run", "ice", - "ntor" + "ntor", + "run" ], "rsa.db.database": "ite", "rsa.db.index": "iquipex", @@ -942,8 +942,8 @@ "10.106.239.55" ], "related.user": [ - "itquiin", - "serunt" + "serunt", + "itquiin" ], "rsa.db.database": "itame", "rsa.db.index": "oluptas", @@ -1003,8 +1003,8 @@ "10.125.160.129" ], "related.user": [ - "abi", "one", + "abi", "ione" ], "rsa.db.database": "sperna", @@ -1066,9 +1066,9 @@ "10.227.177.121" ], "related.user": [ - "iduntu", + "tasuntex", "liqui", - "tasuntex" + "iduntu" ], "rsa.db.database": "rvel", "rsa.db.index": "onsecte", @@ -1125,7 +1125,7 @@ "process.name": "laboree.exe", "process.pid": 6501, "related.hosts": [ - "", + "xeacomm6855.api.corp", "nsecte3304.mail.corp" ], "related.ip": [ @@ -1133,8 +1133,8 @@ "10.167.85.181" ], "related.user": [ - "fde", - "econs" + "econs", + "fde" ], "rsa.db.database": "equat", "rsa.internal.event_desc": "orpor", @@ -1236,8 +1236,8 @@ "nevo4284.internal.local" ], "related.ip": [ - "10.72.148.32", - "10.214.191.180" + "10.214.191.180", + "10.72.148.32" ], "related.user": [ "tDuisaut", @@ -1299,13 +1299,13 @@ "itas981.mail.domain" ], "related.ip": [ - "10.252.124.150", - "10.136.190.236" + "10.136.190.236", + "10.252.124.150" ], "related.user": [ - "ipsumd", + "com", "litessec", - "com" + "ipsumd" ], "rsa.db.database": "tasn", "rsa.db.index": "squirati", @@ -1362,12 +1362,12 @@ "tnonpro7635.localdomain" ], "related.ip": [ - "10.192.34.76", - "10.213.144.249" + "10.213.144.249", + "10.192.34.76" ], "related.user": [ - "lore", "temqu", + "lore", "iquipe" ], "rsa.db.database": "gnamal", @@ -1424,12 +1424,12 @@ "rQuisau5300.www5.example" ], "related.ip": [ - "10.154.4.197", - "10.216.84.30" + "10.216.84.30", + "10.154.4.197" ], "related.user": [ - "untu", - "intoc" + "intoc", + "untu" ], "rsa.db.database": "oditem", "rsa.db.index": "borios", @@ -1482,9 +1482,9 @@ "10.143.193.199" ], "related.user": [ - "tqu", + "niamqui", "quid", - "niamqui" + "tqu" ], "rsa.db.index": "inci", "rsa.internal.event_desc": "eroinBCS", @@ -1529,8 +1529,8 @@ "uamei2389.internal.example" ], "related.ip": [ - "10.65.175.9", - "10.193.83.81" + "10.193.83.81", + "10.65.175.9" ], "related.user": [ "umqu", @@ -1589,9 +1589,9 @@ "10.205.72.243" ], "related.user": [ + "tatn", "umdolo", - "isiuta", - "tatn" + "isiuta" ], "rsa.db.index": "proide", "rsa.internal.event_desc": "ameiusm", @@ -1633,9 +1633,9 @@ "10.107.9.163" ], "related.user": [ + "mac", "mquisno", - "sit", - "mac" + "sit" ], "rsa.db.index": "sit", "rsa.internal.event_desc": "tdol", @@ -1678,8 +1678,8 @@ ], "related.user": [ "asiarc", - "quidexea", - "umSe" + "umSe", + "quidexea" ], "rsa.db.index": "veli", "rsa.internal.event_desc": "quatu", @@ -1728,9 +1728,9 @@ "10.39.10.155" ], "related.user": [ + "ptass", "aboreetd", - "urExcept", - "ptass" + "urExcept" ], "rsa.db.database": "teirured", "rsa.db.index": "dolorem", @@ -1829,8 +1829,8 @@ ], "related.user": [ "reseo", - "aec", - "moenimi" + "moenimi", + "aec" ], "rsa.db.index": "mac", "rsa.internal.event_desc": "quamest", @@ -1943,9 +1943,9 @@ "10.134.65.15" ], "related.user": [ - "quaUten", "cab", - "utaliqu" + "utaliqu", + "quaUten" ], "rsa.db.database": "isciv", "rsa.db.index": "nofd", @@ -2003,8 +2003,8 @@ ], "related.user": [ "tten", - "emqu", - "cidunt" + "cidunt", + "emqu" ], "rsa.db.index": "eaqu", "rsa.internal.event_desc": "quidol", @@ -2049,13 +2049,13 @@ "tesse1089.www.host" ], "related.ip": [ - "10.178.242.100", - "10.24.111.229" + "10.24.111.229", + "10.178.242.100" ], "related.user": [ - "loi", + "idid", "dqu", - "idid" + "loi" ], "rsa.db.database": "tenatuse", "rsa.db.index": "ullamcor", @@ -2109,9 +2109,9 @@ "10.211.179.168" ], "related.user": [ - "ritati", + "untincul", "mmodoc", - "untincul" + "ritati" ], "rsa.db.index": "emvele", "rsa.internal.event_desc": "oluptas", @@ -2200,13 +2200,13 @@ "dictasun3878.internal.localhost" ], "related.ip": [ - "10.212.214.4", - "10.6.79.159" + "10.6.79.159", + "10.212.214.4" ], "related.user": [ - "midestl", "quid", - "amvo" + "amvo", + "midestl" ], "rsa.db.database": "urExce", "rsa.db.index": "ectiono", @@ -2263,13 +2263,13 @@ "aecatcup2241.www5.test" ], "related.ip": [ - "10.237.170.202", - "10.70.147.46" + "10.70.147.46", + "10.237.170.202" ], "related.user": [ + "rcit", "liquide", - "atDu", - "rcit" + "atDu" ], "rsa.db.database": "taedict", "rsa.db.index": "loremeu", @@ -2326,13 +2326,13 @@ "mad5185.www5.localhost" ], "related.ip": [ - "10.228.118.81", - "10.179.50.138" + "10.179.50.138", + "10.228.118.81" ], "related.user": [ + "tatemU", "emoe", - "itasper", - "tatemU" + "itasper" ], "rsa.db.database": "toditaut", "rsa.db.index": "ugit", @@ -2389,13 +2389,13 @@ "esseq7889.www.invalid" ], "related.ip": [ - "10.49.71.118", - "10.234.165.130" + "10.234.165.130", + "10.49.71.118" ], "related.user": [ - "emip", + "henderit", "iuntNequ", - "henderit" + "emip" ], "rsa.db.database": "veniamqu", "rsa.db.index": "atquo", @@ -2450,8 +2450,8 @@ ], "related.user": [ "turadipi", - "emip", - "olorema" + "olorema", + "emip" ], "rsa.db.index": "ataevi", "rsa.internal.event_desc": "minim", @@ -2493,9 +2493,9 @@ "10.193.219.34" ], "related.user": [ - "uamei", + "olorem", "utlabo", - "olorem" + "uamei" ], "rsa.db.index": "nse", "rsa.internal.event_desc": "orisni", @@ -2540,13 +2540,13 @@ "tem6815.home" ], "related.ip": [ - "10.174.185.109", - "10.120.167.217" + "10.120.167.217", + "10.174.185.109" ], "related.user": [ - "animid", + "rsp", "dolorem", - "rsp" + "animid" ], "rsa.db.database": "tsuntinc", "rsa.db.index": "quovo", @@ -2607,9 +2607,9 @@ "10.141.213.219" ], "related.user": [ + "atev", "accusa", - "ate", - "atev" + "ate" ], "rsa.db.database": "nibus", "rsa.db.index": "ser", @@ -2666,8 +2666,8 @@ "caboNem1043.internal.home" ], "related.ip": [ - "10.166.90.130", - "10.94.224.229" + "10.94.224.229", + "10.166.90.130" ], "related.user": [ "eavol", @@ -2731,13 +2731,13 @@ "tatio6513.www.invalid" ], "related.ip": [ - "10.201.81.46", - "10.38.28.151" + "10.38.28.151", + "10.201.81.46" ], "related.user": [ - "tiumto", + "mipsumqu", "incidid", - "mipsumqu" + "tiumto" ], "rsa.db.database": "abor", "rsa.db.index": "adol", @@ -2800,9 +2800,9 @@ "10.214.245.95" ], "related.user": [ + "rerepre", "umdolors", - "uptatem", - "rerepre" + "uptatem" ], "rsa.db.database": "odt", "rsa.db.index": "riosa", @@ -2856,8 +2856,8 @@ "10.45.35.180" ], "related.user": [ - "mip", "Utenima", + "mip", "qui" ], "rsa.db.index": "boree", @@ -2900,9 +2900,9 @@ "10.141.200.133" ], "related.user": [ - "enim", + "ess", "iame", - "ess" + "enim" ], "rsa.db.index": "nofdeFi", "rsa.internal.event_desc": "isnostru", @@ -2944,9 +2944,9 @@ "10.83.238.145" ], "related.user": [ + "runtmo", "ugi", - "illoi", - "runtmo" + "illoi" ], "rsa.db.index": "eetdo", "rsa.internal.event_desc": "quaer", @@ -2991,8 +2991,8 @@ "mestq2106.api.host" ], "related.ip": [ - "10.41.89.217", - "10.39.143.155" + "10.39.143.155", + "10.41.89.217" ], "related.user": [ "tem", @@ -3058,9 +3058,9 @@ "10.5.5.1" ], "related.user": [ + "CSe", "minim", - "unt", - "CSe" + "unt" ], "rsa.db.database": "atu", "rsa.db.index": "roi", @@ -3117,12 +3117,12 @@ "olu5333.www.domain" ], "related.ip": [ - "10.168.132.175", - "10.210.61.109" + "10.210.61.109", + "10.168.132.175" ], "related.user": [ - "giatquov", "iamea", + "giatquov", "eursinto" ], "rsa.db.database": "ici", @@ -3177,9 +3177,9 @@ "10.123.154.17" ], "related.user": [ + "quiac", "dolorsi", - "lmo", - "quiac" + "lmo" ], "rsa.db.index": "idunt", "rsa.internal.event_desc": "usantiu", @@ -3223,8 +3223,8 @@ ], "related.user": [ "oeni", - "etquasia", - "xplic" + "xplic", + "etquasia" ], "rsa.db.index": "hend", "rsa.internal.event_desc": "piscivel", @@ -3270,9 +3270,9 @@ "10.126.205.76" ], "related.user": [ - "rsitvol", + "Nemoenim", "iati", - "Nemoenim" + "rsitvol" ], "rsa.db.index": "eFini", "rsa.internal.event_desc": "acom", @@ -3317,13 +3317,13 @@ "fic5107.home" ], "related.ip": [ - "10.169.101.161", - "10.164.66.154" + "10.164.66.154", + "10.169.101.161" ], "related.user": [ - "orissu", "eufug", - "ine" + "ine", + "orissu" ], "rsa.db.database": "stquidol", "rsa.db.index": "imadmini", @@ -3377,9 +3377,9 @@ "10.70.83.200" ], "related.user": [ - "ihilmole", "riat", - "metco" + "metco", + "ihilmole" ], "rsa.db.index": "urQuis", "rsa.internal.event_desc": "iutaliq", @@ -3424,13 +3424,13 @@ "onpr47.api.home" ], "related.ip": [ - "10.207.97.192", - "10.134.55.11" + "10.134.55.11", + "10.207.97.192" ], "related.user": [ + "madminim", "tanimid", - "mmod", - "madminim" + "mmod" ], "rsa.db.database": "tetura", "rsa.db.index": "uptasnul", @@ -3491,8 +3491,8 @@ "10.52.150.104" ], "related.user": [ - "texplica", "eritq", + "texplica", "oinBCSed" ], "rsa.db.database": "lit", @@ -3550,13 +3550,13 @@ "eufugia4481.corp" ], "related.ip": [ - "10.41.232.147", - "10.61.175.217" + "10.61.175.217", + "10.41.232.147" ], "related.user": [ + "runtm", "ntexpl", - "tat", - "runtm" + "tat" ], "rsa.db.database": "rere", "rsa.db.index": "nonn", @@ -3655,8 +3655,8 @@ ], "related.user": [ "CSe", - "fugitse", - "onse" + "onse", + "fugitse" ], "rsa.db.index": "Dui", "rsa.internal.event_desc": "isci", @@ -3698,9 +3698,9 @@ "10.252.251.143" ], "related.user": [ + "nonn", "remq", - "rspic", - "nonn" + "rspic" ], "rsa.db.index": "nre", "rsa.internal.event_desc": "tev", @@ -3786,8 +3786,8 @@ "10.187.170.23" ], "related.user": [ - "sectetu", "enima", + "sectetu", "ibusBo" ], "rsa.db.index": "uido", @@ -3833,13 +3833,13 @@ "involu1450.www.localhost" ], "related.ip": [ - "10.250.248.215", - "10.123.62.215" + "10.123.62.215", + "10.250.248.215" ], "related.user": [ - "aevitaed", + "tinculpa", "quaeratv", - "tinculpa" + "aevitaed" ], "rsa.db.database": "lica", "rsa.db.index": "uisnos", @@ -3895,8 +3895,8 @@ "osa3211.www5.example" ], "related.ip": [ - "10.147.154.118", - "10.146.57.23" + "10.146.57.23", + "10.147.154.118" ], "related.user": [ "tateveli", @@ -3997,8 +3997,8 @@ "10.154.172.82" ], "related.user": [ - "nesci", "tetura", + "nesci", "onnumqua" ], "rsa.db.index": "oinBCSed", @@ -4041,8 +4041,8 @@ "10.47.63.70" ], "related.user": [ - "expl", "tpers", + "expl", "midestl" ], "rsa.db.index": "olu", @@ -4086,8 +4086,8 @@ ], "related.user": [ "turQuis", - "olupta", - "fdeFinib" + "fdeFinib", + "olupta" ], "rsa.db.index": "rsint", "rsa.internal.event_desc": "odico", @@ -4199,9 +4199,9 @@ "10.65.207.234" ], "related.user": [ - "itame", + "eve", "eruntmo", - "eve" + "itame" ], "rsa.db.database": "udexerc", "rsa.db.index": "volup", @@ -4255,9 +4255,9 @@ "10.16.181.60" ], "related.user": [ - "oinven", + "olore", "gnama", - "olore" + "oinven" ], "rsa.db.index": "uatu", "rsa.internal.event_desc": "nderiti", @@ -4299,9 +4299,9 @@ "10.91.213.82" ], "related.user": [ - "illoin", "amnis", - "uianon" + "uianon", + "illoin" ], "rsa.db.index": "ons", "rsa.internal.event_desc": "temaccus", @@ -4343,9 +4343,9 @@ "10.204.214.98" ], "related.user": [ - "tdolo", "eprehe", - "porissus" + "porissus", + "tdolo" ], "rsa.db.index": "abo", "rsa.internal.event_desc": "ecte", @@ -4387,9 +4387,9 @@ "10.223.178.192" ], "related.user": [ + "evel", "etc", - "moenimip", - "evel" + "moenimip" ], "rsa.db.index": "iarchit", "rsa.internal.event_desc": "apari", @@ -4438,8 +4438,8 @@ "10.26.137.126" ], "related.user": [ - "audant", "ati", + "audant", "taevit" ], "rsa.db.database": "com", @@ -4497,13 +4497,13 @@ "olupt966.www5.corp" ], "related.ip": [ - "10.142.161.116", - "10.148.195.208" + "10.148.195.208", + "10.142.161.116" ], "related.user": [ - "mpori", "isi", - "quaerat" + "quaerat", + "mpori" ], "rsa.db.database": "squamest", "rsa.db.index": "pteu", @@ -4564,9 +4564,9 @@ "10.107.24.54" ], "related.user": [ + "itinvo", "hend", - "uptasn", - "itinvo" + "uptasn" ], "rsa.db.database": "lup", "rsa.db.index": "isau", @@ -4621,9 +4621,9 @@ "10.87.92.17" ], "related.user": [ - "tamr", + "eeufug", "luptate", - "eeufug" + "tamr" ], "rsa.db.index": "oreeufug", "rsa.internal.event_desc": "ura", @@ -4672,13 +4672,13 @@ "dictasun3408.internal.invalid" ], "related.ip": [ - "10.161.51.135", - "10.231.51.136" + "10.231.51.136", + "10.161.51.135" ], "related.user": [ - "Finibus", + "accus", "asper", - "accus" + "Finibus" ], "rsa.db.database": "litani", "rsa.db.index": "arch", @@ -4776,9 +4776,9 @@ "10.108.123.148" ], "related.user": [ + "ollita", "cusa", - "mmodicon", - "ollita" + "mmodicon" ], "rsa.db.index": "ercitati", "rsa.internal.event_desc": "pteurs", @@ -4824,13 +4824,13 @@ "uidol6868.mail.localdomain" ], "related.ip": [ - "10.114.0.148", - "10.198.187.144" + "10.198.187.144", + "10.114.0.148" ], "related.user": [ - "rsitamet", "equatD", - "ons" + "ons", + "rsitamet" ], "rsa.db.database": "periam", "rsa.db.index": "umiurer", @@ -4889,8 +4889,8 @@ ], "related.user": [ "naaliq", - "loru", - "equa" + "equa", + "loru" ], "rsa.db.index": "umfugiat", "rsa.internal.event_desc": "ora", @@ -4935,12 +4935,12 @@ "ptat4878.lan" ], "related.ip": [ - "10.149.238.108", - "10.93.24.151" + "10.93.24.151", + "10.149.238.108" ], "related.user": [ - "sequamn", "ite", + "sequamn", "nven" ], "rsa.db.database": "fugi", @@ -4995,9 +4995,9 @@ "10.101.45.225" ], "related.user": [ + "uinesc", "cipitla", - "emi", - "uinesc" + "emi" ], "rsa.db.index": "caecat", "rsa.internal.event_desc": "tsunt", @@ -5040,9 +5040,9 @@ "10.2.204.161" ], "related.user": [ - "quela", + "eumfugia", "ore", - "eumfugia" + "quela" ], "rsa.db.index": "olup", "rsa.internal.event_desc": "quuntur", @@ -5088,9 +5088,9 @@ "10.33.112.100" ], "related.user": [ - "ptatemse", "aliqu", - "enimad" + "enimad", + "ptatemse" ], "rsa.db.index": "Except", "rsa.internal.event_desc": "cons", @@ -5135,8 +5135,8 @@ "isno4595.local" ], "related.ip": [ - "10.151.110.250", - "10.94.152.238" + "10.94.152.238", + "10.151.110.250" ], "related.user": [ "tla", @@ -5198,13 +5198,13 @@ "tatemse5403.home" ], "related.ip": [ - "10.146.61.5", - "10.77.9.17" + "10.77.9.17", + "10.146.61.5" ], "related.user": [ - "tevel", "umS", - "alorumwr" + "alorumwr", + "tevel" ], "rsa.db.database": "amremap", "rsa.db.index": "aqu", @@ -5258,9 +5258,9 @@ "10.128.102.130" ], "related.user": [ - "que", + "sequatu", "ore", - "sequatu" + "que" ], "rsa.db.index": "exerci", "rsa.internal.event_desc": "olu", @@ -5305,12 +5305,12 @@ "reprehe650.www.corp" ], "related.ip": [ - "10.200.162.248", - "10.31.86.83" + "10.31.86.83", + "10.200.162.248" ], "related.user": [ - "onnu", "reseo", + "onnu", "doloremi" ], "rsa.db.database": "billo", @@ -5365,8 +5365,8 @@ "10.103.215.159" ], "related.user": [ - "volup", "apa", + "volup", "atatn" ], "rsa.db.index": "atcupi", diff --git a/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml b/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml index be7f27f551f..4f9992ae2d4 100644 --- a/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml +++ b/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json index e6ca9516ad0..483625d8bea 100644 --- a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json +++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json @@ -7,6 +7,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json index 1c9482cefdb..703b5e977b3 100644 --- a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json +++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json @@ -140,6 +140,7 @@ "destination.as.organization.name": "Fastly", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "151.101.66.217", diff --git a/x-pack/filebeat/module/f5/bigipafm/config/pipeline.js b/x-pack/filebeat/module/f5/bigipafm/config/pipeline.js index a32c606c1ba..e749db584be 100644 --- a/x-pack/filebeat/module/f5/bigipafm/config/pipeline.js +++ b/x-pack/filebeat/module/f5/bigipafm/config/pipeline.js @@ -33,8 +33,7 @@ var map_getEventCategoryActivity = { var dup1 = constant("Deny"); -var hdr1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hhostname,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(hfld4,true), Constant(' '), Field(hfld5,true), Constant(' [F5@'), Field(hfld6,true), Constant(' '), Field(payload,false)}" -match("HEADER#0:0001", "message", "%{hfld1->} %{hfld2->} %{hhostname->} %{hfld3->} %{hfld4->} %{hfld5->} [F5@%{hfld6->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hfld1->} %{hfld2->} %{hhostname->} %{hfld3->} %{hfld4->} %{hfld5->} [F5@%{hfld6->} %{payload}", processor_chain([ setc("header_id","0001"), setc("messageid","BIGIP_AFM"), ])); diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json index d1729062282..13fe3560c05 100644 --- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json @@ -24,10 +24,10 @@ "tatemac3541.api.corp" ], "related.ip": [ + "10.208.121.85", "10.165.201.71", - "10.228.193.207", "10.11.196.142", - "10.208.121.85" + "10.228.193.207" ], "related.user": [ "billoi" @@ -93,9 +93,9 @@ ], "related.ip": [ "10.51.132.10", - "10.162.9.235", + "10.92.202.200", "10.94.67.230", - "10.92.202.200" + "10.162.9.235" ], "related.user": [ "byC" @@ -228,9 +228,9 @@ ], "related.ip": [ "10.12.44.169", - "10.202.66.28", + "10.131.233.27", "10.50.112.141", - "10.131.233.27" + "10.202.66.28" ], "related.user": [ "elits" @@ -296,9 +296,9 @@ ], "related.ip": [ "10.159.182.171", + "10.206.197.113", "10.151.111.38", - "10.96.35.212", - "10.206.197.113" + "10.96.35.212" ], "related.user": [ "mol" @@ -365,8 +365,8 @@ "related.ip": [ "10.126.177.162", "10.213.113.28", - "10.169.144.147", - "10.89.163.114" + "10.89.163.114", + "10.169.144.147" ], "related.user": [ "ist" @@ -430,10 +430,10 @@ "ittenbyC7838.api.localdomain" ], "related.ip": [ - "10.101.223.43", - "10.18.124.28", + "10.146.88.52", "10.103.107.47", - "10.146.88.52" + "10.101.223.43", + "10.18.124.28" ], "related.user": [ "rudexerc" @@ -498,8 +498,8 @@ "ume465.corp" ], "related.ip": [ - "10.150.220.75", "10.189.109.245", + "10.150.220.75", "10.69.57.206", "10.110.99.17" ], @@ -565,8 +565,8 @@ "iciatisu1463.www5.localdomain" ], "related.ip": [ - "10.199.34.241", "10.121.219.204", + "10.199.34.241", "10.153.136.222", "10.19.194.101" ], @@ -632,9 +632,9 @@ "aliqu6801.api.localdomain" ], "related.ip": [ - "10.57.103.192", "10.64.141.105", "10.46.27.57", + "10.57.103.192", "10.182.199.231" ], "related.user": [ @@ -699,10 +699,10 @@ "itame189.domain" ], "related.ip": [ - "10.32.67.231", - "10.3.134.237", + "10.164.6.207", "10.160.210.31", - "10.164.6.207" + "10.3.134.237", + "10.32.67.231" ], "related.user": [ "pic" @@ -768,8 +768,8 @@ ], "related.ip": [ "10.42.138.192", - "10.201.6.10", "10.235.101.253", + "10.201.6.10", "10.182.178.217" ], "related.user": [ @@ -835,9 +835,9 @@ "stlabo1228.mail.host" ], "related.ip": [ - "10.86.101.235", - "10.194.247.171", "10.151.161.70", + "10.194.247.171", + "10.86.101.235", "10.22.102.198" ], "related.user": [ @@ -904,9 +904,9 @@ ], "related.ip": [ "10.174.252.105", - "10.204.35.15", + "10.167.172.155", "10.107.168.60", - "10.167.172.155" + "10.204.35.15" ], "related.user": [ "mnisi" @@ -971,9 +971,9 @@ ], "related.ip": [ "10.99.249.210", + "10.214.249.164", "10.182.191.174", - "10.81.26.208", - "10.214.249.164" + "10.81.26.208" ], "related.user": [ "upta" @@ -1037,9 +1037,9 @@ "sauteiru4554.api.domain" ], "related.ip": [ + "10.220.5.143", "10.88.101.53", "10.201.238.90", - "10.220.5.143", "10.101.226.128" ], "related.user": [ @@ -1104,10 +1104,10 @@ "untut4046.internal.domain" ], "related.ip": [ - "10.243.218.215", - "10.217.150.196", + "10.30.133.66", "10.157.18.252", - "10.30.133.66" + "10.243.218.215", + "10.217.150.196" ], "related.user": [ "evit" @@ -1171,10 +1171,10 @@ "quid3147.mail.home" ], "related.ip": [ - "10.167.227.44", "10.181.133.187", "10.148.161.250", - "10.66.181.6" + "10.66.181.6", + "10.167.227.44" ], "related.user": [ "adipisc" @@ -1239,10 +1239,10 @@ "umdolo1029.mail.localhost" ], "related.ip": [ - "10.74.11.43", - "10.54.17.32", "10.84.163.178", - "10.107.9.163" + "10.107.9.163", + "10.54.17.32", + "10.74.11.43" ], "related.user": [ "mquisno" @@ -1307,9 +1307,9 @@ ], "related.ip": [ "10.230.129.252", - "10.184.73.211", + "10.112.32.213", "10.192.229.221", - "10.112.32.213" + "10.184.73.211" ], "related.user": [ "odi" @@ -1374,10 +1374,10 @@ "paquioff624.mail.invalid" ], "related.ip": [ - "10.161.148.64", + "10.198.213.189", "10.199.216.143", - "10.7.200.140", - "10.198.213.189" + "10.161.148.64", + "10.7.200.140" ], "related.user": [ "ccaeca" @@ -1441,10 +1441,10 @@ "mex2054.mail.corp" ], "related.ip": [ + "10.65.232.27", "10.206.96.56", - "10.22.187.69", "10.128.157.27", - "10.65.232.27" + "10.22.187.69" ], "related.user": [ "uaeab" @@ -1509,9 +1509,9 @@ ], "related.ip": [ "10.194.210.62", - "10.68.253.120", "10.183.130.225", - "10.71.114.14" + "10.71.114.14", + "10.68.253.120" ], "related.user": [ "admin" @@ -1576,10 +1576,10 @@ "loi7596.www5.home" ], "related.ip": [ - "10.47.255.237", - "10.45.253.103", "10.107.45.175", - "10.31.177.226" + "10.31.177.226", + "10.47.255.237", + "10.45.253.103" ], "related.user": [ "remagn" @@ -1644,10 +1644,10 @@ "nsequat1971.internal.invalid" ], "related.ip": [ + "10.225.212.189", "10.44.58.106", - "10.55.105.113", "10.213.94.135", - "10.225.212.189" + "10.55.105.113" ], "related.user": [ "dquia" @@ -1711,9 +1711,9 @@ "ectiono2241.lan" ], "related.ip": [ - "10.255.74.136", "10.69.161.78", "10.163.209.70", + "10.255.74.136", "10.2.114.9" ], "related.user": [ @@ -1778,10 +1778,10 @@ "umetMal1664.mail.lan" ], "related.ip": [ - "10.46.115.216", - "10.252.102.110", + "10.184.59.148", "10.12.129.137", - "10.184.59.148" + "10.46.115.216", + "10.252.102.110" ], "related.user": [ "perspici" @@ -1848,8 +1848,8 @@ "related.ip": [ "10.81.184.7", "10.199.194.79", - "10.155.204.243", - "10.105.52.140" + "10.105.52.140", + "10.155.204.243" ], "related.user": [ "eetd" @@ -1916,8 +1916,8 @@ "related.ip": [ "10.251.231.142", "10.177.238.45", - "10.18.226.72", - "10.110.2.166" + "10.110.2.166", + "10.18.226.72" ], "related.user": [ "taliqui" @@ -1982,10 +1982,10 @@ "iutali7297.www.domain" ], "related.ip": [ + "10.192.98.247", "10.99.202.229", - "10.100.199.226", "10.190.122.27", - "10.192.98.247" + "10.100.199.226" ], "related.user": [ "lloinven" @@ -2050,10 +2050,10 @@ "orumw5960.www5.home" ], "related.ip": [ + "10.172.154.97", "10.248.111.207", - "10.162.97.197", "10.37.193.70", - "10.172.154.97" + "10.162.97.197" ], "related.user": [ "culpaq" @@ -2117,10 +2117,10 @@ "oinv5493.internal.domain" ], "related.ip": [ + "10.36.63.31", "10.171.221.230", "10.222.165.250", - "10.45.35.180", - "10.36.63.31" + "10.45.35.180" ], "related.user": [ "otamr" @@ -2184,9 +2184,9 @@ "tnonproi195.api.home" ], "related.ip": [ - "10.1.171.61", - "10.199.127.211", "10.83.238.145", + "10.199.127.211", + "10.1.171.61", "10.238.4.219" ], "related.user": [ @@ -2252,9 +2252,9 @@ ], "related.ip": [ "10.170.252.219", - "10.65.141.244", + "10.44.226.104", "10.74.213.42", - "10.44.226.104" + "10.65.141.244" ], "related.user": [ "Nequepo" @@ -2385,10 +2385,10 @@ "redo6311.api.invalid" ], "related.ip": [ - "10.176.64.28", + "10.169.123.103", "10.97.138.181", "10.205.174.181", - "10.169.123.103" + "10.176.64.28" ], "related.user": [ "eseruntm" @@ -2453,10 +2453,10 @@ "dolorem1698.www.domain" ], "related.ip": [ + "10.204.4.40", "10.75.120.11", - "10.169.101.161", "10.53.101.131", - "10.204.4.40" + "10.169.101.161" ], "related.user": [ "tquo" @@ -2521,10 +2521,10 @@ "evitae7333.www.lan" ], "related.ip": [ - "10.156.117.169", "10.28.51.219", - "10.6.222.112", - "10.87.120.87" + "10.156.117.169", + "10.87.120.87", + "10.6.222.112" ], "related.user": [ "onsequu" @@ -2589,9 +2589,9 @@ ], "related.ip": [ "10.247.44.59", + "10.4.126.103", "10.57.89.155", - "10.253.167.17", - "10.4.126.103" + "10.253.167.17" ], "related.user": [ "ntorever" @@ -2655,10 +2655,10 @@ "olorsi2746.internal.localhost" ], "related.ip": [ - "10.36.69.125", "10.15.240.220", + "10.143.183.208", "10.248.206.210", - "10.143.183.208" + "10.36.69.125" ], "related.user": [ "met" @@ -2724,8 +2724,8 @@ ], "related.ip": [ "10.69.170.107", - "10.6.32.7", "10.34.133.2", + "10.6.32.7", "10.142.186.43" ], "related.user": [ @@ -2791,10 +2791,10 @@ "ender5647.www5.example" ], "related.ip": [ - "10.59.103.10", - "10.170.165.164", "10.121.153.197", - "10.142.22.24" + "10.142.22.24", + "10.59.103.10", + "10.170.165.164" ], "related.user": [ "borumSec" @@ -2859,9 +2859,9 @@ "sis3986.internal.lan" ], "related.ip": [ - "10.19.99.129", - "10.247.114.30", "10.176.83.7", + "10.247.114.30", + "10.19.99.129", "10.133.10.122" ], "related.user": [ @@ -2927,10 +2927,10 @@ "uatu2894.api.lan" ], "related.ip": [ + "10.64.139.17", "10.70.7.23", - "10.40.177.138", "10.8.29.219", - "10.64.139.17" + "10.40.177.138" ], "related.user": [ "rep" @@ -2996,8 +2996,8 @@ "related.ip": [ "10.2.189.20", "10.67.221.220", - "10.67.173.228", - "10.180.62.222" + "10.180.62.222", + "10.67.173.228" ], "related.user": [ "uptasnul" @@ -3062,10 +3062,10 @@ "uian521.www.example" ], "related.ip": [ - "10.147.127.181", + "10.196.176.243", "10.209.52.47", "10.56.134.118", - "10.196.176.243" + "10.147.127.181" ], "related.user": [ "tasu" @@ -3130,9 +3130,9 @@ ], "related.ip": [ "10.226.24.84", - "10.248.140.59", + "10.85.13.237", "10.231.18.90", - "10.85.13.237" + "10.248.140.59" ], "related.user": [ "Nem" @@ -3197,10 +3197,10 @@ "ntsunt4894.mail.domain" ], "related.ip": [ - "10.59.215.207", - "10.207.183.204", + "10.203.46.215", "10.8.224.72", - "10.203.46.215" + "10.207.183.204", + "10.59.215.207" ], "related.user": [ "eruntmo" @@ -3265,10 +3265,10 @@ "mexer3864.api.corp" ], "related.ip": [ - "10.98.154.146", "10.73.84.95", + "10.255.145.22", "10.230.38.148", - "10.255.145.22" + "10.98.154.146" ], "related.user": [ "sitam" @@ -3332,10 +3332,10 @@ "oluptat6960.www5.test" ], "related.ip": [ - "10.166.142.198", "10.105.120.162", - "10.175.181.138", - "10.211.29.187" + "10.211.29.187", + "10.166.142.198", + "10.175.181.138" ], "related.user": [ "tium" @@ -3400,10 +3400,10 @@ "fugiatnu2498.www.localhost" ], "related.ip": [ - "10.182.213.195", - "10.195.139.25", "10.122.133.162", - "10.220.202.102" + "10.220.202.102", + "10.182.213.195", + "10.195.139.25" ], "related.user": [ "aquae" @@ -3535,10 +3535,10 @@ "exer447.internal.localhost" ], "related.ip": [ - "10.241.143.145", - "10.35.190.164", "10.21.58.162", - "10.113.65.192" + "10.35.190.164", + "10.113.65.192", + "10.241.143.145" ], "related.user": [ "porin" @@ -3672,9 +3672,9 @@ ], "related.ip": [ "10.150.153.61", - "10.22.213.196", + "10.125.150.220", "10.120.50.13", - "10.125.150.220" + "10.22.213.196" ], "related.user": [ "inculpa" @@ -3739,10 +3739,10 @@ "edquiaco6562.api.lan" ], "related.ip": [ + "10.113.2.13", "10.85.52.249", - "10.229.155.171", "10.238.171.184", - "10.113.2.13" + "10.229.155.171" ], "related.user": [ "tatiset" @@ -3808,9 +3808,9 @@ ], "related.ip": [ "10.249.174.35", + "10.198.150.185", "10.51.245.225", - "10.220.1.249", - "10.198.150.185" + "10.220.1.249" ], "related.user": [ "quela" @@ -3875,8 +3875,8 @@ "eosqui3723.api.localdomain" ], "related.ip": [ - "10.38.185.31", "10.251.82.195", + "10.38.185.31", "10.190.96.181", "10.152.157.32" ], @@ -3942,10 +3942,10 @@ "itaedict199.mail.corp" ], "related.ip": [ - "10.103.102.242", - "10.190.247.194", "10.230.112.179", - "10.211.198.50" + "10.211.198.50", + "10.103.102.242", + "10.190.247.194" ], "related.user": [ "tDuisaut" @@ -4010,9 +4010,9 @@ ], "related.ip": [ "10.219.83.199", + "10.251.101.61", "10.47.223.155", - "10.101.13.122", - "10.251.101.61" + "10.101.13.122" ], "related.user": [ "ectetur" @@ -4077,10 +4077,10 @@ "saute7421.www.invalid" ], "related.ip": [ + "10.83.136.233", "10.31.86.83", - "10.21.30.43", "10.21.80.157", - "10.83.136.233" + "10.21.30.43" ], "related.user": [ "litsed" @@ -4145,9 +4145,9 @@ "oluptas1637.home" ], "related.ip": [ - "10.27.181.27", "10.45.152.205", "10.194.197.107", + "10.27.181.27", "10.195.90.73" ], "related.user": [ @@ -4213,10 +4213,10 @@ "ididu5505.api.localdomain" ], "related.ip": [ - "10.222.2.132", - "10.183.90.25", "10.43.239.97", - "10.129.161.18" + "10.129.161.18", + "10.183.90.25", + "10.222.2.132" ], "related.user": [ "aedicta" @@ -4280,10 +4280,10 @@ "mqui1099.api.corp" ], "related.ip": [ + "10.248.156.138", "10.67.129.100", - "10.231.167.171", "10.189.162.131", - "10.248.156.138" + "10.231.167.171" ], "related.user": [ "sedquia" @@ -4348,9 +4348,9 @@ "siuta2155.lan" ], "related.ip": [ + "10.63.103.30", "10.6.146.184", "10.185.107.27", - "10.63.103.30", "10.142.106.66" ], "related.user": [ @@ -4415,10 +4415,10 @@ "tatiset4191.localdomain" ], "related.ip": [ - "10.93.39.237", "10.119.179.182", + "10.214.93.200", "10.0.202.9", - "10.214.93.200" + "10.93.39.237" ], "related.user": [ "tionofd" @@ -4484,8 +4484,8 @@ ], "related.ip": [ "10.28.145.163", - "10.252.204.162", "10.123.154.140", + "10.252.204.162", "10.30.189.166" ], "related.user": [ @@ -4550,9 +4550,9 @@ "idolo6535.internal.example" ], "related.ip": [ + "10.46.162.198", "10.145.128.250", "10.79.49.3", - "10.46.162.198", "10.29.122.183" ], "related.user": [ @@ -4618,10 +4618,10 @@ "one7728.api.localdomain" ], "related.ip": [ - "10.166.169.167", - "10.65.174.196", + "10.142.235.217", "10.177.232.136", - "10.142.235.217" + "10.65.174.196", + "10.166.169.167" ], "related.user": [ "olors" @@ -4686,9 +4686,9 @@ "uptatem4446.internal.localhost" ], "related.ip": [ - "10.29.217.44", "10.215.184.154", "10.191.78.86", + "10.29.217.44", "10.53.188.140" ], "related.user": [ @@ -4754,8 +4754,8 @@ "emq2514.api.localhost" ], "related.ip": [ - "10.135.77.156", "10.46.222.149", + "10.135.77.156", "10.76.148.147", "10.74.74.129" ], @@ -4821,10 +4821,10 @@ "agna5654.www.corp" ], "related.ip": [ - "10.145.49.29", + "10.130.203.37", "10.96.200.223", - "10.11.146.253", - "10.130.203.37" + "10.145.49.29", + "10.11.146.253" ], "related.user": [ "mvele" @@ -4888,10 +4888,10 @@ "ipi4827.mail.lan" ], "related.ip": [ - "10.24.23.209", "10.162.78.48", - "10.48.75.140", - "10.162.2.180" + "10.162.2.180", + "10.24.23.209", + "10.48.75.140" ], "related.user": [ "rumwr" @@ -4955,10 +4955,10 @@ "sequatD163.internal.example" ], "related.ip": [ - "10.151.206.38", - "10.66.92.83", "10.119.12.186", - "10.97.105.115" + "10.97.105.115", + "10.151.206.38", + "10.66.92.83" ], "related.user": [ "nproide" @@ -5022,10 +5022,10 @@ "itamet1303.invalid" ], "related.ip": [ - "10.64.76.142", "10.169.139.250", "10.12.148.73", - "10.201.132.114" + "10.201.132.114", + "10.64.76.142" ], "related.user": [ "borisnis" @@ -5090,10 +5090,10 @@ "epr3512.internal.domain" ], "related.ip": [ - "10.111.128.11", - "10.9.236.18", "10.35.38.185", - "10.200.116.191" + "10.200.116.191", + "10.111.128.11", + "10.9.236.18" ], "related.user": [ "umfug" @@ -5157,10 +5157,10 @@ "uredol2174.home" ], "related.ip": [ - "10.134.238.8", "10.191.27.182", - "10.236.67.227", - "10.240.62.238" + "10.134.238.8", + "10.240.62.238", + "10.236.67.227" ], "related.user": [ "tlabo" @@ -5224,10 +5224,10 @@ "ididunt7607.mail.localhost" ], "related.ip": [ - "10.109.14.142", "10.22.231.91", - "10.65.35.64", - "10.165.66.92" + "10.165.66.92", + "10.109.14.142", + "10.65.35.64" ], "related.user": [ "perna" @@ -5292,9 +5292,9 @@ ], "related.ip": [ "10.64.161.215", + "10.29.230.203", "10.71.112.86", - "10.89.221.90", - "10.29.230.203" + "10.89.221.90" ], "related.user": [ "rnatur" @@ -5358,10 +5358,10 @@ "nonn1650.www.test" ], "related.ip": [ - "10.221.199.137", - "10.88.226.76", + "10.140.118.182", "10.79.208.135", - "10.140.118.182" + "10.221.199.137", + "10.88.226.76" ], "related.user": [ "erspic" @@ -5426,10 +5426,10 @@ "acons3940.api.lan" ], "related.ip": [ + "10.133.48.55", "10.35.73.208", - "10.126.61.230", "10.189.244.22", - "10.133.48.55" + "10.126.61.230" ], "related.user": [ "tia" @@ -5493,8 +5493,8 @@ "suscipit587.www.localhost" ], "related.ip": [ - "10.240.94.109", "10.239.194.105", + "10.240.94.109", "10.81.154.115", "10.35.65.72" ], @@ -5562,8 +5562,8 @@ ], "related.ip": [ "10.150.56.227", - "10.52.70.192", "10.248.72.104", + "10.52.70.192", "10.38.253.213" ], "related.user": [ @@ -5629,10 +5629,10 @@ "borios1067.www5.home" ], "related.ip": [ - "10.218.15.164", - "10.62.218.239", "10.73.172.186", - "10.203.193.134" + "10.203.193.134", + "10.218.15.164", + "10.62.218.239" ], "related.user": [ "reh" @@ -5696,9 +5696,9 @@ "msequ323.www.example" ], "related.ip": [ + "10.60.20.76", "10.10.46.43", "10.131.127.113", - "10.60.20.76", "10.136.211.234" ], "related.user": [ @@ -5764,10 +5764,10 @@ "tdolorem813.internal.host" ], "related.ip": [ + "10.50.177.151", "10.248.0.74", - "10.233.181.250", "10.187.237.220", - "10.50.177.151" + "10.233.181.250" ], "related.user": [ "ugiatq" @@ -5832,10 +5832,10 @@ "volupt4626.internal.test" ], "related.ip": [ - "10.96.223.46", - "10.80.129.81", + "10.248.248.120", "10.189.43.11", - "10.248.248.120" + "10.80.129.81", + "10.96.223.46" ], "related.user": [ "iatn" @@ -5900,9 +5900,9 @@ "ntium5103.www5.localhost" ], "related.ip": [ - "10.91.115.139", - "10.102.109.199", "10.173.114.63", + "10.102.109.199", + "10.91.115.139", "10.66.106.186" ], "related.user": [ @@ -5968,9 +5968,9 @@ "orpori3334.www.local" ], "related.ip": [ + "10.159.155.88", "10.0.175.17", "10.198.157.122", - "10.159.155.88", "10.221.223.127" ], "related.user": [ @@ -6035,10 +6035,10 @@ "equu7361.www5.localdomain" ], "related.ip": [ - "10.252.136.130", - "10.189.70.237", "10.30.20.187", - "10.7.212.201" + "10.7.212.201", + "10.189.70.237", + "10.252.136.130" ], "related.user": [ "ugiat" @@ -6103,10 +6103,10 @@ "tse2979.internal.localhost" ], "related.ip": [ - "10.60.224.93", - "10.242.121.165", "10.83.105.69", - "10.102.109.194" + "10.102.109.194", + "10.60.224.93", + "10.242.121.165" ], "related.user": [ "mni" @@ -6171,10 +6171,10 @@ "uisnostr2390.mail.domain" ], "related.ip": [ + "10.17.20.93", "10.219.174.45", - "10.181.134.69", "10.251.167.219", - "10.17.20.93" + "10.181.134.69" ], "related.user": [ "Uteni" @@ -6239,10 +6239,10 @@ "luptate4811.mail.example" ], "related.ip": [ - "10.28.233.253", - "10.37.14.20", + "10.223.99.90", "10.30.117.82", - "10.223.99.90" + "10.37.14.20", + "10.28.233.253" ], "related.user": [ "numqua" @@ -6307,10 +6307,10 @@ "lites1614.www.corp" ], "related.ip": [ - "10.57.85.113", - "10.8.32.17", + "10.125.20.22", "10.50.61.114", - "10.125.20.22" + "10.57.85.113", + "10.8.32.17" ], "related.user": [ "qua" @@ -6375,9 +6375,9 @@ "lorinrep7686.mail.corp" ], "related.ip": [ - "10.200.28.55", - "10.215.224.27", "10.113.78.101", + "10.215.224.27", + "10.200.28.55", "10.181.63.82" ], "related.user": [ @@ -6443,10 +6443,10 @@ "nderit6272.mail.example" ], "related.ip": [ - "10.243.43.168", + "10.169.95.128", "10.177.14.106", "10.139.20.223", - "10.169.95.128" + "10.243.43.168" ], "related.user": [ "ofd" @@ -6512,9 +6512,9 @@ ], "related.ip": [ "10.92.168.198", - "10.90.93.4", "10.39.100.88", - "10.18.176.44" + "10.18.176.44", + "10.90.93.4" ], "related.user": [ "adminima" @@ -6579,9 +6579,9 @@ "essequam1161.domain" ], "related.ip": [ - "10.163.203.191", "10.193.43.135", "10.49.68.8", + "10.163.203.191", "10.173.13.179" ], "related.user": [ @@ -6647,9 +6647,9 @@ ], "related.ip": [ "10.240.47.113", - "10.209.226.7", + "10.84.64.28", "10.31.147.51", - "10.84.64.28" + "10.209.226.7" ], "related.user": [ "ull" @@ -6714,9 +6714,9 @@ "item3647.home" ], "related.ip": [ + "10.52.13.192", "10.225.189.229", "10.86.1.244", - "10.52.13.192", "10.32.20.4" ], "related.user": [ diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index fe5ce75e182..81c2af5f702 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -367,8 +367,8 @@ "observer.vendor": "F5", "process.pid": 2289, "related.ip": [ - "10.204.123.107", - "10.225.160.182" + "10.225.160.182", + "10.204.123.107" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "eFinib", @@ -983,8 +983,8 @@ "observer.vendor": "F5", "process.pid": 4318, "related.ip": [ - "10.169.101.161", - "10.122.204.151" + "10.122.204.151", + "10.169.101.161" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "snulap", @@ -1565,8 +1565,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.47.99.72", - "10.187.64.126" + "10.187.64.126", + "10.47.99.72" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index 69eab97fe35..2633519ac68 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -25,8 +25,8 @@ "litesse6379.api.domain" ], "related.ip": [ - "10.150.92.220", - "10.102.123.34" + "10.102.123.34", + "10.150.92.220" ], "related.user": [ "sumdo" @@ -143,8 +143,8 @@ "quis1130.internal.corp" ], "related.ip": [ - "10.118.175.9", - "10.173.116.41" + "10.173.116.41", + "10.118.175.9" ], "related.user": [ "uame" @@ -261,8 +261,8 @@ "enimad2283.internal.domain" ], "related.ip": [ - "10.245.142.250", - "10.70.0.60" + "10.70.0.60", + "10.245.142.250" ], "related.user": [ "eos" @@ -379,8 +379,8 @@ "iutal13.api.localdomain" ], "related.ip": [ - "10.12.44.169", - "10.214.225.125" + "10.214.225.125", + "10.12.44.169" ], "related.user": [ "erep" @@ -438,8 +438,8 @@ "uovol492.www.localhost" ], "related.ip": [ - "10.198.136.50", - "10.66.108.11" + "10.66.108.11", + "10.198.136.50" ], "related.user": [ "uptatev" @@ -556,8 +556,8 @@ "eniam7007.api.invalid" ], "related.ip": [ - "10.54.231.100", - "10.203.5.162" + "10.203.5.162", + "10.54.231.100" ], "related.user": [ "umdolore" @@ -615,8 +615,8 @@ "snulapar3794.api.domain" ], "related.ip": [ - "10.65.83.160", - "10.136.252.240" + "10.136.252.240", + "10.65.83.160" ], "related.user": [ "ender" @@ -674,8 +674,8 @@ "liq5883.localdomain" ], "related.ip": [ - "10.210.213.18", - "10.57.40.29" + "10.57.40.29", + "10.210.213.18" ], "related.user": [ "onse" @@ -969,8 +969,8 @@ "tion1761.home" ], "related.ip": [ - "10.73.69.75", - "10.19.201.13" + "10.19.201.13", + "10.73.69.75" ], "related.user": [ "tat" @@ -1028,8 +1028,8 @@ "santium4235.api.local" ], "related.ip": [ - "10.84.105.75", - "10.78.151.178" + "10.78.151.178", + "10.84.105.75" ], "related.user": [ "iquaUten" @@ -1087,8 +1087,8 @@ "CSed2857.www5.example" ], "related.ip": [ - "10.25.192.202", - "10.135.233.146" + "10.135.233.146", + "10.25.192.202" ], "related.user": [ "emeumfu" @@ -1146,8 +1146,8 @@ "equep5085.mail.domain" ], "related.ip": [ - "10.104.134.200", - "10.121.219.204" + "10.121.219.204", + "10.104.134.200" ], "related.user": [ "uptat" @@ -1205,8 +1205,8 @@ "conseq557.mail.lan" ], "related.ip": [ - "10.225.160.182", - "10.191.105.82" + "10.191.105.82", + "10.225.160.182" ], "related.user": [ "eirure" @@ -1323,8 +1323,8 @@ "lit5929.test" ], "related.ip": [ - "10.153.111.103", - "10.6.167.7" + "10.6.167.7", + "10.153.111.103" ], "related.user": [ "eumfug" @@ -1618,8 +1618,8 @@ "xeacomm6855.api.corp" ], "related.ip": [ - "10.168.90.81", - "10.101.57.120" + "10.101.57.120", + "10.168.90.81" ], "related.user": [ "eporr" @@ -1913,8 +1913,8 @@ "eprehen3224.www5.localdomain" ], "related.ip": [ - "10.195.2.130", - "10.75.99.127" + "10.75.99.127", + "10.195.2.130" ], "related.user": [ "inibusB" @@ -1972,8 +1972,8 @@ "ptasn6599.www.localhost" ], "related.ip": [ - "10.201.238.90", - "10.245.104.182" + "10.245.104.182", + "10.201.238.90" ], "related.user": [ "ovol" @@ -2090,8 +2090,8 @@ "gitsedqu2649.mail.lan" ], "related.ip": [ - "10.184.18.202", - "10.4.157.1" + "10.4.157.1", + "10.184.18.202" ], "related.user": [ "oditem" @@ -2208,8 +2208,8 @@ "tut2703.www.host" ], "related.ip": [ - "10.27.16.118", - "10.83.177.2" + "10.83.177.2", + "10.27.16.118" ], "related.user": [ "borios" @@ -2385,8 +2385,8 @@ "tot5313.mail.invalid" ], "related.ip": [ - "10.9.18.237", - "10.9.12.248" + "10.9.12.248", + "10.9.18.237" ], "related.user": [ "uradi" @@ -2444,8 +2444,8 @@ "rumet3801.internal.domain" ], "related.ip": [ - "10.41.123.102", - "10.83.130.226" + "10.83.130.226", + "10.41.123.102" ], "related.user": [ "tenim" @@ -2562,8 +2562,8 @@ "sequat7273.api.host" ], "related.ip": [ - "10.134.18.114", - "10.142.25.100" + "10.142.25.100", + "10.134.18.114" ], "related.user": [ "osqui" @@ -2621,8 +2621,8 @@ "uidol4575.localhost" ], "related.ip": [ - "10.28.118.160", - "10.223.119.218" + "10.223.119.218", + "10.28.118.160" ], "related.user": [ "ntsunt" @@ -2916,8 +2916,8 @@ "iosamnis1047.internal.localdomain" ], "related.ip": [ - "10.210.89.183", - "10.150.245.88" + "10.150.245.88", + "10.210.89.183" ], "related.user": [ "sequa" @@ -2975,8 +2975,8 @@ "orroq6677.internal.example" ], "related.ip": [ - "10.85.185.13", - "10.180.195.43" + "10.180.195.43", + "10.85.185.13" ], "related.user": [ "voluptas" @@ -3093,8 +3093,8 @@ "itaedict7233.mail.localdomain" ], "related.ip": [ - "10.86.11.48", - "10.248.165.185" + "10.248.165.185", + "10.86.11.48" ], "related.user": [ "dquiac" @@ -3152,8 +3152,8 @@ "numquam5869.internal.example" ], "related.ip": [ - "10.118.6.177", - "10.47.125.38" + "10.47.125.38", + "10.118.6.177" ], "related.user": [ "quunt" @@ -3211,8 +3211,8 @@ "onu6137.api.home" ], "related.ip": [ - "10.60.142.127", - "10.50.233.155" + "10.50.233.155", + "10.60.142.127" ], "related.user": [ "atv" @@ -3270,8 +3270,8 @@ "aecatcup2241.www5.test" ], "related.ip": [ - "10.28.82.189", - "10.120.10.211" + "10.120.10.211", + "10.28.82.189" ], "related.user": [ "rcit" @@ -3388,8 +3388,8 @@ "mveleum4322.www5.host" ], "related.ip": [ - "10.226.5.189", - "10.125.165.144" + "10.125.165.144", + "10.226.5.189" ], "related.user": [ "mvolu" @@ -3565,8 +3565,8 @@ "nreprehe715.api.home" ], "related.ip": [ - "10.17.87.79", - "10.123.199.198" + "10.123.199.198", + "10.17.87.79" ], "related.user": [ "ratvolu" @@ -3624,8 +3624,8 @@ "unte893.internal.host" ], "related.ip": [ - "10.38.86.177", - "10.115.68.40" + "10.115.68.40", + "10.38.86.177" ], "related.user": [ "mpo" @@ -4096,8 +4096,8 @@ "squira4455.api.domain" ], "related.ip": [ - "10.196.96.162", - "10.34.131.224" + "10.34.131.224", + "10.196.96.162" ], "related.user": [ "tnonproi" @@ -4804,8 +4804,8 @@ "lamcola4879.www5.localdomain" ], "related.ip": [ - "10.14.204.36", - "10.85.104.146" + "10.85.104.146", + "10.14.204.36" ], "related.user": [ "emp" @@ -4863,8 +4863,8 @@ "edquian330.mail.local" ], "related.ip": [ - "10.208.18.210", - "10.30.246.132" + "10.30.246.132", + "10.208.18.210" ], "related.user": [ "veniam" @@ -4922,8 +4922,8 @@ "santi837.api.domain" ], "related.ip": [ - "10.19.119.17", - "10.106.249.91" + "10.106.249.91", + "10.19.119.17" ], "related.user": [ "lit" @@ -5040,8 +5040,8 @@ "nonn4478.host" ], "related.ip": [ - "10.164.207.42", - "10.164.120.197" + "10.164.120.197", + "10.164.207.42" ], "related.user": [ "pta" @@ -5099,8 +5099,8 @@ "amquaer3985.www5.example" ], "related.ip": [ - "10.183.189.133", - "10.154.191.225" + "10.154.191.225", + "10.183.189.133" ], "related.user": [ "ita" @@ -5276,8 +5276,8 @@ "orumS757.www5.corp" ], "related.ip": [ - "10.91.2.135", - "10.126.245.73" + "10.126.245.73", + "10.91.2.135" ], "related.user": [ "olore" @@ -5335,8 +5335,8 @@ "emi4534.www.localdomain" ], "related.ip": [ - "10.137.85.123", - "10.183.243.246" + "10.183.243.246", + "10.137.85.123" ], "related.user": [ "cid" @@ -5453,8 +5453,8 @@ "aturQu7083.mail.host" ], "related.ip": [ - "10.79.73.195", - "10.125.143.153" + "10.125.143.153", + "10.79.73.195" ], "related.user": [ "emip" @@ -5571,8 +5571,8 @@ "siarc6339.internal.corp" ], "related.ip": [ - "10.222.245.80", - "10.87.90.49" + "10.87.90.49", + "10.222.245.80" ], "related.user": [ "ptatemse" @@ -5689,8 +5689,8 @@ "byC5766.internal.home" ], "related.ip": [ - "10.105.97.134", - "10.204.178.19" + "10.204.178.19", + "10.105.97.134" ], "related.user": [ "mexercit" @@ -5866,8 +5866,8 @@ "porissu1470.domain" ], "related.ip": [ - "10.180.90.112", - "10.116.153.19" + "10.116.153.19", + "10.180.90.112" ], "related.user": [ "itessequ" diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json index 367d81f9868..1bc7032f6d2 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json +++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json @@ -6,6 +6,7 @@ "destination.bytes": 1130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -81,6 +82,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -151,6 +153,7 @@ "destination.bytes": 6812, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -225,6 +228,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -299,6 +303,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -373,6 +378,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -442,6 +448,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -512,6 +519,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -585,6 +593,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -654,6 +663,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -714,6 +724,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.4.4", @@ -825,6 +836,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.4.4", @@ -874,6 +886,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -889,6 +902,7 @@ "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.4.5.4", @@ -942,6 +956,7 @@ "source.as.organization.name": "Quad9", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": "9.9.9.9", @@ -1049,6 +1064,7 @@ "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.5.4", @@ -1100,6 +1116,7 @@ "service.type": "fortinet", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "7.6.3.4", @@ -1186,6 +1203,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.6", @@ -1235,6 +1253,7 @@ "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.5.4", @@ -1396,6 +1415,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1465,6 +1485,7 @@ "destination.bytes": 65446, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.6.4.7", @@ -1532,6 +1553,7 @@ "source.geo.city_name": "Beijing", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 39.9288, "source.geo.location.lon": 116.3889, "source.geo.region_iso_code": "CN-BJ", @@ -1553,6 +1575,7 @@ "destination.bytes": 20, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "2001:4860:4860::8888", @@ -1613,6 +1636,7 @@ "source.bytes": 3014, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "2001:4860:4860::8888", @@ -1629,6 +1653,7 @@ "destination.bytes": 10, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1689,6 +1714,7 @@ "source.bytes": 0, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "9.7.7.7", @@ -1772,6 +1798,7 @@ "destination.bytes": 77654, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1857,6 +1884,7 @@ "source.geo.city_name": "Ashburn", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.0481, "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", @@ -1879,6 +1907,7 @@ "destination.as.organization.name": "Dailymotion S.A.", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "195.8.215.136", diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/pipeline.js b/x-pack/filebeat/module/fortinet/fortimail/config/pipeline.js index b40147eb1d5..28f099e0484 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/config/pipeline.js +++ b/x-pack/filebeat/module/fortinet/fortimail/config/pipeline.js @@ -31,20 +31,15 @@ var dup1 = call({ ], }); -var dup2 = // "Pattern{Constant('user='), Field(username,true), Constant(' ui='), Field(p0,false)}" -match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); +var dup2 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); -var dup3 = // "Pattern{Field(network_service,false), Constant('('), Field(saddr,false), Constant(') action='), Field(p0,false)}" -match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); +var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); -var dup4 = // "Pattern{Field(network_service,true), Constant(' action='), Field(p0,false)}" -match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); +var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); -var dup5 = // "Pattern{Constant('"'), Field(event_description,false), Constant('"')}" -match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); +var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); -var dup6 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); +var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); var dup7 = setc("eventcategory","1401000000"); @@ -70,139 +65,97 @@ var dup14 = setf("category","msgIdPart2"); var dup15 = setf("severity","hseverity"); -var dup16 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); +var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); var dup17 = setc("eventcategory","1602000000"); -var dup18 = // "Pattern{Constant('user='), Field(username,false), Constant('ui='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); +var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); -var dup19 = // "Pattern{Field(network_service,false), Constant('('), Field(hostip,false), Constant(') action='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); +var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); -var dup20 = // "Pattern{Field(network_service,false), Constant('action='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); +var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); -var dup21 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); +var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); -var dup22 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('"msg="STARTTLS='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); +var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); -var dup23 = // "Pattern{Field(sessionid,false), Constant('msg="STARTTLS='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); +var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); -var dup24 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" msg='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); +var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); -var dup25 = // "Pattern{Field(sessionid,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); +var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); -var dup26 = // "Pattern{Constant('from='), Field(p0,false)}" -match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); +var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); -var dup27 = // "Pattern{Constant('"'), Field(from,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); +var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); -var dup28 = // "Pattern{Field(from,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); +var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); -var dup29 = // "Pattern{Constant('"'), Field(to,false), Constant('" src='), Field(p0,false)}" -match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); +var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); -var dup30 = // "Pattern{Field(to,true), Constant(' src='), Field(p0,false)}" -match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); +var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); -var dup31 = // "Pattern{Constant('"'), Field(saddr,false), Constant('" session_id='), Field(p0,false)}" -match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); +var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); -var dup32 = // "Pattern{Field(saddr,true), Constant(' session_id='), Field(p0,false)}" -match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); +var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); var dup33 = setc("eventcategory","1003010000"); var dup34 = setf("event_type","messageid"); -var dup35 = // "Pattern{Constant('session_id='), Field(p0,false)}" -match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); +var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); -var dup36 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" from='), Field(p0,false)}" -match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); +var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); -var dup37 = // "Pattern{Field(sessionid,true), Constant(' from='), Field(p0,false)}" -match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); +var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); -var dup38 = // "Pattern{Constant('"'), Field(from,false), Constant('" mailer='), Field(p0,false)}" -match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); +var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); -var dup39 = // "Pattern{Field(from,true), Constant(' mailer='), Field(p0,false)}" -match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); +var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); -var dup40 = // "Pattern{Constant('"'), Field(agent,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); +var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); -var dup41 = // "Pattern{Field(agent,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); +var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); -var dup42 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant('] ('), Field(info,false), Constant(')"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); +var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); -var dup43 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant(']"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); +var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); -var dup44 = // "Pattern{Field(saddr,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); +var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); -var dup45 = // "Pattern{Constant('"'), Field(context,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); +var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); -var dup46 = // "Pattern{Field(context,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); +var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); -var dup47 = // "Pattern{Constant('"'), Field(to,false), Constant('" direction='), Field(p0,false)}" -match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); +var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); -var dup48 = // "Pattern{Field(to,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); +var dup48 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); -var dup49 = // "Pattern{Constant('"'), Field(direction,false), Constant('" message_length='), Field(p0,false)}" -match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); +var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); -var dup50 = // "Pattern{Field(direction,true), Constant(' message_length='), Field(p0,false)}" -match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); +var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); -var dup51 = // "Pattern{Field(fld4,true), Constant(' virus='), Field(p0,false)}" -match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); +var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); -var dup52 = // "Pattern{Constant('"'), Field(virusname,false), Constant('" disposition='), Field(p0,false)}" -match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); +var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); -var dup53 = // "Pattern{Field(virusname,true), Constant(' disposition='), Field(p0,false)}" -match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); +var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); -var dup54 = // "Pattern{Constant('"'), Field(disposition,false), Constant('" classifier='), Field(p0,false)}" -match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); +var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); -var dup55 = // "Pattern{Field(disposition,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); +var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); -var dup56 = // "Pattern{Constant('"'), Field(filter,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); +var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); -var dup57 = // "Pattern{Field(filter,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); +var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); -var dup58 = // "Pattern{Constant('"'), Field(subject,false), Constant('"')}" -match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); +var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); -var dup59 = // "Pattern{Field(subject,false)}" -match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); +var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); var dup60 = setc("eventcategory","1207000000"); -var dup61 = // "Pattern{Field(,false), Constant('resolved='), Field(p0,false)}" -match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); +var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); var dup62 = setc("eventcategory","1207040000"); @@ -322,25 +275,21 @@ var dup82 = all_match({ ]), }); -var hdr1 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' log_part='), Field(hfld3,true), Constant(' type='), Field(msgIdPart1,true), Constant(' subtype='), Field(msgIdPart2,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0001"), dup1, ])); -var hdr2 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' log_part='), Field(hfld3,true), Constant(' type='), Field(messageid,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0002"), ])); -var hdr3 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' type='), Field(msgIdPart1,true), Constant(' subtype='), Field(msgIdPart2,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0003"), dup1, ])); -var hdr4 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' type='), Field(messageid,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0004"), ])); @@ -351,8 +300,7 @@ var select1 = linear_select([ hdr4, ]); -var part1 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' reason='), Field(result,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); +var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); var all1 = all_match({ processors: [ @@ -404,22 +352,18 @@ var msg4 = msg("event_system", dup82); var msg5 = msg("event_imap", dup82); -var part2 = // "Pattern{Field(fld1,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); +var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); -var part3 = // "Pattern{Field(shost,false), Constant('['), Field(saddr,false), Constant('], version='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); +var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); -var part4 = // "Pattern{Field(shost,false), Constant(', version='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); +var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); var select2 = linear_select([ part3, part4, ]); -var part5 = // "Pattern{Field(version,false), Constant(', verify='), Field(fld2,false), Constant(', cipher='), Field(s_cipher,false), Constant(', bits='), Field(fld3,false), Constant('"')}" -match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); +var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); var all3 = all_match({ processors: [ @@ -446,8 +390,7 @@ var all3 = all_match({ var msg6 = msg("event_smtp:01", all3); -var part6 = // "Pattern{Field(fld1,false), Constant(', cert-subject='), Field(cert_subject,false), Constant(', cert-issuer='), Field(fld2,false), Constant(', verifymsg='), Field(fld3,false), Constant('"')}" -match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); +var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); var all4 = all_match({ processors: [ @@ -472,8 +415,7 @@ var all4 = all_match({ var msg7 = msg("event_smtp:02", all4); -var part7 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="to=<<'), Field(to,false), Constant('>, delay='), Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant(', pri='), Field(fld3,false), Constant(', relay='), Field(shost,false), Constant('['), Field(saddr,false), Constant('], dsn='), Field(fld4,false), Constant(', stat='), Field(fld5,false), Constant('"')}" -match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); +var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); var all5 = all_match({ processors: [ @@ -496,31 +438,24 @@ var all5 = all_match({ var msg8 = msg("event_smtp:03", all5); -var part8 = // "Pattern{Constant('user='), Field(username,false), Constant('ui='), Field(network_service,false), Constant('action='), Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="from=<<'), Field(from,false), Constant('>, size='), Field(bytes,false), Constant(', class='), Field(fld2,false), Constant(', nrcpts='), Field(p0,false)}" -match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); +var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); -var part9 = // "Pattern{Field(fld3,false), Constant(', msgid=<<'), Field(fld4,false), Constant('>, proto='), Field(p0,false)}" -match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); +var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); -var part10 = // "Pattern{Field(fld3,false), Constant(', proto='), Field(p0,false)}" -match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); +var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); var select3 = linear_select([ part9, part10, ]); -var part11 = // "Pattern{Field(protocol,false), Constant(', daemon='), Field(process,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); +var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); -var part12 = // "Pattern{Field(shost,false), Constant('['), Field(saddr,false), Constant('] (may be forged)"')}" -match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); +var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); -var part13 = // "Pattern{Field(shost,false), Constant('['), Field(saddr,false), Constant(']"')}" -match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); +var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); -var part14 = // "Pattern{Field(shost,false), Constant('"')}" -match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); +var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); var select4 = linear_select([ part12, @@ -550,8 +485,7 @@ var all6 = all_match({ var msg9 = msg("event_smtp:04", all6); -var part15 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="Milter: to=<<'), Field(to,false), Constant('>, reject='), Field(fld1,false), Constant('"')}" -match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); +var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); var all7 = all_match({ processors: [ @@ -574,22 +508,18 @@ var all7 = all_match({ var msg10 = msg("event_smtp:05", all7); -var part16 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="timeout waiting for input from'), Field(p0,false)}" -match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout waiting for input from%{p0}"); +var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout waiting for input from%{p0}"); -var part17 = // "Pattern{Constant('['), Field(saddr,false), Constant(']during server cmd'), Field(p0,false)}" -match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); +var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); -var part18 = // "Pattern{Field(saddr,false), Constant('during server cmd'), Field(p0,false)}" -match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); +var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); var select5 = linear_select([ part17, part18, ]); -var part19 = // "Pattern{Field(fld5,false), Constant('"')}" -match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); +var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); var all8 = all_match({ processors: [ @@ -614,8 +544,7 @@ var all8 = all_match({ var msg11 = msg("event_smtp:06", all8); -var part20 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="collect:'), Field(fld1,false), Constant('timeout on connection from'), Field(shost,false), Constant(', from=<<'), Field(from,false), Constant('>"')}" -match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); +var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); var all9 = all_match({ processors: [ @@ -638,8 +567,7 @@ var all9 = all_match({ var msg12 = msg("event_smtp:07", all9); -var part21 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="DSN: to <<'), Field(to,false), Constant('>; reason:'), Field(result,false), Constant('; sessionid:'), Field(fld5,false), Constant('"')}" -match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); +var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); var all10 = all_match({ processors: [ @@ -662,8 +590,7 @@ var all10 = all_match({ var msg13 = msg("event_smtp:08", all10); -var part22 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="lost input channel from'), Field(shost,false), Constant('['), Field(saddr,false), Constant('] (may be forged) to SMTP_MTA after rcpt"')}" -match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); +var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); var all11 = all_match({ processors: [ @@ -686,8 +613,7 @@ var all11 = all_match({ var msg14 = msg("event_smtp:09", all11); -var part23 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="'), Field(shost,false), Constant('['), Field(saddr,false), Constant(']: possible SMTP attack: command='), Field(fld1,false), Constant(', count='), Field(dclass_counter1,false), Constant('"')}" -match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); +var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); var all12 = all_match({ processors: [ @@ -711,20 +637,15 @@ var all12 = all_match({ var msg15 = msg("event_smtp:10", all12); -var part24 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" log_part='), Field(id1,true), Constant(' msg="to=<<'), Field(to,false), Constant(', delay='), Field(p0,false)}" -match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); +var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); -var part25 = // "Pattern{Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant(', pri='), Field(fld3,false), Constant(', relay='), Field(shost,false), Constant('"')}" -match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); +var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); -var part26 = // "Pattern{Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant(', pri='), Field(fld3,false), Constant('"')}" -match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); +var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); -var part27 = // "Pattern{Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant('"')}" -match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); +var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); -var part28 = // "Pattern{Field(fld1,false), Constant('"')}" -match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); +var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); var select6 = linear_select([ part25, @@ -755,8 +676,7 @@ var all13 = all_match({ var msg16 = msg("event_smtp:11", all13); -var part29 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' session_id='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); +var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); var all14 = all_match({ processors: [ @@ -819,8 +739,7 @@ var select7 = linear_select([ msg18, ]); -var part31 = // "Pattern{Constant('msg='), Field(p0,false)}" -match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); +var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); var all15 = all_match({ processors: [ @@ -842,19 +761,16 @@ var all15 = all_match({ var msg19 = msg("event_update", all15); -var part32 = // "Pattern{Field(network_service,false), Constant('('), Field(saddr,false), Constant(') module='), Field(p0,false)}" -match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); +var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); -var part33 = // "Pattern{Field(network_service,true), Constant(' module='), Field(p0,false)}" -match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); +var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); var select8 = linear_select([ part32, part33, ]); -var part34 = // "Pattern{Field(fld1,true), Constant(' submodule='), Field(fld2,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); +var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); var all16 = all_match({ processors: [ @@ -906,19 +822,16 @@ var all17 = all_match({ var msg21 = msg("virus", all17); -var part35 = // "Pattern{Constant('"'), Field(to,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); +var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); -var part36 = // "Pattern{Field(to,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} client_name=\"%{p0}"); +var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} client_name=\"%{p0}"); var select10 = linear_select([ part35, part36, ]); -var part37 = // "Pattern{Field(fqdn,false), Constant('" client_ip="'), Field(saddr,false), Constant('" session_id='), Field(p0,false)}" -match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); +var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); var all18 = all_match({ processors: [ @@ -943,28 +856,22 @@ var all18 = all_match({ var msg22 = msg("virus_infected", all18); -var part38 = // "Pattern{Constant('from="'), Field(from,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); +var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); -var part39 = // "Pattern{Field(from,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); +var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); var select11 = linear_select([ part38, part39, ]); -var part40 = // "Pattern{Constant('"'), Field(sdomain,true), Constant(' ['), Field(saddr,false), Constant(']" session_id='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); +var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); -var part41 = // "Pattern{Field(sdomain,true), Constant(' ['), Field(saddr,false), Constant('] session_id='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); +var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); -var part42 = // "Pattern{Constant('"['), Field(saddr,false), Constant(']" session_id='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); +var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); -var part43 = // "Pattern{Constant('['), Field(saddr,false), Constant('] session_id='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); +var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); var select12 = linear_select([ part40, @@ -975,8 +882,7 @@ var select12 = linear_select([ dup32, ]); -var part44 = // "Pattern{Constant('"Attachment file ('), Field(filename,false), Constant(') has sha1 hash value: '), Field(checksum,false), Constant('"')}" -match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%{filename}) has sha1 hash value: %{checksum}\""); +var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%{filename}) has sha1 hash value: %{checksum}\""); var select13 = linear_select([ part44, @@ -1006,8 +912,7 @@ var all19 = all_match({ var msg23 = msg("virus_file-signature", all19); -var part45 = // "Pattern{Field(,false), Constant('MSISDN='), Field(fld3,true), Constant(' resolved='), Field(p0,false)}" -match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); +var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); var all20 = all_match({ processors: [ @@ -1071,74 +976,61 @@ var all21 = all_match({ var msg25 = msg("statistics:01", all21); -var part46 = // "Pattern{Constant('"'), Field(direction,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); +var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); -var part47 = // "Pattern{Field(direction,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); +var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); var select14 = linear_select([ part46, part47, ]); -var part48 = // "Pattern{Constant('"'), Field(subject,false), Constant('" classifier='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); +var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); -var part49 = // "Pattern{Field(subject,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); +var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); var select15 = linear_select([ part48, part49, ]); -var part50 = // "Pattern{Constant('"'), Field(filter,false), Constant('" disposition='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); +var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); -var part51 = // "Pattern{Field(filter,true), Constant(' disposition='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); +var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); var select16 = linear_select([ part50, part51, ]); -var part52 = // "Pattern{Constant('"'), Field(disposition,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); +var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); -var part53 = // "Pattern{Field(disposition,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); +var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); var select17 = linear_select([ part52, part53, ]); -var part54 = // "Pattern{Constant('"'), Field(context,false), Constant('" virus='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); +var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); -var part55 = // "Pattern{Field(context,true), Constant(' virus='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); +var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); var select18 = linear_select([ part54, part55, ]); -var part56 = // "Pattern{Constant('"'), Field(virusname,false), Constant('" message_length='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/11_0", "nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); +var part56 = match("MESSAGE#25:statistics:02/11_0", "nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); -var part57 = // "Pattern{Field(virusname,true), Constant(' message_length='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); +var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); var select19 = linear_select([ part56, part57, ]); -var part58 = // "Pattern{Field(fld4,false)}" -match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); +var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); var all22 = all_match({ processors: [ @@ -1170,17 +1062,13 @@ var all22 = all_match({ var msg26 = msg("statistics:02", all22); -var part59 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); +var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); -var part60 = // "Pattern{Field(fqdn,false), Constant('['), Field(saddr,false), Constant('] (may be forged)"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); +var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); -var part61 = // "Pattern{Field(fqdn,false), Constant('['), Field(saddr,false), Constant(']"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); +var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); -var part62 = // "Pattern{Constant('['), Field(saddr,false), Constant(']"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); +var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); var select20 = linear_select([ part60, @@ -1188,22 +1076,18 @@ var select20 = linear_select([ part62, ]); -var part63 = // "Pattern{Constant('dst_ip="'), Field(daddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); +var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); -var part64 = // "Pattern{Constant(' polid="'), Field(fld5,false), Constant('" domain="'), Field(domain,false), Constant('" subject="'), Field(subject,false), Constant('" mailer="'), Field(agent,false), Constant('" resolved="'), Field(context,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); +var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); -var part65 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); +var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); var select21 = linear_select([ part64, part65, ]); -var part66 = // "Pattern{Field(,false), Constant('direction="'), Field(direction,false), Constant('" virus="'), Field(virusname,false), Constant('" disposition="'), Field(disposition,false), Constant('" classifier="'), Field(filter,false), Constant('" message_length='), Field(fld4,false)}" -match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); +var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); var all23 = all_match({ processors: [ @@ -1227,34 +1111,26 @@ var all23 = all_match({ var msg27 = msg("statistics:03", all23); -var part67 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" client_name='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); +var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); -var part68 = // "Pattern{Field(sessionid,true), Constant(' client_name='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); +var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); var select22 = linear_select([ part67, part68, ]); -var part69 = // "Pattern{Constant('"'), Field(fqdn,false), Constant('['), Field(saddr,false), Constant(']"dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); +var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); -var part70 = // "Pattern{Field(fqdn,false), Constant('['), Field(saddr,false), Constant(']dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); +var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); -var part71 = // "Pattern{Constant('"['), Field(saddr,false), Constant(']"dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); +var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); -var part72 = // "Pattern{Constant('['), Field(saddr,false), Constant(']dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); +var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); -var part73 = // "Pattern{Constant('"'), Field(saddr,false), Constant('"dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); +var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); -var part74 = // "Pattern{Field(saddr,false), Constant('dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); +var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); var select23 = linear_select([ part69, @@ -1265,132 +1141,108 @@ var select23 = linear_select([ part74, ]); -var part75 = // "Pattern{Constant('"'), Field(daddr,false), Constant('" from='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); +var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); -var part76 = // "Pattern{Field(daddr,true), Constant(' from='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); +var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); var select24 = linear_select([ part75, part76, ]); -var part77 = // "Pattern{Constant('"'), Field(from,false), Constant('" hfrom='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); +var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); -var part78 = // "Pattern{Field(from,true), Constant(' hfrom='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); +var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); var select25 = linear_select([ part77, part78, ]); -var part79 = // "Pattern{Constant('"'), Field(fld3,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); +var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); -var part80 = // "Pattern{Field(fld3,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); +var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); var select26 = linear_select([ part79, part80, ]); -var part81 = // "Pattern{Constant('"'), Field(to,false), Constant('" polid='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); +var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); -var part82 = // "Pattern{Field(to,true), Constant(' polid='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} polid=%{p0}"); +var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} polid=%{p0}"); var select27 = linear_select([ part81, part82, ]); -var part83 = // "Pattern{Constant('"'), Field(fld5,false), Constant('" domain='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); +var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); -var part84 = // "Pattern{Field(fld5,true), Constant(' domain='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); +var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); var select28 = linear_select([ part83, part84, ]); -var part85 = // "Pattern{Constant('"'), Field(domain,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); +var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); -var part86 = // "Pattern{Field(domain,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); +var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); var select29 = linear_select([ part85, part86, ]); -var part87 = // "Pattern{Constant('"'), Field(subject,false), Constant('" mailer='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); +var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); -var part88 = // "Pattern{Field(subject,true), Constant(' mailer='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); +var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); var select30 = linear_select([ part87, part88, ]); -var part89 = // "Pattern{Constant('"'), Field(agent,false), Constant('" resolved='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); +var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); -var part90 = // "Pattern{Field(agent,true), Constant(' resolved='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); +var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); var select31 = linear_select([ part89, part90, ]); -var part91 = // "Pattern{Constant('"'), Field(context,false), Constant('" direction='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); +var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); -var part92 = // "Pattern{Field(context,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); +var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); var select32 = linear_select([ part91, part92, ]); -var part93 = // "Pattern{Constant('"'), Field(direction,false), Constant('" virus='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); +var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); -var part94 = // "Pattern{Field(direction,true), Constant(' virus='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); +var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); var select33 = linear_select([ part93, part94, ]); -var part95 = // "Pattern{Constant('"'), Field(filter,false), Constant('" message_length='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); +var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); -var part96 = // "Pattern{Field(filter,true), Constant(' message_length='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); +var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); var select34 = linear_select([ part95, part96, ]); -var part97 = // "Pattern{Constant('"'), Field(fld6,false), Constant('"')}" -match("MESSAGE#27:statistics:04/16_0", "nwparser.p0", "\"%{fld6}\""); +var part97 = match("MESSAGE#27:statistics:04/16_0", "nwparser.p0", "\"%{fld6}\""); -var part98 = // "Pattern{Field(fld6,false)}" -match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); +var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); var select35 = linear_select([ part97, @@ -1472,36 +1324,29 @@ var select36 = linear_select([ msg29, ]); -var part100 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); +var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); -var part101 = // "Pattern{Field(sessionid,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); +var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); var select37 = linear_select([ part100, part101, ]); -var part102 = // "Pattern{Field(,false), Constant('from='), Field(p0,false)}" -match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); +var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); -var part103 = // "Pattern{Constant('"'), Field(to,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); +var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); -var part104 = // "Pattern{Field(to,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); +var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); var select38 = linear_select([ part103, part104, ]); -var part105 = // "Pattern{Constant('"'), Field(subject,false), Constant('" msg='), Field(p0,false)}" -match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); +var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); -var part106 = // "Pattern{Field(subject,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); +var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); var select39 = linear_select([ part105, @@ -1533,8 +1378,7 @@ var all25 = all_match({ var msg30 = msg("spam", all25); -var part107 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" client_name="'), Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant('] ('), Field(fld2,false), Constant(')" dst_ip="'), Field(daddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ +var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ dup62, dup8, dup9, @@ -1547,22 +1391,18 @@ match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" cli var msg31 = msg("spam:04", part107); -var part108 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" client_name='), Field(p0,false)}" -match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); +var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); -var part109 = // "Pattern{Constant('"'), Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant(']" '), Field(p0,false)}" -match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); +var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); -var part110 = // "Pattern{Constant(' "'), Field(fqdn,false), Constant('" client_ip="'), Field(saddr,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); +var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); var select40 = linear_select([ part109, part110, ]); -var part111 = // "Pattern{Field(,false), Constant('dst_ip="'), Field(daddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); +var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); var all26 = all_match({ processors: [ @@ -1584,8 +1424,7 @@ var all26 = all_match({ var msg32 = msg("spam:03", all26); -var part112 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ +var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ dup62, dup8, dup9, @@ -1598,11 +1437,9 @@ match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" fro var msg33 = msg("spam:02", part112); -var part113 = // "Pattern{Constant('"'), Field(to,false), Constant('" msg='), Field(p0,false)}" -match("MESSAGE#33:spam:01/3_0", "nwparser.p0", "\"%{to}\" msg=%{p0}"); +var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", "\"%{to}\" msg=%{p0}"); -var part114 = // "Pattern{Field(to,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); +var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); var select41 = linear_select([ part113, @@ -1658,146 +1495,99 @@ var chain1 = processor_chain([ }), ]); -var part115 = // "Pattern{Constant('user='), Field(username,true), Constant(' ui='), Field(p0,false)}" -match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); +var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); -var part116 = // "Pattern{Field(network_service,false), Constant('('), Field(saddr,false), Constant(') action='), Field(p0,false)}" -match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); +var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); -var part117 = // "Pattern{Field(network_service,true), Constant(' action='), Field(p0,false)}" -match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); +var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); -var part118 = // "Pattern{Constant('"'), Field(event_description,false), Constant('"')}" -match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); +var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); -var part119 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); +var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); -var part120 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); +var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); -var part121 = // "Pattern{Constant('user='), Field(username,false), Constant('ui='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); +var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); -var part122 = // "Pattern{Field(network_service,false), Constant('('), Field(hostip,false), Constant(') action='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); +var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); -var part123 = // "Pattern{Field(network_service,false), Constant('action='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); +var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); -var part124 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); +var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); -var part125 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('"msg="STARTTLS='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); +var part125 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); -var part126 = // "Pattern{Field(sessionid,false), Constant('msg="STARTTLS='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); +var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); -var part127 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" msg='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); +var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); -var part128 = // "Pattern{Field(sessionid,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); +var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); -var part129 = // "Pattern{Constant('from='), Field(p0,false)}" -match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); +var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); -var part130 = // "Pattern{Constant('"'), Field(from,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); +var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); -var part131 = // "Pattern{Field(from,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); +var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); -var part132 = // "Pattern{Constant('"'), Field(to,false), Constant('" src='), Field(p0,false)}" -match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); +var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); -var part133 = // "Pattern{Field(to,true), Constant(' src='), Field(p0,false)}" -match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); +var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); -var part134 = // "Pattern{Constant('"'), Field(saddr,false), Constant('" session_id='), Field(p0,false)}" -match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); +var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); -var part135 = // "Pattern{Field(saddr,true), Constant(' session_id='), Field(p0,false)}" -match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); +var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); -var part136 = // "Pattern{Constant('session_id='), Field(p0,false)}" -match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); +var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); -var part137 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" from='), Field(p0,false)}" -match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); +var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); -var part138 = // "Pattern{Field(sessionid,true), Constant(' from='), Field(p0,false)}" -match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); +var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); -var part139 = // "Pattern{Constant('"'), Field(from,false), Constant('" mailer='), Field(p0,false)}" -match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); +var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); -var part140 = // "Pattern{Field(from,true), Constant(' mailer='), Field(p0,false)}" -match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); +var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); -var part141 = // "Pattern{Constant('"'), Field(agent,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); +var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); -var part142 = // "Pattern{Field(agent,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); +var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); -var part143 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant('] ('), Field(info,false), Constant(')"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); +var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); -var part144 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant(']"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); +var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); -var part145 = // "Pattern{Field(saddr,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); +var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); -var part146 = // "Pattern{Constant('"'), Field(context,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); +var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); -var part147 = // "Pattern{Field(context,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); +var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); -var part148 = // "Pattern{Constant('"'), Field(to,false), Constant('" direction='), Field(p0,false)}" -match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); +var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); -var part149 = // "Pattern{Field(to,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); +var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); -var part150 = // "Pattern{Constant('"'), Field(direction,false), Constant('" message_length='), Field(p0,false)}" -match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); +var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); -var part151 = // "Pattern{Field(direction,true), Constant(' message_length='), Field(p0,false)}" -match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); +var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); -var part152 = // "Pattern{Field(fld4,true), Constant(' virus='), Field(p0,false)}" -match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); +var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); -var part153 = // "Pattern{Constant('"'), Field(virusname,false), Constant('" disposition='), Field(p0,false)}" -match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); +var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); -var part154 = // "Pattern{Field(virusname,true), Constant(' disposition='), Field(p0,false)}" -match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); +var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); -var part155 = // "Pattern{Constant('"'), Field(disposition,false), Constant('" classifier='), Field(p0,false)}" -match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); +var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); -var part156 = // "Pattern{Field(disposition,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); +var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); -var part157 = // "Pattern{Constant('"'), Field(filter,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); +var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); -var part158 = // "Pattern{Field(filter,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); +var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); -var part159 = // "Pattern{Constant('"'), Field(subject,false), Constant('"')}" -match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); +var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); -var part160 = // "Pattern{Field(subject,false)}" -match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); +var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); -var part161 = // "Pattern{Field(,false), Constant('resolved='), Field(p0,false)}" -match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); +var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); var select43 = linear_select([ dup3, diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json index e3803f80ef3..0f8cf25378a 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json @@ -994,8 +994,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.68.246.187", - "10.140.7.83" + "10.140.7.83", + "10.68.246.187" ], "rsa.email.email_dst": "gna", "rsa.email.email_src": "icabo", @@ -1248,8 +1248,8 @@ "atise3421.www5.localdomain" ], "related.ip": [ - "10.179.210.218", - "10.73.207.70" + "10.73.207.70", + "10.179.210.218" ], "rsa.email.email_dst": "rumSecti", "rsa.email.email_src": "taut", @@ -3094,8 +3094,8 @@ "taevitae6868.www.corp" ], "related.ip": [ - "10.60.164.100", - "10.161.1.146" + "10.161.1.146", + "10.60.164.100" ], "rsa.email.email_dst": "nproiden", "rsa.email.email_src": "etconse", @@ -3194,8 +3194,8 @@ "tetura7106.www5.corp" ], "related.ip": [ - "10.93.239.216", - "10.44.35.57" + "10.44.35.57", + "10.93.239.216" ], "rsa.email.email_dst": "ciun", "rsa.email.email_src": "vento", @@ -3794,8 +3794,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.251.183.113", - "10.201.105.58" + "10.201.105.58", + "10.251.183.113" ], "rsa.email.email_dst": "ionemu", "rsa.email.email_src": "ent", @@ -3838,8 +3838,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.209.203.156", - "10.132.139.98" + "10.132.139.98", + "10.209.203.156" ], "rsa.email.email_dst": "borisnis", "rsa.email.email_src": "pariat", diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/pipeline.js b/x-pack/filebeat/module/fortinet/fortimanager/config/pipeline.js index ca32adec710..4cb7669b950 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/config/pipeline.js +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/pipeline.js @@ -124,8 +124,7 @@ var dup23 = lookup({ key: dup15, }); -var hdr1 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' devname='), Field(hdevice,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(id,true), Constant(' type='), Field(hfld2,true), Constant(' subtype='), Field(hfld3,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.messageid", @@ -137,26 +136,22 @@ match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} devname=%{hde }), ])); -var hdr2 = // "Pattern{Constant('logver='), Field(hfld1,true), Constant(' date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' log_id='), Field(id,true), Constant(' '), Field(payload,false)}" -match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ setc("header_id","0002"), dup1, ])); -var hdr3 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' logver='), Field(fld1,true), Constant(' '), Field(payload,false)}" -match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ setc("header_id","0003"), dup1, ])); -var hdr4 = // "Pattern{Constant('logver='), Field(hfld1,true), Constant(' dtime='), Field(hdatetime,true), Constant(' devid='), Field(hfld2,true), Constant(' devname='), Field(hdevice,true), Constant(' '), Field(payload,false)}" -match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ setc("header_id","0004"), dup2, ])); -var hdr5 = // "Pattern{Constant('logver='), Field(hfld1,true), Constant(' devname="'), Field(hdevice,false), Constant('" devid="'), Field(hfld2,false), Constant('" '), Field(payload,false)}" -match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ +var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ setc("header_id","0005"), dup2, ])); @@ -169,8 +164,7 @@ var select1 = linear_select([ hdr5, ]); -var part1 = // "Pattern{Constant('user='), Field(fld1,true), Constant(' adom='), Field(domain,true), Constant(' user='), Field(username,true), Constant(' ui='), Field(fld2,true), Constant(' action='), Field(action,true), Constant(' status='), Field(event_state,true), Constant(' msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ +var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ dup3, dup4, dup5, @@ -183,8 +177,7 @@ match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{dom var msg1 = msg("fortinetmgr:01", part1); -var part2 = // "Pattern{Constant('user='), Field(username,true), Constant(' adom='), Field(domain,true), Constant(' msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ +var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ dup3, dup4, dup5, @@ -197,42 +190,33 @@ match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{do var msg2 = msg("fortinetmgr", part2); -var part3 = // "Pattern{Constant('user="'), Field(username,false), Constant('" userfrom='), Field(fld7,true), Constant(' msg="'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); +var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); -var part4 = // "Pattern{Constant('User'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); +var part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); -var part5 = // "Pattern{Constant('user'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); +var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); var select2 = linear_select([ part4, part5, ]); -var part6 = // "Pattern{Field(,false), Constant('''), Field(fld3,false), Constant('' with profile ''), Field(fld4,false), Constant('' '), Field(fld5,true), Constant(' from '), Field(fld6,false), Constant('('), Field(hostip,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); +var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); -var part7 = // "Pattern{Constant('."'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); +var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); -var part8 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); +var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); var select3 = linear_select([ part7, part8, ]); -var part9 = // "Pattern{Field(,false), Constant('adminprof='), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); +var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); -var part10 = // "Pattern{Field(fld2,true), Constant(' sid='), Field(sid,true), Constant(' user_type="'), Field(profile,false), Constant('"')}" -match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); +var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); -var part11 = // "Pattern{Field(fld2,false)}" -match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); +var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); var select4 = linear_select([ part10, @@ -268,8 +252,7 @@ var all1 = all_match({ var msg3 = msg("fortinetmgr:04", all1); -var part12 = // "Pattern{Constant('user='), Field(username,true), Constant(' userfrom='), Field(fld4,true), Constant(' msg="'), Field(event_description,false), Constant('" adminprof='), Field(fld2,false)}" -match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ +var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ dup3, dup4, dup5, @@ -282,8 +265,7 @@ match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfr var msg4 = msg("fortinetmgr:02", part12); -var part13 = // "Pattern{Constant('user="'), Field(username,false), Constant('" msg="Login from ssh:'), Field(fld1,true), Constant(' for '), Field(fld2,true), Constant(' from '), Field(saddr,true), Constant(' port '), Field(sport,false), Constant('" remote_ip="'), Field(daddr,false), Constant('" remote_port='), Field(dport,true), Constant(' valid='), Field(fld3,true), Constant(' authmsg="'), Field(result,false), Constant('" extrainfo='), Field(fld5,false)}" -match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ +var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ dup11, dup4, dup5, @@ -302,22 +284,18 @@ match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg= var msg5 = msg("fortinetmgr:03", part13); -var part14 = // "Pattern{Constant('user="'), Field(username,false), Constant('" userfrom="'), Field(fld1,false), Constant('"msg="'), Field(p0,false)}" -match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); +var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); -var part15 = // "Pattern{Constant('dev='), Field(fld2,false), Constant(',vdom='), Field(fld3,false), Constant(',type='), Field(fld4,false), Constant(',key='), Field(fld5,false), Constant(',act='), Field(action,false), Constant(',pkgname='), Field(fld7,false), Constant(',allowaccess='), Field(fld8,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); +var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); -var part16 = // "Pattern{Field(event_description,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); +var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); var select5 = linear_select([ part15, part16, ]); -var part17 = // "Pattern{Field(domain,false), Constant('" adom="')}" -match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); +var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); var all2 = all_match({ processors: [ diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json index 78030aa2c53..ee8c3414d5e 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json @@ -26,8 +26,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.44.173.44", - "10.20.234.169", - "10.189.58.145" + "10.189.58.145", + "10.20.234.169" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -244,8 +244,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.131.233.27", "10.27.88.95", + "10.131.233.27", "10.50.112.141" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -314,8 +314,8 @@ "olo7148.mail.home" ], "related.ip": [ - "10.87.212.179", - "10.157.213.15" + "10.157.213.15", + "10.87.212.179" ], "related.user": [ "rveli" @@ -405,8 +405,8 @@ "agna7678.internal.host" ], "related.ip": [ - "10.76.73.140", - "10.114.150.67" + "10.114.150.67", + "10.76.73.140" ], "related.user": [ "aperia" @@ -507,8 +507,8 @@ "rsa.investigations.event_vcat": "quae", "rsa.misc.OS": "qui", "rsa.misc.action": [ - "accept", - "iadese" + "iadese", + "accept" ], "rsa.misc.category": "aturve", "rsa.misc.client": "utei", @@ -582,9 +582,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.114.16.155", + "10.186.85.3", "10.176.216.90", - "10.186.85.3" + "10.114.16.155" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -828,9 +828,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.58.214.16", "10.238.164.74", - "10.106.162.153", - "10.58.214.16" + "10.106.162.153" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -972,8 +972,8 @@ "rsa.investigations.event_vcat": "xer", "rsa.misc.OS": "fugi", "rsa.misc.action": [ - "umdolo", - "deny" + "deny", + "umdolo" ], "rsa.misc.category": "conseq", "rsa.misc.client": "cusant", @@ -1127,8 +1127,8 @@ "rsa.investigations.event_vcat": "psumqu", "rsa.misc.OS": "oraincid", "rsa.misc.action": [ - "ritt", - "deny" + "deny", + "ritt" ], "rsa.misc.category": "idunt", "rsa.misc.client": "siu", @@ -1202,9 +1202,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.98.194.212", "10.51.213.42", - "10.233.120.207" + "10.233.120.207", + "10.98.194.212" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1266,9 +1266,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.245.187.229", "10.67.132.242", - "10.241.132.176", - "10.245.187.229" + "10.241.132.176" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1335,8 +1335,8 @@ "tore7088.www.invalid" ], "related.ip": [ - "10.199.47.220", - "10.212.214.4" + "10.212.214.4", + "10.199.47.220" ], "related.user": [ "atv" @@ -1437,8 +1437,8 @@ "rsa.investigations.event_vcat": "metcons", "rsa.misc.OS": "ehende", "rsa.misc.action": [ - "deny", - "umf" + "umf", + "deny" ], "rsa.misc.category": "emUte", "rsa.misc.client": "archite", @@ -1517,8 +1517,8 @@ "eturad6143.www.home" ], "related.ip": [ - "10.128.46.70", - "10.95.117.134" + "10.95.117.134", + "10.128.46.70" ], "related.user": [ "enim" @@ -1608,8 +1608,8 @@ "orinrep5386.www.corp" ], "related.ip": [ - "10.253.228.140", - "10.208.21.135" + "10.208.21.135", + "10.253.228.140" ], "related.user": [ "inculp" @@ -1619,8 +1619,8 @@ "rsa.investigations.event_vcat": "emagn", "rsa.misc.OS": "oditempo", "rsa.misc.action": [ - "ugitse", - "cancel" + "cancel", + "ugitse" ], "rsa.misc.category": "magnid", "rsa.misc.client": "sci", @@ -1699,8 +1699,8 @@ "henderi724.www5.home" ], "related.ip": [ - "10.3.23.172", - "10.243.226.122" + "10.243.226.122", + "10.3.23.172" ], "related.user": [ "olorem" @@ -1710,8 +1710,8 @@ "rsa.investigations.event_vcat": "ess", "rsa.misc.OS": "equatDu", "rsa.misc.action": [ - "cancel", - "emullamc" + "emullamc", + "cancel" ], "rsa.misc.category": "niamquis", "rsa.misc.client": "tutlabo", @@ -1801,8 +1801,8 @@ "rsa.investigations.event_vcat": "snostrum", "rsa.misc.OS": "tiaecon", "rsa.misc.action": [ - "cancel", - "atiset" + "atiset", + "cancel" ], "rsa.misc.category": "ehende", "rsa.misc.client": "umquam", @@ -1878,8 +1878,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.117.63.181", - "10.247.53.179", - "10.168.20.20" + "10.168.20.20", + "10.247.53.179" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1947,8 +1947,8 @@ "tasnul4179.internal.host" ], "related.ip": [ - "10.141.156.217", - "10.53.168.187" + "10.53.168.187", + "10.141.156.217" ], "related.user": [ "amqu" @@ -1958,8 +1958,8 @@ "rsa.investigations.event_vcat": "illumq", "rsa.misc.OS": "idata", "rsa.misc.action": [ - "emacc", - "block" + "block", + "emacc" ], "rsa.misc.category": "ueporro", "rsa.misc.client": "veli", @@ -2050,8 +2050,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "turadip", "rsa.misc.action": [ - "accept", - "odoc" + "odoc", + "accept" ], "rsa.misc.category": "volup", "rsa.misc.client": "tur", @@ -2232,8 +2232,8 @@ "rsa.investigations.event_vcat": "uatu", "rsa.misc.OS": "tnulapar", "rsa.misc.action": [ - "deny", - "odic" + "odic", + "deny" ], "rsa.misc.category": "deri", "rsa.misc.client": "scivelit", @@ -2307,8 +2307,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.37.161.101", "10.111.182.212", + "10.37.161.101", "10.17.209.252" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -2371,9 +2371,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.170.196.181", + "10.153.166.133", "10.158.175.98", - "10.153.166.133" + "10.170.196.181" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2526,9 +2526,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.174.17.46", + "10.38.168.190", "10.77.105.81", - "10.38.168.190" + "10.174.17.46" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2654,9 +2654,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.214.156.161", + "10.66.90.225", "10.145.194.12", - "10.66.90.225" + "10.214.156.161" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2719,8 +2719,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.156.208.5", - "10.163.36.101", - "10.6.242.108" + "10.6.242.108", + "10.163.36.101" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2787,8 +2787,8 @@ "remeum2641.www5.corp" ], "related.ip": [ - "10.68.233.163", - "10.220.148.127" + "10.220.148.127", + "10.68.233.163" ], "related.user": [ "estiaec" @@ -2798,8 +2798,8 @@ "rsa.investigations.event_vcat": "olore", "rsa.misc.OS": "tatem", "rsa.misc.action": [ - "allow", - "itanimi" + "itanimi", + "allow" ], "rsa.misc.category": "psa", "rsa.misc.client": "ugits", @@ -2889,8 +2889,8 @@ "rsa.investigations.event_vcat": "ihi", "rsa.misc.OS": "amquaera", "rsa.misc.action": [ - "allow", - "nimides" + "nimides", + "allow" ], "rsa.misc.category": "mve", "rsa.misc.client": "plica", @@ -2970,8 +2970,8 @@ "mea6298.api.example" ], "related.ip": [ - "10.113.152.241", - "10.115.121.243" + "10.115.121.243", + "10.113.152.241" ], "related.user": [ "norumetM" @@ -3061,8 +3061,8 @@ "iqu7510.internal.corp" ], "related.ip": [ - "10.49.82.45", - "10.179.153.97" + "10.179.153.97", + "10.49.82.45" ], "related.user": [ "dictasun" @@ -3072,8 +3072,8 @@ "rsa.investigations.event_vcat": "tatemse", "rsa.misc.OS": "eturadi", "rsa.misc.action": [ - "ade", - "accept" + "accept", + "ade" ], "rsa.misc.category": "laboreet", "rsa.misc.client": "ano", @@ -3147,8 +3147,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.205.83.138", "10.98.52.184", + "10.205.83.138", "10.99.55.115" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3211,8 +3211,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.197.128.162", "10.228.11.50", + "10.197.128.162", "10.90.189.248" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3320,8 +3320,8 @@ "deFinibu3940.internal.lan" ], "related.ip": [ - "10.22.248.52", - "10.124.71.88" + "10.124.71.88", + "10.22.248.52" ], "related.user": [ "tcons" @@ -3331,8 +3331,8 @@ "rsa.investigations.event_vcat": "uiratio", "rsa.misc.OS": "xce", "rsa.misc.action": [ - "cancel", - "cons" + "cons", + "cancel" ], "rsa.misc.category": "ciun", "rsa.misc.client": "amquisn", @@ -3411,8 +3411,8 @@ "tatiset4191.localdomain" ], "related.ip": [ - "10.26.58.20", - "10.185.37.176" + "10.185.37.176", + "10.26.58.20" ], "related.user": [ "eumiure" @@ -3422,8 +3422,8 @@ "rsa.investigations.event_vcat": "iae", "rsa.misc.OS": "evelite", "rsa.misc.action": [ - "essequam", - "block" + "block", + "essequam" ], "rsa.misc.category": "tmollita", "rsa.misc.client": "uiinea", @@ -3497,8 +3497,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.14.145.107", "10.200.12.126", + "10.14.145.107", "10.250.231.196" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3561,9 +3561,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.225.34.176", "10.21.203.112", - "10.103.36.192" + "10.103.36.192", + "10.225.34.176" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3625,9 +3625,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.5.67.140", + "10.140.59.161", "10.118.111.183", - "10.140.59.161" + "10.5.67.140" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3694,8 +3694,8 @@ "nimadmi4084.api.home" ], "related.ip": [ - "10.7.70.169", - "10.28.212.191" + "10.28.212.191", + "10.7.70.169" ], "related.user": [ "itsed" @@ -3705,8 +3705,8 @@ "rsa.investigations.event_vcat": "Loremips", "rsa.misc.OS": "eritquii", "rsa.misc.action": [ - "accept", - "nostru" + "nostru", + "accept" ], "rsa.misc.category": "amnisiu", "rsa.misc.client": "rcita", @@ -3796,8 +3796,8 @@ "rsa.investigations.event_vcat": "uep", "rsa.misc.OS": "iatisund", "rsa.misc.action": [ - "block", - "nvo" + "nvo", + "block" ], "rsa.misc.category": "tenima", "rsa.misc.client": "iuntNe", @@ -4277,8 +4277,8 @@ "ntex5135.corp" ], "related.ip": [ - "10.239.194.105", - "10.234.171.117" + "10.234.171.117", + "10.239.194.105" ], "related.user": [ "tat" @@ -4288,8 +4288,8 @@ "rsa.investigations.event_vcat": "uia", "rsa.misc.OS": "mquae", "rsa.misc.action": [ - "deny", - "tenatus" + "tenatus", + "deny" ], "rsa.misc.category": "abo", "rsa.misc.client": "umtota", @@ -4743,8 +4743,8 @@ "spici5547.internal.test" ], "related.ip": [ - "10.112.242.68", - "10.216.49.112" + "10.216.49.112", + "10.112.242.68" ], "related.user": [ "urmag" @@ -4920,9 +4920,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.246.41.77", "10.228.61.5", - "10.157.22.21" + "10.157.22.21", + "10.246.41.77" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4984,9 +4984,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.188.131.18", "10.242.119.111", - "10.239.231.168", - "10.188.131.18" + "10.239.231.168" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5064,8 +5064,8 @@ "rsa.investigations.event_vcat": "amnihil", "rsa.misc.OS": "tten", "rsa.misc.action": [ - "inea", - "accept" + "accept", + "inea" ], "rsa.misc.category": "quam", "rsa.misc.client": "oreseo", @@ -5184,8 +5184,8 @@ "riaturE1644.www5.example" ], "related.ip": [ - "10.215.144.167", - "10.162.114.52" + "10.162.114.52", + "10.215.144.167" ], "related.user": [ "erspici" @@ -5195,8 +5195,8 @@ "rsa.investigations.event_vcat": "empori", "rsa.misc.OS": "ostru", "rsa.misc.action": [ - "quepor", - "allow" + "allow", + "quepor" ], "rsa.misc.category": "cipitla", "rsa.misc.client": "exeacomm", @@ -5361,9 +5361,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.75.198.93", + "10.51.106.43", "10.137.36.151", - "10.51.106.43" + "10.75.198.93" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5425,9 +5425,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.7.230.206", "10.154.151.111", - "10.249.93.150" + "10.249.93.150", + "10.7.230.206" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5505,8 +5505,8 @@ "rsa.investigations.event_vcat": "santiumd", "rsa.misc.OS": "oris", "rsa.misc.action": [ - "deny", - "rsitame" + "rsitame", + "deny" ], "rsa.misc.category": "agnaal", "rsa.misc.client": "urmagn", @@ -5585,8 +5585,8 @@ "dquiac6194.api.lan" ], "related.ip": [ - "10.241.140.241", - "10.180.162.174" + "10.180.162.174", + "10.241.140.241" ], "related.user": [ "nulapar" @@ -5596,8 +5596,8 @@ "rsa.investigations.event_vcat": "luptatev", "rsa.misc.OS": "emipsu", "rsa.misc.action": [ - "ido", - "accept" + "accept", + "ido" ], "rsa.misc.category": "litse", "rsa.misc.client": "evita", @@ -5687,8 +5687,8 @@ "rsa.investigations.event_vcat": "atvolupt", "rsa.misc.OS": "riosam", "rsa.misc.action": [ - "ssitasp", - "deny" + "deny", + "ssitasp" ], "rsa.misc.category": "enimadmi", "rsa.misc.client": "uatDui", @@ -5767,8 +5767,8 @@ "dicta7226.mail.example" ], "related.ip": [ - "10.53.50.77", - "10.4.244.115" + "10.4.244.115", + "10.53.50.77" ], "related.user": [ "idolo" @@ -5853,9 +5853,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.236.211.111", "10.120.212.78", - "10.221.100.157" + "10.221.100.157", + "10.236.211.111" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5933,8 +5933,8 @@ "rsa.investigations.event_vcat": "lauda", "rsa.misc.OS": "enatuser", "rsa.misc.action": [ - "accept", - "rios" + "rios", + "accept" ], "rsa.misc.category": "aUte", "rsa.misc.client": "iusm", @@ -6009,8 +6009,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.123.59.69", - "10.226.255.3", - "10.53.251.202" + "10.53.251.202", + "10.226.255.3" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6072,9 +6072,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.212.56.26", "10.3.85.176", - "10.29.141.252" + "10.29.141.252", + "10.212.56.26" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6227,9 +6227,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.11.150.136", + "10.83.98.220", "10.171.60.173", - "10.83.98.220" + "10.11.150.136" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6291,9 +6291,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.74.88.209", "10.92.3.166", - "10.238.49.73", - "10.74.88.209" + "10.238.49.73" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6355,9 +6355,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.84.200.121", "10.119.248.36", - "10.187.107.47", - "10.84.200.121" + "10.187.107.47" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6419,9 +6419,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.135.213.17", + "10.30.239.222", "10.167.128.229", - "10.30.239.222" + "10.135.213.17" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6488,8 +6488,8 @@ "rspic5637.api.local" ], "related.ip": [ - "10.169.133.219", - "10.115.166.48" + "10.115.166.48", + "10.169.133.219" ], "related.user": [ "emq" @@ -6499,8 +6499,8 @@ "rsa.investigations.event_vcat": "iumdol", "rsa.misc.OS": "min", "rsa.misc.action": [ - "eleumiur", - "block" + "block", + "eleumiur" ], "rsa.misc.category": "ero", "rsa.misc.client": "gia", @@ -6579,8 +6579,8 @@ "rror3870.www5.local" ], "related.ip": [ - "10.146.255.40", - "10.226.39.82" + "10.226.39.82", + "10.146.255.40" ], "related.user": [ "caecatcu" @@ -6729,8 +6729,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.66.149.234", "10.186.253.240", + "10.66.149.234", "10.233.128.7" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -6793,9 +6793,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.227.133.134", "10.46.11.114", - "10.173.140.201" + "10.173.140.201", + "10.227.133.134" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6926,8 +6926,8 @@ "velill3821.mail.invalid" ], "related.ip": [ - "10.97.254.192", - "10.124.34.251" + "10.124.34.251", + "10.97.254.192" ], "related.user": [ "epor" @@ -7012,9 +7012,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.9.41.221", + "10.204.98.238", "10.81.58.91", - "10.204.98.238" + "10.9.41.221" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7117,8 +7117,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.35.84.125", - "10.212.208.70", - "10.37.120.29" + "10.37.120.29", + "10.212.208.70" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7180,9 +7180,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.199.201.26", "10.207.207.106", - "10.143.65.84" + "10.143.65.84", + "10.199.201.26" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7244,8 +7244,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.41.61.88", "10.204.27.48", + "10.41.61.88", "10.163.236.253" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7308,8 +7308,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.246.81.164", "10.53.110.111", + "10.246.81.164", "10.185.44.26" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7378,8 +7378,8 @@ "cupida6106.www5.local" ], "related.ip": [ - "10.146.77.206", - "10.109.172.90" + "10.109.172.90", + "10.146.77.206" ], "related.user": [ "aquaeab" @@ -7469,8 +7469,8 @@ "unt2122.internal.local" ], "related.ip": [ - "10.202.250.141", - "10.38.18.72" + "10.38.18.72", + "10.202.250.141" ], "related.user": [ "maperia" @@ -7662,8 +7662,8 @@ "rsa.investigations.event_vcat": "olupt", "rsa.misc.OS": "rumw", "rsa.misc.action": [ - "block", - "tali" + "tali", + "block" ], "rsa.misc.category": "itsedq", "rsa.misc.client": "esciu", diff --git a/x-pack/filebeat/module/googlecloud/audit/config/input.yml b/x-pack/filebeat/module/googlecloud/audit/config/input.yml index 4c30e23b5e3..b5e392ee0b6 100644 --- a/x-pack/filebeat/module/googlecloud/audit/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/audit/config/input.yml @@ -34,4 +34,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index 2d1832bc54a..d8efe2892a5 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -282,6 +282,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -327,6 +328,7 @@ "source.geo.city_name": "Clermont-Ferrand", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 45.7838, "source.geo.location.lon": 3.0966, "source.geo.region_iso_code": "FR-63", diff --git a/x-pack/filebeat/module/googlecloud/firewall/config/input.yml b/x-pack/filebeat/module/googlecloud/firewall/config/input.yml index d6579aa9f47..39648636c59 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/firewall/config/input.yml @@ -35,4 +35,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json index c8b16376e8f..73f9e79c29a 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -801,6 +802,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -866,6 +868,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml b/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml index cf89526bbe5..f1976195687 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml @@ -34,4 +34,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml index b5c62d3657f..9ec19a83615 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/config.yml +++ b/x-pack/filebeat/module/gsuite/admin/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json index 7c44c612d13..a3840436672 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APPLICATION_SETTING", "event.category": [ "iam" @@ -42,6 +41,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -56,7 +56,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_APPLICATION_SETTING", "event.category": [ "iam" @@ -97,6 +96,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -111,7 +111,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_APPLICATION_SETTING", "event.category": [ "iam" @@ -152,6 +151,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -166,7 +166,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", "event.category": [ "iam" @@ -206,6 +205,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -220,7 +220,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GPLUS_PREMIUM_FEATURES", "event.category": [ "iam" @@ -255,6 +254,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -269,7 +269,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_MANAGED_CONFIGURATION", "event.category": [ "iam" @@ -304,6 +303,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -318,7 +318,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_MANAGED_CONFIGURATION", "event.category": [ "iam" @@ -353,6 +352,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -367,7 +367,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_MANAGED_CONFIGURATION", "event.category": [ "iam" @@ -402,6 +401,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -416,7 +416,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", "event.category": [ "iam" @@ -450,6 +449,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json index 88580177907..2a8eb8eb3fe 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_BUILDING", "event.category": [ "iam" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_BUILDING", "event.category": [ "iam" @@ -84,6 +83,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -98,7 +98,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_BUILDING", "event.category": [ "iam" @@ -136,6 +135,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -150,7 +150,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -185,6 +184,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -199,7 +199,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -234,6 +233,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -248,7 +248,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ "iam" @@ -283,6 +282,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -297,7 +297,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", "event.category": [ "iam" @@ -332,6 +331,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -346,7 +346,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ "iam" @@ -384,6 +383,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -398,7 +398,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -434,6 +433,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -448,7 +448,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -486,6 +485,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -500,7 +500,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CALENDAR_SETTING", "event.category": [ "iam" @@ -541,6 +540,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -555,7 +555,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CANCEL_CALENDAR_EVENTS", "event.category": [ "iam" @@ -590,6 +589,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -604,7 +604,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RELEASE_CALENDAR_RESOURCES", "event.category": [ "iam" @@ -639,6 +638,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json index 70de8368e2c..4736114f427 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_CREATE_GATEWAY", "event.category": [ "iam" @@ -34,6 +33,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -48,7 +48,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_DELETE_GATEWAY", "event.category": [ "iam" @@ -82,6 +81,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -96,7 +96,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_MODIFY_GATEWAY", "event.category": [ "iam" @@ -130,6 +129,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -144,7 +144,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHAT_SETTING", "event.category": [ "iam" @@ -185,6 +184,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json index 4ce27e5aff2..00f51c0bc79 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", "event.category": [ "iam" @@ -42,6 +41,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -56,7 +56,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DEVICE_STATE", "event.category": [ "iam" @@ -93,6 +92,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -107,7 +107,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", "event.category": [ "iam" @@ -149,6 +148,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -163,7 +163,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", "event.category": [ "iam" @@ -198,6 +197,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -212,7 +212,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", "event.category": [ "iam" @@ -246,6 +245,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -260,7 +260,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", "event.category": [ "iam" @@ -297,6 +296,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -311,7 +311,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", "event.category": [ "iam" @@ -348,6 +347,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -362,7 +362,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", "event.category": [ "iam" @@ -399,6 +398,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -413,7 +413,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "INSERT_CHROME_OS_PRINT_SERVER", "event.category": [ "iam" @@ -447,6 +446,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -461,7 +461,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CHROME_OS_PRINT_SERVER", "event.category": [ "iam" @@ -495,6 +494,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -509,7 +509,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", "event.category": [ "iam" @@ -545,6 +544,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -559,7 +559,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "INSERT_CHROME_OS_PRINTER", "event.category": [ "iam" @@ -593,6 +592,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -607,7 +607,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CHROME_OS_PRINTER", "event.category": [ "iam" @@ -641,6 +640,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -655,7 +655,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CHROME_OS_PRINTER", "event.category": [ "iam" @@ -691,6 +690,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -705,7 +705,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_SETTING", "event.category": [ "iam" @@ -742,6 +741,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -756,7 +756,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_USER_SETTING", "event.category": [ "iam" @@ -793,6 +792,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -807,7 +807,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ISSUE_DEVICE_COMMAND", "event.category": [ "iam" @@ -846,6 +845,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -860,7 +860,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", "event.category": [ "iam" @@ -897,6 +896,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -911,7 +911,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", "event.category": [ "iam" @@ -945,6 +944,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -959,7 +959,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DEVICE", "event.category": [ "iam" @@ -994,6 +993,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1008,7 +1008,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ "iam" @@ -1046,6 +1045,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json index ed54f20525a..dee1917e48d 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ "iam" @@ -38,6 +37,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json index c43835104fa..b5c6d47d8b3 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ASSIGN_ROLE", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -51,7 +51,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ROLE", "event.category": [ "iam" @@ -86,6 +85,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -100,7 +100,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_ROLE", "event.category": [ "iam" @@ -135,6 +134,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -149,7 +149,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_PRIVILEGE", "event.category": [ "iam" @@ -185,6 +184,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -199,7 +199,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_PRIVILEGE", "event.category": [ "iam" @@ -235,6 +234,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -249,7 +249,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_ROLE", "event.category": [ "iam" @@ -284,6 +283,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -298,7 +298,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_ROLE", "event.category": [ "iam" @@ -333,6 +332,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -347,7 +347,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNASSIGN_ROLE", "event.category": [ "iam" @@ -384,6 +383,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json index 4fb31027b62..e0f00e25443 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -51,7 +51,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DRIVE_DATA_RESTORE", "event.category": [ "iam" @@ -89,6 +88,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -103,7 +103,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOCS_SETTING", "event.category": [ "iam" @@ -144,6 +143,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -157,4 +157,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json index a8d965c7c8d..a349010fdb4 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", "event.category": [ "iam" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_APPLICATION", "event.category": [ "iam" @@ -85,6 +84,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -99,7 +99,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_APPLICATION_TO_WHITELIST", "event.category": [ "iam" @@ -134,6 +133,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -148,7 +148,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ADVERTISEMENT_OPTION", "event.category": [ "iam" @@ -184,6 +183,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -198,7 +198,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ALERT", "event.category": [ "iam" @@ -232,6 +231,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -246,7 +246,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ALERT_CRITERIA", "event.category": [ "iam" @@ -280,6 +279,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -294,7 +294,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_ALERT", "event.category": [ "iam" @@ -328,6 +327,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -342,7 +342,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALERT_RECEIVERS_CHANGED", "event.category": [ "iam" @@ -378,6 +377,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -392,7 +392,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_ALERT", "event.category": [ "iam" @@ -427,6 +426,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -441,7 +441,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALERT_STATUS_CHANGED", "event.category": [ "iam" @@ -477,6 +476,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -491,7 +491,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_DOMAIN_ALIAS", "event.category": [ "iam" @@ -526,6 +525,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -540,7 +540,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_DOMAIN_ALIAS", "event.category": [ "iam" @@ -575,6 +574,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -589,7 +589,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SKIP_DOMAIN_ALIAS_MX", "event.category": [ "iam" @@ -624,6 +623,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -638,7 +638,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_DOMAIN_ALIAS_MX", "event.category": [ "iam" @@ -673,6 +672,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -687,7 +687,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_DOMAIN_ALIAS", "event.category": [ "iam" @@ -723,6 +722,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -737,7 +737,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", "event.category": [ "iam" @@ -772,6 +771,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -786,7 +786,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", "event.category": [ "iam" @@ -821,6 +820,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -835,7 +835,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_API_ACCESS", "event.category": [ "iam" @@ -871,6 +870,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -885,7 +885,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "AUTHORIZE_API_CLIENT_ACCESS", "event.category": [ "iam" @@ -924,6 +923,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -938,7 +938,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_API_CLIENT_ACCESS", "event.category": [ "iam" @@ -973,6 +972,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -987,7 +987,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_LICENSES_REDEEMED", "event.category": [ "iam" @@ -1023,6 +1022,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1037,7 +1037,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", "event.category": [ "iam" @@ -1072,6 +1071,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1086,7 +1086,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PRIMARY_DOMAIN", "event.category": [ "iam" @@ -1121,6 +1120,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1135,7 +1135,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_WHITELIST_SETTING", "event.category": [ "iam" @@ -1171,6 +1170,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1185,7 +1185,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", "event.category": [ "iam" @@ -1222,6 +1221,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1236,7 +1236,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", "event.category": [ "iam" @@ -1272,6 +1271,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1286,7 +1286,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_FEEDBACK_SOLICITATION", "event.category": [ "iam" @@ -1322,6 +1321,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1336,7 +1336,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_CONTACT_SHARING", "event.category": [ "iam" @@ -1371,6 +1370,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1385,7 +1385,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", "event.category": [ "iam" @@ -1419,6 +1418,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1433,7 +1433,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_CUSTOM_LOGO", "event.category": [ "iam" @@ -1468,6 +1467,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1482,7 +1482,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CUSTOM_LOGO", "event.category": [ "iam" @@ -1516,6 +1515,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1530,7 +1530,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", "event.category": [ "iam" @@ -1566,6 +1565,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1580,7 +1580,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", "event.category": [ "iam" @@ -1616,6 +1615,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1630,7 +1630,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", "event.category": [ "iam" @@ -1666,6 +1665,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1680,7 +1680,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", "event.category": [ "iam" @@ -1714,6 +1713,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1728,7 +1728,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VIEW_DNS_LOGIN_DETAILS", "event.category": [ "iam" @@ -1762,6 +1761,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1776,7 +1776,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", "event.category": [ "iam" @@ -1812,6 +1811,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1826,7 +1826,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", "event.category": [ "iam" @@ -1862,6 +1861,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1876,7 +1876,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_NAME", "event.category": [ "iam" @@ -1911,6 +1910,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1925,7 +1925,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", "event.category": [ "iam" @@ -1960,6 +1959,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1974,7 +1974,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", "event.category": [ "iam" @@ -2010,6 +2009,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2024,7 +2024,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_TRUSTED_DOMAINS", "event.category": [ "iam" @@ -2058,6 +2057,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2072,7 +2072,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_TRUSTED_DOMAINS", "event.category": [ "iam" @@ -2106,6 +2105,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2120,7 +2120,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EDU_TYPE", "event.category": [ "iam" @@ -2156,6 +2155,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2170,7 +2170,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", "event.category": [ "iam" @@ -2205,6 +2204,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2219,7 +2219,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSO_ENABLED", "event.category": [ "iam" @@ -2254,6 +2253,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2268,7 +2268,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSL", "event.category": [ "iam" @@ -2303,6 +2302,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2317,7 +2317,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", "event.category": [ "iam" @@ -2353,6 +2352,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2367,7 +2367,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GENERATE_TRANSFER_TOKEN", "event.category": [ "iam" @@ -2400,6 +2399,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2414,7 +2414,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", "event.category": [ "iam" @@ -2450,6 +2449,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2464,7 +2464,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LOGIN_BORDER_COLOR", "event.category": [ "iam" @@ -2500,6 +2499,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2514,7 +2514,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", "event.category": [ "iam" @@ -2550,6 +2549,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2564,7 +2564,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "PLAY_FOR_WORK_ENROLL", "event.category": [ "iam" @@ -2599,6 +2598,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2613,7 +2613,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "PLAY_FOR_WORK_UNENROLL", "event.category": [ "iam" @@ -2647,6 +2646,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2661,7 +2661,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MX_RECORD_VERIFICATION_CLAIM", "event.category": [ "iam" @@ -2697,6 +2696,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2711,7 +2711,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_NEW_APP_FEATURES", "event.category": [ "iam" @@ -2746,6 +2745,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2760,7 +2760,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", "event.category": [ "iam" @@ -2795,6 +2794,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2809,7 +2809,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPLOAD_OAUTH_CERTIFICATE", "event.category": [ "iam" @@ -2843,6 +2842,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2857,7 +2857,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", "event.category": [ "iam" @@ -2891,6 +2890,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2905,7 +2905,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OPEN_ID_ENABLED", "event.category": [ "iam" @@ -2940,6 +2939,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2954,7 +2954,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ORGANIZATION_NAME", "event.category": [ "iam" @@ -2990,6 +2989,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3004,7 +3004,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OUTBOUND_RELAY", "event.category": [ "iam" @@ -3041,6 +3040,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3055,7 +3055,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD_MAX_LENGTH", "event.category": [ "iam" @@ -3091,6 +3090,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3105,7 +3105,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD_MIN_LENGTH", "event.category": [ "iam" @@ -3141,6 +3140,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3155,7 +3155,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", "event.category": [ "iam" @@ -3191,6 +3190,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3205,7 +3205,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", "event.category": [ "iam" @@ -3241,6 +3240,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3255,7 +3255,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_APPLICATION", "event.category": [ "iam" @@ -3290,6 +3289,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3304,7 +3304,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", "event.category": [ "iam" @@ -3339,6 +3338,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3353,7 +3353,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", "event.category": [ "iam" @@ -3389,6 +3388,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3403,7 +3403,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RESELLER_ACCESS", "event.category": [ "iam" @@ -3438,6 +3437,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3452,7 +3452,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RULE_ACTIONS_CHANGED", "event.category": [ "iam" @@ -3486,6 +3485,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3500,7 +3500,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_RULE", "event.category": [ "iam" @@ -3534,6 +3533,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3548,7 +3548,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RULE_CRITERIA", "event.category": [ "iam" @@ -3582,6 +3581,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3596,7 +3596,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_RULE", "event.category": [ "iam" @@ -3630,6 +3629,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3644,7 +3644,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_RULE", "event.category": [ "iam" @@ -3679,6 +3678,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3693,7 +3693,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RULE_STATUS_CHANGED", "event.category": [ "iam" @@ -3729,6 +3728,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3743,7 +3743,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_SECONDARY_DOMAIN", "event.category": [ "iam" @@ -3778,6 +3777,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3792,7 +3792,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_SECONDARY_DOMAIN", "event.category": [ "iam" @@ -3827,6 +3826,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3841,7 +3841,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SKIP_SECONDARY_DOMAIN_MX", "event.category": [ "iam" @@ -3876,6 +3875,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3890,7 +3890,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_SECONDARY_DOMAIN_MX", "event.category": [ "iam" @@ -3925,6 +3924,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3939,7 +3939,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_SECONDARY_DOMAIN", "event.category": [ "iam" @@ -3974,6 +3973,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3988,7 +3988,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", "event.category": [ "iam" @@ -4024,6 +4023,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -4038,7 +4038,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SSO_SETTINGS", "event.category": [ "iam" @@ -4072,6 +4071,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -4086,7 +4086,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GENERATE_PIN", "event.category": [ "iam" @@ -4119,6 +4118,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -4133,7 +4133,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_RULE", "event.category": [ "iam" @@ -4167,6 +4166,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json index bdb57f64b88..f62dad33200 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DROP_FROM_QUARANTINE", "event.category": [ "iam" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EMAIL_LOG_SEARCH", "event.category": [ "iam" @@ -89,6 +88,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -103,7 +103,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EMAIL_UNDELETE", "event.category": [ "iam" @@ -141,6 +140,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -155,7 +155,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EMAIL_SETTING", "event.category": [ "iam" @@ -196,6 +195,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -210,7 +210,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GMAIL_SETTING", "event.category": [ "iam" @@ -247,6 +246,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -261,7 +261,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_GMAIL_SETTING", "event.category": [ "iam" @@ -298,6 +297,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -312,7 +312,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_GMAIL_SETTING", "event.category": [ "iam" @@ -349,6 +348,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -363,7 +363,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REJECT_FROM_QUARANTINE", "event.category": [ "iam" @@ -398,6 +397,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -412,7 +412,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RELEASE_FROM_QUARANTINE", "event.category": [ "iam" @@ -447,6 +446,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -460,4 +460,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json index 42a9699094c..ff894cd6c05 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_GROUP", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -51,7 +51,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_GROUP", "event.category": [ "iam" @@ -88,6 +87,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -102,7 +102,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GROUP_DESCRIPTION", "event.category": [ "iam" @@ -139,6 +138,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -153,7 +153,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GROUP_LIST_DOWNLOAD", "event.category": [ "iam" @@ -187,6 +186,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -201,7 +201,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_GROUP_MEMBER", "event.category": [ "iam" @@ -240,6 +239,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -254,7 +254,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_GROUP_MEMBER", "event.category": [ "iam" @@ -293,6 +292,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -307,7 +307,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_GROUP_MEMBER", "event.category": [ "iam" @@ -348,6 +347,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -362,7 +362,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", "event.category": [ "iam" @@ -403,6 +402,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -417,7 +417,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", "event.category": [ "iam" @@ -458,6 +457,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -472,7 +472,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GROUP_MEMBER_BULK_UPLOAD", "event.category": [ "iam" @@ -508,6 +507,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -522,7 +522,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GROUP_MEMBERS_DOWNLOAD", "event.category": [ "iam" @@ -556,6 +555,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -570,7 +570,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GROUP_NAME", "event.category": [ "iam" @@ -608,6 +607,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -622,7 +622,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GROUP_SETTING", "event.category": [ "iam" @@ -662,6 +661,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -676,7 +676,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "WHITELISTED_GROUPS_UPDATED", "event.category": [ "iam" @@ -715,6 +714,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json index d51d602ae7b..1fd3a0da6e2 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", "event.category": [ "iam" @@ -86,6 +85,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -100,7 +100,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_LICENSE_ASSIGNMENT", "event.category": [ "iam" @@ -137,6 +136,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -151,7 +151,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", "event.category": [ "iam" @@ -187,6 +186,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -201,7 +201,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_LICENSE_REASSIGNMENT", "event.category": [ "iam" @@ -239,6 +238,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -253,7 +253,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ORG_LICENSE_REVOKE", "event.category": [ "iam" @@ -289,6 +288,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -303,7 +303,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_LICENSE_REVOKE", "event.category": [ "iam" @@ -340,6 +339,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -354,7 +354,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DYNAMIC_LICENSE", "event.category": [ "iam" @@ -391,6 +390,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json index 8e2f2896bdb..99bea4702c3 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ACTION_CANCELLED", "event.category": [ "iam" @@ -40,6 +39,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -54,7 +54,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ACTION_REQUESTED", "event.category": [ "iam" @@ -94,6 +93,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -108,7 +108,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_MOBILE_CERTIFICATE", "event.category": [ "iam" @@ -144,6 +143,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -158,7 +158,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_DEVICES_BULK_CREATION", "event.category": [ "iam" @@ -192,6 +191,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -206,7 +206,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", "event.category": [ "iam" @@ -241,6 +240,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -255,7 +255,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_DEVICE_DELETION", "event.category": [ "iam" @@ -290,6 +289,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -304,7 +304,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", "event.category": [ "iam" @@ -339,6 +338,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -353,7 +353,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_OWNED_DEVICE_WIPED", "event.category": [ "iam" @@ -388,6 +387,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -402,7 +402,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", "event.category": [ "iam" @@ -442,6 +441,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -456,7 +456,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", "event.category": [ "iam" @@ -491,6 +490,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -505,7 +505,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", "event.category": [ "iam" @@ -542,6 +541,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -556,7 +556,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", "event.category": [ "iam" @@ -596,6 +595,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -610,7 +610,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", "event.category": [ "iam" @@ -647,6 +646,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -661,7 +661,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_APPROVE", "event.category": [ "iam" @@ -699,6 +698,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -713,7 +713,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_BLOCK", "event.category": [ "iam" @@ -751,6 +750,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -765,7 +765,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_DELETE", "event.category": [ "iam" @@ -803,6 +802,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -817,7 +817,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_WIPE", "event.category": [ "iam" @@ -855,6 +854,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -869,7 +869,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_SETTING", "event.category": [ "iam" @@ -907,6 +906,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -921,7 +921,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", "event.category": [ "iam" @@ -956,6 +955,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -970,7 +970,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", "event.category": [ "iam" @@ -1006,6 +1005,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1020,7 +1020,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_MOBILE_WIRELESS_NETWORK", "event.category": [ "iam" @@ -1056,6 +1055,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1070,7 +1070,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", "event.category": [ "iam" @@ -1106,6 +1105,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1120,7 +1120,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", "event.category": [ "iam" @@ -1156,6 +1155,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1170,7 +1170,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_MOBILE_CERTIFICATE", "event.category": [ "iam" @@ -1206,6 +1205,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1220,7 +1220,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", "event.category": [ "iam" @@ -1253,6 +1252,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1267,7 +1267,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", "event.category": [ "iam" @@ -1300,6 +1299,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1314,7 +1314,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", "event.category": [ "iam" @@ -1347,6 +1346,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1361,7 +1361,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", "event.category": [ "iam" @@ -1394,6 +1393,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1408,7 +1408,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_ACCOUNT_WIPE", "event.category": [ "iam" @@ -1446,6 +1445,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1460,7 +1460,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", "event.category": [ "iam" @@ -1498,6 +1497,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1512,7 +1512,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", "event.category": [ "iam" @@ -1550,6 +1549,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json index b2a88d67fe8..b4cdd02f0bd 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_LICENSES_ENABLED", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", "event.category": [ "iam" @@ -87,6 +86,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -101,7 +101,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", "event.category": [ "iam" @@ -137,6 +136,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -151,7 +151,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", "event.category": [ "iam" @@ -189,6 +188,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -203,7 +203,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -237,6 +236,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -251,7 +251,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ASSIGN_CUSTOM_LOGO", "event.category": [ "iam" @@ -285,6 +284,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -299,7 +299,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNASSIGN_CUSTOM_LOGO", "event.category": [ "iam" @@ -333,6 +332,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -347,7 +347,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -381,6 +380,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -395,7 +395,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -429,6 +428,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -443,7 +443,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_LICENSES_ALLOWED", "event.category": [ "iam" @@ -479,6 +478,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -493,7 +493,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ORG_UNIT", "event.category": [ "iam" @@ -527,6 +526,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -541,7 +541,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_ORG_UNIT", "event.category": [ "iam" @@ -575,6 +574,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -589,7 +589,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EDIT_ORG_UNIT_DESCRIPTION", "event.category": [ "iam" @@ -623,6 +622,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -637,7 +637,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOVE_ORG_UNIT", "event.category": [ "iam" @@ -672,6 +671,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -686,7 +686,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EDIT_ORG_UNIT_NAME", "event.category": [ "iam" @@ -721,6 +720,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -735,7 +735,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -769,6 +768,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -783,7 +783,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SERVICE_ENABLED", "event.category": [ "iam" @@ -823,6 +822,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json index 65321e3842a..ccfe0f5b3ed 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_STRONG_AUTHENTICATION", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ "iam" @@ -85,6 +84,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -99,7 +99,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ "iam" @@ -134,6 +133,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -148,7 +148,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", "event.category": [ "iam" @@ -186,6 +185,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -200,7 +200,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", "event.category": [ "iam" @@ -237,6 +236,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -251,7 +251,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", "event.category": [ "iam" @@ -288,6 +287,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -302,7 +302,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "BLOCK_ON_DEVICE_ACCESS", "event.category": [ "iam" @@ -337,6 +336,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -351,7 +351,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", "event.category": [ "iam" @@ -390,6 +389,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -404,7 +404,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", "event.category": [ "iam" @@ -443,6 +442,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -457,7 +457,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", "event.category": [ "iam" @@ -496,6 +495,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -510,7 +510,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", "event.category": [ "iam" @@ -549,6 +548,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -563,7 +563,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", "event.category": [ "iam" @@ -601,6 +600,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -615,7 +615,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_CAA_ENABLEMENT", "event.category": [ "iam" @@ -649,6 +648,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -663,7 +663,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CAA_ERROR_MESSAGE", "event.category": [ "iam" @@ -698,6 +697,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -712,7 +712,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", "event.category": [ "iam" @@ -750,6 +749,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -764,7 +764,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", "event.category": [ "iam" @@ -798,6 +797,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -812,7 +812,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", "event.category": [ "iam" @@ -846,6 +845,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -860,7 +860,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", "event.category": [ "iam" @@ -899,6 +898,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -913,7 +913,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENFORCE_STRONG_AUTHENTICATION", "event.category": [ "iam" @@ -954,6 +953,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -968,7 +968,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", "event.category": [ "iam" @@ -1004,6 +1003,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1018,7 +1018,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", "event.category": [ "iam" @@ -1057,6 +1056,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1071,7 +1071,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", "event.category": [ "iam" @@ -1108,6 +1107,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1122,7 +1122,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SESSION_LENGTH", "event.category": [ "iam" @@ -1157,6 +1156,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1171,7 +1171,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNBLOCK_ON_DEVICE_ACCESS", "event.category": [ "iam" @@ -1206,6 +1205,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json index b5afcff1ea3..272f4fb77e7 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_WEB_ADDRESS", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -53,7 +53,6 @@ "url.path": "/path/in/url" }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_WEB_ADDRESS", "event.category": [ "iam" @@ -90,6 +89,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -106,7 +106,6 @@ "url.path": "/path/in/url" }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_SETTING", "event.category": [ "iam" @@ -144,6 +143,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -158,7 +158,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", "event.category": [ "iam" @@ -192,6 +191,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -208,7 +208,6 @@ "url.path": "/path/in/url" }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VIEW_SITE_DETAILS", "event.category": [ "iam" @@ -242,6 +241,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json index f6220f7fcbd..b3be5557b03 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_2SV_SCRATCH_CODES", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GENERATE_2SV_SCRATCH_CODES", "event.category": [ "iam" @@ -86,6 +85,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -100,7 +100,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_3LO_DEVICE_TOKENS", "event.category": [ "iam" @@ -138,6 +137,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -152,7 +152,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_3LO_TOKEN", "event.category": [ "iam" @@ -189,6 +188,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -203,7 +203,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_RECOVERY_EMAIL", "event.category": [ "iam" @@ -239,6 +238,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -253,7 +253,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_RECOVERY_PHONE", "event.category": [ "iam" @@ -289,6 +288,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -303,7 +303,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GRANT_ADMIN_PRIVILEGE", "event.category": [ "iam" @@ -339,6 +338,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -353,7 +353,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_ADMIN_PRIVILEGE", "event.category": [ "iam" @@ -389,6 +388,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -403,7 +403,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_ASP", "event.category": [ "iam" @@ -440,6 +439,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -454,7 +454,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", "event.category": [ "iam" @@ -491,6 +490,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -505,7 +505,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "BULK_UPLOAD", "event.category": [ "iam" @@ -541,6 +540,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -555,7 +555,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", "event.category": [ "iam" @@ -592,6 +591,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -606,7 +606,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CANCEL_USER_INVITE", "event.category": [ "iam" @@ -643,6 +642,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -657,7 +657,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_CUSTOM_FIELD", "event.category": [ "iam" @@ -696,6 +695,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -710,7 +710,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_EXTERNAL_ID", "event.category": [ "iam" @@ -748,6 +747,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -762,7 +762,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_GENDER", "event.category": [ "iam" @@ -800,6 +799,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -814,7 +814,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_IM", "event.category": [ "iam" @@ -852,6 +851,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -866,7 +866,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_USER_IP_WHITELIST", "event.category": [ "iam" @@ -904,6 +903,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -918,7 +918,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_KEYWORD", "event.category": [ "iam" @@ -956,6 +955,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -970,7 +970,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_LANGUAGE", "event.category": [ "iam" @@ -1008,6 +1007,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1022,7 +1022,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_LOCATION", "event.category": [ "iam" @@ -1060,6 +1059,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1074,7 +1074,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_ORGANIZATION", "event.category": [ "iam" @@ -1112,6 +1111,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1126,7 +1126,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_PHONE_NUMBER", "event.category": [ "iam" @@ -1164,6 +1163,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1178,7 +1178,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RECOVERY_EMAIL", "event.category": [ "iam" @@ -1214,6 +1213,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1228,7 +1228,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RECOVERY_PHONE", "event.category": [ "iam" @@ -1264,6 +1263,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1278,7 +1278,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_RELATION", "event.category": [ "iam" @@ -1316,6 +1315,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1330,7 +1330,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_ADDRESS", "event.category": [ "iam" @@ -1368,6 +1367,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1382,7 +1382,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_EMAIL_MONITOR", "event.category": [ "iam" @@ -1426,6 +1425,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1440,7 +1440,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_DATA_TRANSFER_REQUEST", "event.category": [ "iam" @@ -1478,6 +1477,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1492,7 +1492,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", "event.category": [ "iam" @@ -1529,6 +1528,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1543,7 +1543,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_ACCOUNT_INFO_DUMP", "event.category": [ "iam" @@ -1580,6 +1579,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1594,7 +1594,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_EMAIL_MONITOR", "event.category": [ "iam" @@ -1631,6 +1630,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1645,7 +1645,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_MAILBOX_DUMP", "event.category": [ "iam" @@ -1682,6 +1681,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1696,7 +1696,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_FIRST_NAME", "event.category": [ "iam" @@ -1734,6 +1733,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1748,7 +1748,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GMAIL_RESET_USER", "event.category": [ "iam" @@ -1785,6 +1784,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1799,7 +1799,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LAST_NAME", "event.category": [ "iam" @@ -1837,6 +1836,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1851,7 +1851,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MAIL_ROUTING_DESTINATION_ADDED", "event.category": [ "iam" @@ -1888,6 +1887,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1902,7 +1902,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", "event.category": [ "iam" @@ -1939,6 +1938,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1953,7 +1953,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_NICKNAME", "event.category": [ "iam" @@ -1990,6 +1989,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2004,7 +2004,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_NICKNAME", "event.category": [ "iam" @@ -2041,6 +2040,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2055,7 +2055,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD", "event.category": [ "iam" @@ -2091,6 +2090,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2105,7 +2105,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", "event.category": [ "iam" @@ -2143,6 +2142,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2157,7 +2157,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DOWNLOAD_PENDING_INVITES_LIST", "event.category": [ "iam" @@ -2190,6 +2189,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2204,7 +2204,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_RECOVERY_EMAIL", "event.category": [ "iam" @@ -2240,6 +2239,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2254,7 +2254,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_RECOVERY_PHONE", "event.category": [ "iam" @@ -2290,6 +2289,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2304,7 +2304,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REQUEST_ACCOUNT_INFO", "event.category": [ "iam" @@ -2340,6 +2339,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2354,7 +2354,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REQUEST_MAILBOX_DUMP", "event.category": [ "iam" @@ -2396,6 +2395,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2410,7 +2410,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RESEND_USER_INVITE", "event.category": [ "iam" @@ -2447,6 +2446,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2461,7 +2461,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RESET_SIGNIN_COOKIES", "event.category": [ "iam" @@ -2497,6 +2496,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2511,7 +2511,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", "event.category": [ "iam" @@ -2547,6 +2546,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2561,7 +2561,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_SECURITY_KEY", "event.category": [ "iam" @@ -2597,6 +2596,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2611,7 +2611,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_INVITE", "event.category": [ "iam" @@ -2648,6 +2647,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2662,7 +2662,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VIEW_TEMP_PASSWORD", "event.category": [ "iam" @@ -2699,6 +2698,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2713,7 +2713,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TURN_OFF_2_STEP_VERIFICATION", "event.category": [ "iam" @@ -2749,6 +2748,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2763,7 +2763,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNBLOCK_USER_SESSION", "event.category": [ "iam" @@ -2799,6 +2798,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2813,7 +2813,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNENROLL_USER_FROM_TITANIUM", "event.category": [ "iam" @@ -2849,6 +2848,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2863,7 +2863,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ARCHIVE_USER", "event.category": [ "iam" @@ -2899,6 +2898,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2913,7 +2913,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_BIRTHDATE", "event.category": [ "iam" @@ -2950,6 +2949,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2964,7 +2964,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_USER", "event.category": [ "iam" @@ -3000,6 +2999,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3014,7 +3014,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_USER", "event.category": [ "iam" @@ -3050,6 +3049,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3064,7 +3064,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DOWNGRADE_USER_FROM_GPLUS", "event.category": [ "iam" @@ -3100,6 +3099,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3114,7 +3114,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", "event.category": [ "iam" @@ -3150,6 +3149,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3164,7 +3164,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DOWNLOAD_USERLIST_CSV", "event.category": [ "iam" @@ -3197,6 +3196,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3211,7 +3211,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOVE_USER_TO_ORG_UNIT", "event.category": [ "iam" @@ -3249,6 +3248,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3263,7 +3263,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", "event.category": [ "iam" @@ -3300,6 +3299,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3314,7 +3314,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_USER", "event.category": [ "iam" @@ -3351,6 +3350,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3365,7 +3365,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", "event.category": [ "iam" @@ -3401,6 +3400,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3415,7 +3415,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SUSPEND_USER", "event.category": [ "iam" @@ -3451,6 +3450,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3465,7 +3465,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNARCHIVE_USER", "event.category": [ "iam" @@ -3501,6 +3500,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3515,7 +3515,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNDELETE_USER", "event.category": [ "iam" @@ -3551,6 +3550,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3565,7 +3565,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNSUSPEND_USER", "event.category": [ "iam" @@ -3601,6 +3600,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3615,7 +3615,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPGRADE_USER_TO_GPLUS", "event.category": [ "iam" @@ -3651,6 +3650,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3665,7 +3665,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USERS_BULK_UPLOAD", "event.category": [ "iam" @@ -3700,6 +3699,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3714,7 +3714,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", "event.category": [ "iam" @@ -3750,6 +3749,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3763,4 +3763,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/drive/config/config.yml b/x-pack/filebeat/module/gsuite/drive/config/config.yml index 5f1bd6ecbf3..92e464164b0 100644 --- a/x-pack/filebeat/module/gsuite/drive/config/config.yml +++ b/x-pack/filebeat/module/gsuite/drive/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json index 3d75fea232d..9ffde6ce107 100644 --- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_to_folder", "event.category": [ "file" @@ -47,6 +46,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -61,7 +61,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_canceled", "event.category": [ "file", @@ -107,6 +106,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -121,7 +121,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_comment_added", "event.category": [ "file", @@ -167,6 +166,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -181,7 +181,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_requested", "event.category": [ "file", @@ -227,6 +226,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -241,7 +241,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_reviewer_responded", "event.category": [ "file", @@ -287,6 +286,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -301,7 +301,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "create", "event.category": [ "file" @@ -346,6 +345,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -360,7 +360,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "delete", "event.category": [ "file" @@ -405,6 +404,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -419,7 +419,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "download", "event.category": [ "file" @@ -464,6 +463,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -478,7 +478,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "edit", "event.category": [ "file" @@ -523,6 +522,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -537,7 +537,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_lock", "event.category": [ "file" @@ -582,6 +581,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -596,7 +596,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "move", "event.category": [ "file" @@ -645,6 +644,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -659,7 +659,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "preview", "event.category": [ "file" @@ -704,6 +703,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -718,7 +718,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "print", "event.category": [ "file" @@ -763,6 +762,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -777,7 +777,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_from_folder", "event.category": [ "file" @@ -824,6 +823,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -838,7 +838,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "rename", "event.category": [ "file" @@ -885,6 +884,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -899,7 +899,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "untrash", "event.category": [ "file" @@ -944,6 +943,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -958,7 +958,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "sheets_import_range", "event.category": [ "file" @@ -1003,6 +1002,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1017,7 +1017,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "trash", "event.category": [ "file" @@ -1062,6 +1061,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1076,7 +1076,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_lock", "event.category": [ "file" @@ -1121,6 +1120,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1135,7 +1135,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "upload", "event.category": [ "file" @@ -1180,6 +1179,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1194,7 +1194,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "view", "event.category": [ "file" @@ -1240,6 +1239,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1254,7 +1254,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_acl_editors", "event.category": [ "file", @@ -1304,6 +1303,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1318,7 +1318,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_document_access_scope", "event.category": [ "file", @@ -1369,6 +1368,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1383,7 +1383,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_document_visibility", "event.category": [ "file", @@ -1434,6 +1433,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1448,7 +1448,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "shared_drive_membership_change", "event.category": [ "file", @@ -1499,6 +1498,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1513,7 +1513,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "shared_drive_settings_change", "event.category": [ "file", @@ -1564,6 +1563,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1578,7 +1578,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "sheets_import_range_access_change", "event.category": [ "file", @@ -1624,6 +1623,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1638,7 +1638,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_user_access", "event.category": [ "file", @@ -1690,6 +1689,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/groups/config/config.yml b/x-pack/filebeat/module/gsuite/groups/config/config.yml index 46a3ed338d9..ba6890c80e4 100644 --- a/x-pack/filebeat/module/gsuite/groups/config/config.yml +++ b/x-pack/filebeat/module/gsuite/groups/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json index 8944e12d5e7..f62ef0391c0 100644 --- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_acl_permission", "event.category": [ "iam" @@ -45,6 +44,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -59,7 +59,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "accept_invitation", "event.category": [ "iam" @@ -97,6 +96,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -111,7 +111,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approve_join_request", "event.category": [ "iam" @@ -151,6 +150,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -165,7 +165,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "join", "event.category": [ "iam" @@ -203,6 +202,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -217,7 +217,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "request_to_join", "event.category": [ "iam" @@ -255,6 +254,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -269,7 +269,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_basic_setting", "event.category": [ "iam" @@ -309,6 +308,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -323,7 +323,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "create_group", "event.category": [ "iam" @@ -360,6 +359,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -374,7 +374,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "delete_group", "event.category": [ "iam" @@ -411,6 +410,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -425,7 +425,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_identity_setting", "event.category": [ "iam" @@ -465,6 +464,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -479,7 +479,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_info_setting", "event.category": [ "iam" @@ -518,6 +517,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -532,7 +532,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_info_setting", "event.category": [ "iam" @@ -572,6 +571,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -586,7 +586,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_info_setting", "event.category": [ "iam" @@ -625,6 +624,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -639,7 +639,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_new_members_restrictions_setting", "event.category": [ "iam" @@ -679,6 +678,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -693,7 +693,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_post_replies_setting", "event.category": [ "iam" @@ -733,6 +732,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -747,7 +747,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_spam_moderation_setting", "event.category": [ "iam" @@ -787,6 +786,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -801,7 +801,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_topic_setting", "event.category": [ "iam" @@ -841,6 +840,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -855,7 +855,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "moderate_message", "event.category": [ "iam" @@ -896,6 +895,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -910,7 +910,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "always_post_from_user", "event.category": [ "iam" @@ -951,6 +950,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -965,7 +965,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_user", "event.category": [ "iam" @@ -1006,6 +1005,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1020,7 +1020,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ban_user_with_moderation", "event.category": [ "iam" @@ -1061,6 +1060,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1075,7 +1075,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "revoke_invitation", "event.category": [ "iam" @@ -1115,6 +1114,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1129,7 +1129,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "invite_user", "event.category": [ "iam" @@ -1169,6 +1168,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1183,7 +1183,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "reject_join_request", "event.category": [ "iam" @@ -1223,6 +1222,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1237,7 +1237,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "reinvite_user", "event.category": [ "iam" @@ -1277,6 +1276,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1291,7 +1291,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_user", "event.category": [ "iam" @@ -1331,6 +1330,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/login/config/config.yml b/x-pack/filebeat/module/gsuite/login/config/config.yml index b501012b3d2..95ccc04ed2c 100644 --- a/x-pack/filebeat/module/gsuite/login/config/config.yml +++ b/x-pack/filebeat/module/gsuite/login/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json index 00731f235f3..287e6245a25 100644 --- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_password_leak", "event.category": [ "authentication" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_generic", "event.category": [ "authentication" @@ -84,6 +83,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -98,7 +98,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_spamming_through_relay", "event.category": [ "authentication" @@ -133,6 +132,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -147,7 +147,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_spamming", "event.category": [ "authentication" @@ -182,6 +181,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -196,7 +196,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "gov_attack_warning", "event.category": [ "authentication" @@ -229,6 +228,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -243,7 +243,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ "authentication" @@ -280,6 +279,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -294,7 +294,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_challenge", "event.category": [ "authentication" @@ -330,6 +329,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -344,7 +344,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_verification", "event.category": [ "authentication" @@ -381,6 +380,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -395,7 +395,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "logout", "event.category": [ "authentication" @@ -429,6 +428,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -443,7 +443,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_success", "event.category": [ "authentication" @@ -480,6 +479,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/saml/config/config.yml b/x-pack/filebeat/module/gsuite/saml/config/config.yml index 1e703737e0d..8d1c7645fda 100644 --- a/x-pack/filebeat/module/gsuite/saml/config/config.yml +++ b/x-pack/filebeat/module/gsuite/saml/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json index 36dec3bfb61..6dd2d0216b0 100644 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ "authentication" @@ -40,6 +39,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -54,7 +54,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:01.000Z", "event.action": "login_success", "event.category": [ "authentication" @@ -92,6 +91,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml index 773ab620173..dc9e3d353e6 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml +++ b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json index 47aba59e1da..689aad5cde2 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "2sv_disable", "event.category": [ "iam" @@ -34,6 +33,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -48,7 +48,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "2sv_enroll", "event.category": [ "iam" @@ -82,6 +81,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -96,7 +96,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "password_edit", "event.category": [ "iam" @@ -130,6 +129,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -144,7 +144,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "recovery_email_edit", "event.category": [ "iam" @@ -178,6 +177,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -192,7 +192,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "recovery_phone_edit", "event.category": [ "iam" @@ -226,6 +225,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -240,7 +240,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "recovery_secret_qa_edit", "event.category": [ "iam" @@ -274,6 +273,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -288,7 +288,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "titanium_enroll", "event.category": [ "iam" @@ -322,6 +321,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -336,7 +336,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "titanium_unenroll", "event.category": [ "iam" @@ -370,6 +369,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml b/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml index 2130bb419d2..bca14ecccaa 100644 --- a/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml +++ b/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 7894d6ff317..9aee12937a0 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -112,13 +112,13 @@ "ccusan7572.api.home" ], "related.ip": [ - "10.58.116.231", - "10.159.182.171" + "10.159.182.171", + "10.58.116.231" ], "related.user": [ - "temUten", + "qua", "uradi", - "qua" + "temUten" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -174,9 +174,9 @@ "10.18.124.28" ], "related.user": [ - "modocons", + "mquidol", "lapariat", - "mquidol" + "modocons" ], "rsa.counters.dclass_c1": 6564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -239,8 +239,8 @@ ], "related.user": [ "oluptas", - "occae", - "intoc" + "intoc", + "occae" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", @@ -374,9 +374,9 @@ "10.211.105.204" ], "related.user": [ + "orema", "eveli", - "labor", - "orema" + "labor" ], "rsa.counters.dclass_c1": 6855, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -432,13 +432,13 @@ "pora6854.www5.home" ], "related.ip": [ - "10.214.191.180", - "10.112.250.193" + "10.112.250.193", + "10.214.191.180" ], "related.user": [ - "Exc", + "ipsumdol", "ide", - "ipsumdol" + "Exc" ], "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -493,12 +493,12 @@ "ptasn6599.www.localhost" ], "related.ip": [ - "10.192.34.76", - "10.251.20.13" + "10.251.20.13", + "10.192.34.76" ], "related.user": [ - "iquipe", "tnonpro", + "iquipe", "ovol" ], "rsa.counters.dclass_c1": 3645, @@ -556,8 +556,8 @@ ], "related.user": [ "idunt", - "archite", - "boree" + "boree", + "archite" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -617,8 +617,8 @@ "10.168.159.13" ], "related.user": [ - "atemq", "inci", + "atemq", "isnostr" ], "rsa.counters.dclass_c1": 6135, @@ -679,9 +679,9 @@ "10.49.167.57" ], "related.user": [ + "tali", "ccaeca", - "sau", - "tali" + "sau" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -743,17 +743,17 @@ "10.216.125.252" ], "related.user": [ + "lorsita", "dolore", - "llamco", - "lorsita" + "llamco" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "quasia" + "quasia", + "accept" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", @@ -809,8 +809,8 @@ "umdolor4389.api.home" ], "related.ip": [ - "10.52.125.9", - "10.204.128.215" + "10.204.128.215", + "10.52.125.9" ], "related.user": [ "nci", @@ -875,8 +875,8 @@ "rationev6444.localhost" ], "related.ip": [ - "10.34.148.166", - "10.200.68.129" + "10.200.68.129", + "10.34.148.166" ], "related.user": [ "icabo", @@ -938,8 +938,8 @@ ], "related.user": [ "siu", - "conse", - "licabo" + "licabo", + "conse" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -995,13 +995,13 @@ "spernatu5539.domain" ], "related.ip": [ - "10.30.98.10", - "10.126.26.131" + "10.126.26.131", + "10.30.98.10" ], "related.user": [ - "dipisci", + "velite", "olori", - "velite" + "dipisci" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1061,9 +1061,9 @@ "10.190.10.219" ], "related.user": [ - "item", + "accusant", "quamnih", - "accusant" + "item" ], "rsa.counters.dclass_c1": 3278, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1147,12 +1147,12 @@ "maliquam2147.internal.home" ], "related.ip": [ - "10.100.98.56", - "10.248.184.200" + "10.248.184.200", + "10.100.98.56" ], "related.user": [ - "ritati", "proident", + "ritati", "boru" ], "rsa.counters.dclass_c1": 5923, @@ -1209,13 +1209,13 @@ "olabor2983.internal.localhost" ], "related.ip": [ - "10.197.6.245", - "10.82.28.220" + "10.82.28.220", + "10.197.6.245" ], "related.user": [ - "oluptat", "dtempo", - "aecatcup" + "aecatcup", + "oluptat" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1276,8 +1276,8 @@ ], "related.user": [ "redol", - "asnu", - "ationul" + "ationul", + "asnu" ], "rsa.counters.dclass_c1": 6606, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1339,17 +1339,17 @@ "10.88.45.111" ], "related.user": [ + "undeomni", "lmole", - "iameaque", - "undeomni" + "iameaque" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "illu", - "deny" + "deny", + "illu" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", @@ -1407,8 +1407,8 @@ "10.214.3.140" ], "related.user": [ - "edolorin", "scipitl", + "edolorin", "taliqui" ], "rsa.counters.dclass_c1": 5140, @@ -1472,8 +1472,8 @@ ], "related.user": [ "caboNem", - "pta", - "etconsec" + "etconsec", + "pta" ], "rsa.counters.event_counter": 5347, "rsa.db.database": "urExcept", @@ -1535,13 +1535,13 @@ "nder347.www.corp" ], "related.ip": [ - "10.105.190.170", - "10.182.152.242" + "10.182.152.242", + "10.105.190.170" ], "related.user": [ + "doeiu", "litan", - "mquisn", - "doeiu" + "mquisn" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1604,8 +1604,8 @@ ], "related.user": [ "emUte", - "liquam", - "min" + "min", + "liquam" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", @@ -1666,13 +1666,13 @@ "ectob4634.mail.localhost" ], "related.ip": [ - "10.72.75.207", - "10.201.168.116" + "10.201.168.116", + "10.72.75.207" ], "related.user": [ + "urau", "eFini", - "eufug", - "urau" + "eufug" ], "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1728,13 +1728,13 @@ "snu6436.www.local" ], "related.ip": [ - "10.9.46.123", - "10.58.133.175" + "10.58.133.175", + "10.9.46.123" ], "related.user": [ + "nde", "oco", - "mfu", - "nde" + "mfu" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1794,8 +1794,8 @@ "10.70.29.203" ], "related.user": [ - "mquisnos", "veniamq", + "mquisnos", "pta" ], "rsa.counters.dclass_c1": 2358, @@ -1856,8 +1856,8 @@ "10.165.182.111" ], "related.user": [ - "ames", "Bonorum", + "ames", "sis" ], "rsa.counters.dclass_c1": 6401, @@ -1944,8 +1944,8 @@ "upt6017.api.localdomain" ], "related.ip": [ - "10.64.184.196", - "10.173.178.109" + "10.173.178.109", + "10.64.184.196" ], "related.user": [ "tam", @@ -1957,8 +1957,8 @@ "rsa.internal.event_desc": "orin", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "lamco" + "lamco", + "block" ], "rsa.misc.category": "enia", "rsa.misc.disposition": "iavol", @@ -2012,13 +2012,13 @@ "turQuis4046.api.test" ], "related.ip": [ - "10.90.50.149", - "10.168.225.209" + "10.168.225.209", + "10.90.50.149" ], "related.user": [ "aUtenima", - "olupta", - "olu" + "olu", + "olupta" ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2079,8 +2079,8 @@ ], "related.user": [ "mtota", - "luptat", - "qua" + "qua", + "luptat" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2163,13 +2163,13 @@ "tatnonp1371.www.invalid" ], "related.ip": [ - "10.151.240.35", - "10.228.229.144" + "10.228.229.144", + "10.151.240.35" ], "related.user": [ + "lam", "ametcons", - "ama", - "lam" + "ama" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2289,17 +2289,17 @@ "10.254.10.98" ], "related.user": [ - "civeli", "eufugia", - "ttenb" + "ttenb", + "civeli" ], "rsa.counters.event_counter": 7365, "rsa.db.database": "utlabore", "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "uptasn" + "uptasn", + "cancel" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2383,13 +2383,13 @@ "ihi7294.www5.localhost" ], "related.ip": [ - "10.169.28.157", - "10.116.1.130" + "10.116.1.130", + "10.169.28.157" ], "related.user": [ - "reseo", + "eturadip", "amco", - "eturadip" + "reseo" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", @@ -2451,13 +2451,13 @@ "caecat4920.api.host" ], "related.ip": [ - "10.29.138.31", - "10.45.69.152" + "10.45.69.152", + "10.29.138.31" ], "related.user": [ - "volupta", "umq", - "tsunt" + "tsunt", + "volupta" ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2513,13 +2513,13 @@ "setquas6188.internal.local" ], "related.ip": [ - "10.100.113.11", - "10.152.213.228" + "10.152.213.228", + "10.100.113.11" ], "related.user": [ - "ptatev", "itationu", - "velillum" + "velillum", + "ptatev" ], "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2603,13 +2603,13 @@ "nibusBo3674.www5.localhost" ], "related.ip": [ - "10.208.33.55", - "10.248.102.129" + "10.248.102.129", + "10.208.33.55" ], "related.user": [ + "ulapari", "mremaper", - "inimv", - "ulapari" + "inimv" ], "rsa.counters.dclass_c1": 6433, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2669,8 +2669,8 @@ "10.109.230.216" ], "related.user": [ - "mporin", "ectobea", + "mporin", "ibus" ], "rsa.counters.dclass_c1": 547, @@ -2731,9 +2731,9 @@ "10.117.81.75" ], "related.user": [ - "iconsequ", + "dol", "exeac", - "dol" + "iconsequ" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2793,8 +2793,8 @@ "10.45.152.205" ], "related.user": [ - "eriti", "utlabo", + "eriti", "imav" ], "rsa.counters.dclass_c1": 922, @@ -2856,17 +2856,17 @@ "10.60.164.100" ], "related.user": [ - "hite", + "adipis", "ugi", - "adipis" + "hite" ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", "rsa.internal.event_desc": "epteurs", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "taevitae", - "allow" + "allow", + "taevitae" ], "rsa.misc.category": "itse", "rsa.misc.disposition": "rever", @@ -2919,13 +2919,13 @@ "aliquip7229.mail.domain" ], "related.ip": [ - "10.248.244.203", - "10.146.228.234" + "10.146.228.234", + "10.248.244.203" ], "related.user": [ "mquamei", - "eiusm", - "sum" + "sum", + "eiusm" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2981,8 +2981,8 @@ "10.86.121.152" ], "related.user": [ - "ine", "consecte", + "ine", "nimv" ], "rsa.counters.dclass_c1": 2771, @@ -3039,13 +3039,13 @@ "agnama5013.internal.example" ], "related.ip": [ - "10.201.223.119", - "10.204.223.184" + "10.204.223.184", + "10.201.223.119" ], "related.user": [ + "tuserror", "rcit", - "teni", - "tuserror" + "teni" ], "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3106,8 +3106,8 @@ ], "related.user": [ "magnido", - "Nequepo", - "elitsedd" + "elitsedd", + "Nequepo" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3169,17 +3169,17 @@ "10.65.225.101" ], "related.user": [ - "tuserror", "citation", - "emquel" + "emquel", + "tuserror" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", "rsa.internal.event_desc": "atuse", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "eruntmol", - "cancel" + "cancel", + "eruntmol" ], "rsa.misc.category": "imad", "rsa.misc.disposition": "tura", @@ -3236,9 +3236,9 @@ "10.191.184.105" ], "related.user": [ + "uta", "iin", - "tione", - "uta" + "tione" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3296,8 +3296,8 @@ "10.224.148.48" ], "related.user": [ - "equepor", "niam", + "equepor", "iosamn" ], "rsa.counters.event_counter": 7468, @@ -3360,12 +3360,12 @@ "amcorp7299.api.example" ], "related.ip": [ - "10.21.208.103", - "10.21.61.134" + "10.21.61.134", + "10.21.208.103" ], "related.user": [ - "ostr", "imidest", + "ostr", "mipsa" ], "rsa.counters.dclass_c1": 7766, @@ -3426,8 +3426,8 @@ "10.221.192.116" ], "related.user": [ - "iarchit", "iamquisn", + "iarchit", "tevelite" ], "rsa.counters.dclass_c1": 639, @@ -3486,8 +3486,8 @@ "tionevol3157.mail.invalid" ], "related.ip": [ - "10.191.142.143", - "10.240.62.238" + "10.240.62.238", + "10.191.142.143" ], "related.user": [ "nofde", @@ -3555,21 +3555,21 @@ "mquis319.api.local" ], "related.ip": [ - "10.178.79.217", - "10.111.22.134" + "10.111.22.134", + "10.178.79.217" ], "related.user": [ - "ccusan", + "tqui", "inibusBo", - "tqui" + "ccusan" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", "rsa.internal.event_desc": "adeseru", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "orisnis" + "orisnis", + "deny" ], "rsa.misc.category": "sitas", "rsa.misc.disposition": "eni", @@ -3622,13 +3622,13 @@ "urad5712.api.host" ], "related.ip": [ - "10.161.225.172", - "10.77.86.215" + "10.77.86.215", + "10.161.225.172" ], "related.user": [ - "xerc", + "rcit", "meaqu", - "rcit" + "xerc" ], "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3687,9 +3687,9 @@ "10.211.161.187" ], "related.user": [ - "boriosa", "sci", - "acons" + "acons", + "boriosa" ], "rsa.counters.dclass_c1": 1578, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3740,13 +3740,13 @@ "inBCSed5308.api.corp" ], "related.ip": [ - "10.254.198.47", - "10.160.147.230" + "10.160.147.230", + "10.254.198.47" ], "related.user": [ - "nimvenia", "ndeomnis", - "illoin" + "illoin", + "nimvenia" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3802,9 +3802,9 @@ "10.40.24.93" ], "related.user": [ - "exerci", + "orisnis", "mSecti", - "orisnis" + "exerci" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3860,13 +3860,13 @@ "itte6905.mail.invalid" ], "related.ip": [ - "10.249.13.159", - "10.108.130.106" + "10.108.130.106", + "10.249.13.159" ], "related.user": [ + "colab", "uisautei", - "exeacomm", - "colab" + "exeacomm" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3924,13 +3924,13 @@ "caboNemo274.www.host" ], "related.ip": [ - "10.39.244.49", - "10.64.94.174" + "10.64.94.174", + "10.39.244.49" ], "related.user": [ + "estiae", "iunt", - "Sedut", - "estiae" + "Sedut" ], "rsa.counters.event_counter": 7128, "rsa.db.database": "eFinibu", @@ -4047,13 +4047,13 @@ "qui5978.api.test" ], "related.ip": [ - "10.115.203.143", - "10.134.135.22" + "10.134.135.22", + "10.115.203.143" ], "related.user": [ + "utoditau", "involu", - "orpori", - "utoditau" + "orpori" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4203,9 +4203,9 @@ "10.20.231.188" ], "related.user": [ - "tesseq", + "mqu", "uatDuisa", - "mqu" + "tesseq" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4289,13 +4289,13 @@ "abor3266.mail.home" ], "related.ip": [ - "10.225.11.197", - "10.231.77.26" + "10.231.77.26", + "10.225.11.197" ], "related.user": [ + "rehe", "ineavol", - "volu", - "rehe" + "volu" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4349,13 +4349,13 @@ "eprehe2455.www.home" ], "related.ip": [ - "10.148.3.197", - "10.106.166.105" + "10.106.166.105", + "10.148.3.197" ], "related.user": [ - "olupt", "usa", - "avolup" + "avolup", + "olupt" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4411,9 +4411,9 @@ "10.172.121.239" ], "related.user": [ - "ipsu", + "ctas", "iuta", - "ctas" + "ipsu" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4469,13 +4469,13 @@ "exerc3694.api.home" ], "related.ip": [ - "10.129.234.200", - "10.42.218.103" + "10.42.218.103", + "10.129.234.200" ], "related.user": [ - "tevelit", "tisundeo", - "dquia" + "dquia", + "tevelit" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4535,9 +4535,9 @@ "10.111.132.221" ], "related.user": [ - "oloremi", + "ali", "scive", - "ali" + "oloremi" ], "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4593,13 +4593,13 @@ "boriosa7066.www.corp" ], "related.ip": [ - "10.195.8.141", - "10.17.214.21" + "10.17.214.21", + "10.195.8.141" ], "related.user": [ "dolo", - "ota", - "enimip" + "enimip", + "ota" ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4659,8 +4659,8 @@ "10.173.13.179" ], "related.user": [ - "apar", "ptasn", + "apar", "isn" ], "rsa.counters.dclass_c1": 758, @@ -4717,13 +4717,13 @@ "iatisund424.mail.localdomain" ], "related.ip": [ - "10.178.190.123", - "10.42.135.34" + "10.42.135.34", + "10.178.190.123" ], "related.user": [ - "tiset", "orsi", - "ore" + "ore", + "tiset" ], "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4872,9 +4872,9 @@ "10.206.221.180" ], "related.user": [ - "oNe", + "nseq", "litesseq", - "nseq" + "oNe" ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4930,9 +4930,9 @@ "10.86.180.150" ], "related.user": [ - "mnisis", + "etconsec", "itasper", - "etconsec" + "mnisis" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4994,8 +4994,8 @@ "10.158.161.5" ], "related.user": [ - "rrors", - "dolo" + "dolo", + "rrors" ], "rsa.counters.event_counter": 4098, "rsa.db.database": "tsed", @@ -5084,12 +5084,12 @@ "nisiutal4437.www.example" ], "related.ip": [ - "10.150.27.144", - "10.248.16.82" + "10.248.16.82", + "10.150.27.144" ], "related.user": [ - "res", "ditautf", + "res", "tuserror" ], "rsa.counters.dclass_c1": 4367, @@ -5211,9 +5211,9 @@ "10.69.5.227" ], "related.user": [ - "rumw", "ntocc", - "doloreme" + "doloreme", + "rumw" ], "rsa.counters.dclass_c1": 5201, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5269,9 +5269,9 @@ "10.253.175.129" ], "related.user": [ + "epteurs", "nrep", - "ate", - "epteurs" + "ate" ], "rsa.counters.dclass_c1": 6260, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5333,8 +5333,8 @@ "10.89.26.170" ], "related.user": [ - "atus", "aboris", + "atus", "orumetMa" ], "rsa.counters.event_counter": 5863, @@ -5398,8 +5398,8 @@ "gitse6744.api.local" ], "related.ip": [ - "10.81.108.232", - "10.52.106.68" + "10.52.106.68", + "10.81.108.232" ], "related.user": [ "uaturve", @@ -5411,8 +5411,8 @@ "rsa.internal.event_desc": "pis", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "Quisaut" + "Quisaut", + "allow" ], "rsa.misc.category": "idol", "rsa.misc.disposition": "mmodico", @@ -5472,9 +5472,9 @@ "10.223.10.28" ], "related.user": [ - "erit", "untex", - "usmodte" + "usmodte", + "erit" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", @@ -5541,8 +5541,8 @@ ], "related.user": [ "sequamn", - "res", - "tasnul" + "tasnul", + "res" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5600,12 +5600,12 @@ "labo3477.www5.domain" ], "related.ip": [ - "10.226.75.20", - "10.247.108.144" + "10.247.108.144", + "10.226.75.20" ], "related.user": [ - "maccusan", "tema", + "maccusan", "fugia" ], "rsa.counters.event_counter": 3711, @@ -5667,13 +5667,13 @@ "itseddo2209.mail.domain" ], "related.ip": [ - "10.97.22.61", - "10.192.15.65" + "10.192.15.65", + "10.97.22.61" ], "related.user": [ - "illumd", "rExcep", - "nimides" + "nimides", + "illumd" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5798,9 +5798,9 @@ "10.28.77.79" ], "related.user": [ + "utlab", "rspic", - "upta", - "utlab" + "upta" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5855,13 +5855,13 @@ "tsunti1164.www.example" ], "related.ip": [ - "10.18.15.43", - "10.248.177.182" + "10.248.177.182", + "10.18.15.43" ], "related.user": [ - "quei", "caecat", - "quaturve" + "quaturve", + "quei" ], "rsa.counters.dclass_c1": 983, "rsa.counters.dclass_c1_str": "Affected Rows", diff --git a/x-pack/filebeat/module/iptables/log/config/input.yml b/x-pack/filebeat/module/iptables/log/config/input.yml index 6183661122a..bcfde17c3c5 100644 --- a/x-pack/filebeat/module/iptables/log/config/input.yml +++ b/x-pack/filebeat/module/iptables/log/config/input.yml @@ -55,4 +55,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json index 40bbac9e3f5..73f2a49fabc 100644 --- a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json @@ -55,6 +55,7 @@ "source.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "158.109.0.1", diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml index be40af66202..7f992656788 100644 --- a/x-pack/filebeat/module/juniper/_meta/config.yml +++ b/x-pack/filebeat/module/juniper/_meta/config.yml @@ -36,3 +36,16 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + srx: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006 diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc index c59b7ac4a95..3e145ea81c9 100644 --- a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc @@ -5,18 +5,131 @@ == Juniper module -experimental[] +This is a module for ingesting data from the different Juniper Products. Currently supports these filesets: -This is a module for receiving Juniper JUNOS logs over Syslog or a file. +- `srx` fileset: Supports Juniper SRX logs +- `junos` fileset: Supports Juniper JUNOS logs +- `netscreen` fileset: Supports Juniper Netscreen logs include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: junos - include::../include/config-option-intro.asciidoc[] +:fileset_ex: srx +beta[] + +[float] +==== `srx` fileset settings + +The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data] + +To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging]. + +The following processes and tags are supported: + +[options="header"] +|============================================================== +| JunOS processes | JunOS tags | +| RT_FLOW | RT_FLOW_SESSION_CREATE | +| | RT_FLOW_SESSION_CLOSE | +| | RT_FLOW_SESSION_DENY | +| | APPTRACK_SESSION_CREATE | +| | APPTRACK_SESSION_CLOSE | +| | APPTRACK_SESSION_VOL_UPDATE | +| RT_IDS | RT_SCREEN_TCP | +| | RT_SCREEN_UDP | +| | RT_SCREEN_ICMP | +| | RT_SCREEN_IP | +| | RT_SCREEN_TCP_DST_IP | +| | RT_SCREEN_TCP_SRC_IP | +| RT_UTM | WEBFILTER_URL_PERMITTED | +| | WEBFILTER_URL_BLOCKED | +| | AV_VIRUS_DETECTED_MT | +| | CONTENT_FILTERING_BLOCKED_MT | +| | ANTISPAM_SPAM_DETECTED_MT | +| RT_IDP | IDP_ATTACK_LOG_EVENT | +| | IDP_APPDDOS_APP_STATE_EVENT | +| RT_AAMW | SRX_AAMW_ACTION_LOG | +| | AAMW_MALWARE_EVENT_LOG | +| | AAMW_HOST_INFECTED_EVENT_LOG | +| | AAMW_ACTION_LOG | +| RT_SECINTEL | SECINTEL_ACTION_LOG | +|============================================================== + +The syslog format choosen should be `Default`. + +[float] +=== Compatibility + +This module has been tested against JunOS version 19.x and 20.x. +Versions above this are expected to work but have not been tested. + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9006 +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9006. + + +[float] +==== Juniper SRX ECS fields + +This is a list of JunOS fields that are mapped to ECS. + +[options="header"] +|============================================================== +| Juniper SRX Fields | ECS Fields | +| application-risk | event.risk_score | +| bytes-from-client | source.bytes | +| bytes-from-server | destination.bytes | +| destination-interface-name | observer.egress.interface.name | +| destination-zone-name | observer.egress.zone | +| destination-address | destination.ip | +| destination-port | destination.port | +| dst_domainname | url.domain | +| elapsed-time | event.duration | +| filename | file.name | +| nat-destination-address | destination.nat.ip | +| nat-destination-port | destination.nat.port | +| nat-source-address | source.nat.ip | +| nat-source-port | source.nat.port | +| message | message | +| obj | url.path | +| packets-from-client | source.packets | +| packets-from-server | destination.packets | +| policy-name | rule.name | +| protocol | network.transport | +| source-address | source.ip | +| source-interface-name | observer.ingress.interface.name| +| source-port | source.port | +| source-zone-name | observer.ingress.zone | +| url | url.domain | +|============================================================== + + +:fileset_ex: junos + [float] ==== `junos` fileset settings diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go index 6122a564654..e22907d0244 100644 --- a/x-pack/filebeat/module/juniper/fields.go +++ b/x-pack/filebeat/module/juniper/fields.go @@ -19,5 +19,5 @@ func init() { // AssetJuniper returns asset data. // This is the base64 encoded gzipped contents of module/juniper. func AssetJuniper() string { - return "eJzsvW2TGzeSIPx9fwUefzhJDpmyZVt7o5udC213e9w7ktyrluSNi4moAFEgCTcKKAEosulf/wQSqBdWochuNlBs7d18mLCaZCKRSCTyPb9DN3T7Gv1RCVZS9S8IGWY4fY3+w/0B/cen979d/wtCOdVEsdIwKV6jv/0LQqj+DVowynM9+xfk/+s1fGr/9x0SuKCvkaBmI9XNjAlD1QITOrN/b76GkFxTtVHM0NfIqKr7idmW9LXFcSNV3vl7The44iaDJV+jBeaa7nw8QLf+33tcUCQXyKxojRhqEEObFVUUPjMKLxaMoBXWaE6pQHKuqVrTfDbYn9L4HptZKlmVd99Kn6jtsoC1wHxne+Orj60fWqJdpNDLnb/vX2H8wAan8nHFtP0eYhpVmubISERwaSpPf4U3qKBa46X9NzaIyIJqu2lpP++BRuitXKJzSmQObBzYiIPF+kgdu50aLl1TYTK7tciAPcKJqe9JroHmRApDhdH2fjChDRamRkMHcTSsOAbBHJv+B0PsmMPJLoGwQZsVIyuEkaZaMynQihmNMHpPze/MCKp1ffqzAWs0m9UrWfEcCbqmCs1pw3clVpqid9RgixpGCyWLzlJP38qlfnGFyQ01+tkA/DlTlBi+fY6MxxujD9QJC8fhooPmLEhITteUH0FJLkX/fu5Q8pyWihJsPCY5XTBBcyQFB7QMnnOKClyGsSr0Mot2Yfac8Tt/zy/Pf0BrzCt/41lOhWEL5rmT3mJiEJdLd15qcBCwO2bBe26B79njKLEyjFQcK/i9P9jZKGcMQB/FKSHOGEAe55TRI1lPeyYv/9+Z7D8Tu2qaA3nY9ZXzPzLYSP9YHg12a3yM0EuOmqJaVookensfTrZU9/9hmGmDDS2oMI8ROVzlzGSE494dfiToUWHU9jEitrI61WNEjInjEEurMdWS4/FyWk7xMdIjLdkWlOYxbagRvSZkZ3a+WLsFLDYDPWSgJDzMiujpIQPoB6yIcSr2XCsTUVF0vCpB8jlyDbYZiXwoQMF7k49MoVZXgn2paKtGq2b//k/bXaP2TApiHwds5GO3bEfEzZqlFYdd6p7ZZdiCEdy9z2/lEl2sqTDoGoQzqkROlTVBFPWCarD1BbulOdLUWCA7P95dQ48bLPUhDGA/2GBpDmEA+l6HMvQExvcvHceYg33dgyb3o8FK6kT6apcvf5XadEUk73OkpiJnYll/qENs0/EhfT30Zccw2OBHo4S9vFr/hHCeKysrx657n7iD3Rv5tRJ3/So1eV/930teS630sqEvF5wjrestyxFGS7amonGSfb2KgCXRcf6LtBZI/hiVv68jojHq0JDlNlP0S4Kz7gYP4YBh3/MtUPnCLY2u4CI9995sg9HHbUkRwUMJMqeIMrOiCn26FOaHV0gq9AuX2Pz4Es2xBi6qA2QLtqwUqH4H9n2MuvsV7xvCoOmMzwj+BfvrpUzlZttnHdcrf/UOBqk2WOXJlLqOROtsu0vJy6vPO/oeRopy3D9ShPRWG1r4R9SjbaGtqONU7Yhn/y0VWzKBef2bXW3lAB1S6V97EiMurz6/CpDAoz+gxMNJ0GA0pHKM16dl1KHieOzrs6I4p2qS2PWvsBS6PH9IlNTh2w2WApjjYqWP2snGSZbcz4ZrReuyVbTgoljT5UxyTomR6msUwJZ6J8i5sTzHNCKOdDS3mO4oqm9lX21Bewj9CC2+gswfi6paSA3JboUUaL4dHBpCin6pqDYWoGZFybf+nOyXraBHFJMV0iyn6On3yKxUhV7+/PMztMEaaUpFs8oeSjwK5fUOlNClFJqmIwX5ariCyEqYxqdQFXMn9OxV1kEI6CmeyzXtEIOJYGZlLd60URQXo/eHfDVsc2JS0ZxVfT0tBqG+CWmOjWOBLRAz/6xefv/DX7QT6S9KEKA10v8c7Oaf1h58i7dUoZfoQhBc6oq7yIo1Ke8l10PQHxj8CORWhlb58SX6N7vd5+jHH9G/ISKV1ZdhF37R5+h/cPO/7BeZRrtE+SZ4hELm9NHaumJDM4I5n2Nyk1YDdsgJaeDaYOPsCktEKvJSMmHANDE0nOAMzJFRpWSi/LRWH9QlJQxzwBgw1UYqq1mLrdM67AdrzFnuGCOEFEILWYncvjCcAvJMLL1ydDB5cfdGDCDHiAX667AnbDRyClsucf5Y3jmPDtLsT4oKahQjAavDm8LdL4Mt7J77WgjbZx+bVqOVi/rYZuhXubFHM7Q5mUBSWWPMSHRDaXmAaI/ixftKiKYkoVpna5Zneaqo60UteZZUUIUNXPLcUrBjF66ZMhXm1mjf8b2LgIuDFcya3RArB2K4XfirfnmOlJXWGhwqQDSsltQ0XztICa0SJT2dnBIuE24/JVSSUNBQ8F+e177XD7SQhqJrz+9EUXho59sxQWn/VwdivoLAi18p0yVnKTMbHrU5r9lA7X8UupmVuQn5HW6dfQM8r9dcV1st/gn57xFhdOJlwfgJYvR2VWscXZ29ufK6L8HCkocVpVR9jRfBE/nVpUFUj8P98ck9VWCIg+kecqXumvJV+5PWYHd6DljmM/Ty51doA3QvKBYIcx72FYBTH9Sk1n+ENlRRBxYbxCnWBknRKxfZJeLJ1cSvm4iBu5oibOtp97tUORAOspooWQnJ5XLbD8QtmBposQj9jMgKK0yMI6K91FvAH5zmAlXC5/TwHZ/5aEVt7IJuF6hPGUTYE7sEi6KwSqYUdRhB4c2oTAPJ2lMrMQGN1cUohPc5SEIqVUPUBoscqxwJqQrM2Z+h/F6piiB9cp/lcDSJZDUfPEn3IlKLdYPMC84WFHYcMPA1JVLkIwp2e9yZNin9LHs2xASRRcmpCTLAqBMVgwJvFOuJwU69mTInYuRru3aQncdYeZczR9mvkMKsIh1TW58aK+elzXLKT0T4C5GnILsF+acUqbst7BGLdvVaxXTptR/7FB6IqGQ3+g0y9Nb4y4fWVOlOOUW+Lw8scL4PZbYtxbG22ZbpEalymqd7B32SjX+mdLNirWPUmTbNF7vx9eFrpWQxA6gVFOVrQgVWTDq1vqi4Yd8ZRhXCZcnr6pe2l02BBV6GSnMR4hDeqe1Fh5TDVSNmnmgkN8JFxgwuyr5n0GNsV7MoDm+f0YismLVuZE71DL2rtAEzqQvU3kpsRvJysaFHHtJeAbZYWLzXdApNCA65XtDRTtEFVVQQxxDYqtY5W7PcajbAD2FBdl0Lso894oU3eVsyNdkO2/N0saBby4nM8K3brLZCz+prFilg0P2+0YiHPurCeW6lcSPPZoMlm3QyWcWWQMVAkXsoxIb+sa8KaJBfKlpNxkqWux0XtfJxgzUCJPIRvgHkfohN1IhKwQ5BE8i0ZWESvL7LIgWuZZYA1TJLoT2XMUXRLtCX0aEm0JU6r8hpTMie+Rh8YwbP5b3enGPF5iG5dkywoH0get0QYjuCMBko8TEUa13x1GGnEStKVobIgr5wODTGC2Rly8WAQ7DwJNgxIEcYhK6pYiZl6ciejdWr+yLATmRnn8snbfHioHege6WbShcLDeJOJSVswVrDJ6zdumDOWE8Vryunz2YKHEDjYmR5WzBRu6hyH2QJ4u3N5qkO4fOuld61BKVCv1371Fim64SAvl8N1q9PaKxKUpdSs4iC4068Bea0yF2HKUjlr+/uaBeeipssXeuie4oiURVUMXJfWRTc2wRVbHs21q1ka26GE0vufg+2tqYil8onzO7dmZz/cYLuNXVoV87/oCRsR1vE0teCD8htJeh+xJykT9mr7pvhhfRV/17MeC/XCje5xUIahNHKd7wIJ9ByuczqRJWTCPWaEe8t1KfombIj+/4O6VbQtRrER1jxl5yRberbs0cuXAECvrm24NsRuVzxlHnTYQJ+qDgFxMLiVApDb1NrrA1Cl8L569p+qDjPtf0/eFQxrxEKNYA58DiTFRZLmgm6SS0LxgKXdNMJ9YMSYoxi88rQjoQY5uhrh7rV1rvPX1h06BJHE3YN5ThL1rZyH9HAEOznFzlkuvpbwLiFCjBLsLrhoG5zvtSaqhm6pu5QKk3VDC8ptPL2me4LqWocBrBrME5vJ/B75H7f6VshFZorubGf1X/1uqYzu0b7SV/mV1iZ2G66BnBsj4q/U3JQHTrVnZI8b9TGVFdKltQHFFO9xW8Ewpwq02QXqXZR/zcX3vLio9MEAJKQAgpzjoQU3ylaUrBk9mU/gNkw5ZNDKqXshWnsFThJ0ONeMBdhq8M/g51tmFl5ZdnJenQOC86h2kQgKb5bSvvfe14CUFKygOKYcN+4Ewx8AQhYJOUCWelgGNUzdN3KlP5gg25lVRqMz1w5X6WtEeNKRl2yTe7Fryc8RoRX2tQM6f8xOCb4CdP2JH1NtPdvWMUXPh1XgSbXftwNC1v0ri1TOqXsySHDy2J5DlggrLUkDPyl9jSC9iQc2Ft2Q18jjMrVVjOCOcqZvnmOSgUzUZ4jasiTsKKMFT6m9vKeD72rs1G4oIYqjUqsoYuXhkYOrhcBkUVhpZjcCdoPS2uoIXvVPfcenErj65xhgofJiW8ii7Ia3sEEx4bRholcbnw+LZGC0NI8bzIpRokx2Oai4nyLvlSYO+dnLgvMhJcaorMQlyNPV9frGUtd2rN1qxK+ZeKG5r4WqE5Exxq8U95AsZ9806A2Y/m+g+ODrhBJRV13spNzS/QRqNGDkVYnweu30nte0fWwXU8TdKaqYP3BTqldrH5NwNbx/35N+8fImvaC8fR3vNnyL7Bac40VzStCUR05omF3m6aKYZ4FXtNkj8g1LFmrzf33sfMA2hdm1C9AyY0+quVADI+xX90+dCusV80NtWphoMqwIiuX+VvX2DRlhmc1pF6LMLuRZpmZVsT+qvn3sNIUWXkuEIOcu0oQTrGyf4JGeC1qvoDQeztVXdh5OPrghF817PP0qF8sIos5E03f7O6D5ctG1T1erzVTlZ7a09fVRgCBcY/fNAHSwJU4c6u7nozjnlJnwSV3jTfkc17my3P03kmap75xA3LT9nzRr8XtWVivdg7oU/jyO+7ny3MgqS95a8TE0HuwG5FzaYBuCzPHRFYWbJgOG6lrvU3Zy343qusLtJ26sNePLZzxPSHXWNKfNQujy/ODmmws/9wBTdYi9lLkrUY7Q2euPtP3O+Xug/3aLCCodr/xwzfeHTevTFO5KU3zGFWCU+0oI92DspFojRXDcz6oAnRNGZhAJccjgkBToZP2R9k50K6q6laeWUllNYy6vpDZc75+cXnV16GRbxnrPApjddlHDhS8cy1kG2lxSKJLYdA1WwoMwmKERUupUjavfTKQX5ZJr2rdTUJXR/hPi0jnLgOX5TLAOO9/+4iYILzKqRVnfpCt/fkMPb24xUXJ6Wt05RwiDixI71nYLwKRucljm+Ccap+WMGZM31iV+wi87lGK13FjvvdPwwemb/aEXI1iyyVV6UbYhUn2uRsL8DiAdrpSVK8kzy33OFt9ZNLoTuh9As/CMPbupfLTD07HeNY047g8D5eR3Dk6T2RRZhPnXcGp+NwrGOPq/Hu6mn9n0ZEC6lMXMG5G5hUZs9K8WnqirLEu5o20lAo6D1i5XuM3MiUOq3yD1Wky9IZd9a10xf4hspsYaY381ApRjN5hUvdTDiu3VgRNasdI8V2toKr9UsjZmtGHWiuKdfTcYG2wqWIpzo0/CjN+MrPDLj6Xt4jlL8bfL/uyVlNgaDH6NGh87O6CxSJ8det3LPH0vQGTnw/n7h3znDEhq1gxzk4diV5Gv1NWksZ0Ogw8sj9FBpy6M+MOS7zh3Mo9pCtCqNaLiqMLuz4iMqfaskTd7DdsWTCR09vIBOBMm+M0zwfKFlgYTDFVIzGnCuKbBVaMQwZPwIPn4u9iiTAQ8Tv72+DORAI+lHPXXOhEGrFfHT1t8jlLqnTpi26dhBmQzKsIbUJ83eHp2UiRoXNzDd/j1AklTvlqkry8r8p9236ImdAopwYzHnAyzGVlOr8b2Zrkk+dm1h5b3OSxAR7jD6mhRcmTZfO8QTldYB8C8p0v6xi+z9a0WvGaKo63UMhlpH9c0dPAjbQfgNXtf00XdRW489Vrw0wFjRlRcGOtbTBs2PTQ6xo1itXx7xAcG9MEsorIorD3KQ0bnTnoiHWSfUsl1yx3/rO6i1xB9WgiVC7J8YHG+3vLfmG81RpJNy8vrBrclpD0dBpZX6+eVtb/IedH+p2O3t5/yLkPwIRvV8nSNc49h4Rid/LXV5focqBQddFI1rXWV5fsxyBiYVdTDbuMakjfxx/mc6vDyr0TEdlc5qkrvgYVd32lw+OCLC4j6tEqfrcEFzKYoPK84wL2pcMugbaJh7Aly5tQzogTr4htNQ7KwCO8/PGUvGbfZZXymaqne199ct1z6kAUJGvcUlJ1vQgu9WtOQ+WtdRemfYkbEzhCgl7xfNch0lRX4jVmHA8DGahxhSOor1xQpUYmLbg7dIyvP17czRsrhW8A5QKwgy35dAPNlrMRiciKbF7l+Ta6f4YVWdQ6oA7cStPjGp3v9VLFh6iYjNjloFdil+lqioIEprvZq67nKq5yZprKurYvmscoNNiurdhwoqQNL+zfpMsSi03B9WRW+dnnC/TU10p8rrjVleeMQwEH5IFd3JZS228+Q98NHQ2iH4W5EXIjdgwhTUkFzSzWu9BHJm0SPIELrp8WelZXub/3pUlv6RKTLfo0aq5xNlf4FEX5fuEdEjOBCszEQuGC7k3HKLGCqb3p+yTsKJdXsCx6L3OXHN22BexknQWQQge0L0gVsIRIZSHt9o17Tzfo10qAKflO5pSjp0ysZ98+R0yS52hu/4/a/8MC861mevZtOL5oSJktOB5Mzo+tQ+1q+GdXCBYFXxfIyW09/Eou9jZqMDIppu6vc49n3QZBU2UZOYjQuogrd3uYfX73O1YUfXQJwN9++/nd728+XHz7rcu5XWOF2ShPbqS6iVmyfPCC/V4v2I2wjTrBsIitRPianbhdSprnABP7XGwTmDALqajQjMQUIB1XUgKMi/hekEB8IBbQbIPZcDjxg70D0Ps8NlB7fWKXqOtqnuhSmHmujYpd+Q712skcYt23NNo7Wtd8pHOSHlvs0g4GG6g0vtikrXvx9S4WxIKNOprqrSZzxB671WA3osA2++U9YaF8dD/B+zsuLPJe//8wXLVVmd3kv5OwWN7x0XtE9iJ5Euao47j78JNygqStnZPt2KVPTZPRXmfZQZ/MZ+B2G3Du4ch03bKaTREPg6KvBWbc0rpu5nLlZcblebe2DTpxWXPQ0GWghcF4VmGdc51ZFfGI/RyTeA3p1r766EwWRSX6nqgBduK4xk0Pxe49vTV/p2GdusFNH6dZPxS3ayzyf5fhqFmLm8GGHSMZHozdcOEd5HSlS0aYjJYlOpUFD9hvsBLDoMNjR12LosxkKmF8/f7dFfrN+VHbpNQwIl8mTSW4/s+36EtF1Ujv1oqLTNF+p860yQ0dh+gWfaiLzoJpXY2WTiI+pF2gMvYYAQu0PMpxdAiqCQTHHgw3jz+gAXOsigSnZcEmcC/gMmIBcgO0yqNNpd2BGbfb1Q7oHJu+VvhQuHMqyKrAKlZZSQN3W+LB+OIHR58wGaRTRYGZraLzAqGLuAVUDeDFElotJQAr538kgFri6JMwXMep6OwFQfeMxX5wfOe2glrVMzrSIsMEBqPELz+xsLWIaLx3AM+X5foncWtW0d93IjJiVJbrqH3XO9At5OMiT3cAvOY4usQQGRVLJiIWRQ5Bp8iNFtki0xtmSHT5IbIFlxuNi/i5K13YwqzTQU8QdSEiYyKlOGGipKqYb6MlvA9gl+QmDfA15il4hZVZqaSRWfyQFEBf/5SBxzE+bJ7sbnK5zPIUxLaA4+e/EZEV+DYzJpbbYBew5WhOEzwKBROJkGYiHdIl1xmf8yx2WHQH9vcJgUfvDN6BHbsXYhd27KreLuyfE8J+lRD2vyaE/T8Twv5LGthGlhzPaQqR0kCPb56JrKg4KN/zbYJ3sgZe3iTQS4qKs2VRptG+rZaJ+TJ2EpKHzFIoJZp+IfF9IyLTLiExwQlqRdJYkxZwGmtSb3VVJphFSkRTVp3EVDXSWNOD3iYQIUYaa5ilgg1mTRLglWC3AgupKUnAhOtXliqJHoX1K1maFcV5AreaLMqM8AQ+bAs4QZAE4Kr51sR3i1rIOgnkssoSxDSIYoYRzBMUEOkML6kg24hZV13YAvPtnzSfp8B7nUEb0CSQXTuYNFi7xNok0OfLcv0qjQ9aZ3Nm/pKk0RjRWdxZcT3ASkYX1TrJNQeolKj4VW7a+fijzdrqAKZm5fz88Z0jDjiofUmAu27y8TrIdWAvGKcpbBidLVIcIlvELM7eBZxCN9AZKyFJMUsi6li5/inXphw0848EWyuSBDZnC5rCjNHgaC5ozqIVjO7CZiINlxQyrzjVRKagtgfOlglkkyz1BpuoM/870EMZ5FEAK7pk2igc3xPSwk6g8SlapiK1SkZrDZ3IVSL56jLzHYsngG4UxUUCRdKVAqVCO51yvVlJpjM3YTY+9C1WOAmD5yOFsDEgr918+9hwmTZYRJ9znGszr1SsYYE1VOpmBaWAWkXHNb4eXdckxwYLkxsW8YddH9tpYB/MJc7z2HeA5bHDqnXroARvESsyoqQsknQlsoATmGmsyNIkR/qORynIXN5Eb89U6vgtS1mpS8UiA+XYMFNFzz7jTNB4LXZaqDrqRJ0GLhTfxndrcem6nmYLLqM/5w3wBCn/1uaNLnUs0AQSx9rQCVCNnpvA5TIJ64plkgtcShVbgBXzapnimhVMkxRiodBJGDbFHAhBDTRXig43ugx3DaBjZ/w5qLHT8cRmE9sCSVJRJt0A6OiWqIyvGUnFlllgHteD4W4EVfHfrDJzQ3mjg406mboF60a8JmGyBIWbfiZObGHgwcaWBmXmHEnR0cVa2w8zsopV5z8ATW9LFj0QUFJVLBUWZtBzNwbkTRLA8Z9e14ns06feFNAIgJVcZliXEQcGdEErHBuqopin0O8UJUAH13U0EfD4RLaQ47Zw7UCWKk+AcXxHpk7gG9bON5wgH0DT2IkAbuBxAuNE0y/xGSDUoDUa1ASmlGbLBIJXl7G9bFqRFPdAkTy6Iq0VCXXFjQDYxBux1YVZ6ehdNddExC6UCE6LfShQ16Qz9vbN0sRnKwc0fkSvmekZG+62jN6ttcrnSfLQK8UTvIWVpirLWeyq9yRjK+rIUAoyGKINLmJ7g9cZE9rgRQLNYM2USaGGr0uRoHWTkaoSMd2sobZogY6ibyoj0YdKoMHSTfZIwmF5nzFnOTpTNGcGnWGV+26GGtq/h9Fxk7MSUmlsQiiAgSH6CPobEMlRqFSnyYdgIh3lLoqSyy0dDBY8SL+FrKI19b4jj1kaOp8RzDtTdElvUYH7jRbaWKxYVv1hIMmR5EzDcIZ6dX/00EAJ6aospTJo2HgUoc0KG8QMKhVdjLHCA9Jy7zOEIkR4b3U0KCAmfGf3kb7QnInUE/k7qNrVunhqZOSSmhVVs/b7eiWrwYuGkKBrqppxREaiEitN0TtqMEwEd3cVNyR4+lYu9YsrV/b6DJ37EV/PkVkFphRBM+AP1I8+BrQFek/N78wIqsPnPGTqJMRbwMju5hbB4m6zmmJFVjMmWBA/mLk7QX/tnviEWRiQDPGC40rArN9lBXNc6ybu4QbuvX7te/aUvh13s6emCbefXzxi7NuDyCLWNN2t8yosiz7SWwO3YsxdMMU06hGB1A6uew8TqgUfmXgJ3XMTjgOH/rmaGqTol4pqs6dp9/HZyvfvle9UBhjL41Z1ErvvkWryTnfdKftwchhBbGzn79ChXb8O7jzm7P/D8w3tYpfntVCAtcO8AVZDvCTee7KwfVzmWFPk0rUbbNDgVjWn5H9xGnxFMwq+wVwq174+SEaEsEaaUhh3hvfPq1JYaEwmGO876DDtlhag9rZMQyoFE9D2IV1SVTCnbkyFdLukG8zB1ozTJUWcrilHWGu2FO7g2nn9YdaHlswnlN+w/h5On59k0rPFrBLsS0X7YxJx+PJ18D2uY+JxU1BqjYbl7kISKQSF3Aq0YWY1JigQClSGNBq7okeVF93btLDkBHnSPFFcLhnBHFkMRkwfwOK02MFSI2MaT0e7crXVYfQ66Wwb2ctqjf3AY86wzlYyuU3gjLjGXINZKu1QIysVuyN4wv0AkLs0Flt40/wgFsIpVrM3XEtriO/ct3MIlqNf/S9m6I3YNv8aQDdgy2thEM5nRBZlZagKi+Ekbny7sXTm2Tf9s4AZizsHwsw/q5ff//AXa/ued46jptg3QbQ9n2ZxI2Z3ddzgLVXoXxufnH7h0QDkwrc+dv1Pep4XLc47XL/3PI5MXj4k2570B6bYdWbo/W8fL+zeqaLOeQL+0pxpomiJBdlardKrZ7yfC4KAQs/Rx3ev0aUwP758ji7fn1/812v06VKYVz+hp5vVFgnKzIoqRFZS+1FpUilKDHzrh1f/+/979iRIEWpWCWVcnx4gU2cFDo/j0Ym5757X/Nrx4mWNVPiK548L6a5sOoD5kQ3j7vzAh/DtKaatdfKZKVNhjt6+eR9E9k8paDpf1nGc8X+koLMwbS26X40IhY0cFp5wBI/xDd5zDkts6AafYEQ6cPcVepPnCvy0jstD6DRPLynKY+OcD42FXJ69u3Kv0mh4rMB6wujHjlPJaar+7UaXVxaVEe+XpeGRkyCi0NCuPU7DWhPL3HStaQVEB12c58x+GfM2YNuZ5R9+5yZkAGsSwgWX/oaf77LAAJU21zqJXnfXJw2j9x7DK6lMI5IHQjeHABscADPbw5JXT0x7tx8mlvVjUm/r3RjhBQ3ZjVN5cT12YPlirSVhVuV0fqOBjoOsXFZYLOmsMZ2IFAu2rBTN0XwLMKnIIWsoLGfKI1sPDIpGR7Tl4KKLBP0OeETdv1vCFd0BoGghDc18Znf8PKP4pM2FznDmUvETgC6NSgN8kYAlFgmqhXmK65Cq/0mZgKg4z2pPXDq1vG/B233M+qt1nQkn0GAvzIoqQQ36uC3pc/SpfsbeggPsR3RVO8AGL8FvY5paPapnAmVixDSukfZ+8ecIcx5UJsr2i5DghhUk5q2psm8gE0YibeAxZwJ9uhwVKAQSZJPJq+gi2wKVZYKxbxawojp2Rq8Fm6DExb2IsVPRwd+eAFs3WiHjVCyjT4oEnK3ykVALHdFAncqDeScAIxCBdIIFwugXqTZY5cM53Qi9WUKyl0LY3vhbyKWbU7OhVIRVz8hdE+8b45YG826oziGDoGU8ZEYMdsiEz3OFtISCGSuW/IiN8BbXHIsp4vh3cFDWCSIdF+Vgg7suyzaSsrYW7BIM2N2XJ3akkhLoQrCO1w/ubhF7rAwjFccKQb9oVCPx9OL29Vu5lItFePo7JZlZ0eTHu4PsR7ugu40dvC8s3hbdN5VZUWF8svgo2rqK2Tnhbgk9bslx1D9pqkYRlpUhclpK+yXHEb6uCKFaj+AMncePa452XOIJ4IWsiruUaosChQkD3KYQTjs40h6OVipBgE+XUth3xcqtkHLY/BANFKXdXa3j9aMbeTcxcl1LoWaAM5o3+/F+mJ4+zATSzFQB+YmguIB6Ee2hrrBGOJelfV3MijKF5Ea0R+YIZ/CtFLIYyauFmRyauRb10yoRVrlnIrfyRyrdEACjXxin6I1HbDYgw12cvaLZmLuTownjzf5Pkq4wSoJrn7UQlwqhPQYIEbPe/QGEcPl6175eIzYlxhNC5zJl9UBg83O6wmsmK9AuiSxKJQs2kqFIp0buQuA5hyKyBTrbjxsT60bsJESyj+GO1omCCOxgGHW4zBEIBtZv8Et9up1Xtr1vo2zXlllWwvTL2WJr9DmUgWfkGLP+TloQvMdLKqhipN4SEAQS/fqpBcys4KkNzXZDHtkZ+WGmjRoPftZ7Oqbt1sn29HL/nrx64dZKuK+gadoY4YYVVFu57rQ9RUs6GkTypxCtKcTBg4DGgw88BnVH1jqmd/fJWOvHu+3ph0xHG3J65615h/GhHQ72BjtuBcIdhMHXu7uXB3enJj07d9Gi7E0dPrlovVSnESAH5HgjQL5edvzx8JHFGm0wzZHdTT6qSSVIzDt2B/kxKTvG3NuAGRulHkrQen7q6JU7lVllBTUreYIoCd7xJCOHhv/a6IFDLyUlk3qd9kR1Pkju/bUWkT18mcgT8l+zn7//Hj19e/7m6hk6Z9owsayYXtEcSuGDuHC5lMn7Au2LhEG27MLh4Y8ZvjiSMaZkYq/ivvpPe6ohDJobAx75aEOf73NdCKT9N3W/Hccf4BSKmWIRapPeZophHqs7XW8jH3DOKu1WQFIhzQrGsXLiyYpNe4cIvOvh8iq455rlU3Ya6WbKf7KMUHsRe30x20uers7ijdh31yGs4SsNO/5f7ySCTwa84B03tFOWkYddmVKlTAwYhGyA1FItsWB/7smqFulY4a7EPoLSXZ4aIfeCqWAtaaKuP7/Y5eC1cC2+XO+inazmXynmZkWwoqhUNJcFEzhYcNcRT1fYMCqMPpgez/GUu32LT7pZ1/qRlokY116dJ1ZwlVgZaIbUbnW/WJ2w2ZEXNneRqAuaU4UNzbNoSWV7+MMKn1/qFZvg2ZWSa5Y3zcP893BZcq+pDhjDN/+xz9quThtWcNpNsnyiXTZL+l5/ZjuyzeDwUMicXDMXPV/1FfeRFnCN0hlzKPh9NU96CzpT50edSuhlYKNORwWNFWukjVRO4ltoBTUYVnsC35rZbz0J775gec7pdFLuHax3VzkXON6O3DtKztXjMabZ7pVfrdNhSGzr6OxzVHJsj8y+z1IhKojalmNefkiFnMCevEMGnWpsy1+lNugdJismRky6HCeSHN/0af1JQKZ/qagVH1Y/ck3O9Ay9zXGJPsM/nH6US+HqTv85fDzRCq+p1Zw4xQp9qajaIuhBqEspNK01qnBxqt1vBr+ZRl76HnjEQlas7gIp3PZdX75xPOstTYBqy0AffHPUu2IKU57SOsz6PF63lt5pYmRtQ//wMo1UJUTQjtXPm5fHRZ5dG6mRGjsPMfMWZvqDwGjDRC43GumSErZgxH7yPFQn6PNkhxfEbs/h2+bcoKfQEZYK0j5DELp81qEWqgS842/pEpMt+qR3G982EdiiX0gbPbvWrjCBwT7y2ndNLUAFatWAyeyLOKB40wcgUP2/U2kK5TxD8u1uO71CPdad16nXgR3DDoOM5n9zxGanyesd26rP8PWu91rWXcDWx7uADnczjcOuCRjsnk2bkOmOYXBC4YYUh4ufoWwg5kjA0Qo32HJOF0x4Xz0IJ+jqV+BypOkgYHdUoVgi3FoHTE/9iy0YG59t6r37XkojvSkbH7YxmKyKiVvgt6sCwdHAOuoeR5IhL3Mm4k0Qi3o37JahqDDt4xkQUt2yHTgW10a7Le8PTO0cYJ327TuAdYlVzVP2z8/brWxWbNBKHdnbYW1Zl/x+p+2Z6DNLXFsLqbbpDvyvusTibwc7xtSI7HZRr9Xz0NNkyfLXFwD9wN5OphINdlX3W9+/q1EuyKgwSpbHiI5cVvOBc+FOPO7XtNY2PVCOADi66o5p7+GZLEosts19hGsH4/SdvbKmyj5DGRMLGVYKsL5JXSN0QH70rMgasw1N2xV98SVVjsAvFedb9J8V5mzBaI7Ooe7ZOQeDqGzoPCNS3rATBd1/p3Pk1m/tZ8zHtPno3WbbcHhZGVC5jxxheviuf2iW8FN2vDva+eRn6OO2dFtvPQeWOO4Exw9P0UUWtZlsD22Lg3NEqCc61La2j8wUrrpGudzFznkWS6lqbz+EmD+8HTnyTq+cyOxU06JMO4doDynsygc99zWaSspEmsguUnYdex6oxCbsmiQiwzpmtL8DWPly+siQK8UjHnMHasRTaYzRrFKxvCEdmJqqDC/j2ZQt6OjP0y7oqOmPu6A91ycQLPTWUAGqVXzjxMKPxs2NordStJcqE1ujcktMUUu4I3M/wrKgXr3w/33mUXjh/8PnNYXc/phTFc7O89s5YfTcbaYbPAePa2fU2mA7uR+IZk0qJhZUqZG463Dfk+yrq/gfJH3QPTsBknVf4kXnGAJXCsLaMumVCiwxGftduLi9ZbuPkEGsun/6Bx0maI0P/GTliqpp/BFWZ/cZT0/PYPTjM3QG64dRo8pM1CxlhM5nVPnhn3QnC3NPc16aNHTcIWTnwO2iT3SnU/Tek2Z/HuuVvH9rlPBpo2v2Z9hbw24SyZTLf1wgQZfSMHeA5QrrkQlQmkzdVqhzlG7x8eGC9qiTTYAaJLj0eKxunF7X34QTUjRbTlFRsdvfqJl6+HF00LKVJkzrKrrSCZAhWSqdt+5hMRTAkCqV1Ac6OJSu9Lywi6NrCE7vk06TZEg0ncF9FPnpNaR27n+MOtLzOCTvLz334DguQrXm2Trli94PqXpHdhCZPLOsh6vobRp1KsDshnqLOlFzg2/acSXdBwlk609IQ7xOKnR5/eYf767QlX2n0G9iZPpKi22iSupjsP24kWFsQQyRFSU3+ign8t2EcNoeZKGhc02/zqZFGKSB+hGErRTco+VSxQZNIU+g5Do8mq4go0YD4GywqSab8NnFco05yx0jBpDoC8LJulrvE4RAsRu61X2xHYnz6wTSyLBXxpQ6YzCDNgloOMoUBCH4EdwmthR15YtUzGwP3CgiiyJpn7g74u3w8A6hcAn+hinK+5ZmbBfLhmORaX2qgbd2ZSfDf/e7rWu0gti6UuOslGyKtOoQwg4DBBgAUmFrAMhKVliIQeOM1O2m/KqAyEjMdqK2zc3D4mce/v72zXv/7r3oLd88KEaqvu8/es82pm+yteRVKgK8qec4Cz/nppmMXY/zrQQzGj11SOhn0K0DCnvribo98AiQDu6GV4mk2VuP6yfBjE8XmO0WHaypgkyBRcURkYLQ0lhD+dqd4Uh7hc0mpfR1hLcGez1C2yJaSmWQtPT99d/fhFJwg2SPzXdSLadPsOwXGOy4WOfYNTsJNor5+8VvV5dX6B2+LZjIm7He4WO1e5s8DXNniOLItvw2Brvbt61GfQqXLEZPz3ZVjtliuoLNUxfh11tOrnbsOMu8VL489116PRZ7MeTTHcqJewXUOy7+29cNN4U5Ih9qkrFvN/hLrAl9ouxGP64arPgmqFu44t7nSFeBFHWs0V+1UVIs/zbnmNxwpg3N//rC/+158ykTC0rCHy2YohvMg4oMnvPObxAWOdISjbClokumjdpay35KYVFis/LN+hscUB+HAZLglJoKTVcI7eq1iFSdLuSNPtlgToXp5KTUePuBjLNmmtqsd/nHcR/DO6cLXHGTwZ14jRaY75Qi72xpN4P/fSc5op4U2Y6Mb8vWjMKLBSMwSGBOqUByDn0jOg29mnPR+B6b6V/sA1sZ3vrGZWyxFonVyUKnbpM0IlEU3qCCao2Xvi8RkVZ+wwCzkCL5Vi7ROSUyHwn7eFjRfVSu53PEBKYewlNKIyjCtC+aXCAmtMHC1GiEbXzDjnrE8+E7FVTF4R4ya90aV+fUjidAK2vbwoTd35kRVOv69A9PQRB0TVW3QUWJlaboHTUYNHVfc9ss9fStXOoXVy6p9tkA/LlPB2vVCow+UCcsHIeLDpojnWToOokL52HR5kIv0yrP/ozf+Xt+ef6DD7i4tm+tdQ09AW4xMYjLpTuvYV8b2B1MsvbcAt/Tu3OH7O/9wc5GOWMA+ihOCXHGAPI4p4weyXraM3n5/85k/5nYVdMcyMOur5z/kQV7XT0a7NapQqUPQ03RlFmxDydbqvv/MMzA9ktXcP8w5HCVM5NBP+rHiN6u4fSIEFtFnKgbFTEmjkMsrcZUS47Hy2k5PWpYbFqyLSjNUxeBjIctum0TXSNJmg/0kIGS8DAroqeHDKAfsCLGqTh9nXl/MG6QfI5cg21GIh8KUPDe5CNTqNU+OtCo0arZv//TdteoPZOC2McBG/nYLdsRcQNN6hKKwy51z+wyLvmlc5/fyqUf6+qrGKCXnDVBFPWCarD1BbulOdIUJu3u/Hh3DT1usNSHMID9YIOlOYQB6HsdytATGN+/dBxjDvZ1D5rcjwYRWyzs4ctf67xSz5G8z5GaiqbzMJdLHWKbjg/p66EvO4bBBj8aJezl1fqnth/gyHXvE3eweyO/VuKuX6Um76v/e8mbuPbJ07gvF5wjrestyxFGS7amonGSfb2KgCXRcf6LtBZI/hiVv68jojHq0JDlNlP0S4Kz7gYP4YBh376Z34XvKXYFF+m592Yb7CqsCR5KkDmtk0c/XQrzwyskFfqFS2x+fLmb5kWkWLBlpcbzW9p9H6PufsX7hjDoYy2bBMt4gp4ZY9kxdTXR1+5gkGqDVZ5Mqds/qd4pJJ939D2MFOV4mJrmWqv6R9Sj7ZthAqfqtsuHVGzJBOb1b3a1lQN0SKV/7UmMuLz6/CpAAhTsJosikKDBaEjlGK9Py6hDxfHY12dFcZ6wvH7HtIOl0OX5Q6KkDt9usBTAHBcrfdRONk6y5H423OTgtooWXBRrupxJzqFv6tcogC31TpBzY3mOaUQc6erxcB1F9a0cjrMYJ/QjtPgKMn8sqmohtakL9+bbwaE1k7gsQM2Kkm/9OdkvQzIzxWSFNMspevo9MitVoZc///wMbbAfJVSvsocSj0J5vQMl/FydZKQgXw1XuKEqtU+h6btqr7IOQkBP8VyuaYcYLFyiU4s3bRTFxej9IV8N25yYVDRnRzVNOESob0KaY+NYYAvETN33B0T6C9cmtEZ6OM7qnwjqRbZUoZfoQhBc6orjplnZveR6CPoDgx+B3MrQKj++RP9mt/sc/fgj+jdEpLL6sus5UA9T+x/c/C/7RabRLlHC7S+EzOmjtXXFhmYEcz7H5CZ96VNOhTT1aDSwKywR65oXME3GptIBcyRvZgQsAw23MQeM3Rx7I5XVrMXWaR32g04zihBSCC1kJXL7wnAYyKChI8Ddkhd3b8QAcoxYoL8Oe8JGI6ew5RLnj+Wd8+ggzf6EYZSKkYDV4U3h7pfBFnbPfS2E7bOPTavRykV9bDP0q9zYoxnanEwgqawxZiS6obQ8QLRH8eJ9JURzgymydcqB5xe15IGxVG4+tYBJ/B27cM0UjEy9PN/1vYuAi6M70x2I4Xbhr/rlOVJWWmtwqAxni4xO/28okaye+eSU2J1HMpIvlyQUNBT8bfOrD9ANv5nRTBTFfhDQiKC0/6sDMV9B4MWvlOmSs9TdSx6tOa9ZqkLYB6ZIH9c06q78DrfOvgH1RCDPdbXV4p+Q/x4RRideBuOCJonRwwggqdDV2Zsrr/sSLCx5WFFK1dd4ETyRX10aRPU43B+f3FMFhnho1C0amvJV+5PWYHd6DljmM/Ty51doA3QvKBYIcx72FdTVzwvU+o/QhirqwGKDOMXaICl65SK7RDy5mvh1EzFwV1OEbT3tfpcqB8JBVhMlKyG5XG77gbgFUwMtFqGfEVlhhYlxRKTQvshi4Sa4o0r4nB6+4zMfraiNXdDtAvUpgwj7pi1Yi6KwSqYUdRhB4c2oTAPJ2lMrMQGN1cUohPc5SEIqVUPUBoscqxwJqQrM2Z+h/F6piiB9cp/lcDSJ7jYLbw+RWqwbZF5wtqCw44CBrymRIh9RsNvjzrSZoKF9aENMEFmUnJogA4w6UTEo8OONprXBypyIka/t2kF2HmPlXc4cZb9CiuidkPNBgsSDmx6I/ESEvxB5CrJbkH9KcaLuOfXqtYrp0ms/9ik8EFHJbvQbBMO4/Qhy3w63xi7flwcWON+HMtu2Pwr84SAVJVLlNE/3DvokG/9M6WbFWseoM22aL3bj68PXSsliBlArKMrXhAqsmHRqfVFxw74zjCqEy5LX1S9tL5sCC7wMleYixCG8U9uLDimHq0bMPNFIboSLjBlclH3PoMe4npo0vH1GI7Ji1rqROdUz9K7SBsykLlDXPWskLxcbeuQh7RVgi4XFe02n0ITgkOsFHe3c0DRBHENgq1rnbM1yq9kAP4QF2XUtyD72iBfe5G3J1GQ7bM/TxYJuLScyw7dus9oKPauvWaSAQff7RiMe+oFu37U8mw2WbLurVbElUBF9FGdD/9hXBTTILxWtJmMly92Oi1r5uMEw9rTqNuDqolkCcrFGPTREjagU7BA0gUxbFibB67ssUuBaZglQLbMU2nMZUxTtAo016qOFmkBX6rwipzEhe+Zj8I0ZPJf3enOOFZuH5NoxwYL2geh1Q4jtCMJkoMTHUKx1xU/UNF9WhsiCvnA4NMaLH+Ay4BAsPAl2DMgRBqFrqphJ3Rp0rPu0X90XAY6NJu25fCYe3OZe6abSxUKDuJMbdd8aPmHt1gVzxnqqeF05fTZT4AAaFyPLB5Nhm0mwQbxDU2QSHsLnXSu9awlKhX679qmxTNcJAX2/Gqxfn9BYlaQupWYRBcedeAvMaZG33YWbuzvahafiJkvXuuieokhUBVWM3FcWBfc20eTnO1SyNTfDiSV3vwdbW1ORw5zkg3JLzv84QfeaOrQrh9Npu4ilrwUfkBvmAe9FzEn6lL3qvhmdBOvFjPdyrXCTWyykQbiZpBZOoOVymdWJKicR6jUj3luoT9EzZUf2/R3SraBr9bDtd6P4S87IdoppOyNy4QoQ8M21Bd+OyOWKp8ybDhPwQ+Wb/4fFqRSG3qbWWBuELttRAXV1VZ5r+3/wqGJeIxRqAHPgcSYrLJY0E3STWhaMBS7pphPqByXEGMXmlaEdCTHM0dcOdautd5+/kaHEJY4m7BrK8cGEjkluDhiC/fwih0xXfwsYt1ABZglWNxzUbc6XWlM1Q9fUHUqlqZrhJYVW3j7TfSFVjcMAdg3G6e0Efo/c7zt9K6RCcyU39rP6r6Se42jNrtF+0pf5FVYmtpuuARzbo+LvlBxUh051pyTP2xmkia6ULKkPKKZ6i98IhDlVpskuUu2i/m8uvOXFR6cJACQhBRTmHAkpvlO0pGDJ7Mt+mGIuym4f/dA0FKfHvWAuwlaHfwY780M1WlmPzmHBOVSbCCTFd0tp/3vPSwBKShZQHBPuG3eCgS8AAYukXCCYMM+onqHrVqb0Bxt0K6vSYHzmyvkqbY0YVzLqkm1yL36baSaEV9rUDOn/MTgm+AnT9iR9TbT3b1jFFz4dV4Em137cDQtb9K4tUzql7Mkhw8tieQ5YIKy1JAz8pfY0gvYkHNhbdkNfdwYZwuDC56hUMBPlOaKGPAkryljhWAOrDwSxYClqqNKoxBq6eGlo5OCnScuisFJM7gTth6U11JC96p57D06l8XXOMMHD5MQ3kUVZDe9ggmPDaMNELjc+n9ZPm3zeZFKMEmOwzUXF+RZ9qTB3zs9cFpj5Qbyw73ohLkeerq7XM9EA+8FoOCZuaO5rgepEdKzBO+UNFPvJNw1qM5bvOzg+6AqRVNR1Jzs5t0QfgRq9365Phddvpfe8outhu54m6ExVwfqDnVK7WP2anTF5+zXtHyNr2gvG09/xZsu/wGrNNVY0rwhFdeSIht1tbqZ+FnhNkz0i1ztj/PvvY+cBtC/MqF+Akht9VMuBGB5jv7p96FZYr5obatXCQJVhRVYu87eusWnKDM9qSL0WYXYjzTIzrYj9VfPvYaUpsvJcIAY5d5UgnGJl/wSN8FrUfAFhPfm1Luw8HH1wwq8a9nl61C8WkcW8Gd+72HmwfNmousfrtWaq0lN7+rraCCAw7vGbJkAauBJnbnXXk3HcU+osuOkG1zov8+W5H8GNnvrGDfVsSlf0a3F7FtarnQP6VAP+vfv58rw737URE0PvwW5EzqUBui3MHBNZWbBhOmykrvU2ZS/73aiuL9B26sJeP7ZwxvfE447PmoXR5flBTTaWf+6AJmsReynyVqOdoTNXn+n7nXL3wX5tFhBUu9/44RvvjptXpqnclKZ5jCrBqXaUke5B2Ui0xorhOR9UAbqmDEygkuMRQaCp0En7o+wcaFdVdSvPrKSyGkZdX8jsOV+/uLzq69DIt4x1HoWxuuwjBwreuRayjbQ4JNGlMOiaLQUGYTHCoqVUKZvXPhnIL8ukV7XuJqGrI/ynRaRzl4HLchlgnPe/fURMEF7l1IozP8jW/nyGnl7c4qLk9DW6cg4RBxak9yzsF4HI3OSxTXBOtU9LGDOmb6zKfQRe9yjF67gx3/un4QPTN3tCrkax5ZKqdCPswiT73I0FeBxAO10pqleS55Z7nK0+Mml0J/Q+gWdhGHv3UvnpB6djPGuacVyeh8tI7hydJ7Ios4nzruBUfO4VjHF1/j1dzb+z6EgB9akLGDcj84qMWWleLT1R1lgX80ZaSgWdB6xcr/EbmRKHVb7B6jQZesOu+la6Yv8Q2U2MtEZ+aoUoRu8wqfsph5VbK4ImtWOk+K5WUNV+KeRszehDrRXFOnpusDbYVLEU58YfhRk/mdlhF5/LW8TyF+Pvl31ZqykwtBh9GjQ+dnfBYhG+uvU7lnj63oDJz4dz9455zpiQVawYZ6eORC+j3ykrSWM6HQYe2Z8iA07dmXGHJd5wbuUe0hUhVOtFxdGFXR8RmVNtWaJu9hu2LJjI6W1kAnCmzXGa5wNlCywMppiqkZhTBfHNAivGIYMn4MFz8XexRBiI+J39bXBnIgEfyrlrLnQijdivjp42+ZwlVbr0RbdOwgxI5lWENiG+7vD0bKTI0Lm5hu9x6oQSp3w1SV7eV+W+bT/ETGiUU4MZDzgZ5rIynd+NbE3yyXMza48tbvLYAI/xh9TQouTJsnneoJwusA8B+c6XdQzfZ2tarXhNFcdbKOQy0j+u6GngRtoPwOr2v6aLugrc+eq1YaaCxowouLHWNhg2bHrodY0axer4dwiOjWkCWUVkUdj7lIaNzhx0xDrJvqWSa5Y7/1ndRa6gejQRKpfk+EDj/b1lvzDeao2km5cXVg1uS0h6Oo2sr1dPK+v/kPMj/U5Hb+8/5NwHYMK3q2TpGueeQ0KxO/nrq0t0OVCoumgk61rrq0v2YxCxsKuphl1GNaTv4w/zudVh5d6JiGwu89QVX4OKu77S4XFBFpcR9WgVv1uCCxlMUHnecQH70mGXQNvEQ9iS5U0oZ8SJV8S2Ggdl4BFe/nhKXrPvskr5TNXTva8+ue45dSAKkjVuKam6XgSX+jWnofLWugvTvsSNCRwhQa94vusQaaor8RozjoeBDNS4whHUVy6oUiOTFtwdOsbXHy/u5o2VwjeAcgHYwZZ8uoFmy9mIRGRFNq/yfBvdP8OKLGodUAdupelxjc73eqniQ1RMRuxy0Cuxy3Q1RUEC093sVddzFVc5M01lXdsXzWMUGmzXVmw4UdKGF/Zv0mWJxabgejKr/OzzBXrqayU+V9zqynPGoYAD8sAubkup7Tefoe+GjgbRj8LcCLkRO4aQpqSCZhbrXegjkzYJnsAF108LPaur3N/70qS3dInJFn0aNdc4myt8iqJ8v/AOiZlABWZioXBB96ZjlFjB1N70fRJ2lMsrWBa9l7lLjm7bAnayzgJIoQPaF6QKWEKkspB2+8a9pxv0ayXAlHwnc8rRUybWs2+fIybJczS3/0ft/2GB+VYzPfs2HF80pMwWHA8m58fWoXY1/LMrBIuCrwvk5LYefiUXexs1GJkUU/fXucezboOgqbKMHERoXcSVuz3MPr/7HSuKProE4G+//fzu9zcfLr791uXcrrHCbJQnN1LdxCxZPnjBfq8X7EbYRp1gWMRWInzNTtwuJc1zgIl9LrYJTJiFVFRoRmIKkI4rKQHGRXwvSCA+EAtotsFsOJz4wd4B6H0eG6i9PrFL1HU1T3QpzDzXRsWufId67WQOse5bGu0drWs+0jlJjy12aQeDDVQaX2zS1r34ehcLYsFGHU31VpM5Yo/darAbUWCb/fKesFA+up/g/R0XFnmv/38YrtqqzG7y30lYLO/46D0ie5E8CXPUcdx9+Ek5QdLWzsl27NKnpslor7PsoE/mM3C7DTj3cGS6blnNpoiHQdHXAjNuaV03c7nyMuPyvFvbBp24rDlo6DLQwmA8q7DOuc6sinjEfo5JvIZ0a199dCaLohJ9T9QAO3Fc46aHYvee3pq/07BO3eCmj9OsH4rbNRb5v8tw1KzFzWDDjpEMD8ZuuPAOcrrSJSNMRssSncqCB+w3WIlh0OGxo65FUWYylTC+fv/uCv3m/KhtUmoYkS+TphJc/+db9KWiaqR3a8VFpmi/U2fa5IaOQ3SLPtRFZ8G0rkZLJxEf0i5QGXuMgAVaHuU4OgTVBIJjD4abxx/QgDlWRYLTsmATuBdwGbEAuQFa5dGm0u7AjNvtagd0jk1fK3wo3DkVZFVgFauspIG7LfFgfPGDo0+YDNKposDMVtF5gdBF3AKqBvBiCa2WEoCV8z8SQC1x9EkYruNUdPaCoHvGYj84vnNbQa3qGR1pkWECg1Hil59Y2FpENN47gOfLcv2TuDWr6O87ERkxKst11L7rHegW8nGRpzsAXnMcXWKIjIolExGLIoegU+RGi2yR6Q0zJLr8ENmCy43GRfzclS5sYdbpoCeIuhCRMZFSnDBRUlXMt9ES3gewS3KTBvga8xS8wsqsVNLILH5ICqCvf8rA4xgfNk92N7lcZnkKYlvA8fPfiMgKfJsZE8ttsAvYcjSnCR6FgolESDORDumS64zPeRY7LLoD+/uEwKN3Bu/Ajt0LsQs7dlVvF/bPCWG/Sgj7XxPC/p8JYf8lDWwjS47nNIVIaaDHN89EVlQclO/5NsE7WQMvbxLoJUXF2bIo02jfVsvEfBk7CclDZimUEk2/kPi+EZFpl5CY4AS1ImmsSQs4jTWpt7oqE8wiJaIpq05iqhpprOlBbxOIECONNcxSwQazJgnwSrBbgYXUlCRgwvUrS5VEj8L6lSzNiuI8gVtNFmVGeAIftgWcIEgCcNV8a+K7RS1knQRyWWUJYhpEMcMI5gkKiHSGl1SQbcSsqy5sgfn2T5rPU+C9zqANaBLIrh1MGqxdYm0S6PNluX6Vxgetszkzf0nSaIzoLO6suB5gJaOLap3kmgNUSlT8KjftfPzRZm11AFOzcn7++M4RBxzUviTAXTf5eB3kOrAXjNMUNozOFikOkS1iFmfvAk6hG+iMlZCkmCURdaxc/5RrUw6a+UeCrRVJApuzBU1hxmhwNBc0Z9EKRndhM5GGSwqZV5xqIlNQ2wNnywSySZZ6g03Umf8d6KEM8iiAFV0ybRSO7wlpYSfQ+BQtU5FaJaO1hk7kKpF8dZn5jsUTQDeK4iKBIulKgVKhnU653qwk05mbMBsf+hYrnITB85FC2BiQ126+fWy4TBssos85zrWZVyrWsMAaKnWzglJAraLjGl+PrmuSY4OFyQ2L+MOuj+00sA/mEud57DvA8thh1bp1UIK3iBUZUVIWSboSWcAJzDRWZGmSI33HoxRkLm+it2cqdfyWpazUpWKRgXJsmKmiZ59xJmi8FjstVB11ok4DF4pv47u1uHRdT7MFl9Gf8wZ4gpR/a/NGlzoWaAKJY23oBKhGz03gcpmEdcUyyQUupYotwIp5tUxxzQqmSQqxUOgkDJtiDoSgBporRYcbXYa7BtCxM/4c1NjpeGKziW2BJKkok24AdHRLVMbXjKRiyywwj+vBcDeCqvhvVpm5obzRwUadTN2CdSNekzBZgsJNPxMntjDwYGNLgzJzjqTo6GKt7YcZWcWq8x+Aprclix4IKKkqlgoLM+i5GwPyJgng+E+v60T26VNvCmgEwEouM6zLiAMDuqAVjg1VUcxT6HeKEqCD6zqaCHh8IlvIcVu4diBLlSfAOL4jUyfwDWvnG06QD6Bp7EQAN/A4gXGi6Zf4DBBq0BoNagJTSrNlAsGry9heNq1IinugSB5dkdaKhLriRgBs4o3Y6sKsdPSummsiYhdKBKfFPhSoa9IZe/tmaeKzlQMaP6LXzPSMDXdbRu/WWuXzJHnoleIJ3sJKU5XlLHbVe5KxFXVkKAUZDNEGF7G9weuMCW3wIoFmsGbKpFDD16VI0LrJSFWJmG7WUFu0QEfRN5WR6EMl0GDpJnsk4bC8z5izHJ0pmjODzrDKfTdDDe3fw+i4yVkJqTQ2IRTAwBB9BP0NiOQoVKrT5EMwkY5yF0XJ5ZYOBgsepN9CVtGaet+RxywNnc8I5p0puqS3qMD9RgttLFYsq/4wkORIcqZhOEO9uj96aKCEdFWWUhk0bDyK0GaFDWIGlYouxljhAWm59xlCESK8tzoaFBATvrP7SF9ozkTqifwdVO1qXTw1MnJJzYqqWft9vZLV4EVDSNA1Vc04IiNRiZWm6B01GCaCu7uKGxI8fSuX+sWVK3t9hs79iK/nyKwCU4qgGfAH6kcfA9oCvafmd2YE1eFzHjJ1EuItYGR3c4tgcbdZTbEiqxkTLIgfzNydoL92T3zCLAxIhnjBcSVg1u+ygjmudRP3cAP3Xr/2PXtK34672VPThNvPLx4x9u1BZBFrmu7WeRWWRR/prYFbMeYumGIa9YhAagfXvYcJ1YKPTLyE7rkJx4FD/1xNDVL0S0W12dO0+/hs5fv3yncqA4zlcas6id33SDV5p7vulH04OYwgNrbzd+jQrl8Hdx5z9v/h+YZ2scvzWijA2mHeAKshXhLvPVnYPi5zrCly6doNNmhwq5pT8r84Db6iGQXfYC6Va18fJCNCWCNNKYw7w/vnVSksNCYTjPcddJh2SwtQe1umIZWCCWj7kC6pKphTN6ZCul3SDeZga8bpkiJO15QjrDVbCndw7bz+MOtDS+YTym9Yfw+nz08y6dliVgn2paL9MYk4fPk6+B7XMfG4KSi1RsNydyGJFIJCbgXaMLMaExQIBSpDGo1d0aPKi+5tWlhygjxpnigul4xgjiwGI6YPYHFa7GCpkTGNp6NdudrqMHqddLaN7GW1xn7gMWdYZyuZ3CZwRlxjrsEslXaokZWK3RE84X4AyF0aiy28aX4QC+EUq9kbrqU1xHfu2zkEy9Gv/hcz9EZsm38NoBuw5bUwCOczIouyMlSFxXASN77dWDrz7Jv+WcCMxZ0DYeaf1cvvf/iLtX3PO8dRU+ybINqeT7O4EbO7Om7wlir0r41PTr/waABy4Vsfu/4nPc+LFucdrt97HkcmLx+SbU/6A1PsOjP0/rePF3bvVFHnPAF/ac40UbTEgmytVunVM97PBUFAoefo47vX6FKYH18+R5fvzy/+6zX6dCnMq5/Q081qiwRlZkUVIiup/ag0qRQlBr71w6v//f89exKkCDWrhDKuTw+QqbMCh8fx6MTcd89rfu148bJGKnzF88eFdFc2HcD8yIZxd37gQ/j2FNPWOvnMlKkwR2/fvA8i+6cUNJ0v6zjO+D9S0FmYthbdr0aEwkYOC084gsf4Bu85hyU2dINPMCIduPsKvclzBX5ax+UhdJqnlxTlsXHOh8ZCLs/eXblXaTQ8VmA9YfRjx6nkNFX/dqPLK4vKiPfL0vDISRBRaGjXHqdhrYllbrrWtAKigy7Oc2a/jHkbsO3M8g+/cxMygDUJ4YJLf8PPd1lggEqba51Er7vrk4bRe4/hlVSmEckDoZtDgA0OgJntYcmrJ6a92w8Ty/oxqbf1bozwgobsxqm8uB47sHyx1pIwq3I6v9FAx0FWLisslnTWmE5EigVbVormaL4FmFTkkDUUljPlka0HBkWjI9pycNFFgn4HPKLu3y3hiu4AULSQhmY+szt+nlF80uZCZzhzqfgJQJdGpQG+SMASiwTVwjzFdUjV/6RMQFScZ7UnLp1a3rfg7T5m/dW6zoQTaLAXZkWVoAZ93Jb0OfpUP2NvwQH2I7qqHWCDl+C3MU2tHtUzgTIxYhrXSHu/+HOEOQ8qE2X7RUhwwwoS89ZU2TeQCSORNvCYM4E+XY4KFAIJssnkVXSRbYHKMsHYNwtYUR07o9eCTVDi4l7E2Kno4G9PgK0brZBxKpbRJ0UCzlb5SKiFjmigTuXBvBOAEYhAOsECYfSLVBus8uGcboTeLCHZSyFsb/wt5NLNqdlQKsKqZ+SuifeNcUuDeTdU55BB0DIeMiMGO2TC57lCWkLBjBVLfsRGeItrjsUUcfw7OCjrBJGOi3KwwV2XZRtJWVsLdgkG7O7LEztSSQl0IVjH6wd3t4g9VoaRimOFoF80qpF4enH7+q1cysUiPP2dksysaPLj3UH2o13Q3cYO3hcWb4vum8qsqDA+WXwUbV3F7Jxwt4Qet+Q46p80VaMIy8oQOS2l/ZLjCF9XhFCtR3CGzuPHNUc7LvEE8EJWxV1KtUWBwoQBblMIpx0caQ9HK5UgwKdLKey7YuVWSDlsfogGitLurtbx+tGNvJsYua6lUDPAGc2b/Xg/TE8fZgJpZqqA/ERQXEC9iPZQV1gjnMvSvi5mRZlCciPaI3OEM/hWClmM5NXCTA7NXIv6aZUIq9wzkVv5I5VuCIDRL4xT9MYjNhuQ4S7OXtFszN3J0YTxZv8nSVcYJcG1z1qIS4XQHgOEiFnv/gBCuHy9a1+vEZsS4wmhc5myeiCw+Tld4TWTFWiXRBalkgUbyVCkUyN3IfCcQxHZAp3tx42JdSN2EiLZx3BH60RBBHYwjDpc5ggEA+s3+KU+3c4r2963UbZryywrYfrlbLE1+hzKwDNyjFl/Jy0I3uMlFVQxUm8JCAKJfv3UAmZW8NSGZrshj+yM/DDTRo0HP+s9HdN262R7erl/T169cGsl3FfQNG2McMMKqq1cd9qeoiUdDSL5U4jWFOLgQUDjwQceg7ojax3Tu/tkrPXj3fb0Q6ajDTm989a8w/jQDgd7gx23AuEOwuDr3d3Lg7tTk56du2hR9qYOn1y0XqrTCJADcrwRIF8vO/54+MhijTaY5sjuJh/VpBIk5h27g/yYlB1j7m3AjI1SDyVoPT919MqdyqyygpqVPEGUBO94kpFDw39t9MChl5KSSb1Oe6I6HyT3/lqLyB6+TOQJ+a/Zz99/j56+PX9z9QydM22YWFZMr2gOpfBBXLhcyuR9gfZFwiBbduHw8McMXxzJGFMysVdxX/2nPdUQBs2NAY98tKHP97kuBNL+m7rfjuMPcArFTLEItUlvM8Uwj9WdrreRDzhnlXYrIKmQZgXjWDnxZMWmvUME3vVweRXcc83yKTuNdDPlP1lGqL2Ivb6Y7SVPV2fxRuy76xDW8JWGHf+vdxLBJwNe8I4b2inLyMOuTKlSJgYMQjZAaqmWWLA/92RVi3SscFdiH0HpLk+NkHvBVLCWNFHXn1/scvBauBZfrnfRTlbzrxRzsyJYUVQqmsuCCRwsuOuIpytsGBVGH0yP53jK3b7FJ92sa/1Iy0SMa6/OEyu4SqwMNENqt7pfrE7Y7MgLm7tI1AXNqcKG5lm0pLI9/GGFzy/1ik3w7ErJNcub5mH+e7gsuddUB4zhm//YZ21Xpw0rOO0mWT7RLpslfa8/sx3ZZnB4KGROrpmLnq/6ivtIC7hG6Yw5FPy+mie9BZ2p86NOJfQysFGno4LGijXSRion8S20ghoMqz2Bb83st56Ed1+wPOd0Oin3Dta7q5wLHG9H7h0l5+rxGNNs98qv1ukwJLZ1dPY5Kjm2R2bfZ6kQFURtyzEvP6RCTmBP3iGDTjW25a9SG/QOkxUTIyZdjhNJjm/6tP4kINO/VNSKD6sfuSZneobe5rhEn+EfTj/KpXB1p/8cPp5ohdfUak6cYoW+VFRtEfQg1KUUmtYaVbg41e43g99MIy99DzxiIStWd4EUbvuuL984nvWWJkC1ZaAPvjnqXTGFKU9pHWZ9Hq9bS+80MbK2oX94mUaqEiJox+rnzcvjIs+ujdRIjZ2HmHkLM/1BYLRhIpcbjXRJCVswYj95HqoT9Hmywwtit+fwbXNu0FPoCEsFaZ8hCF0+61ALVQLe8bd0ickWfdK7jW+bCGzRL6SNnl1rV5jAYB957bumFqACtWrAZPZFHFC86QMQqP7fqTSFcp4h+Xa3nV6hHuvO69TrwI5hh0FG8785YrPT5PWObdVn+HrXey3rLmDr411Ah7uZxmHXBAx2z6ZNyHTHMDihcEOKw8XPUDYQcyTgaIUbbDmnCya8rx6EE3T1K3A50nQQsDuqUCwRbq0Dpqf+xRaMjc829d59L6WR3pSND9sYTFbFxC3w21WB4GhgHXWPI8mQlzkT8SaIRb0bdstQVJj28QwIqW7ZDhyLa6PdlvcHpnYOsE779h3AusSq5in75+ftVjYrNmiljuztsLasS36/0/ZM9Jklrq2FVNt0B/5XXWLxt4MdY2pEdruo1+p56GmyZPnrC4B+YG8nU4kGu6r7re/f1SgXZFQYJctjREcuq/nAuXAnHvdrWmubHihHABxddce09/BMFiUW2+Y+wrWDcfrOXllTZZ+hjImFDCsFWN+krhE6ID96VmSN2Yam7Yq++JIqR+CXivMt+s8Kc7ZgNEfnUPfsnINBVDZ0nhEpb9iJgu6/0zly67f2M+Zj2nz0brNtOLysDKjcR44wPXzXPzRL+Ck73h3tfPIz9HFbuq23ngNLHHeC44en6CKL2ky2h7bFwTki1BMdalvbR2YKV12jXO5i5zyLpVS1tx9CzB/ejhx5p1dOZHaqaVGmnUO0hxR25YOe+xpNJWUiTWQXKbuOPQ9UYhN2TRKRYR0z2t8BrHw5fWTIleIRj7kDNeKpNMZoVqlY3pAOTE1VhpfxbMoWdPTnaRd01PTHXdCe6xMIFnprqADVKr5xYuFH4+ZG0Vsp2kuVia1RuSWmqCXckbkfYVlQr174/z7zKLzw/+HzmkJuf8ypCmfn+e2cMHruNtMNnoPHtTNqbbCd3A9EsyYVEwuq1EjcdbjvSfbVVfwPkj7onp0Aybov8aJzDIErBWFtmfRKBZaYjP0uXNzest1HyCBW3T/9gw4TtMYHfrJyRdU0/girs/uMp6dnMPrxGTqD9cOoUWUmapYyQuczqvzwT7qThbmnOS9NGjruELJz4HbRJ7rTKXrvSbM/j/VK3r81Svi00TX7M+ytYTeJZMrlPy6QoEtpmDvAcoX1yAQoTaZuK9Q5Srf4+HBBe9TJJkANElx6PFY3Tq/rb8IJKZotp6io2O1v1Ew9/Dg6aNlKE6Z1FV3pBMiQLJXOW/ewGApgSJVK6gMdHEpXel7YxdE1BKf3SadJMiSazuA+ivz0GlI79z9GHel5HJL3l557cBwXoVrzbJ3yRe+HVL0jO4hMnlnWw1X0No06FWB2Q71Fnai5wTftuJLugwSy9SekIV4nFbq8fvOPd1foyr5T6DcxMn2lxTZRJfUx2H7cyDC2IIbIipIbfZQT+W5COG0PstDQuaZfZ9MiDNJA/QjCVgru0XKpYoOmkCdQch0eTVeQUaMBcDbYVJNN+Oxiucac5Y4RA0j0BeFkXa33CUKg2A3d6r7YjsT5dQJpZNgrY0qdMZhBmwQ0HGUKghD8CG4TW4q68kUqZrYHbhSRRZG0T9wd8XZ4eIdQuAR/wxTlfUsztotlw7HItD7VwFu7spPhv/vd1jVaQWxdqXFWSjZFWnUIYYcBAgwAqbA1AGQlKyzEoHFG6nZTflVAZCRmO1Hb5uZh8TMPf3/75r1/9170lm8eFCNV3/cfvWcb0zfZWvIqFQHe1HOchZ9z00zGrsf5VoIZjZ46JPQz6NYBhb31RN0eeARIB3fDq0TS7K3H9ZNgxqcLzHaLDtZUQabAouKISEFoaayhfO3OcKS9wmaTUvo6wluDvR6hbREtpTJIWvr++u9vQim4QbLH5jupltMnWPYLDHZcrHPsmp0EG8X8/eK3q8sr9A7fFkzkzVjv8LHavU2ehrkzRHFkW34bg93t21ajPoVLFqOnZ7sqx2wxXcHmqYvw6y0nVzt2nGVeKl+e+y69Hou9GPLpDuXEvQLqHRf/7euGm8IckQ81ydi3G/wl1oQ+UXajH1cNVnwT1C1cce9zpKtAijrW6K/aKCmWf5tzTG4404bmf33h//a8+ZSJBSXhjxZM0Q3mQUUGz3nnNwiLHGmJRthS0SXTRm2tZT+lsCixWflm/Q0OqI/DAElwSk2FpiuEdvVaRKpOF/JGn2wwp8Ko7b/8/wEAAP//sMlYiA==" + return "eJzsvW2TGzeSIPx9fwUefzhJDrlly7b2Rjc7F9ru9rh3JLlXLckbFxNRAaJAEm4UUAJQZNO//gkkUMV6QZFsEqhu7d18mLCaZCKRSCTyPb9Dt3TzGv1RCVZS9S8IGWY4fY3+w/0B/cen97/d/AtCOdVEsdIwKV6jv/0LQqj+DZozynN99i/I/9dr+NT+7zskcEFfI0HNWqrbMyYMVXNM6Jn9e/M1hOSKqrVihr5GRlXtT8ympK8tjmup8tbfczrHFTcZLPkazTHXtPPxAN36f+9xQZGcI7OkNWKoQQytl1RR+MwoPJ8zgpZYoxmlAsmZpmpF87PB/pTG99jMQsmqPHwrfaJulwWsBead7Y2vPrZ+aIntIoVedP6+e4XxAxucyscl0/Z7iGlUaZojIxHBpak8/RVeo4JqjRf239ggIguq7aal/bwHGqG3coEuKJE5sHFgIw4W6yN17HZquHRFhcns1iID9ggnpr4nuQaaEykMFUbb+8GENliYGg0dxNGw4hgEc2z6HwyxYw4nuwTCBq2XjCwRRppqzaRAS2Y0wug9Nb8zI6jW9emfDVij2axeyornSNAVVWhGG74rsdIUvaMGW9QwmitZtJZ6+lYu9ItrTG6p0c8G4C+YosTwzXNkPN4YfaBOWDgOFy00z4KE5HRF+RGU5FL072eHkhe0VJRg4zHJ6ZwJmiMpOKBl8IxTVOAyjFWhF1m0C7PjjN/5e3518QNaYV75G89yKgybM8+d9A4Tg7hcuPNSg4OA3TEL3nMLfM8eR4mVYaTiWMHv/cGejXLGAPRRnBLijAHkcU4ZPZLVtGfy8v+dye4zsaumOZDTrq+c/ZHBRvrH8miwW+FjhF5y1BTVslIk0dt7OtlS3f/TMNMGG1pQYR4jcrjKmckIx707/EjQo8KozWNEbGl1qseIGBPHIZZWY6olx+PltJziY6RHWrLNKc1j2lAjek3Izmx9sXYLWGwGeshASTjNiujpIQPoe6yIcSr2XCsTUVG0vCpB8jlyDbYZiXwoQMF7k49MoVZXgn2p6FaNVs3+/Z82XaP2XApiHwds5GO3bEfEzYqlFYdt6p7bZdicEdy+z2/lAl2uqDDoBoQzqkROlTVBFPWCarD1ObujOdLUWCCdH3fX0OMGS30IA9gnGyzNIQxA3+tQhp7A+P6l4xhzsK970OR+NFhKnUhfbfPlr1KbtojkfY7UVORMLOoPdYhtWj6kr4e+7BgGG/xolLBX16ufEM5zZWXl2HXvE3eweyO/VuKuXqUm76v/e8lrqZVeNvTlgnOktb1lOcJowVZUNE6yr1cRsCQ6zn+R1gLJH6Py93VENEYdGrLcZIp+SXDW7eAhHDDse7YBKl+6pdE1XKTn3pttMPq4KSkieChBZhRRZpZUoU9XwvzwCkmFfuESmx9fohnWwEV1gGzOFpUC1W/Pvo9Rd7/ifUMYNJ3xGcG/YH+9kKncbLus43rlr97BINUaqzyZUteSaK1ttyl5df25o+9hpCjH/SNFSG+0oYV/RD3aFtqSOk7Vjnj231KxBROY17/pait76JBK/9qRGHF1/flVgAQe/QElTidBg9GQyjFeny2jDhXHY1+fJcU5VZPErn+FpdDVxSlRUodvO1gKYI6LlT5qJxsnWXI/G64VrautogUXxZou55JzSoxUX6MAttR7gJwby3NMI+JIR3OLaUdRfSv7agvaQehHaPEVZPZYVNVCakh2K6RAs83g0BBS9EtFtbEANStKvvHnZL9sBT2imCyRZjlFT79HZqkq9PLnn5+hNdZIUyqaVXZQ4lEorwdQQpdSaJqOFOSr4QoiK2Ean0JVzJzQs1dZByGgp3gmV7RFDCaCmZW1eNNGUVyM3h/y1bDNA5OK5qzq62kxCPVNSHNsHAtsjpj5Z/Xy+x/+op1If1GCAK2R/udgN/+09uBbvKEKvUSXguBSV9xFVqxJeS+5HoJ+YvAjkFsZWuXHl+jf7Hafox9/RP+GiFRWX4Zd+EWfo//Bzf+yX2QadYnyTfAIhczpo7V1xZpmBHM+w+Q2rQbskBPSwLXBxtkVlohU5KVkwoBpYmg4wRmYI6NKyUT5aVt9UJeUMMwBY8BUG6msZi02TuuwH6wwZ7ljjBBSCM1lJXL7wnAKyDOx8MrR3uTF7o0YQI4RC/TXYUfYaOQUNlzi/LG8cx4dpNmfFBXUKEYCVoc3hdtfBlvYPfe1ELbPPjZbjVbO62M7Q7/KtT2aoc3JBJLKGmNGoltKyz1EexQv3ldCNCUJ1TpbsTzLU0VdL2vJs6CCKmzgkueWgi27cMWUqTC3RnvH9y4CLg5WMGt2Q6wciOF24a/61QVSVlprcKgA0bBaUNN8bS8ltEqU9PTglHCZcLspoZKEgoaC/+qi9r1+oIU0FN14fieKwkM724wJSvu/OhDzFQRe/EqZLjlLmdnwqM15zQZq/6PQzazMTcjvcOvsG+B5vea62mrxT8h/jwijEy9zxh8gRm9XtcbR9fmba6/7EiwseVhRStXXeBE8kV9dGkT1ONwfn9xTBYY4mO4hV2rXlK+2P9ka7E7PAcv8DL38+RVaA90LigXCnId9BeDUBzVp6z9Ca6qoA4sN4hRrg6TolYt0ifjgauLXTcTAXU0RtvW0+12qHAgHWU2ULIXkcrHpB+LmTA20WIR+RmSJFSbGEdFe6g3gD05zgSrhc3p4x2c+WlEbu6DbBepTBhF2xC7BoiiskilFHUZQeD0q00Cy9tRKTEBjdTEK4X0OkpBK1RC1wSLHKkdCqgJz9mcov1eqIkif3Gc5HE0iWc0GT9K9iLTFukHmBWdzCjsOGPiaEinyEQV7e9yZNin9LDs2xASRRcmpCTLAqBMVgwJvFOuJwVa9mTIPxMg3du0gO4+xcpczR9mvkMIsIx3Ttj41Vs7LNsspfyDCX4o8BdktyD+lSN1tYYdYtKvXKqZLr/3Yp/BARCW70W+QoXfGXz60okq3yinyXXlggfM9ldk2FMfa5rZMj0iV0zzdO+iTbPwzpZsVax2jzrRpvtiOrw9fKyWLM4BaQVG+JlRgxaRT64uKG/adYVQhXJa8rn7Z9rIpsMCLUGkuQhzCO7W96JByuGrEzBON5Fq4yJjBRdn3DHqM7WoWxeHtMxqRJbPWjcypPkPvKm3ATGoDtbcSm5G8XGzokYe0U4DN5xbvFZ1CE4JDrhd0tFN0ThUVxDEEtqp1zlYst5oN8ENYkN3Uguxjj3jhTd6VTE22w+15uljQneVEZvjGbVZboWf1NYsUMOhu32jEQx914Ty30riRZ2eDJZt0MlnFlkDFQJE7FWJD/9hXBTTILxWtJmMly92Oi7bycY01AiTyEb4B5H6ITdSISkGHoAlk2qIwCV7fRZEC1zJLgGqZpdCey5iiqAv0ZXSoCXSl1ivyMCZkz3wMvjGD5/Jeb86xYnOfXDsmWLB9IHrdEGI7gjAZKPExFGtd8dRhpxErSlaGyIK+cDg0xgtkZcv5gEOw8CToGJAjDEJXVDGTsnRkx8bq1X0RYCuys8vlk7Z4cdA70L3STaWLhQZxp5ISNmdbwyes3bpgzlhPFa8rp89mChxA42Jk+bZgonZR5T7IEsTbm81THcLnrpXetgSlQr/d+NRYpuuEgL5fDdavT2isSlKXUrOIguMg3gJzWuSuwxSk8td3d7QLT8VNlq510T1FkagKqhi5rywK7m2CKrYdG2tXsjU3w4kld78HW1tRkUvlE2Z37kzO/niA7jV1aFfO/qAkbEdbxNLXgg/IbSXobsScpE/Zq+6b4YX0Vf9ezHgv1xI3ucVCGoTR0ne8CCfQcrnI6kSVBxHqNSPeW6hP0TOlI/v+DulW0LUaxEdY8ZeckU3q27NDLlwDAr65tuCbEblc8ZR502ECfqg4BcTC4lQKQ+9Sa6wNQlfC+eu2/VBxnmv7f/CoYl4jFGoAs+dxJkssFjQTdJ1aFowFLum6FeoHJcQYxWaVoS0JMczR1w51q623n7+w6NAljibsGspxlqxt5S6igSHYzy9yyLT1t4BxCxVglmB1w0G9zflSK6rO0A11h1Jpqs7wgkIrb5/pPpeqxmEAuwbj9HYCv0fu962+FVKhmZJr+1n9V69rOrNrtJ/0VX6NlYntpmsAx/ao+DslB9WhU90pyfNGbUx1pWRJfUAx1Vv8RiDMqTJNdpHaLur/5sJbXny0mgBAElJAYc6RkOI7RUsKlsyu7AcwG6Z8ckillL0wjb0CJwl63AvmImx1+GewszUzS68sO1mPLmDBGVSbCCTFdwtp/3vHSwBKShZQHBPuG7eCgS8AAYuknCMrHQyj+gzdbGVKf7BBu7IqDcbnrpyv0taIcSWjLtkm9+LXEx4jwittaob0/xgcE/yEaXuSviba+zes4gufjqtAk2s/7oaFLXrXlimdUvZkn+FlsbwALBDWWhIG/lJ7GkF7Eg7sLbulrxFG5XKjGcEc5UzfPkelgpkozxE15ElYUcYKH1N7ec+H3tXZKFxQQ5VGJdbQxUtDIwfXi4DIorBSTHaC9sPSGmrITnXPvQcPpfG1zjDBw+TEN5FFWQ3vYIJjw2jNRC7XPp+WSEFoaZ43mRSjxBhsc15xvkFfKsyd8zOXBWbCSw3RWojLkaer7fWMpS7t2LpVCd8ycUtzXwtUJ6JjDd4pb6DYT75pUDtj+a6D44OuEElFXXuyk3NL9BGo0YORVg+C12+l97yim2G7niboTFXB+oOdUrtY/ZqAreP/3Zr2j5E17Tnj6e94s+VfYLXmGiuaV4SiOnJEw+42TRXDPAu8pskekRtYslab++9j6wG0L8yoX4CSW31Uy4EYHmO/un3ollgvmxtq1cJAlWFFli7zt66xacoMz2tIvRZhdiPNMmdaEfur5t/DSlNk5blADHLuKkE4xcr+CRrhbVHzBYTe26nqws790Qcn/Kphn6dH/WIRWcyYaPpmtx8sXzaq7vF6rZiq9NSevrY2AgiMe/ymCZAGrsS5W931ZBz3lDoLLrlrvCGf8zJfXaD3TtI89Y0bkJu254t+LW7Pwnq1c0A/hC+/5X6+ugCS+pK3RkwMvQfdiJxLA3RbOHNMZGXBmumwkbrSm5S97LtRXV+g7dSFnX5s4YzvCbnGkv68WRhdXezVZGP55/ZoshaxlyLfarRn6NzVZ/p+p9x9sFubBQRV9xs/fOPdcbPKNJWb0jSPUSU41Y4y0j0oa4lWWDE844MqQNeUgQlUcjwiCDQVOml/lM6BtlVVt/KZlVRWw6jrC5k955sXV9d9HRr5lrHOozBWl33kQMGDayG3kRaHJLoSBt2whcAgLEZYtJQqZfPaJwP5ZZn0utbdJHR1hP+0iLTuMnBZLgOM8/63j4gJwqucWnHmB9nan5+hp5d3uCg5fY2unUPEgQXpfRb2i0BkbvLYJjintk9LGDOmb63KfQRe9yjFa7kx3/un4QPTtztCrkaxxYKqdCPswiT73I4FeBxAO10qqpeS55Z7nK0+Mmm0E3qfwLMwjL17qfz0g9MxnjXNOK4uwmUkB0fniSzKbOK8KzgVn3sFY1ydf09Xs+8sOlJAfeocxs3IvCJjVppXSx8oa6yNeSMtpYLOA1au1/iNTInDKl9j9TAZesOu+la6Yv8Q2U2MtEZ+aoUoRu8wqfsph5VbK4ImtWOk+K5WUNVuKeRszehDrRXFOnpusDbYVLEU58YfhRl/MLPDLj6Td4jlL8bfL/uyVlNgaDH6NGh87O6CxSJ8det3LPH0vQGTXwzn7h3znDEhq1gxzlYdiV5Ev1NWksZ0Ogw8sj9FBpy6M2OHJd5wbuUe0hUhVOt5xdGlXR8RmVNtWaJu9hu2LJjI6V1kAnCmzXGa54myBRYGU0zVSMyogvhmgRXjkMET8OC5+LtYIAxE/M7+NrgzkYAP5cw1F3ogjdivjp42+ZwlVbr0RbdOwgxI5lWEbUJ83eHp2UiRoXNzDd/j1AklTvlqkry8r8p9236ImdAopwYzHnAyzGRlWr8b2Zrkk+dm1h5b3OSxAR7jD6mhRcmTZfO8QTmdYx8C8p0v6xi+z9a0WvGKKo43UMhlpH9c0dPAjbQfgNXtf03ndRW489Vrw0wFjRlRcGNb22DYsOnU6xo1itXy7xAcG9MEsorIorD3KQ0bnTvoiLWSfUslVyx3/rO6i1xB9WgiVC7J8YHG+3vLfmF8qzWSdl5eWDW4KyHp6WFkfb16Wln/h5wd6Xc6env/IWc+ABO+XSVL1zj3AhKK3cnfXF+hq4FC1UYjWddaX12yG4OIhV1NNewiqiF9H3+Yz60OK/dORGQzmaeu+BpU3PWVDo8LsriMqEfL+N0SXMhggsrzlgvYlw67BNomHsIWLG9COSNOvCK21TgoA4/w8sdT8pp9l1XKZ6qe7n39yXXPqQNRkKxxR0nV9iK41K8ZDZW31l2YdiVuTOAICXrF865DpKmuxCvMOB4GMlDjCkdQXzmnSo1MWnB36Bhff7y4mzdWCt8AygVgB1vy6QaaLc5GJCIrslmV55vo/hlWZFHrgFpwK02Pa3S+00sVH6JiMmKXg16JXaarKQoSmG5nr7qeq7jKmWkq67Z90TxGocF224oNJ0q24YXdm3RZYrEpuJrMKj//fIme+lqJzxW3uvKMcSjggDywy7tSavvNZ+i7oaNB9KMwt0KuRccQ0pRU0Mxi1YU+MmmT4AlccP200PO6yv29L016SxeYbNCnUXONs5nCD1GU7xfukJgJVGAm5goXdGc6RokVTO1N3yeho1xew7LovcxdcvS2LWAr6yyAFNqjfUGqgCVEKgup2zfuPV2jXysBpuQ7mVOOnjKxOvv2OWKSPEcz+3/U/h8WmG8002ffhuOLhpTZnOPB5PzYOlRXwz+/RrAo+LpATm7q4VdyvrNRg5FJMXV/nXk86zYImirLyEGEVkVcudvD7PO737Gi6KNLAP7228/vfn/z4fLbb13O7QorzEZ5ci3VbcyS5b0X7Pd6wXaEbdQJhkVsJcLX7MTtUtI8B5jY52KTwISZS0WFZiSmAGm5khJgXMT3ggTiA7GAZmvMhsOJT/YOQO/z2EDt9Yldoq6rWaJLYWa5Nip25TvUaydziLXf0mjvaF3zkc5Jemyxy3Yw2ECl8cUm27oXX+9iQczZqKOp3moyR+yxWw12Iwpss1/eExbKR/cTvL/jwiLv9f8Pw1W3KrOb/PcgLJa3fPQekZ1IPghz1HHcXfhJOUHSVudkW3bpU9NktNdZdtAn8xm43Qacuz8yXbesZlPEw6Doa44Zt7Sum7lce5lxddGubYNOXNYcNHQRaGEwnlVY51xnVkU8Yj/HJF5DurWvPjqXRVGJvidqgJ04rnHTqdi9p3fm7zSsUze46eM061Nxu8Ei/3cZjpptcTPYsGMkw8nYDRfuIKcrXTLCZLQs0akseMB+jZUYBh0eO+paFGUmUwnjm/fvrtFvzo+6TUoNI/Jl0lSCm/98i75UVI30bq24yBTtd+pMm9zQcohu0Ie66CyY1tVo6STiQ9oGKmOPEbBAy6McR/ugmkBw7GS4efwBDZhjVSQ4LQs2gXsBlxELkBugVR5tKm0HZtxuVx3QOTZ9rfBUuDMqyLLAKlZZSQN3U+LB+OKTo0+YDNKposDMltF5gdB53AKqBvB8Aa2WEoCVsz8SQC1x9EkYruNUdPaCoHvGYj84vnNbQa3qGR1pkWECg1Hil59Y2FpENN5bgGeLcvWTuDPL6O87ERkxKst11L7rLegW8nGRpwMArziOLjFERsWCiYhFkUPQKXKjRTbP9JoZEl1+iGzO5VrjIn7uShu2MKt00BNEXYjImEgpTpgoqSpmm2gJ7wPYJblNA3yFeQpeYWVWKmlkFj8kBdBXP2XgcYwPmye7m1wusjwFsS3g+PlvRGQFvsuMieU26AK2HM1pgkehYCIR0kykQ7rkOuMznsUOi3Zgf58QePTO4C3YsXshtmHHruptw/45IexXCWH/a0LY/zMh7L+kgW1kyfGMphApDfT45pnIioqD8j3bJHgna+DlbQK9pKg4WxRlGu3bapmYL2InIXnILIVSoukXEt83IjLtEhITnKBWJI01aQGnsSb1RldlglmkRDRl1UlMVSONNT3oXQIRYqSxhlkq2GDWJAFeCXYnsJCakgRMuHplqZLoUVi9kqVZUpwncKvJoswIT+DDtoATBEkArpptTHy3qIWsk0AuqyxBTIMoZhjBPEEBkc7wggqyiZh11YYtMN/8SfNZCrxXGbQBTQLZtYNJg7VLrE0CfbYoV6/S+KB1NmPmL0kajRGdxZ0V1wOsZHRRrZNcc4BKiYpf5aadjz/arK0WYGqWzs8f3znigIPalwS46yYfr4NcC/accZrChtHZPMUhsnnM4uwu4BS6gc5YCUmKWRJRx8rVT7k25aCZfyTYWpEksDmb0xRmjAZHc0FzFq1gtAubiTRcUsi84lQTmYLaHjhbJJBNstRrbKLO/G9BD2WQRwGs6IJpo3B8T8gWdgKNT9EyFalVMlpr6ESuEslXl5nvWDwBdKMoLhIokq4UKBXa6ZTr9VIynbkJs/Ghb7DCSRg8HymEjQF55ebbx4bLtMEi+pzjXJtZpWINC6yhUjcrKAXUKjqu8fXouiY5NliY3DCPP+z62E4Du2AucJ7HvgMsjx1WrVsHJXiLWJERJWWRpCuRBZzATGNFliY50nc8SkHm8jZ6e6ZSx29ZykpdKhYZKMeGmSp69hlngsZrsbOFqqNO1GngQvFtfLcWl67raTbnMvpz3gBPkPJvbd7oUscCTSBxrA2dANXouQlcLpKwrlgkucClVLEFWDGrFimuWcE0SSEWCp2EYVPMgRDUQHOl6HCjy3DXADp2xp+DGjsdT6zXsS2QJBVl0g2Ajm6JyviakVRskQXmcZ0Mdy2oiv9mlZkbyhsdbNTJ1FuwbsRrEiZLULjpZ+LEFgYebGxpUGbOkRQdXay1/TAjy1h1/gPQ9K5k0QMBJVXFQmFhBj13Y0BeJwEc/+l1ncg+fepNAY0AWMlFhnUZcWBAG7TCsaEqinkK/U5RAnRwXUcTAY9PZAs5bgvXFmSp8gQYx3dk6gS+Ye18wwnyATSNnQjgBh4nME40/RKfAUINWqNBTWBKabZIIHh1GdvLphVJcQ8UyaMr0lqRUFfcCIBNvBFbbZiVjt5Vc0VE7EKJ4LTYU4G6Jp2xt28WJj5bOaDxI3rNTM/YcDdl9G6tVT5LkodeKZ7gLaw0VVnOYle9JxlbUUeGUpDBEG1wEdsbvMqY0AbPE2gGK6ZMCjV8VYoErZuMVJWI6WYNtUULdBR9UxmJPlQCDZZuskcSDsv7jDnL0bmiOTPoHKvcdzPU0P49jI6bnJWQSmMTQgEMDNFH0N+ASI5CpTpNPgQT6Sh3WZRcbuhgsOBe+s1lFa2p94E8ZmnofEYw70zRBb1DBe43WtjGYsWi6g8DSY4kZxqGM9Sr+6OHBkpIV2UplUHDxqMIrZfYIGZQqeh8jBVOSMu9zxCKEOG91dGggJjwnd1H+kJzJlJP5G+haldr46mRkQtqllSdbb+vl7IavGgICbqiqhlHZCQqsdIUvaMGw0Rwd1dxQ4Knb+VCv7h2Za/P0IUf8fUcmWVgShE0A/5A/ehjQFug99T8zoygOnzOQ6ZOQrw5jOxubhEs7jarKVZkecYEC+IHM3cn6K/dE58wCwOSIV5wXAmY9buoYI5r3cQ93MC91699x57St+Nu9tQ04fbzi0eMfXsQWcSapsM6r8Ky6CO9M3ArxtwFU0yjHhFI28F172FCteAjEy+he27CceDQP1dTgxT9UlFtdjTtPj5b+f698p3KAGN53KpOYvc9Uk3eadedsgsnhxHExjp/hw7t+nVw5zFn/++fb2gXu7qohQKsHeYNsBriJfHek4Xt4zLDmiKXrt1ggwa3qjkl/4uHwVc0o+AbzKVy7euDZEQIa6QphXFnePe8KoWFxmSC8b6DDtNuaQFq75ZpSKVgAtoupEuqCubUjamQ3i7pBnOwFeN0QRGnK8oR1pothDu47bz+MOtDS+YHlN+w/g5Onz3IpGeLWSXYl4r2xyTi8OVr4Xtcx8TjpqDUGg3L3YUkUggKuRVozcxyTFAgFKgMaTR2RY8qL7q3aWHJCfKkeaK4XDCCObIYjJg+gMXDYgdLjYxpfDjalcuNDqPXSmdby15Wa+wHHnOGdbaUyW0CZ8Q15hrMUtkONbJSsT2CJ9wPALlLY7GFN80PYiGcYnX2hmtpDfHOfbuAYDn61f/iDL0Rm+ZfA+gGbHktDML5GZFFWRmqwmI4iRvfbiydefZN/yxgxmLnQJj5Z/Xy+x/+Ym3fi9Zx1BT7Joi259MsbsTsUMcN3lCF/rXxyekXHg1ALnzrY9f/pOd5scW5w/U7z+PI5OV9su1Jf2CKXecMvf/t46XdO1XUOU/AX5ozTRQtsSAbq1V69Yz3c0EQUOg5+vjuNboS5seXz9HV+4vL/3qNPl0J8+on9HS93CBBmVlShchSaj8qTSpFiYFv/fDqf/9/z54EKULNMqGM69MDZOpZgcPjeHRi7rvnNb9xvHhVIxW+4vnjQrotm/ZgfmTDuIMf+BC+PcV0a518ZspUmKO3b94Hkf1TCprOl3UcZ/wfKehZmLYW3a9GhMJG9gtPOILH+AbvOIcFNnSNH2BEOnD3NXqT5wr8tI7LQ+g0Ty8pymPjnKfGQq7O3127V2k0PFZgPWH0o+NUcpqqf7vR1bVFZcT7ZWl45CSIKDS0a4/TsNbEMjdda1oB0UIX5zmzX8Z8G7BtzfIPv3MTMoA1CeGCS3/DL7osMEBlm2udRK879EnD6L3H8Foq04jkgdDNIcAGB8DMZr/k1RPT3u2HiUX9mNTbejdGeEFDduNUXlyPHVi+WGtJmFU5nd9ooOMgK5cVFgt61phORIo5W1SK5mi2AZhU5JA1FJYz5ZGtBwZFoyPacnDReYJ+Bzyi7t8u4YruAFC0kIZmPrM7fp5RfNLmQmc4c6n4CUCXRqUBPk/AEvME1cI8xXVI1f+kTEBUnGe1Jy6dWt634O0+zvqrtZ0JD6DBXpolVYIa9HFT0ufoU/2MvQUH2I/ounaADV6C38Y0tXpUzwTKxIhpXCPt/eLPEeY8qEyU2y9CghtWkJi3osq+gUwYibSBx5wJ9OlqVKAQSJBNJq+ii2wLVJYJxr5ZwIrq2Bm9FmyCEhf3IsZORQd/ewJs3WiFjFOxiD4pEnC2ykdCLXREA3UqD+atAIxABNIJ5gijX6RaY5UP53Qj9GYByV4KYXvj7yCXbkbNmlIRVj0jd028b4xbGszboTqHDIKW8ZAZMdghEz7PFdISCmasWPIjNsJbXHEspojjH+CgrBNEWi7KwQa7LsttJGVlLdgFGLDdlyd2pJIS6EKwitcP7rCIPVaGkYpjhaBfNKqReHp59/qtXMj5PDz9nZLMLGny4+0g+9Eu6G5jC+9Li7dF901lllQYnyw+irauYnZOOCyhxy05jvonTdUowrIyRE5Lab/kOMI3FSFU6xGcofP4cc3Rjks8AbyQVXEXUm1QoDBhgNsUwqmDI+3haKUSBPh0KYV9V6zcCimHzQ/RQFHq7moVrx/dyLuJketaCjUDnNG82Y/3w/T0YSaQZqYKyE8ExQXUi2gPdYk1wrks7etilpQpJNdie2SOcAbfSSGLkbxamMmhmWtRP60SYZV7JnIrf6TSDQEw+oVxit54xM4GZDjE2Suajbk7OZow3uz/QdIVRklw47MW4lIhtMcAIWLWu59ACJevd+PrNWJTYjwhdCZTVg8ENj+jS7xisgLtksiiVLJgIxmKdGrkLgWecSgim6Pz3bgxsWrETkIk+xh2tE4URKCDYdThMkcgGFi/wS/16bZe2e19G2W7bZllJUy/nC22Rp9DGXhGjjHrD9KC4D1eUEEVI/WWgCCQ6NdPLWBmCU9taLYb8siekR/OtFHjwc96T8e03XqwPb3cvSevXri1Eu4raJo2RrhhBdVWrjttT9GSjgaR/ClEawqx9yCg8eCJx6AOZK1jenc/GGv9eNiefsh0tCGnB2/NO4z37XCwN9jxViAcIAy+3t293Ls7NenZuYsWZW9q/8lF66U6jQDZI8cbAfL1suOP+48s1miDaY7sMPmoJpUgMe/YAfJjUnaMubcBMzZKPZSg9fzU0St3KrPMCmqW8gGiJLjjSUYODf+10QOHXkpKJvU67YjqfJDc+2stIjv4MpEn5L/Ofv7+e/T07cWb62fogmnDxKJieklzKIUP4sLlQibvC7QrEgbZsnOHhz9m+OJIxpiSib2Ku+o/7amGMGhuDHjkow19vs91IZD239T9thx/gFMoZopFqE36NlMM81jd6Xob+YBzVmm3ApIKaVYwjpUTT1Zs2jtE4F0Pl1fBPdcsn7LTSDtT/pNlhNqL2OuLub3k6eos3ohddx3CGr7SsOX/9U4i+GTAC95xQ1tlGXnYlSlVysSAQcgGSC3VAgv2546sapGOFQ4l9hGUbvPUCLnnTAVrSRN1/fnFLgevhWvx5XoXdbKaf6WYmyXBiqJS0VwWTOBgwV1LPF1jw6gwem96PMdT7vYtftDNutaPtEzEuPbqPLGCq8TKQDOk7VZ3i9UJmx15YXOIRJ3TnCpsaJ5FSyrbwR9W+PxSr9gEz66VXLG8aR7mv4fLkntNdcAYvvmPfda6Om1YwdlukuUT7bJZ0vf6M5uRbQaHh0Lm5Iq56Pmyr7iPtIBrlM6YQ8Hvq3nSO9CZWj9qVUIvAht1OiporFgjbaRyEt9CK6jBsNoT+NaZ/daT8O4LluecTifl3sF6h8q5wPG25N5Rcq4ejzHNdq/9aq0OQ2JTR2efo5Jje2T2fZYKUUHUphzz8kMq5AT25AEZdKqxLX+V2qB3mCyZGDHpcpxIcnzTp/UnAZn+paJWfFj9yDU502fobY5L9Bn+4fSjXApXd/rP4eOJlnhFrebEKVboS0XVBkEPQl1KoWmtUYWLU+1+M/jNNPLS98AjFrJidRdI4bbv+vKN41lvaQJUtwz0wTdHPRRTmPKU1mHW5/G6tXSniZG1Df3DyzRSlRBBO1Y/b14eF3l2baRGauw8xMxbmOkPAqM1E7lca6RLSticEfvJ81CdoM+THV4Quz2H7zbnBj2FjrBUkO0zBKHLZy1qoUrAO/6WLjDZoE+62/i2icAW/ULa6Nm1doUJDPaR175tagEqUKsGTGZfxAHFmz4Ager/TqUplPMMydfddnqFeqw7r1OvAzuGHQYZzf/miM1Ok9c7tlWf4etd77Wsu4Stj3cBHe5mGoddEzDons02IdMdw+CEwg0p9hc/Q9lAzJGAoxVusOWczpnwvnoQTtDVr8DlSNNBwO6oQrFEuG0dMD31L7ZgbHy2qffueymN9KZsfNjGYLIsJm6Bv10VCI4G1lH7OJIMeZkxEW+CWNS7YbcMRYVpH8+AkGqX7cCxuDba2/L+wNTOAdZp3749WJdY1Txl//x8u5X1kg1aqSN7O6wt65LfD9qeiT6zxLW1kGqT7sD/qkss/ra3Y0yNSLeLeq2eh54mS5a/vgDoe/b2YCrRYFd1v/XduxrlgowKo2R5jOjIZTUbOBcO4nG/prW26Z5yBMDRVXdMew/PZVFisWnuI1w7GKfv7JUVVfYZypiYy7BSgPVt6hqhPfKjZ0XWmK1p2q7o8y+pcgR+qTjfoP+sMGdzRnN0AXXPzjkYRGVNZxmR8pY9UND9dzpDbv2t/Yz5mDYfvdvsNhxeVgZU7iNHmO6/6x+aJfyUHe+Odj75M/RxU7qtbz0HljjuBMcPT9F5FrWZbA9ti4NzRKgnOtS2to/MFK66RrnsYuc8i6VUtbcfQswf3o4ceatXTmR2qmlRpp1DtIMUduW9nvsaTSVlIk2ki5Rdx54HKrEJuyaJyLCOGe1vAVa+nD4y5ErxiMfcghrxVBpjNKtULG9IC6amKsOLeDblFnT056kLOmr6Yxe05/oEgoXeGSpAtYpvnFj40bi5UfSWivZSZWJrVG6JKWoJOzL3IywL6tUL/9/nHoUX/j98XlPI7Y85VeHsPL+dB4yeu820g+fgcW2NWhtsJ/cD0axJxcScKjUSdx3ue5J9tRX/vaQPumcnQLLuSzxvHUPgSkFYWya9UoElJmO/Sxe3t2z3ETKIVftP/6DDBK3xgZ+sXFI1jT/C6uw+4+npOYx+fIbOYf0walSZiZqljND5nCo//JN2sjB3NOelSUPHLUK2Dtwu+kS3OkXvPGn257Feyfu3RgmfNrphf4a9New2kUy5+sclEnQhDXMHWC6xHpkApcnUbYVaR+kWHx8uaI862QSoQYJLj8fqxul1/U04IUWzxRQVFd3+Rs3Uw4+jg5atNGFaV9GVToAMyVLpvHWnxVAAQ6pUUh/o4FDa0vPSLo5uIDi9SzpNkiHRdAb3UeSnN5DaufsxaknP45C8v/TcgeO4CNWaZ6uUL3o/pOod2UFk8syyHq6it2nUqQCzW+ot6kTNDb7ZjitpP0ggW39CGuJ1UqGrmzf/eHeNru07hX4TI9NXttgmqqQ+BtuPaxnGFsQQWVJyq49yIh8mhNP2IAsNnWv6dTYtwiAN1I8g3ErBHVouVWzQFPIBlFyHR9MVZNRoAJwNNtVkEz7bWK4wZ7ljxAASfUE4WVfrXYIQKHZLN7ovtiNxfp1AGhn20phSZwxm0CYBDUeZgiAEP4LbxBairnyRipnNnhtFZFEk7RN3IN4OD+8QCpfgr5mivG9pxnaxrDkWmdYPNfDWruxk+O9+t3WNVhBbV2qclZJNkVYdQthhgAADQCpsDQBZyRILMWickbrdlF8VEBmJ2U7Utrl5WPzMw9/fvnnv370XveWbB8VI1ff9R+/ZxvRttpK8SkWAN/UcZ+Hn3DSTsetxvpVgRqOnDgn9DLp1QGFvPVG3Bx4B0sHd8CqRNHvrcf0kmPHpAmfdooMVVZApMK84IlIQWhprKN+4Mxxpr7Bep5S+jvDWYK9HaFtES6kMkpa+v/77m1AKbpDssflOqsX0CZb9AoOOi3WGXbOTYKOYv1/+dn11jd7hu4KJvBnrHT5Wu7fJ0zA7QxRHtuW3Mdjdrm016lO4ZDF6erarcszm0xVsPnQRfr3l5GpHx1nmpfLVhe/S67HYiSGf7lAeuFdAvePiv33dcFOYI/KhJhn7doO/xJrQD5Td6MdVgxXfBHULV9z7HOkqkKKONfqrNkqKxd9mHJNbzrSh+V9f+L89bz5lYk5J+KM5U3SNeVCRwTPe+g3CIkdaohG2VHTBtFEba9lPKSxKbJa+WX+DA+rjMEASnFJToekKoV29FpGq1YW80ScbzKkwrZyUGm8/kPGsmaZ21rv847iP4Z3TOa64yeBOvEZzzDulyJ0tdTP437eSI+pJkduR8duyNaPwfM4IDBKYUSqQnEHfiFZDr+ZcNL7HZvoXe89Whre+cRlbrEVidbLQqdskjUgUhdeooFrjhe9LRKSV3zDALKRIvpULdEGJzEfCPh5WdB+V6/kcMYGph/CU0giKMO2LJueICW2wMDUaYRvfsKMe8Xz4TgVVcbiHzFq3xtU5bccToKW1bWHC7u/MCKp1ffr7pyAIuqKq3aCixEpT9I4aDJq6r7ltlnr6Vi70i2uXVPtsAP7Cp4Nt1QqMPlAnLByHixaaI51k6CqJC+e0aHOhF2mVZ3/G7/w9v7r4wQdcXNu3rXUNPQHuMDGIy4U7r2FfG9gdTLL23ALf0925Q/b3/mDPRjljAPooTglxxgDyOKeMHslq2jN5+f/OZPeZ2FXTHMhp11fO/siCva4eDXarVKHS01BTNGVW7OlkS3X/T8MMbL90BfenIYernJkM+lE/RvS6htMjQmwZcaJuVMSYOA6xtBpTLTkeL6fl9KhhsWnJNqc0T10EMh62aLdNdI0kaT7QQwZKwmlWRE8PGUDfY0WMU3H6OvP+YNwg+Ry5BtuMRD4UoOC9yUemUKt9dKBRo1Wzf/+nTdeoPZeC2McBG/nYLdsRcQNN6hKKwzZ1z+0yLvmldZ/fyoUf6+qrGKCXnDVBFPWCarD1ObujOdIUJu12ftxdQ48bLPUhDGCfbLA0hzAAfa9DGXoC4/uXjmPMwb7uQZP70SBii4UdfPlrnVfqOZL3OVJT0XQe5nKhQ2zT8iF9PfRlxzDY4EejhL26Xv207Qc4ct37xB3s3sivlbirV6nJ++r/XvImrn3yNO7LBedIa3vLcoTRgq2oaJxkX68iYEl0nP8irQWSP0bl7+uIaIw6NGS5yRT9kuCs28FDOGDYt2/md+l7il3DRXruvdkGuwprgocSZEbr5NFPV8L88ApJhX7hEpsfX3bTvIgUc7ao1Hh+y3bfx6i7X/G+IQz6WMsmwTKeoGfGWHZMXU30tTsYpFpjlSdT6nZPqncKyeeOvoeRohwPU9Nca1X/iHq0fTNM4FS97fIhFVswgXn9m662socOqfSvHYkRV9efXwVIgILdZFEEEjQYDakc4/XZMupQcTz29VlSnCcsr++YdrAUuro4JUrq8G0HSwHMcbHSR+1k4yRL7mfDTQ7uVtGCi2JNl3PJOfRN/RoFsKXeA+TcWJ5jGhFHuno8XEtRfSuH4yzGCf0ILb6CzB6LqlpIberCvdlmcGjNJC4LULOi5Bt/TvbLkMxMMVkizXKKnn6PzFJV6OXPPz9Da+xHCdWr7KDEo1BeD6CEn6uTjBTkq+EKN1Sl9ik0fVftVdZBCOgpnskVbRGDhUt0avGmjaK4GL0/5KthmwcmFc3ZUU0T9hHqm5Dm2DgW2BwxU/f9AZH+wrUJrZEejrP6J4J6kQ1V6CW6FASXuuK4aVZ2L7kegn5i8COQWxla5ceX6N/sdp+jH39E/4aIVFZfdj0H6mFq/4Ob/2W/yDTqEiXc/kLInD5aW1esaUYw5zNMbtOXPuVUSFOPRgO7whKxrnkB02RsKh0wR/JmRsAy0HAbc8DYzbE3UlnNWmyc1mE/aDWjCCGF0FxWIrcvDIeBDBo6AhyWvNi9EQPIMWKB/jrsCBuNnMKGS5w/lnfOo4M0+xOGUSpGAlaHN4XbXwZb2D33tRC2zz42W41WzutjO0O/yrU9mqHNyQSSyhpjRqJbSss9RHsUL95XQjQ3mCJbpRx4fllLHhhL5eZTC5jE37ILV0zByNSri67vXQRcHO2Z7kAMtwt/1a8ukLLSWoNDZThbZHT6f0OJZPXMD06J7jySkXy5JKGgoeDfNr/6AN3wmxnNRFHsBwGNCEr7vzoQ8xUEXvxKmS45S9295NGa85qlKoQ9MUX6uKZRh/I73Dr7BtQTgTzX1VaLf0L+e0QYnXgZjAuaJEYPI4CkQtfnb6697kuwsORhRSlVX+NF8ER+dWkQ1eNwf3xyTxUY4qFRt2hoylfbn2wNdqfngGV+hl7+/Aqtge4FxQJhzsO+grr6eY62/iO0poo6sNggTrE2SIpeuUiXiA+uJn7dRAzc1RRhW0+736XKgXCQ1UTJUkguF5t+IG7O1ECLRehnRJZYYWIcESm0L7JYuAnuqBI+p4d3fOajFbWxC7pdoD5lEGHXtAVrURRWyZSiDiMovB6VaSBZe2olJqCxuhiF8D4HSUilaojaYJFjlSMhVYE5+zOU3ytVEaRP7rMcjibRYbPwdhBpi3WDzAvO5hR2HDDwNSVS5CMK9va4M20maGgf2hATRBYlpybIAKNOVAwK/HijaW2wMg/EyDd27SA7j7FylzNH2a+QInon5HyQIHFy0wORPxDhL0WeguwW5J9SPFD3nHr1WsV06bUf+xQeiKhkN/oNgmHcfgS5b4dbY5fvygMLnO+pzLbpjwI/HaSiRKqc5uneQZ9k458p3axY6xh1pk3zxXZ8ffhaKVmcAdQKivI1oQIrJp1aX1TcsO8MowrhsuR19cu2l02BBV6ESnMR4hDeqe1Fh5TDVSNmnmgk18JFxgwuyr5n0GNcT00a3j6jEVkya93InOoz9K7SBsykNlDXPWskLxcbeuQh7RRg87nFe0Wn0ITgkOsFHe3c0DRBHENgq1rnbMVyq9kAP4QF2U0tyD72iBfe5F3J1GQ73J6niwXdWU5khm/cZrUVelZfs0gBg+72jUY89D3dvmt5djZYcttdrYotgYroozgb+se+KqBBfqloNRkrWe52XLSVj2sMY0+rdgOuNpolIBdr1END1IhKQYegCWTaojAJXt9FkQLXMkuAapml0J7LmKKoCzTWqI8t1AS6UusVeRgTsmc+Bt+YwXN5rzfnWLG5T64dEyzYPhC9bgixHUGYDJT4GIq1rvgDNc2XlSGyoC8cDo3x4ge4DDgEC0+CjgE5wiB0RRUzqVuDjnWf9qv7IsCx0aQ9l8/Eg9vcK91UulhoEHdyo+63hk9Yu3XBnLGeKl5XTp/NFDiAxsXI8sFk2GYSbBDv0BSZhIfwuWulty1BqdBvNz41luk6IaDvV4P16xMaq5LUpdQsouA4iLfAnBb5trtwc3dHu/BU3GTpWhfdUxSJqqCKkfvKouDeJpr8fEAlW3MznFhy93uwtRUVOcxJ3iu35OyPB+heU4d25XA6bRux9LXgA3LDPOCdiDlJn7JX3Tejk2C9mPFeriVucouFNAg3k9TCCbRcLrI6UeVBhHrNiPcW6lP0TOnIvr9DuhV0rR62/W4Uf8kZ2UwxbWdELlwDAr65tuCbEblc8ZR502ECfqh88/+wOJXC0LvUGmuD0NV2VEBdXZXn2v4fPKqY1wiFGsDseZzJEosFzQRdp5YFY4FLum6F+kEJMUaxWWVoS0IMc/S1Q91q6+3nb2QocYmjCbuGcnwwoWOSmwOGYD+/yCHT1t8Cxi1UgFmC1Q0H9TbnS62oOkM31B1Kpak6wwsKrbx9pvtcqhqHAewajNPbCfweud+3+lZIhWZKru1n9V9JPcfRml2j/aSv8musTGw3XQM4tkfF3yk5qA6d6k5Jnm9nkCa6UrKkPqCY6i1+IxDmVJkmu0htF/V/c+EtLz5aTQAgCSmgMOdISPGdoiUFS2ZX9sMUc1G6ffRD01CcHveCuQhbHf4Z7MwP1djKenQBC86g2kQgKb5bSPvfO14CUFKygOKYcN+4FQx8AQhYJOUcwYR5RvUZutnKlP5gg3ZlVRqMz105X6WtEeNKRl2yTe7FbzPNhPBKm5oh/T8GxwQ/YdqepK+J9v4Nq/jCp+Mq0OTaj7thYYvetWVKp5Q92Wd4WSwvAAuEtZaEgb/UnkbQnoQDe8tu6evWIEMYXPgclQpmojxH1JAnYUUZKxxrYPWeIBYsRQ1VGpVYQxcvDY0c/DRpWRRWislO0H5YWkMN2anuuffgoTS+1hkmeJic+CayKKvhHUxwbBitmcjl2ufT+mmTz5tMilFiDLY5rzjfoC8V5s75mcsCMz+IF/ZdL8TlyNPV9nomGmA/GA3HxC3NfS1QnYiONXinvIFiP/mmQe2M5bsOjg+6QiQVde3JTs4t0UegRu+3m4fC67fSe17RzbBdTxN0pqpg/cFOqV2sfs3WmLzdmvaPkTXtOePp73iz5V9gteYaK5pXhKI6ckTD7jY3Uz8LvKbJHpGbzhj//vvYegDtCzPqF6DkVh/VciCGx9ivbh+6JdbL5oZatTBQZViRpcv8rWtsmjLD8xpSr0WY3UizzJlWxP6q+few0hRZeS4Qg5y7ShBOsbJ/gkZ4W9R8AWE9+bUu7NwffXDCrxr2eXrULxaRxawZ3zvvPFi+bFTd4/VaMVXpqT19bW0EEBj3+E0TIA1ciXO3uuvJOO4pdRbcdINrnZf56sKP4EZPfeOGejalK/q1uD0L69XOAf1QA/69+/nqoj3ftRETQ+9BNyLn0gDdFs4cE1lZsGY6bKSu9CZlL/tuVNcXaDt1YacfWzjje+Jxx+fNwujqYq8mG8s/t0eTtYi9FPlWoz1D564+0/c75e6D3dosIKi63/jhG++Om1WmqdyUpnmMKsGpdpSR7kFZS7TCiuEZH1QBuqYMTKCS4xFBoKnQSfujdA60raq6lc+spLIaRl1fyOw537y4uu7r0Mi3jHUehbG67CMHCh5cC7mNtDgk0ZUw6IYtBAZhMcKipVQpm9c+Gcgvy6TXte4moasj/KdFpHWXgctyGWCc9799REwQXuXUijM/yNb+/Aw9vbzDRcnpa3TtHCIOLEjvs7BfBCJzk8c2wTm1fVrCmDF9a1XuI/C6Ryley4353j8NH5i+3RFyNYotFlSlG2EXJtnndizA4wDa6VJRvZQ8t9zjbPWRSaOd0PsEnoVh7N1L5acfnI7xrGnGcXURLiM5ODpPZFFmE+ddwan43CsY4+r8e7qafWfRkQLqU+cwbkbmFRmz0rxa+kBZY23MG2kpFXQesHK9xm9kShxW+Rqrh8nQG3bVt9IV+4fIbmKkNfJTK0QxeodJ3U85rNxaETSpHSPFd7WCqnZLIWdrRh9qrSjW0XODtcGmiqU4N/4ozPiDmR128Zm8Qyx/Mf5+2Ze1mgJDi9GnQeNjdxcsFuGrW79jiafvDZj8Yjh375jnjAlZxYpxtupI9CL6nbKSNKbTYeCR/Sky4NSdGTss8YZzK/eQrgihWs8rji7t+ojInGrLEnWz37BlwURO7yITgDNtjtM8T5QtsDCYYqpGYkYVxDcLrBiHDJ6AB8/F38UCYSDid/a3wZ2JBHwoZ6650ANpxH519LTJ5yyp0qUvunUSZkAyryJsE+LrDk/PRooMnZtr+B6nTihxyleT5OV9Ve7b9kPMhEY5NZjxgJNhJivT+t3I1iSfPDez9tjiJo8N8Bh/SA0tSp4sm+cNyukc+xCQ73xZx/B9tqbVildUcbyBQi4j/eOKngZupP0ArG7/azqvq8Cdr14bZipozIiCG9vaBsOGTade16hRrJZ/h+DYmCaQVUQWhb1Padjo3EFHrJXsWyq5Yrnzn9Vd5AqqRxOhckmODzTe31v2C+NbrZG08/LCqsFdCUlPDyPr69XTyvo/5OxIv9PR2/sPOfMBmPDtKlm6xrkXkFDsTv7m+gpdDRSqNhrJutb66pLdGEQs7GqqYRdRDen7+MN8bnVYuXciIpvJPHXF16Dirq90eFyQxWVEPVrG75bgQgYTVJ63XMC+dNgl0DbxELZgeRPKGXHiFbGtxkEZeISXP56S1+y7rFI+U/V07+tPrntOHYiCZI07Sqq2F8Glfs1oqLy17sK0K3FjAkdI0Cuedx0iTXUlXmHG8TCQgRpXOIL6yjlVamTSgrtDx/j648XdvLFS+AZQLgA72JJPN9BscTYiEVmRzao830T3z7Aii1oH1IJbaXpco/OdXqr4EBWTEbsc9ErsMl1NUZDAdDt71fVcxVXOTFNZt+2L5jEKDbbbVmw4UbINL+zepMsSi03B1WRW+fnnS/TU10p8rrjVlWeMQwEH5IFd3pVS228+Q98NHQ2iH4W5FXItOoaQpqSCZharLvSRSZsET+CC66eFntdV7u99adJbusBkgz6NmmuczRR+iKJ8v3CHxEygAjMxV7igO9MxSqxgam/6Pgkd5fIalkXvZe6So7dtAVtZZwGk0B7tC1IFLCFSWUjdvnHv6Rr9WgkwJd/JnHL0lInV2bfPEZPkOZrZ/6P2/7DAfKOZPvs2HF80pMzmHA8m58fWoboa/vk1gkXB1wVyclMPv5LznY0ajEyKqfvrzONZt0HQVFlGDiK0KuLK3R5mn9/9jhVFH10C8Lfffn73+5sPl99+63JuV1hhNsqTa6luY5Ys771gv9cLtiNso04wLGIrEb5mJ26XkuY5wMQ+F5sEJsxcKio0IzEFSMuVlADjIr4XJBAfiAU0W2M2HE58sncAep/HBmqvT+wSdV3NEl0KM8u1UbEr36FeO5lDrP2WRntH65qPdE7SY4tdtoPBBiqNLzbZ1r34ehcLYs5GHU31VpM5Yo/darAbUWCb/fKesFA+up/g/R0XFnmv/38YrrpVmd3kvwdhsbzlo/eI7ETyQZijjuPuwk/KCZK2Oifbskufmiajvc6ygz6Zz8DtNuDc/ZHpumU1myIeBkVfc8y4pXXdzOXay4yri3ZtG3TisuagoYtAC4PxrMI65zqzKuIR+zkm8RrSrX310bksikr0PVED7MRxjZtOxe49vTN/p2GdusFNH6dZn4rbDRb5v8tw1GyLm8GGHSMZTsZuuHAHOV3pkhEmo2WJTmXBA/ZrrMQw6PDYUdeiKDOZShjfvH93jX5zftRtUmoYkS+TphLc/Odb9KWiaqR3a8VFpmi/U2fa5IaWQ3SDPtRFZ8G0rkZLJxEf0jZQGXuMgAVaHuU42gfVBIJjJ8PN4w9owByrIsFpWbAJ3Au4jFiA3ACt8mhTaTsw43a76oDOselrhafCnVFBlgVWscpKGribEg/GF58cfcJkkE4VBWa2jM4LhM7jFlA1gOcLaLWUAKyc/ZEAaomjT8JwHaeisxcE3TMW+8HxndsKalXP6EiLDBMYjBK//MTC1iKi8d4CPFuUq5/EnVlGf9+JyIhRWa6j9l1vQbeQj4s8HQB4xXF0iSEyKhZMRCyKHIJOkRstsnmm18yQ6PJDZHMu1xoX8XNX2rCFWaWDniDqQkTGREpxwkRJVTHbREt4H8AuyW0a4CvMU/AKK7NSSSOz+CEpgL76KQOPY3zYPNnd5HKR5SmIbQHHz38jIivwXWZMLLdBF7DlaE4TPAoFE4mQZiId0iXXGZ/xLHZYtAP7+4TAo3cGb8GO3QuxDTt2VW8b9s8JYb9KCPtfE8L+nwlh/yUNbCNLjmc0hUhpoMc3z0RWVByU79kmwTtZAy9vE+glRcXZoijTaN9Wy8R8ETsJyUNmKZQSTb+Q+L4RkWmXkJjgBLUiaaxJCziNNak3uioTzCIloimrTmKqGmms6UHvEogQI401zFLBBrMmCfBKsDuBhdSUJGDC1StLlUSPwuqVLM2S4jyBW00WZUZ4Ah+2BZwgSAJw1Wxj4rtFLWSdBHJZZQliGkQxwwjmCQqIdIYXVJBNxKyrNmyB+eZPms9S4L3KoA1oEsiuHUwarF1ibRLos0W5epXGB62zGTN/SdJojOgs7qy4HmAlo4tqneSaA1RKVPwqN+18/NFmbbUAU7N0fv74zhEHHNS+JMBdN/l4HeRasOeM0xQ2jM7mKQ6RzWMWZ3cBp9ANdMZKSFLMkog6Vq5+yrUpB838I8HWiiSBzdmcpjBjNDiaC5qzaAWjXdhMpOGSQuYVp5rIFNT2wNkigWySpV5jE3Xmfwt6KIM8CmBFF0wbheN7QrawE2h8ipapSK2S0VpDJ3KVSL66zHzH4gmgG0VxkUCRdKVAqdBOp1yvl5LpzE2YjQ99gxVOwuD5SCFsDMgrN98+NlymDRbR5xzn2swqFWtYYA2VullBKaBW0XGNr0fXNcmxwcLkhnn8YdfHdhrYBXOB8zz2HWB57LBq3ToowVvEiowoKYskXYks4ARmGiuyNMmRvuNRCjKXt9HbM5U6fstSVupSschAOTbMVNGzzzgTNF6LnS1UHXWiTgMXim/ju7W4dF1PszmX0Z/zBniClH9r80aXOhZoAoljbegEqEbPTeBykYR1xSLJBS6lii3Ailm1SHHNCqZJCrFQ6CQMm2IOhKAGmitFhxtdhrsG0LEz/hzU2Ol4Yr2ObYEkqSiTbgB0dEtUxteMpGKLLDCP62S4a0FV/DerzNxQ3uhgo06m3oJ1I16TMFmCwk0/Eye2MPBgY0uDMnOOpOjoYq3thxlZxqrzH4CmdyWLHggoqSoWCgsz6LkbA/I6CeD4T6/rRPbpU28KaATASi4yrMuIAwPaoBWODVVRzFPod4oSoIPrOpoIeHwiW8hxW7i2IEuVJ8A4viNTJ/ANa+cbTpAPoGnsRAA38DiBcaLpl/gMEGrQGg1qAlNKs0UCwavL2F42rUiKe6BIHl2R1oqEuuJGAGzijdhqw6x09K6aKyJiF0oEp8WeCtQ16Yy9fbMw8dnKAY0f0WtmesaGuymjd2ut8lmSPPRK8QRvYaWpynIWu+o9ydiKOjKUggyGaIOL2N7gVcaENnieQDNYMWVSqOGrUiRo3WSkqkRMN2uoLVqgo+ibykj0oRJosHSTPZJwWN5nzFmOzhXNmUHnWOW+m6GG9u9hdNzkrIRUGpsQCmBgiD6C/gZEchQq1WnyIZhIR7nLouRyQweDBffSby6raE29D+QxS0PnM4J5Z4ou6B0qcL/RwjYWKxZVfxhIciQ50zCcoV7dHz00UEK6KkupDBo2HkVovcQGMYNKRedjrHBCWu59hlCECO+tjgYFxITv7D7SF5ozkXoifwtVu1obT42MXFCzpOps+329lNXgRUNI0BVVzTgiI1GJlaboHTUYJoK7u4obEjx9Kxf6xbUre32GLvyIr+fILANTiqAZ8AfqRx8D2gK9p+Z3ZgTV4XMeMnUS4s1hZHdzi2Bxt1lNsSLLMyZYED+YuTtBf+2e+IRZGJAM8YLjSsCs30UFc1zrJu7hBu69fu079pS+HXezp6YJt59fPGLs24PIItY0HdZ5FZZFH+mdgVsx5i6YYhr1iEDaDq57DxOqBR+ZeAndcxOOA4f+uZoapOiXimqzo2n38dnK9++V71QGGMvjVnUSu++RavJOu+6UXTg5jCA21vk7dGjXr4M7jzn7f/98Q7vY1UUtFGDtMG+A1RAvifeeLGwflxnWFLl07QYbNLhVzSn5XzwMvqIZBd9gLpVrXx8kI0JYI00pjDvDu+dVKSw0JhOM9x10mHZLC1B7t0xDKgUT0HYhXVJVMKduTIX0dkk3mIOtGKcLijhdUY6w1mwh3MFt5/WHWR9aMj+g/Ib1d3D67EEmPVvMKsG+VLQ/JhGHL18L3+M6Jh43BaXWaFjuLiSRQlDIrUBrZpZjggKhQGVIo7ErelR50b1NC0tOkCfNE8XlghHMkcVgxPQBLB4WO1hqZEzjw9GuXG50GL1WOtta9rJaYz/wmDOss6VMbhM4I64x12CWynaokZWK7RE84X4AyF0aiy28aX4QC+EUq7M3XEtriHfu2wUEy9Gv/hdn6I3YNP8aQDdgy2thEM7PiCzKylAVFsNJ3Ph2Y+nMs2/6ZwEzFjsHwsw/q5ff//AXa/tetI6jptg3QbQ9n2ZxI2aHOm7whir0r41PTr/waABy4Vsfu/4nPc+LLc4drt95HkcmL++TbU/6A1PsOmfo/W8fL+3eqaLOeQL+0pxpomiJBdlYrdKrZ7yfC4KAQs/Rx3ev0ZUwP758jq7eX1z+12v06UqYVz+hp+vlBgnKzJIqRJZS+1FpUilKDHzrh1f/+/979iRIEWqWCWVcnx4gU88KHB7HoxNz3z2v+Y3jxasaqfAVzx8X0m3ZtAfzIxvGHfzAh/DtKaZb6+QzU6bCHL198z6I7J9S0HS+rOM44/9IQc/CtLXofjUiFDayX3jCETzGN3jHOSywoWv8ACPSgbuv0Zs8V+CndVweQqd5eklRHhvnPDUWcnX+7tq9SqPhsQLrCaMfHaeS01T9242uri0qI94vS8MjJ0FEoaFde5yGtSaWuela0wqIFro4z5n9MubbgG1rln/4nZuQAaxJCBdc+ht+0WWBASrbXOsket2hTxpG7z2G11KZRiQPhG4OATY4AGY2+yWvnpj2bj9MLOrHpN7WuzHCCxqyG6fy4nrswPLFWkvCrMrp/EYDHQdZuaywWNCzxnQiUszZolI0R7MNwKQih6yhsJwpj2w9MCgaHdGWg4vOE/Q74BF1/3YJV3QHgKKFNDTzmd3x84zikzYXOsOZS8VPALo0Kg3weQKWmCeoFuYprkOq/idlAqLiPKs9cenU8r4Fb/dx1l+t7Ux4AA320iypEtSgj5uSPkef6mfsLTjAfkTXtQNs8BL8Nqap1aN6JlAmRkzjGmnvF3+OMOdBZaLcfhES3LCCxLwVVfYNZMJIpA085kygT1ejAoVAgmwyeRVdZFugskww9s0CVlTHzui1YBOUuLgXMXYqOvjbE2DrRitknIpF9EmRgLNVPhJqoSMaqFN5MG8FYAQikE4wRxj9ItUaq3w4pxuhNwtI9lII2xt/B7l0M2rWlIqw6hm5a+J9Y9zSYN4O1TlkELSMh8yIwQ6Z8HmukJZQMGPFkh+xEd7iimMxRRz/AAdlnSDSclEONth1WW4jKStrwS7AgO2+PLEjlZRAF4JVvH5wh0XssTKMVBwrBP2iUY3E08u712/lQs7n4envlGRmSZMfbwfZj3ZBdxtbeF9avC26byqzpML4ZPFRtHUVs3PCYQk9bslx1D9pqkYRlpUhclpK+yXHEb6pCKFaj+AMncePa452XOIJ4IWsiruQaoMChQkD3KYQTh0caQ9HK5UgwKdLKey7YuVWSDlsfogGilJ3V6t4/ehG3k2MXNdSqBngjObNfrwfpqcPM4E0M1VAfiIoLqBeRHuoS6wRzmVpXxezpEwhuRbbI3OEM/hOClmM5NXCTA7NXIv6aZUIq9wzkVv5I5VuCIDRL4xT9MYjdjYgwyHOXtFszN3J0YTxZv8Pkq4wSoIbn7UQlwqhPQYIEbPe/QRCuHy9G1+vEZsS4wmhM5myeiCw+Rld4hWTFWiXRBalkgUbyVCkUyN3KfCMQxHZHJ3vxo2JVSN2EiLZx7CjdaIgAh0Mow6XOQLBwPoNfqlPt/XKbu/bKNttyywrYfrlbLE1+hzKwDNyjFl/kBYE7/GCCqoYqbcEBIFEv35qATNLeGpDs92QR/aM/HCmjRoPftZ7Oqbt1oPt6eXuPXn1wq2VcF9B07Qxwg0rqLZy3Wl7ipZ0NIjkTyFaU4i9BwGNB088BnUgax3Tu/vBWOvHw/b0Q6ajDTk9eGveYbxvh4O9wY63AuEAYfD17u7l3t2pSc/OXbQoe1P7Ty5aL9VpBMgeOd4IkK+XHX/cf2SxRhtMc2SHyUc1qQSJeccOkB+TsmPMvQ2YsVHqoQSt56eOXrlTmWVWULOUDxAlwR1PMnJo+K+NHjj0UlIyqddpR1Tng+TeX2sR2cGXiTwh/3X28/ffo6dvL95cP0MXTBsmFhXTS5pDKXwQFy4XMnlfoF2RMMiWnTs8/DHDF0cyxpRM7FXcVf9pTzWEQXNjwCMfbejzfa4LgbT/pu635fgDnEIxUyxCbdK3mWKYx+pO19vIB5yzSrsVkFRIs4JxrJx4smLT3iEC73q4vAruuWb5lJ1G2pnynywj1F7EXl/M7SVPV2fxRuy66xDW8JWGLf+vdxLBJwNe8I4b2irLyMOuTKlSJgYMQjZAaqkWWLA/d2RVi3SscCixj6B0m6dGyD1nKlhLmqjrzy92OXgtXIsv17uok9X8K8XcLAlWFJWK5rJgAgcL7lri6RobRoXRe9PjOZ5yt2/xg27WtX6kZSLGtVfniRVcJVYGmiFtt7pbrE7Y7MgLm0Mk6pzmVGFD8yxaUtkO/rDC55d6xSZ4dq3kiuVN8zD/PVyW3GuqA8bwzX/ss9bVacMKznaTLJ9ol82Svtef2YxsMzg8FDInV8xFz5d9xX2kBVyjdMYcCn5fzZPegc7U+lGrEnoR2KjTUUFjxRppI5WT+BZaQQ2G1Z7At87st56Ed1+wPOd0Oin3DtY7VM4Fjrcl946Sc/V4jGm2e+1Xa3UYEps6OvsclRzbI7Pvs1SICqI25ZiXH1IhJ7AnD8igU41t+avUBr3DZMnEiEmX40SS45s+rT8JyPQvFbXiw+pHrsmZPkNvc1yiz/APpx/lUri6038OH0+0xCtqNSdOsUJfKqo2CHoQ6lIKTWuNKlycavebwW+mkZe+Bx6xkBWru0AKt33Xl28cz3pLE6C6ZaAPvjnqoZjClKe0DrM+j9etpTtNjKxt6B9eppGqhAjasfp58/K4yLNrIzVSY+chZt7CTH8QGK2ZyOVaI11SwuaM2E+eh+oEfZ7s8ILY7Tl8tzk36Cl0hKWCbJ8hCF0+a1ELVQLe8bd0gckGfdLdxrdNBLboF9JGz661K0xgsI+89m1TC1CBWjVgMvsiDije9AEIVP93Kk2hnGdIvu620yvUY915nXod2DHsMMho/jdHbHaavN6xrfoMX+96r2XdJWx9vAvocDfTOOyagEH3bLYJme4YBicUbkixv/gZygZijgQcrXCDLed0zoT31YNwgq5+BS5Hmg4CdkcViiXCbeuA6al/sQVj47NNvXffS2mkN2XjwzYGk2UxcQv87apAcDSwjtrHkWTIy4yJeBPEot4Nu2UoKkz7eAaEVLtsB47FtdHelvcHpnYOsE779u3BusSq5in75+fbrayXbNBKHdnbYW1Zl/x+0PZM9Jklrq2FVJt0B/5XXWLxt70dY2pEul3Ua/U89DRZsvz1BUDfs7cHU4kGu6r7re/e1SgXZFQYJctjREcuq9nAuXAQj/s1rbVN95QjAI6uumPae3guixKLTXMf4drBOH1nr6yoss9QxsRchpUCrG9T1wjtkR89K7LGbE3TdkWff0mVI/BLxfkG/WeFOZszmqMLqHt2zsEgKms6y4iUt+yBgu6/0xly62/tZ8zHtPno3Wa34fCyMqByHznCdP9d/9As4afseHe088mfoY+b0m196zmwxHEnOH54is6zqM1ke2hbHJwjQj3Roba1fWSmcNU1ymUXO+dZLKWqvf0QYv7wduTIW71yIrNTTYsy7RyiHaSwK+/13NdoKikTaSJdpOw69jxQiU3YNUlEhnXMaH8LsPLl9JEhV4pHPOYW1Iin0hijWaVieUNaMDVVGV7Esym3oKM/T13QUdMfu6A91ycQLPTOUAGqVXzjxMKPxs2NordUtJcqE1ujcktMUUvYkbkfYVlQr174/z73KLzw/+HzmkJuf8ypCmfn+e08YPTcbaYdPAePa2vU2mA7uR+IZk0qJuZUqZG463Dfk+yrrfjvJX3QPTsBknVf4nnrGAJXCsLaMumVCiwxGftduri9ZbuPkEGs2n/6Bx0maI0P/GTlkqpp/BFWZ/cZT0/PYfTjM3QO64dRo8pM1CxlhM7nVPnhn7SThbmjOS9NGjpuEbJ14HbRJ7rVKXrnSbM/j/VK3r81Svi00Q37M+ytYbeJZMrVPy6RoAtpmDvAcon1yAQoTaZuK9Q6Srf4+HBBe9TJJkANElx6PFY3Tq/rb8IJKZotpqio6PY3aqYefhwdtGylCdO6iq50AmRIlkrnrTsthgIYUqWS+kAHh9KWnpd2cXQDweld0mmSDImmM7iPIj+9gdTO3Y9RS3oeh+T9pecOHMdFqNY8W6V80fshVe/IDiKTZ5b1cBW9TaNOBZjdUm9RJ2pu8M12XEn7QQLZ+hPSEK+TCl3dvPnHu2t0bd8p9JsYmb6yxTZRJfUx2H5cyzC2IIbIkpJbfZQT+TAhnLYHWWjoXNOvs2kRBmmgfgThVgru0HKpYoOmkA+g5Do8mq4go0YD4GywqSab8NnGcoU5yx0jBpDoC8LJulrvEoRAsVu60X2xHYnz6wTSyLCXxpQ6YzCDNgloOMoUBCH4EdwmthB15YtUzGz23CgiiyJpn7gD8XZ4eIdQuAR/zRTlfUsztotlzbHItH6ogbd2ZSfDf/e7rWu0gti6UuOslGyKtOoQwg4DBBgAUmFrAMhKlliIQeOM1O2m/KqAyEjMdqK2zc3D4mce/v72zXv/7r3oLd88KEaqvu8/es82pm+zleRVKgK8qec4Cz/nppmMXY/zrQQzGj11SOhn0K0DCnvribo98AiQDu6GV4mk2VuP6yfBjE8XOOsWHayogkyBecURkYLQ0lhD+cad4Uh7hfU6pfR1hLcGez1C2yJaSmWQtPT99d/fhFJwg2SPzXdSLaZPsOwXGHRcrDPsmp0EG8X8/fK366tr9A7fFUzkzVjv8LHavU2ehtkZojiyLb+Nwe52batRn8Ili9HTs12VYzafrmDzoYvw6y0nVzs6zjIvla8ufJdej8VODPl0h/LAvQLqHRf/7euGm8IckQ81ydi3G/wl1oR+oOxGP64arPgmqFu44t7nSFeBFHWs0V+1UVIs/jbjmNxypg3N//rC/+158ykTc0rCH82ZomvMg4oMnvHWbxAWOdISjbClogumjdpYy35KYVFis/TN+hscUB+HAZLglJoKTVcI7eq1iFStLuSNPtlgToVp5aTUeP9RCVZSdabV3b/0UeqzuTXPsKav0YyatuGf0zmuuMngErxGc8w7tcfju+/srpvM/07mFadw/0ustDXwPapa3SG90Vwu2i/2rguoKNYDi/9gqv9twMA9eGFXgxTCDQ7NDO5bciesvYWL2nCDONRVyAFxfgIGdWVwB2pwfYFNlooOAuZk3IMWimQWH1VxGgqcnkIQRQAdCxp1QO/HJPLRtDHZfz45BFOT0CTX5j406WASlyYdTPbTpJn7PFBMT8BhO7k537O65IxsIlPAAT1g7z6nLmN59mM/0nWSwHAtl1iOWmD3YJBi+d1ry8rMZCXyLJyh7TAIt+3ZdwAOoEteJLxjcexGBWa1xUPEjX47GA0mpiBIr+PTTkzS0eMQLCjHpaZ5ZtjI9cyHOv4eDDxI1AEZXHy8/9cJdyMENPyUU2sAZEmQcLAPx2UkCncCBgOIYTVS8hHmO06L7IALM1ywc9RJqw5B7uO2sXz2OGw3HHyzFx9dzRLjpKvZEXiRJVaYGKqYNoxE5JQOuUYWGXlOSaUoVIKUSt5t6iFZsRVgWAat6QzBMs2Tu1/xg0zLFK++BXzw0++wAD9yhgPJvc0j0690OQgJ55/uw92LSGAO+ylPbguVDuRxPFpBg/hUaUckDidNG6UE9GkjtZ9IdUJSPKYdQAzfakWylZpnC9Un/Gmm4wBocHVrqkVfPQQ0rAiSohyXXkedvAV5iKQKtm44zSiERAJoXAiNmrAfiIkKqjs91EaenplKYbpbuIfb7aQMejxPOI/7rO+j6Znr1hPZbq5D9Q74Yb4DaIQR2Xx3UA9YX8nKMLHImNAGi0Hh2Em6KkBGA8hhPOJ7cQ703lQlZ+I2M3exLUUHGJk71AW8CwuVCgt1EBZy9kdEC0nxbr18eOODuu4Tl+z1Rdh16+ItPGfcBIZwBBePb4f41Q8zP+oOUVGXp/vvmaFFKRVWmyw+BjtgB3GJu/r+9aDCJ+s/0ScvHAa7A4PBlPAIy3dghrWOYbuy07QNst/hU7vPo76pXYg7143/oLtowAH3LKpmt1+fcvNIs1DT4hOeLQcVdaGGuStQlH9SoBYW7kINLuzvXWRV2kM9gPB1wT9dUdWfuXbambseCgPAIybF1psVl+fbLqz9bA+dOoNt2U5BAYAesDoTOb2Lt24X3C7ui8p4eLH3GSklWUYNZliAB4QyXPgn43Ix5vI7Iapkzba9Dj96V0oVSD6cZvU8lzpLd9cs+HteuFaWxpKZTA2P/gTKtNI0lsygDvCwMGQFzTSRUd8+VlDUhTlGCUPvTBoyQBftw2hQ4wHOlYTYuBrKe5xLZN0AzuUAzQDWLqlig05Zpy7eA7r/NOIxZecQDsMgrqioETjAt1RxSmdYp3DsANwDcFhRlTMy0hbpBBw83H43/J04uCKmeKxY49CDG8QBnIxJPA/0QL+DxkXJaaaX+OXPr+Jh4MCiHtiwyoT5Gis6bOx7mt7koKIO1PB95K58IRwEuW9IzEFr/ywsBKnAoZqJk7wtFuRelcVKSm3woNXfsariEF542X5q+kmW0B6eDlXan8LMXXija8YMxJu9bzjIjiXWy4xLeVvFi+GB9LCAUQ/wOBpRX5IDYyTO35Tl1AxHshy/uIOKelDDR54ie+XwhJU5pXlkwlM/onb3wpKQSkXWHgHmQdpjzNRzHw+0ll7j4MGL527aQ7D+tBXT3dYs/Mv/HwAA///ei04u" } diff --git a/x-pack/filebeat/module/juniper/netscreen/config/pipeline.js b/x-pack/filebeat/module/juniper/netscreen/config/pipeline.js index 4f4110c94a8..a35f5d2a21f 100644 --- a/x-pack/filebeat/module/juniper/netscreen/config/pipeline.js +++ b/x-pack/filebeat/module/juniper/netscreen/config/pipeline.js @@ -49,14 +49,11 @@ var dup4 = setf("msg","$MSG"); var dup5 = setf("severity","hseverity"); -var dup6 = // "Pattern{Constant('Address '), Field(group_object,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); +var dup6 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); -var dup7 = // "Pattern{Constant('domain address '), Field(domain,true), Constant(' in zone '), Field(p0,false)}" -match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); +var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); -var dup8 = // "Pattern{Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); +var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); var dup9 = date_time({ dest: "event_time", @@ -66,26 +63,19 @@ var dup9 = date_time({ ], }); -var dup10 = // "Pattern{Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); +var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); -var dup11 = // "Pattern{Field(fld1,false)}" -match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); +var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); -var dup12 = // "Pattern{Constant('Address '), Field(p0,false)}" -match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); +var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); -var dup13 = // "Pattern{Constant('MIP('), Field(interface,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); +var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); -var dup14 = // "Pattern{Field(group_object,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); +var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); -var dup15 = // "Pattern{Constant('admin '), Field(p0,false)}" -match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); +var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); -var dup16 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); +var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); var dup17 = setc("eventcategory","1502000000"); @@ -93,25 +83,19 @@ var dup18 = setc("eventcategory","1703000000"); var dup19 = setc("eventcategory","1603000000"); -var dup20 = // "Pattern{Constant('from host '), Field(saddr,true), Constant(' ')}" -match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); +var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); -var dup21 = // "Pattern{}" -match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); +var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); var dup22 = setc("eventcategory","1502050000"); -var dup23 = // "Pattern{Constant(''), Field(p0,false)}" -match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); +var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); -var dup24 = // "Pattern{Constant('password '), Field(p0,false)}" -match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); +var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); -var dup25 = // "Pattern{Constant('name '), Field(p0,false)}" -match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); +var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); -var dup26 = // "Pattern{Field(administrator,false)}" -match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); +var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); var dup27 = setc("eventcategory","1801010000"); @@ -131,8 +115,7 @@ var dup34 = setc("ec_activity","Logoff"); var dup35 = setc("eventcategory","1303000000"); -var dup36 = // "Pattern{Field(disposition,false)}" -match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); +var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); var dup37 = setc("eventcategory","1402020200"); @@ -140,11 +123,9 @@ var dup38 = setc("ec_theme","UserGroup"); var dup39 = setc("ec_outcome","Error"); -var dup40 = // "Pattern{Constant('via '), Field(p0,false)}" -match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); +var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); -var dup41 = // "Pattern{Field(fld1,false), Constant(')')}" -match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); +var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); var dup42 = setc("eventcategory","1402020300"); @@ -152,40 +133,31 @@ var dup43 = setc("ec_activity","Modify"); var dup44 = setc("eventcategory","1605000000"); -var dup45 = // "Pattern{Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); +var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); -var dup46 = // "Pattern{Constant('admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); +var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); -var dup47 = // "Pattern{Field(username,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); +var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); -var dup48 = // "Pattern{Constant('NSRP Peer . ('), Field(p0,false)}" -match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); +var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); -var dup49 = // "Pattern{Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); +var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); var dup50 = setc("eventcategory","1701020000"); var dup51 = setc("ec_theme","Configuration"); -var dup52 = // "Pattern{Constant('changed'), Field(p0,false)}" -match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); +var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); var dup53 = setc("eventcategory","1301000000"); var dup54 = setc("ec_outcome","Failure"); -var dup55 = // "Pattern{Constant('The '), Field(p0,false)}" -match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); +var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); -var dup56 = // "Pattern{Constant('interface'), Field(p0,false)}" -match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); +var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); -var dup57 = // "Pattern{Constant('Interface'), Field(p0,false)}" -match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); +var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); var dup58 = setc("eventcategory","1001000000"); @@ -215,68 +187,47 @@ var dup61 = call({ var dup62 = setc("eventcategory","1608010000"); -var dup63 = // "Pattern{Constant('DNS entries have been '), Field(p0,false)}" -match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); +var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); -var dup64 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); +var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); -var dup65 = // "Pattern{Field(zone,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); +var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); -var dup66 = // "Pattern{Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); +var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); -var dup67 = // "Pattern{Constant('int '), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); +var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); -var dup68 = // "Pattern{Field(dport,false), Constant(','), Field(p0,false)}" -match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); +var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); -var dup69 = // "Pattern{Field(dport,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); +var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); -var dup70 = // "Pattern{Field(space,false), Constant('using protocol '), Field(p0,false)}" -match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); +var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); -var dup71 = // "Pattern{Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); +var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); -var dup72 = // "Pattern{Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); +var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); -var dup73 = // "Pattern{Constant('. '), Field(p0,false)}" -match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); +var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); -var dup74 = // "Pattern{Field(fld2,false), Constant(': SYN '), Field(p0,false)}" -match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); +var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); -var dup75 = // "Pattern{Constant('SYN '), Field(p0,false)}" -match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); +var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); -var dup76 = // "Pattern{Constant('timeout value '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); +var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); -var dup77 = // "Pattern{Constant('destination '), Field(p0,false)}" -match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); +var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); -var dup78 = // "Pattern{Constant('source '), Field(p0,false)}" -match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); +var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); -var dup79 = // "Pattern{Constant('A '), Field(p0,false)}" -match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); +var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); -var dup80 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup81 = // "Pattern{Constant(', int '), Field(p0,false)}" -match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); +var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); -var dup82 = // "Pattern{Constant('int '), Field(p0,false)}" -match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); +var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); -var dup83 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); +var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); var dup84 = setc("eventcategory","1002020000"); @@ -284,176 +235,123 @@ var dup85 = setc("eventcategory","1002000000"); var dup86 = setc("eventcategory","1603110000"); -var dup87 = // "Pattern{Constant('HA '), Field(p0,false)}" -match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); +var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); -var dup88 = // "Pattern{Constant('encryption '), Field(p0,false)}" -match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); +var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); -var dup89 = // "Pattern{Constant('authentication '), Field(p0,false)}" -match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); +var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); -var dup90 = // "Pattern{Constant('key '), Field(p0,false)}" -match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); +var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); var dup91 = setc("eventcategory","1613040200"); -var dup92 = // "Pattern{Constant('disabled'), Field(,false)}" -match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); +var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); -var dup93 = // "Pattern{Constant('set to '), Field(trigger_val,false)}" -match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); +var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); -var dup94 = // "Pattern{Constant('up'), Field(,false)}" -match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); +var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); -var dup95 = // "Pattern{Constant('down'), Field(,false)}" -match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); +var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); -var dup96 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); +var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); var dup97 = setc("eventcategory","1613050200"); -var dup98 = // "Pattern{Constant('set'), Field(,false)}" -match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); +var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); -var dup99 = // "Pattern{Constant('unset'), Field(,false)}" -match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); +var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); -var dup100 = // "Pattern{Constant('undefined '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); +var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); -var dup101 = // "Pattern{Constant('set '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); +var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); -var dup102 = // "Pattern{Constant('active '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); +var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); -var dup103 = // "Pattern{Constant('to '), Field(p0,false)}" -match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); +var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); -var dup104 = // "Pattern{Constant('created '), Field(p0,false)}" -match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); +var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); -var dup105 = // "Pattern{Constant(', '), Field(p0,false)}" -match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); +var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); -var dup106 = // "Pattern{Constant('is '), Field(p0,false)}" -match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); +var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); -var dup107 = // "Pattern{Constant('was '), Field(p0,false)}" -match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); +var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); -var dup108 = // "Pattern{Constant(''), Field(fld2,false)}" -match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); +var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); -var dup109 = // "Pattern{Constant('threshold '), Field(p0,false)}" -match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); +var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); -var dup110 = // "Pattern{Constant('interval '), Field(p0,false)}" -match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); +var dup110 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); -var dup111 = // "Pattern{Constant('of '), Field(p0,false)}" -match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); +var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); -var dup112 = // "Pattern{Constant('that '), Field(p0,false)}" -match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); +var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); -var dup113 = // "Pattern{Constant('Zone '), Field(p0,false)}" -match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); +var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); -var dup114 = // "Pattern{Constant('Interface '), Field(p0,false)}" -match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); +var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); -var dup115 = // "Pattern{Constant('n '), Field(p0,false)}" -match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); +var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); -var dup116 = // "Pattern{Constant('.'), Field(,false)}" -match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); +var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); var dup117 = setc("eventcategory","1603090000"); -var dup118 = // "Pattern{Constant('for '), Field(p0,false)}" -match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); +var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); -var dup119 = // "Pattern{Constant('the '), Field(p0,false)}" -match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); +var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); -var dup120 = // "Pattern{Constant('removed '), Field(p0,false)}" -match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); +var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); var dup121 = setc("eventcategory","1603030000"); -var dup122 = // "Pattern{Constant('interface '), Field(p0,false)}" -match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); +var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); -var dup123 = // "Pattern{Constant('the interface '), Field(p0,false)}" -match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); +var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); -var dup124 = // "Pattern{Field(interface,false)}" -match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); +var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); -var dup125 = // "Pattern{Constant('s '), Field(p0,false)}" -match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); +var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); -var dup126 = // "Pattern{Constant('on interface '), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); +var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); -var dup127 = // "Pattern{Constant('has been '), Field(p0,false)}" -match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); +var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); -var dup128 = // "Pattern{Constant(''), Field(disposition,false), Constant('.')}" -match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); +var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); -var dup129 = // "Pattern{Constant('removed from '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); +var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); -var dup130 = // "Pattern{Constant('added to '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); +var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); -var dup131 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); +var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); -var dup132 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup133 = // "Pattern{Constant('Interface '), Field(p0,false)}" -match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); +var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); -var dup134 = // "Pattern{Constant('set to '), Field(fld2,false)}" -match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); +var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); -var dup135 = // "Pattern{Constant('gateway '), Field(p0,false)}" -match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); +var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); -var dup136 = // "Pattern{Field(,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); +var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); -var dup137 = // "Pattern{Constant('port number '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); +var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); -var dup138 = // "Pattern{Constant('has been '), Field(disposition,false)}" -match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); +var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); -var dup139 = // "Pattern{Constant('IP '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); +var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); -var dup140 = // "Pattern{Constant('port '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); +var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); var dup141 = setc("eventcategory","1702030000"); -var dup142 = // "Pattern{Constant('up '), Field(p0,false)}" -match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); +var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); -var dup143 = // "Pattern{Constant('down '), Field(p0,false)}" -match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); +var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); var dup144 = setc("eventcategory","1601000000"); -var dup145 = // "Pattern{Constant('('), Field(fld1,false), Constant(') ')}" -match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); +var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); var dup146 = date_time({ dest: "event_time", @@ -473,360 +371,251 @@ var dup150 = setc("ec_theme","TEV"); var dup151 = setc("eventcategory","1103010000"); -var dup152 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); +var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); -var dup153 = // "Pattern{Constant('IP '), Field(p0,false)}" -match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); +var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); -var dup154 = // "Pattern{Constant('address pool '), Field(p0,false)}" -match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); +var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); -var dup155 = // "Pattern{Constant('pool '), Field(p0,false)}" -match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); +var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); -var dup156 = // "Pattern{Constant('enabled '), Field(p0,false)}" -match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); +var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); -var dup157 = // "Pattern{Constant('disabled '), Field(p0,false)}" -match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); +var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); -var dup158 = // "Pattern{Constant('AH '), Field(p0,false)}" -match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); +var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); -var dup159 = // "Pattern{Constant('ESP '), Field(p0,false)}" -match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); +var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); -var dup160 = // "Pattern{Constant('’'), Field(p0,false)}" -match("MESSAGE#347:00018:02/1_0", "nwparser.p0", "’%{p0}"); +var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); -var dup161 = // "Pattern{Constant('&'), Field(p0,false)}" -match("MESSAGE#347:00018:02/1_1", "nwparser.p0", "\u0026%{p0}"); +var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); -var dup162 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); +var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); -var dup163 = // "Pattern{Constant('Source'), Field(p0,false)}" -match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); +var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); -var dup164 = // "Pattern{Constant('Destination'), Field(p0,false)}" -match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); +var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); -var dup165 = // "Pattern{Constant('from '), Field(p0,false)}" -match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); +var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); -var dup166 = // "Pattern{Constant('policy ID '), Field(policy_id,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer . ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); +var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); -var dup167 = // "Pattern{Constant('Attempt to enable '), Field(p0,false)}" -match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); +var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); -var dup168 = // "Pattern{Constant('traffic logging via syslog '), Field(p0,false)}" -match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); +var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); -var dup169 = // "Pattern{Constant('syslog '), Field(p0,false)}" -match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); +var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); -var dup170 = // "Pattern{Constant('Syslog '), Field(p0,false)}" -match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); +var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); -var dup171 = // "Pattern{Constant('host '), Field(p0,false)}" -match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); +var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); -var dup172 = // "Pattern{Constant('domain name '), Field(p0,false)}" -match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); +var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); -var dup173 = // "Pattern{Constant('has been changed to '), Field(fld2,false)}" -match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); +var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); -var dup174 = // "Pattern{Constant('security facility '), Field(p0,false)}" -match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); +var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); -var dup175 = // "Pattern{Constant('facility '), Field(p0,false)}" -match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); +var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); -var dup176 = // "Pattern{Constant('local0'), Field(,false)}" -match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); +var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); -var dup177 = // "Pattern{Constant('local1'), Field(,false)}" -match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); +var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); -var dup178 = // "Pattern{Constant('local2'), Field(,false)}" -match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); +var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); -var dup179 = // "Pattern{Constant('local3'), Field(,false)}" -match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); +var dup179 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); -var dup180 = // "Pattern{Constant('local4'), Field(,false)}" -match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); +var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); -var dup181 = // "Pattern{Constant('local5'), Field(,false)}" -match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); +var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); -var dup182 = // "Pattern{Constant('local6'), Field(,false)}" -match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); +var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); -var dup183 = // "Pattern{Constant('local7'), Field(,false)}" -match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); +var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); -var dup184 = // "Pattern{Constant('auth/sec'), Field(,false)}" -match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); +var dup184 = setc("eventcategory","1603020000"); -var dup185 = // "Pattern{Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); +var dup185 = setc("eventcategory","1803000000"); -var dup186 = setc("eventcategory","1603020000"); +var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); -var dup187 = setc("eventcategory","1803000000"); +var dup187 = setc("eventcategory","1603010000"); -var dup188 = // "Pattern{Constant('All '), Field(p0,false)}" -match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); +var dup188 = setc("eventcategory","1603100000"); -var dup189 = setc("eventcategory","1603010000"); +var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); -var dup190 = setc("eventcategory","1603100000"); +var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); -var dup191 = // "Pattern{Constant('primary '), Field(p0,false)}" -match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); +var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); -var dup192 = // "Pattern{Constant('secondary '), Field(p0,false)}" -match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); +var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); -var dup193 = // "Pattern{Constant('t '), Field(p0,false)}" -match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); +var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); -var dup194 = // "Pattern{Constant('w '), Field(p0,false)}" -match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); +var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); -var dup195 = // "Pattern{Constant('server '), Field(p0,false)}" -match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); +var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); -var dup196 = // "Pattern{Constant('has '), Field(p0,false)}" -match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); +var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); -var dup197 = // "Pattern{Constant('SCS'), Field(p0,false)}" -match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); +var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); -var dup198 = // "Pattern{Constant('bound to '), Field(p0,false)}" -match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); +var dup198 = setc("eventcategory","1801030000"); -var dup199 = // "Pattern{Constant('unbound from '), Field(p0,false)}" -match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); +var dup199 = setc("eventcategory","1302010200"); -var dup200 = setc("eventcategory","1801030000"); +var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); -var dup201 = setc("eventcategory","1302010200"); +var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); -var dup202 = // "Pattern{Constant('PKA RSA '), Field(p0,false)}" -match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); +var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); -var dup203 = // "Pattern{Constant('unbind '), Field(p0,false)}" -match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); +var dup203 = setc("eventcategory","1304000000"); -var dup204 = // "Pattern{Constant('PKA key '), Field(p0,false)}" -match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); +var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); -var dup205 = setc("eventcategory","1304000000"); +var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); -var dup206 = // "Pattern{Constant('Multiple login failures '), Field(p0,false)}" -match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); +var dup206 = setc("eventcategory","1401030000"); -var dup207 = // "Pattern{Constant('occurred for '), Field(p0,false)}" -match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); +var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); -var dup208 = setc("eventcategory","1401030000"); +var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); -var dup209 = // "Pattern{Constant('aborted'), Field(,false)}" -match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); +var dup209 = setc("eventcategory","1605020000"); -var dup210 = // "Pattern{Constant('performed'), Field(,false)}" -match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); +var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); -var dup211 = setc("eventcategory","1605020000"); +var dup211 = setc("ec_subject","Certificate"); -var dup212 = // "Pattern{Constant('IP pool of DHCP server on '), Field(p0,false)}" -match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); +var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); -var dup213 = setc("ec_subject","Certificate"); +var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); -var dup214 = // "Pattern{Constant('certificate '), Field(p0,false)}" -match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); +var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); -var dup215 = // "Pattern{Constant('CRL '), Field(p0,false)}" -match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); +var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); -var dup216 = // "Pattern{Constant('auto '), Field(p0,false)}" -match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); +var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); -var dup217 = // "Pattern{Constant('RSA '), Field(p0,false)}" -match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); +var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); -var dup218 = // "Pattern{Constant('DSA '), Field(p0,false)}" -match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); +var dup218 = setc("ec_subject","CryptoKey"); -var dup219 = // "Pattern{Constant('key pair.'), Field(,false)}" -match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); +var dup219 = setc("ec_subject","Configuration"); -var dup220 = setc("ec_subject","CryptoKey"); +var dup220 = setc("ec_activity","Request"); -var dup221 = setc("ec_subject","Configuration"); +var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); -var dup222 = setc("ec_activity","Request"); +var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); -var dup223 = // "Pattern{Constant('FIPS test for '), Field(p0,false)}" -match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); +var dup223 = setc("eventcategory","1612000000"); -var dup224 = // "Pattern{Constant('ECDSA '), Field(p0,false)}" -match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); +var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); -var dup225 = setc("eventcategory","1612000000"); +var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); -var dup226 = // "Pattern{Constant('yes '), Field(p0,false)}" -match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); +var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); -var dup227 = // "Pattern{Constant('no '), Field(p0,false)}" -match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); +var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); -var dup228 = // "Pattern{Constant('location '), Field(p0,false)}" -match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); +var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); -var dup229 = // "Pattern{Field(,true), Constant(' '), Field(interface,false)}" -match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); +var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); -var dup230 = // "Pattern{Constant('arp re'), Field(p0,false)}" -match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); +var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); -var dup231 = // "Pattern{Constant('q '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); +var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); -var dup232 = // "Pattern{Constant('ply '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); +var dup232 = setc("eventcategory","1201000000"); -var dup233 = // "Pattern{Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); +var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); -var dup234 = setc("eventcategory","1201000000"); +var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); -var dup235 = // "Pattern{Constant('Global PRO '), Field(p0,false)}" -match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); +var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); -var dup236 = // "Pattern{Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); +var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); -var dup237 = // "Pattern{Constant('NACN Policy Manager '), Field(p0,false)}" -match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); +var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); -var dup238 = // "Pattern{Constant('1 '), Field(p0,false)}" -match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); +var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); -var dup239 = // "Pattern{Constant('2 '), Field(p0,false)}" -match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); +var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup240 = // "Pattern{Constant('unset '), Field(p0,false)}" -match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); +var dup240 = setc("eventcategory","1401000000"); -var dup241 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); -var dup242 = setc("eventcategory","1401000000"); +var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); -var dup243 = // "Pattern{Constant('SSH '), Field(p0,false)}" -match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); +var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); -var dup244 = // "Pattern{Constant('SCS: NetScreen '), Field(p0,false)}" -match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); +var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); -var dup245 = // "Pattern{Constant('NetScreen '), Field(p0,false)}" -match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); +var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); -var dup246 = // "Pattern{Constant('S'), Field(p0,false)}" -match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); +var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); -var dup247 = // "Pattern{Constant('CS: SSH'), Field(p0,false)}" -match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); +var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); -var dup248 = // "Pattern{Constant('SH'), Field(p0,false)}" -match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); +var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); -var dup249 = // "Pattern{Constant('the root system '), Field(p0,false)}" -match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); +var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); -var dup250 = // "Pattern{Constant('vsys '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); +var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); -var dup251 = // "Pattern{Constant('CS: SSH '), Field(p0,false)}" -match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); +var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); -var dup252 = // "Pattern{Constant('SH '), Field(p0,false)}" -match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); +var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); -var dup253 = // "Pattern{Constant('a '), Field(p0,false)}" -match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); +var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); -var dup254 = // "Pattern{Constant('ert '), Field(p0,false)}" -match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); +var dup254 = setc("eventcategory","1608000000"); -var dup255 = // "Pattern{Constant('SSL '), Field(p0,false)}" -match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); +var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); -var dup256 = setc("eventcategory","1608000000"); +var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); -var dup257 = // "Pattern{Constant('id: '), Field(p0,false)}" -match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); +var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); -var dup258 = // "Pattern{Constant('ID '), Field(p0,false)}" -match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); +var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); -var dup259 = // "Pattern{Constant('permit '), Field(p0,false)}" -match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); +var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); -var dup260 = // "Pattern{Constant('IGMP '), Field(p0,false)}" -match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); +var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); -var dup261 = // "Pattern{Constant('IGMP will '), Field(p0,false)}" -match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); +var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); -var dup262 = // "Pattern{Constant('not do '), Field(p0,false)}" -match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); +var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); -var dup263 = // "Pattern{Constant('do '), Field(p0,false)}" -match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); +var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); -var dup264 = // "Pattern{Constant('shut down '), Field(p0,false)}" -match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); +var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); -var dup265 = // "Pattern{Constant('NSRP: '), Field(p0,false)}" -match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); +var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); -var dup266 = // "Pattern{Constant('Unit '), Field(p0,false)}" -match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); +var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); -var dup267 = // "Pattern{Constant('local unit= '), Field(p0,false)}" -match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); +var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); -var dup268 = // "Pattern{Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); +var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); -var dup269 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Sec'), Field(p0,false)}" -match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); +var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); -var dup270 = // "Pattern{Constant('ruity'), Field(p0,false)}" -match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); +var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); -var dup271 = // "Pattern{Constant('urity'), Field(p0,false)}" -match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); +var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); -var dup272 = // "Pattern{Field(,false), Constant('Device group '), Field(group,true), Constant(' changed state')}" -match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); +var dup272 = setc("eventcategory","1805010000"); -var dup273 = // "Pattern{Constant(''), Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); +var dup273 = setc("eventcategory","1805000000"); -var dup274 = setc("eventcategory","1805010000"); - -var dup275 = setc("eventcategory","1805000000"); - -var dup276 = date_time({ +var dup274 = date_time({ dest: "starttime", args: ["fld2"], fmts: [ @@ -834,7 +623,7 @@ var dup276 = date_time({ ], }); -var dup277 = call({ +var dup275 = call({ dest: "nwparser.bytes", fn: CALC, args: [ @@ -844,13 +633,13 @@ var dup277 = call({ ], }); -var dup278 = setc("action","Deny"); +var dup276 = setc("action","Deny"); -var dup279 = setc("disposition","Deny"); +var dup277 = setc("disposition","Deny"); -var dup280 = setc("direction","outgoing"); +var dup278 = setc("direction","outgoing"); -var dup281 = call({ +var dup279 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [ @@ -862,36 +651,29 @@ var dup281 = call({ ], }); -var dup282 = setc("direction","incoming"); +var dup280 = setc("direction","incoming"); -var dup283 = setc("eventcategory","1801000000"); +var dup281 = setc("eventcategory","1801000000"); -var dup284 = setf("action","disposition"); +var dup282 = setf("action","disposition"); -var dup285 = // "Pattern{Constant('start_time='), Field(p0,false)}" -match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); +var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); -var dup286 = // "Pattern{Constant('\"'), Field(fld2,false), Constant('\"'), Field(p0,false)}" -match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); +var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); -var dup287 = // "Pattern{Constant(' "'), Field(fld2,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); +var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); -var dup288 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); +var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); -var dup289 = // "Pattern{Constant('Admin '), Field(p0,false)}" -match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); +var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); -var dup290 = // "Pattern{Constant('Vsys admin '), Field(p0,false)}" -match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); +var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); -var dup291 = // "Pattern{Constant('Telnet '), Field(p0,false)}" -match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); +var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); -var dup292 = setc("eventcategory","1401050200"); +var dup290 = setc("eventcategory","1401050200"); -var dup293 = call({ +var dup291 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [ @@ -901,7 +683,7 @@ var dup293 = call({ ], }); -var dup294 = call({ +var dup292 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [ @@ -913,117 +695,85 @@ var dup294 = call({ ], }); -var dup295 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); +var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); -var dup296 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); +var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); -var dup297 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.'), Field(p0,false)}" -match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); +var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); -var dup298 = // "Pattern{Field(obj_type,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup299 = setc("eventcategory","1204000000"); +var dup297 = setc("eventcategory","1204000000"); -var dup300 = // "Pattern{Field(signame,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup301 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); +var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); -var dup302 = // "Pattern{Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); +var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); -var dup303 = setc("eventcategory","1801020000"); +var dup301 = setc("eventcategory","1801020000"); -var dup304 = setc("disposition","failed"); +var dup302 = setc("disposition","failed"); -var dup305 = // "Pattern{Constant('ut '), Field(p0,false)}" -match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); +var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); -var dup306 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); +var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); -var dup307 = // "Pattern{Constant('user '), Field(p0,false)}" -match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); +var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); -var dup308 = // "Pattern{Constant('the '), Field(logon_type,false)}" -match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); +var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); -var dup309 = // "Pattern{Constant('WebAuth user '), Field(p0,false)}" -match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); +var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); -var dup310 = // "Pattern{Constant('backup1 '), Field(p0,false)}" -match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); +var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); -var dup311 = // "Pattern{Constant('backup2 '), Field(p0,false)}" -match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); +var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); -var dup312 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); +var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); -var dup313 = // "Pattern{Constant('assigned '), Field(p0,false)}" -match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); +var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); -var dup314 = // "Pattern{Constant('assigned to '), Field(p0,false)}" -match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); +var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); -var dup315 = setc("eventcategory","1803020000"); +var dup313 = setc("eventcategory","1803020000"); -var dup316 = setc("eventcategory","1613030000"); +var dup314 = setc("eventcategory","1613030000"); -var dup317 = // "Pattern{Constant('''), Field(administrator,false), Constant('' '), Field(p0,false)}" -match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); +var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); -var dup318 = // "Pattern{Constant('SSH: P'), Field(p0,false)}" -match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); +var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); -var dup319 = // "Pattern{Constant('KA '), Field(p0,false)}" -match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); +var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); -var dup320 = // "Pattern{Constant('assword '), Field(p0,false)}" -match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); +var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); -var dup321 = // "Pattern{Constant('\''), Field(administrator,false), Constant('\' '), Field(p0,false)}" -match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); +var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); -var dup322 = // "Pattern{Constant('at host '), Field(saddr,false)}" -match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); +var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); -var dup323 = // "Pattern{Field(,false), Constant('S'), Field(p0,false)}" -match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); +var dup321 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); -var dup324 = // "Pattern{Constant('CS '), Field(p0,false)}" -match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); +var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); -var dup325 = setc("event_description","Cannot connect to NSM server"); +var dup323 = setc("event_description","Cannot connect to NSM server"); -var dup326 = setc("eventcategory","1603040000"); +var dup324 = setc("eventcategory","1603040000"); -var dup327 = // "Pattern{Constant('from server.ini file.'), Field(,false)}" -match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); +var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); -var dup328 = // "Pattern{Constant('pattern '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); +var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); -var dup329 = // "Pattern{Constant('server.ini '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); +var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); -var dup330 = // "Pattern{Constant('file.'), Field(,false)}" -match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); +var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); -var dup331 = // "Pattern{Constant('AV pattern '), Field(p0,false)}" -match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); +var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); -var dup332 = // "Pattern{Constant('added into '), Field(p0,false)}" -match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); +var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); -var dup333 = // "Pattern{Constant('loader '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); +var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); -var dup334 = call({ +var dup332 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [ @@ -1035,13 +785,12 @@ var dup334 = call({ ], }); -var dup335 = linear_select([ +var dup333 = linear_select([ dup10, dup11, ]); -var dup336 = // "Pattern{Constant('Policy ID='), Field(policy_id,true), Constant(' Rate='), Field(fld2,true), Constant(' exceeds threshold')}" -match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ +var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ dup1, dup2, dup3, @@ -1049,38 +798,37 @@ match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=% dup5, ])); -var dup337 = linear_select([ +var dup335 = linear_select([ dup13, dup14, ]); -var dup338 = linear_select([ +var dup336 = linear_select([ dup15, dup16, ]); -var dup339 = linear_select([ +var dup337 = linear_select([ dup56, dup57, ]); -var dup340 = linear_select([ +var dup338 = linear_select([ dup65, dup66, ]); -var dup341 = linear_select([ +var dup339 = linear_select([ dup68, dup69, ]); -var dup342 = linear_select([ +var dup340 = linear_select([ dup71, dup72, ]); -var dup343 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(interface,false), Constant(')')}" -match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ +var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ dup58, dup2, dup3, @@ -1089,138 +837,135 @@ match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{s dup61, ])); -var dup344 = linear_select([ +var dup342 = linear_select([ dup74, dup75, ]); -var dup345 = linear_select([ +var dup343 = linear_select([ dup81, dup82, ]); -var dup346 = linear_select([ +var dup344 = linear_select([ dup24, dup90, ]); -var dup347 = linear_select([ +var dup345 = linear_select([ dup94, dup95, ]); -var dup348 = linear_select([ +var dup346 = linear_select([ dup98, dup99, ]); -var dup349 = linear_select([ +var dup347 = linear_select([ dup100, dup101, dup102, ]); -var dup350 = linear_select([ +var dup348 = linear_select([ dup113, dup114, ]); -var dup351 = linear_select([ +var dup349 = linear_select([ dup111, dup16, ]); -var dup352 = linear_select([ +var dup350 = linear_select([ dup127, dup107, ]); -var dup353 = linear_select([ +var dup351 = linear_select([ dup8, dup21, ]); -var dup354 = linear_select([ +var dup352 = linear_select([ dup122, dup133, ]); -var dup355 = linear_select([ +var dup353 = linear_select([ dup142, dup143, ]); -var dup356 = linear_select([ +var dup354 = linear_select([ dup145, dup21, ]); -var dup357 = linear_select([ +var dup355 = linear_select([ dup127, dup106, ]); -var dup358 = linear_select([ +var dup356 = linear_select([ dup152, dup96, ]); -var dup359 = linear_select([ +var dup357 = linear_select([ dup154, dup155, ]); -var dup360 = linear_select([ +var dup358 = linear_select([ dup156, dup157, ]); -var dup361 = linear_select([ +var dup359 = linear_select([ dup99, dup134, ]); -var dup362 = linear_select([ +var dup360 = linear_select([ dup158, dup159, ]); -var dup363 = linear_select([ - dup160, +var dup361 = linear_select([ dup161, + dup162, ]); -var dup364 = linear_select([ +var dup362 = linear_select([ dup163, - dup164, -]); - -var dup365 = linear_select([ - dup165, dup103, ]); -var dup366 = linear_select([ - dup164, - dup163, +var dup363 = linear_select([ + dup162, + dup161, ]); -var dup367 = linear_select([ +var dup364 = linear_select([ dup46, dup47, ]); -var dup368 = linear_select([ - dup168, - dup169, +var dup365 = linear_select([ + dup166, + dup167, ]); -var dup369 = linear_select([ - dup174, - dup175, +var dup366 = linear_select([ + dup172, + dup173, ]); -var dup370 = linear_select([ +var dup367 = linear_select([ + dup174, + dup175, dup176, dup177, dup178, @@ -1228,47 +973,44 @@ var dup370 = linear_select([ dup180, dup181, dup182, - dup183, - dup184, ]); -var dup371 = linear_select([ +var dup368 = linear_select([ dup49, dup21, ]); -var dup372 = linear_select([ - dup191, - dup192, +var dup369 = linear_select([ + dup189, + dup190, ]); -var dup373 = linear_select([ +var dup370 = linear_select([ dup96, dup152, ]); -var dup374 = linear_select([ - dup198, - dup199, +var dup371 = linear_select([ + dup196, + dup197, ]); -var dup375 = linear_select([ +var dup372 = linear_select([ dup24, - dup202, + dup200, ]); -var dup376 = linear_select([ +var dup373 = linear_select([ dup103, - dup165, + dup163, ]); -var dup377 = linear_select([ - dup207, +var dup374 = linear_select([ + dup205, dup118, ]); -var dup378 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -1276,88 +1018,87 @@ match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var dup379 = linear_select([ - dup214, +var dup376 = linear_select([ + dup212, + dup213, +]); + +var dup377 = linear_select([ dup215, + dup216, ]); -var dup380 = linear_select([ - dup217, - dup218, +var dup378 = linear_select([ + dup222, + dup215, ]); -var dup381 = linear_select([ +var dup379 = linear_select([ dup224, - dup217, + dup225, ]); -var dup382 = linear_select([ - dup226, - dup227, +var dup380 = linear_select([ + dup231, + dup124, ]); -var dup383 = linear_select([ - dup233, - dup124, +var dup381 = linear_select([ + dup229, + dup230, ]); -var dup384 = linear_select([ - dup231, - dup232, +var dup382 = linear_select([ + dup233, + dup234, ]); -var dup385 = linear_select([ - dup235, +var dup383 = linear_select([ dup236, + dup237, ]); -var dup386 = linear_select([ - dup238, - dup239, +var dup384 = linear_select([ + dup242, + dup243, ]); -var dup387 = linear_select([ - dup244, +var dup385 = linear_select([ dup245, + dup246, ]); -var dup388 = linear_select([ +var dup386 = linear_select([ dup247, dup248, ]); -var dup389 = linear_select([ +var dup387 = linear_select([ dup249, dup250, ]); -var dup390 = linear_select([ +var dup388 = linear_select([ dup251, dup252, ]); -var dup391 = linear_select([ - dup253, - dup254, -]); - -var dup392 = linear_select([ - dup262, - dup263, +var dup389 = linear_select([ + dup260, + dup261, ]); -var dup393 = linear_select([ - dup266, - dup267, +var dup390 = linear_select([ + dup264, + dup265, ]); -var dup394 = linear_select([ - dup270, - dup271, +var dup391 = linear_select([ + dup268, + dup269, ]); -var dup395 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ +var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ dup1, dup2, dup3, @@ -1365,18 +1106,17 @@ match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in th dup5, ])); -var dup396 = linear_select([ - dup286, - dup287, +var dup393 = linear_select([ + dup284, + dup285, ]); -var dup397 = linear_select([ - dup289, - dup290, +var dup394 = linear_select([ + dup287, + dup288, ]); -var dup398 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup59, @@ -1386,8 +1126,7 @@ match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to dup60, ])); -var dup399 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to zone '), Field(zone,false), Constant(', proto '), Field(protocol,true), Constant(' (int '), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup4, dup59, @@ -1398,116 +1137,112 @@ match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to dup60, ])); -var dup400 = linear_select([ - dup302, +var dup397 = linear_select([ + dup300, dup26, ]); -var dup401 = linear_select([ +var dup398 = linear_select([ dup115, - dup305, + dup303, ]); -var dup402 = linear_select([ +var dup399 = linear_select([ dup125, dup96, ]); -var dup403 = linear_select([ - dup191, - dup310, - dup311, +var dup400 = linear_select([ + dup189, + dup308, + dup309, ]); -var dup404 = linear_select([ - dup312, +var dup401 = linear_select([ + dup310, dup16, ]); -var dup405 = linear_select([ - dup319, - dup320, +var dup402 = linear_select([ + dup317, + dup318, ]); -var dup406 = linear_select([ - dup321, - dup317, +var dup403 = linear_select([ + dup319, + dup315, ]); -var dup407 = linear_select([ - dup324, - dup252, +var dup404 = linear_select([ + dup322, + dup250, ]); -var dup408 = linear_select([ +var dup405 = linear_select([ + dup327, dup329, - dup331, ]); -var dup409 = linear_select([ - dup332, +var dup406 = linear_select([ + dup330, dup129, ]); -var dup410 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup283, +var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup60, - dup284, + dup282, ])); -var dup411 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup187, +var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup60, ])); -var dup412 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup283, +var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup60, - dup284, + dup282, ])); -var dup413 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup61, ])); -var dup414 = all_match({ +var dup411 = all_match({ processors: [ - dup265, - dup393, - dup268, + dup263, + dup390, + dup266, ], on_success: processor_chain([ dup1, @@ -1518,11 +1253,11 @@ var dup414 = all_match({ ]), }); -var dup415 = all_match({ +var dup412 = all_match({ processors: [ - dup269, - dup394, - dup272, + dup267, + dup391, + dup270, ], on_success: processor_chain([ dup1, @@ -1533,11 +1268,11 @@ var dup415 = all_match({ ]), }); -var dup416 = all_match({ +var dup413 = all_match({ processors: [ dup80, - dup345, - dup295, + dup343, + dup293, ], on_success: processor_chain([ dup58, @@ -1550,14 +1285,14 @@ var dup416 = all_match({ ]), }); -var dup417 = all_match({ +var dup414 = all_match({ processors: [ - dup298, - dup345, + dup296, + dup343, dup131, ], on_success: processor_chain([ - dup299, + dup297, dup2, dup3, dup9, @@ -1568,14 +1303,14 @@ var dup417 = all_match({ ]), }); -var dup418 = all_match({ +var dup415 = all_match({ processors: [ - dup300, - dup345, + dup298, + dup343, dup131, ], on_success: processor_chain([ - dup299, + dup297, dup2, dup3, dup9, @@ -1586,32 +1321,25 @@ var dup418 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' [No Name]system-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant('('), Field(hfld3,false), Constant('): '), Field(payload,false)}" -match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ setc("header_id","0001"), ])); -var hdr2 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' ['), Field(hvsys,false), Constant(']system-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant('('), Field(hfld3,false), Constant('): '), Field(payload,false)}" -match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ setc("header_id","0003"), ])); -var hdr3 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' system-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant('('), Field(hfld3,false), Constant('): '), Field(payload,false)}" -match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ setc("header_id","0004"), ])); -var hdr4 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); +var hdr4 = match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); -var part1 = // "Pattern{Constant('[No Name]system'), Field(p0,false)}" -match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); +var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); -var part2 = // "Pattern{Constant('['), Field(hvsys,false), Constant(']system'), Field(p0,false)}" -match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); +var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); -var part3 = // "Pattern{Constant('system'), Field(p0,false)}" -match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); +var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); var select1 = linear_select([ part1, @@ -1619,8 +1347,7 @@ var select1 = linear_select([ part3, ]); -var part4 = // "Pattern{Constant('-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); +var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); var all1 = all_match({ processors: [ @@ -1640,8 +1367,7 @@ var select2 = linear_select([ all1, ]); -var part5 = // "Pattern{Field(zone,true), Constant(' address '), Field(interface,true), Constant(' with ip address '), Field(hostip,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ +var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1651,8 +1377,7 @@ match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} w var msg1 = msg("00001", part5); -var part6 = // "Pattern{Field(zone,true), Constant(' address '), Field(interface,true), Constant(' with domain name '), Field(domain,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ +var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1662,16 +1387,14 @@ match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface-> var msg2 = msg("00001:01", part6); -var part7 = // "Pattern{Constant('ip address '), Field(hostip,true), Constant(' in zone '), Field(p0,false)}" -match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); +var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); var select3 = linear_select([ part7, dup7, ]); -var part8 = // "Pattern{Field(zone,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); +var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); var all2 = all_match({ processors: [ @@ -1690,8 +1413,7 @@ var all2 = all_match({ var msg3 = msg("00001:02", all2); -var part9 = // "Pattern{Constant('arp entry '), Field(hostip,true), Constant(' interface changed!')}" -match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ +var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ dup1, dup2, dup3, @@ -1701,19 +1423,16 @@ match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface var msg4 = msg("00001:03", part9); -var part10 = // "Pattern{Constant('IP address '), Field(hostip,true), Constant(' in zone '), Field(p0,false)}" -match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); +var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); var select4 = linear_select([ part10, dup7, ]); -var part11 = // "Pattern{Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' session'), Field(p0,false)}" -match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); +var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); -var part12 = // "Pattern{Constant('.'), Field(fld1,false)}" -match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); +var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); var select5 = linear_select([ dup8, @@ -1739,13 +1458,12 @@ var all3 = all_match({ var msg5 = msg("00001:04", all3); -var part13 = // "Pattern{Field(fld2,false), Constant(': Address '), Field(group_object,true), Constant(' for ip address '), Field(hostip,true), Constant(' in zone '), Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' from host '), Field(saddr,true), Constant(' session '), Field(p0,false)}" -match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); +var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); var all4 = all_match({ processors: [ part13, - dup335, + dup333, ], on_success: processor_chain([ dup1, @@ -1759,8 +1477,7 @@ var all4 = all_match({ var msg6 = msg("00001:05", all4); -var part14 = // "Pattern{Constant('Address group '), Field(group_object,true), Constant(' '), Field(info,false)}" -match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ +var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ dup1, dup2, dup3, @@ -1770,20 +1487,18 @@ match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} var msg7 = msg("00001:06", part14); -var msg8 = msg("00001:07", dup336); +var msg8 = msg("00001:07", dup334); -var part15 = // "Pattern{Constant('for IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' in zone '), Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); +var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); -var part16 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('via NSRP Peer session. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); +var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); var all5 = all_match({ processors: [ dup12, - dup337, + dup335, part15, - dup338, + dup336, part16, ], on_success: processor_chain([ @@ -1798,13 +1513,12 @@ var all5 = all_match({ var msg9 = msg("00001:08", all5); -var part17 = // "Pattern{Constant('for IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' in zone '), Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' session. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. (%{fld1})"); +var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. (%{fld1})"); var all6 = all_match({ processors: [ dup12, - dup337, + dup335, part17, ], on_success: processor_chain([ @@ -1832,8 +1546,7 @@ var select6 = linear_select([ msg10, ]); -var part18 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ +var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1843,8 +1556,7 @@ match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} var msg11 = msg("00002:03", part18); -var part19 = // "Pattern{Constant('E-mail address '), Field(user_address,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ +var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1854,8 +1566,7 @@ match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address- var msg12 = msg("00002:04", part19); -var part20 = // "Pattern{Constant('E-mail notification has been '), Field(disposition,false)}" -match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ +var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1865,8 +1576,7 @@ match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been % var msg13 = msg("00002:05", part20); -var part21 = // "Pattern{Constant('Inclusion of traffic logs with e-mail notification of event alarms has been '), Field(disposition,false)}" -match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ +var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1876,8 +1586,7 @@ match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with var msg14 = msg("00002:06", part21); -var part22 = // "Pattern{Constant('LCD display has been '), Field(action,true), Constant(' and the LCD control keys have been '), Field(disposition,false)}" -match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ +var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1887,8 +1596,7 @@ match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action- var msg15 = msg("00002:07", part22); -var part23 = // "Pattern{Constant('HTTP component blocking for '), Field(fld2,true), Constant(' is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup1, dup2, dup4, @@ -1898,8 +1606,7 @@ match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{ var msg16 = msg("00002:55", part23); -var part24 = // "Pattern{Constant('LCD display has been '), Field(disposition,false)}" -match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ +var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1909,8 +1616,7 @@ match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposi var msg17 = msg("00002:08", part24); -var part25 = // "Pattern{Constant('LCD control keys have been '), Field(disposition,false)}" -match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ +var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1920,8 +1626,7 @@ match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{d var msg18 = msg("00002:09", part25); -var part26 = // "Pattern{Constant('Mail server '), Field(hostip,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ +var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1931,8 +1636,7 @@ match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has be var msg19 = msg("00002:10", part26); -var part27 = // "Pattern{Constant('Management restriction for '), Field(hostip,true), Constant(' '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ +var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ dup17, dup2, dup3, @@ -1942,8 +1646,7 @@ match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{h var msg20 = msg("00002:11", part27); -var part28 = // "Pattern{Field(change_attribute,true), Constant(' has been restored from '), Field(change_old,true), Constant(' to default port '), Field(change_new,false)}" -match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ +var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -1953,8 +1656,7 @@ match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been var msg21 = msg("00002:12", part28); -var part29 = // "Pattern{Constant('System configuration has been '), Field(disposition,false)}" -match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ +var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ dup18, dup2, dup3, @@ -1964,24 +1666,20 @@ match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been var msg22 = msg("00002:15", part29); -var msg23 = msg("00002:17", dup336); +var msg23 = msg("00002:17", dup334); -var part30 = // "Pattern{Constant('Unexpected error from e'), Field(p0,false)}" -match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); +var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); -var part31 = // "Pattern{Constant('-mail '), Field(p0,false)}" -match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); +var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); -var part32 = // "Pattern{Constant('mail '), Field(p0,false)}" -match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); +var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); var select7 = linear_select([ part31, part32, ]); -var part33 = // "Pattern{Constant('server('), Field(fld2,false), Constant('):')}" -match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); +var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); var all7 = all_match({ processors: [ @@ -2000,8 +1698,7 @@ var all7 = all_match({ var msg24 = msg("00002:18", all7); -var part34 = // "Pattern{Constant('Web Admin '), Field(change_attribute,true), Constant(' value has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -2011,11 +1708,9 @@ match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute-> var msg25 = msg("00002:19", part34); -var part35 = // "Pattern{Constant('Root admin password restriction of minimum '), Field(fld2,true), Constant(' characters has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); +var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); -var part36 = // "Pattern{Constant('from Console '), Field(,false)}" -match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); +var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); var select8 = linear_select([ part36, @@ -2039,11 +1734,9 @@ var all8 = all_match({ var msg26 = msg("00002:20", all8); -var part37 = // "Pattern{Constant('Root admin '), Field(p0,false)}" -match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); +var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); -var part38 = // "Pattern{Field(fld2,true), Constant(' admin '), Field(p0,false)}" -match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); +var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); var select9 = linear_select([ part37, @@ -2055,8 +1748,7 @@ var select10 = linear_select([ dup25, ]); -var part39 = // "Pattern{Constant('has been changed by admin '), Field(administrator,false)}" -match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); +var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); var all9 = all_match({ processors: [ @@ -2076,14 +1768,11 @@ var all9 = all_match({ var msg27 = msg("00002:21", all9); -var part40 = // "Pattern{Field(change_attribute,true), Constant(' from '), Field(protocol,true), Constant(' before administrative session disconnects has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); +var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); -var part41 = // "Pattern{Field(administrator,true), Constant(' from Console')}" -match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); +var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); -var part42 = // "Pattern{Field(administrator,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#27:00002:22/1_1", "nwparser.p0", "%{administrator->} from host %{saddr}"); +var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", "%{administrator->} from host %{saddr}"); var select11 = linear_select([ part41, @@ -2107,11 +1796,9 @@ var all10 = all_match({ var msg28 = msg("00002:22", all10); -var part43 = // "Pattern{Constant('Root admin access restriction through console only has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); +var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); -var part44 = // "Pattern{Constant('from Console'), Field(,false)}" -match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); +var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); var select12 = linear_select([ dup20, @@ -2135,14 +1822,11 @@ var all11 = all_match({ var msg29 = msg("00002:23", all11); -var part45 = // "Pattern{Constant('Admin access restriction of '), Field(protocol,true), Constant(' administration through tunnel only has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' from '), Field(p0,false)}" -match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); +var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); -var part46 = // "Pattern{Constant('host '), Field(saddr,false)}" -match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); +var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); -var part47 = // "Pattern{Constant('Console'), Field(,false)}" -match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); +var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); var select13 = linear_select([ part46, @@ -2165,8 +1849,7 @@ var all12 = all_match({ var msg30 = msg("00002:24", all12); -var part48 = // "Pattern{Constant('Admin AUTH: Local instance of an '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ setc("eventcategory","1402000000"), dup2, dup3, @@ -2176,8 +1859,7 @@ match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of var msg31 = msg("00002:25", part48); -var part49 = // "Pattern{Constant('Cannot connect to e-mail server '), Field(hostip,false), Constant('.')}" -match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ +var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ dup27, dup2, dup3, @@ -2187,8 +1869,7 @@ match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail serve var msg32 = msg("00002:26", part49); -var part50 = // "Pattern{Constant('Mail server is not configured.'), Field(,false)}" -match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ +var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ dup18, dup2, dup3, @@ -2198,8 +1879,7 @@ match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured. var msg33 = msg("00002:27", part50); -var part51 = // "Pattern{Constant('Mail recipients were not configured.'), Field(,false)}" -match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ +var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ dup18, dup2, dup3, @@ -2209,8 +1889,7 @@ match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not confi var msg34 = msg("00002:28", part51); -var part52 = // "Pattern{Constant('Single use password restriction for read-write administrators has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ +var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ dup1, dup2, dup3, @@ -2220,8 +1899,7 @@ match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restrictio var msg35 = msg("00002:29", part52); -var part53 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged in for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ +var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ dup28, dup29, dup30, @@ -2235,8 +1913,7 @@ match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\ var msg36 = msg("00002:30", part53); -var part54 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged out for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ +var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ dup33, dup29, dup34, @@ -2248,8 +1925,7 @@ match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\ var msg37 = msg("00002:41", part54); -var part55 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,true), Constant(' '), Field(space,true), Constant(' ('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ +var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ dup35, dup29, dup30, @@ -2262,19 +1938,16 @@ match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\ var msg38 = msg("00002:31", part55); -var part56 = // "Pattern{Constant('E-mail notification '), Field(p0,false)}" -match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); +var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); -var part57 = // "Pattern{Constant('Transparent virutal '), Field(p0,false)}" -match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); +var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); var select14 = linear_select([ part56, part57, ]); -var part58 = // "Pattern{Constant('wire mode has been '), Field(disposition,false)}" -match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); +var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); var all13 = all_match({ processors: [ @@ -2292,8 +1965,7 @@ var all13 = all_match({ var msg39 = msg("00002:32", all13); -var part59 = // "Pattern{Constant('Malicious URL '), Field(url,true), Constant(' has been '), Field(disposition,true), Constant(' for zone '), Field(zone,false)}" -match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ +var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ dup1, dup2, dup3, @@ -2303,22 +1975,18 @@ match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has bee var msg40 = msg("00002:35", part59); -var part60 = // "Pattern{Constant('Bypass'), Field(p0,false)}" -match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); +var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); -var part61 = // "Pattern{Constant('-others-IPSec '), Field(p0,false)}" -match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); +var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); -var part62 = // "Pattern{Constant(' non-IP traffic '), Field(p0,false)}" -match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); +var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); var select15 = linear_select([ part61, part62, ]); -var part63 = // "Pattern{Constant('option has been '), Field(disposition,false)}" -match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); +var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); var all14 = all_match({ processors: [ @@ -2337,20 +2005,15 @@ var all14 = all_match({ var msg41 = msg("00002:36", all14); -var part64 = // "Pattern{Constant('Logging of '), Field(p0,false)}" -match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); +var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); -var part65 = // "Pattern{Constant('dropped '), Field(p0,false)}" -match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); +var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); -var part66 = // "Pattern{Constant('IKE '), Field(p0,false)}" -match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); +var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); -var part67 = // "Pattern{Constant('SNMP '), Field(p0,false)}" -match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); +var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); -var part68 = // "Pattern{Constant('ICMP '), Field(p0,false)}" -match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); +var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); var select16 = linear_select([ part65, @@ -2359,8 +2022,7 @@ var select16 = linear_select([ part68, ]); -var part69 = // "Pattern{Constant('traffic to self has been '), Field(disposition,false)}" -match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); +var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); var all15 = all_match({ processors: [ @@ -2379,11 +2041,9 @@ var all15 = all_match({ var msg42 = msg("00002:37", all15); -var part70 = // "Pattern{Constant('Logging of dropped traffic to self (excluding multicast) has been '), Field(p0,false)}" -match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); +var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); -var part71 = // "Pattern{Field(disposition,true), Constant(' on '), Field(zone,false)}" -match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); +var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); var select17 = linear_select([ part71, @@ -2406,8 +2066,7 @@ var all16 = all_match({ var msg43 = msg("00002:38", all16); -var part72 = // "Pattern{Constant('Traffic shaping is '), Field(disposition,false)}" -match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ +var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -2417,8 +2076,7 @@ match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{dispositi var msg44 = msg("00002:39", part72); -var part73 = // "Pattern{Constant('Admin account created for ''), Field(username,false), Constant('' by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ +var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ dup37, dup29, setc("ec_activity","Create"), @@ -2432,8 +2090,7 @@ match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{u var msg45 = msg("00002:40", part73); -var part74 = // "Pattern{Constant('ADMIN AUTH: Privilege requested for unknown user '), Field(username,false), Constant('. Possible HA syncronization problem.')}" -match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. Possible HA syncronization problem.", processor_chain([ +var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. Possible HA syncronization problem.", processor_chain([ dup35, dup31, dup39, @@ -2445,25 +2102,20 @@ match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requeste var msg46 = msg("00002:44", part74); -var part75 = // "Pattern{Field(change_attribute,true), Constant(' for account ''), Field(change_old,false), Constant('' has been '), Field(disposition,true), Constant(' to ''), Field(change_new,false), Constant('' '), Field(p0,false)}" -match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); +var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); -var part76 = // "Pattern{Constant('by '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); +var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); var select18 = linear_select([ part76, dup40, ]); -var part77 = // "Pattern{Constant(''), Field(logon_type,true), Constant(' from host '), Field(p0,false)}" -match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); +var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); -var part78 = // "Pattern{Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); +var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); -var part79 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); +var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); var select19 = linear_select([ part78, @@ -2492,22 +2144,18 @@ var all17 = all_match({ var msg47 = msg("00002:42", all17); -var part80 = // "Pattern{Constant('Admin account '), Field(disposition,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); +var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); -var part81 = // "Pattern{Constant('''), Field(username,false), Constant('''), Field(p0,false)}" -match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); +var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); -var part82 = // "Pattern{Constant('"'), Field(username,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); +var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); var select20 = linear_select([ part81, part82, ]); -var part83 = // "Pattern{Field(,false), Constant('by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); +var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); var all18 = all_match({ processors: [ @@ -2530,8 +2178,7 @@ var all18 = all_match({ var msg48 = msg("00002:43", all18); -var part84 = // "Pattern{Constant('Admin account '), Field(disposition,true), Constant(' for "'), Field(username,false), Constant('" by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ +var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ dup42, dup29, dup43, @@ -2545,8 +2192,7 @@ match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} var msg49 = msg("00002:50", part84); -var part85 = // "Pattern{Constant('Admin account '), Field(disposition,true), Constant(' for "'), Field(username,false), Constant('" by '), Field(administrator,true), Constant(' '), Field(fld2,true), Constant(' via '), Field(logon_type,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ +var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ dup42, dup29, dup43, @@ -2560,8 +2206,7 @@ match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} var msg50 = msg("00002:51", part85); -var part86 = // "Pattern{Constant('Extraneous exit is issued by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ +var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -2572,20 +2217,15 @@ match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by % var msg51 = msg("00002:45", part86); -var part87 = // "Pattern{Constant('Ping of Death attack protection '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); +var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); -var part88 = // "Pattern{Constant('Src Route IP option filtering '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); +var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); -var part89 = // "Pattern{Constant('Teardrop attack protection '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); +var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); -var part90 = // "Pattern{Constant('Land attack protection '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); +var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); -var part91 = // "Pattern{Constant('SYN flood protection '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); +var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); var select21 = linear_select([ part87, @@ -2595,8 +2235,7 @@ var select21 = linear_select([ part91, ]); -var part92 = // "Pattern{Constant('is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})"); +var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})"); var all19 = all_match({ processors: [ @@ -2615,25 +2254,20 @@ var all19 = all_match({ var msg52 = msg("00002:47", all19); -var part93 = // "Pattern{Constant('Dropping pkts if not '), Field(p0,false)}" -match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); +var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); -var part94 = // "Pattern{Constant('exactly same with incoming if '), Field(p0,false)}" -match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); +var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); -var part95 = // "Pattern{Constant('in route table '), Field(p0,false)}" -match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); +var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); var select22 = linear_select([ part94, part95, ]); -var part96 = // "Pattern{Constant('(IP spoof protection) is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(username,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); +var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); -var part97 = // "Pattern{Constant('NSRP Peer. ('), Field(p0,false)}" -match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); +var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); var select23 = linear_select([ part97, @@ -2660,20 +2294,15 @@ var all20 = all_match({ var msg53 = msg("00002:48", all20); -var part98 = // "Pattern{Field(signame,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); +var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); -var part99 = // "Pattern{Constant('protection'), Field(p0,false)}" -match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); +var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); -var part100 = // "Pattern{Constant('limiting'), Field(p0,false)}" -match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); +var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); -var part101 = // "Pattern{Constant('detection'), Field(p0,false)}" -match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); +var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); -var part102 = // "Pattern{Constant('filtering '), Field(p0,false)}" -match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); +var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); var select24 = linear_select([ part99, @@ -2682,11 +2311,9 @@ var select24 = linear_select([ part102, ]); -var part103 = // "Pattern{Field(,false), Constant('is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); +var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); -var part104 = // "Pattern{Constant('admin via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); +var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); var select25 = linear_select([ dup46, @@ -2720,8 +2347,7 @@ var all21 = all_match({ var msg54 = msg("00002:52", all21); -var part105 = // "Pattern{Constant('Admin password for account "'), Field(username,false), Constant('" has been '), Field(disposition,true), Constant(' by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ +var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ dup42, dup43, dup38, @@ -2734,14 +2360,11 @@ match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"% var msg55 = msg("00002:53", part105); -var part106 = // "Pattern{Constant('Traffic shaping clearing DSCP selector is turned O'), Field(p0,false)}" -match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); +var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); -var part107 = // "Pattern{Constant('FF'), Field(p0,false)}" -match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); +var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); -var part108 = // "Pattern{Constant('N'), Field(p0,false)}" -match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); +var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); var select27 = linear_select([ part107, @@ -2768,19 +2391,16 @@ var all22 = all_match({ var msg56 = msg("00002:54", all22); -var part109 = // "Pattern{Field(change_attribute,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); +var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); -var part110 = // "Pattern{Constant('has been changed'), Field(p0,false)}" -match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); +var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); var select28 = linear_select([ part110, dup52, ]); -var part111 = // "Pattern{Field(,false), Constant('from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); +var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); var all23 = all_match({ processors: [ @@ -2799,8 +2419,7 @@ var all23 = all_match({ var msg57 = msg("00002", all23); -var part112 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' failed. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. (%{fld1})", processor_chain([ +var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. (%{fld1})", processor_chain([ dup53, dup9, dup2, @@ -2862,8 +2481,7 @@ var select29 = linear_select([ msg58, ]); -var part113 = // "Pattern{Constant('Multiple authentication failures have been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ +var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ dup53, dup31, dup54, @@ -2875,8 +2493,7 @@ match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures var msg59 = msg("00003", part113); -var part114 = // "Pattern{Constant('Multiple authentication failures have been detected!'), Field(,false)}" -match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ +var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ dup53, dup31, dup54, @@ -2888,8 +2505,7 @@ match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failur var msg60 = msg("00003:01", part114); -var part115 = // "Pattern{Constant('The console debug buffer has been '), Field(disposition,false)}" -match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ +var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -2899,8 +2515,7 @@ match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has b var msg61 = msg("00003:02", part115); -var part116 = // "Pattern{Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('.')}" -match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ +var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ dup44, dup2, dup3, @@ -2910,19 +2525,16 @@ match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed var msg62 = msg("00003:03", part116); -var part117 = // "Pattern{Constant('serial'), Field(p0,false)}" -match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); +var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); -var part118 = // "Pattern{Constant('local'), Field(p0,false)}" -match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); +var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); var select30 = linear_select([ part117, part118, ]); -var part119 = // "Pattern{Field(,false), Constant('console has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,false), Constant('.')}" -match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been %{disposition->} by admin %{administrator}."); +var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been %{disposition->} by admin %{administrator}."); var all24 = all_match({ processors: [ @@ -2949,8 +2561,7 @@ var select31 = linear_select([ msg63, ]); -var part120 = // "Pattern{Field(info,false), Constant('DNS server IP has been changed')}" -match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ +var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ dup44, dup2, dup3, @@ -2960,8 +2571,7 @@ match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been cha var msg64 = msg("00004", part120); -var part121 = // "Pattern{Constant('DNS cache table has been '), Field(disposition,false)}" -match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ +var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -2971,8 +2581,7 @@ match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{dis var msg65 = msg("00004:01", part121); -var part122 = // "Pattern{Constant('Daily DNS lookup has been '), Field(disposition,false)}" -match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ +var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -2982,8 +2591,7 @@ match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{di var msg66 = msg("00004:02", part122); -var part123 = // "Pattern{Constant('Daily DNS lookup time has been '), Field(disposition,false)}" -match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ +var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -2993,16 +2601,14 @@ match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been var msg67 = msg("00004:03", part123); -var part124 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); +var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); -var part125 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' '), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); +var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); var all25 = all_match({ processors: [ part124, - dup339, + dup337, part125, ], on_success: processor_chain([ @@ -3018,8 +2624,7 @@ var all25 = all_match({ var msg68 = msg("00004:04", all25); -var part126 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,false)}" -match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ +var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ dup58, dup2, dup4, @@ -3030,8 +2635,7 @@ match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{s var msg69 = msg("00004:05", part126); -var part127 = // "Pattern{Constant('DNS lookup time has been changed to start at '), Field(fld2,false), Constant(':'), Field(fld3,true), Constant(' with an interval of '), Field(fld4,false)}" -match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ +var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ dup1, dup2, dup3, @@ -3041,8 +2645,7 @@ match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been chang var msg70 = msg("00004:06", part127); -var part128 = // "Pattern{Constant('DNS cache table entries have been refreshed as result of external event.'), Field(,false)}" -match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ +var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ dup44, dup2, dup3, @@ -3052,8 +2655,7 @@ match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have b var msg71 = msg("00004:07", part128); -var part129 = // "Pattern{Constant('DNS Proxy module has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ +var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -3063,8 +2665,7 @@ match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{di var msg72 = msg("00004:08", part129); -var part130 = // "Pattern{Constant('DNS Proxy module has more concurrent client requests than allowed.'), Field(,false)}" -match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ +var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ dup62, dup2, dup3, @@ -3074,8 +2675,7 @@ match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more conc var msg73 = msg("00004:09", part130); -var part131 = // "Pattern{Constant('DNS Proxy server select table entries exceeded maximum limit.'), Field(,false)}" -match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ +var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ dup62, dup2, dup3, @@ -3085,8 +2685,7 @@ match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table var msg74 = msg("00004:10", part131); -var part132 = // "Pattern{Constant('Proxy server select table added with domain '), Field(domain,false), Constant(', interface '), Field(interface,false), Constant(', primary-ip '), Field(fld2,false), Constant(', secondary-ip '), Field(fld3,false), Constant(', tertiary-ip '), Field(fld4,false), Constant(', failover '), Field(disposition,false)}" -match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ +var part132 = match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3096,8 +2695,7 @@ match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table adde var msg75 = msg("00004:11", part132); -var part133 = // "Pattern{Constant('DNS Proxy server select table entry '), Field(disposition,true), Constant(' with domain '), Field(domain,false)}" -match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ +var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ dup1, dup2, dup3, @@ -3107,8 +2705,7 @@ match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table var msg76 = msg("00004:12", part133); -var part134 = // "Pattern{Constant('DDNS server '), Field(domain,true), Constant(' returned incorrect ip '), Field(fld2,false), Constant(', local-ip should be '), Field(fld3,false)}" -match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ +var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ dup19, dup2, dup3, @@ -3118,11 +2715,9 @@ match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} return var msg77 = msg("00004:13", part134); -var part135 = // "Pattern{Constant('automatically refreshed '), Field(p0,false)}" -match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); +var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); -var part136 = // "Pattern{Constant('refreshed by HA '), Field(p0,false)}" -match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); +var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); var select32 = linear_select([ part135, @@ -3147,8 +2742,7 @@ var all26 = all_match({ var msg78 = msg("00004:14", all26); -var part137 = // "Pattern{Constant('DNS entries have been refreshed as result of DNS server address change. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ +var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -3159,8 +2753,7 @@ match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshe var msg79 = msg("00004:15", part137); -var part138 = // "Pattern{Constant('DNS entries have been manually refreshed. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. (%{fld1})", processor_chain([ +var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -3174,7 +2767,7 @@ var msg80 = msg("00004:16", part138); var all27 = all_match({ processors: [ dup64, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -3212,8 +2805,7 @@ var select33 = linear_select([ msg81, ]); -var part139 = // "Pattern{Field(signame,true), Constant(' alarm threshold from the same source has been changed to '), Field(trigger_val,false)}" -match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ +var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ dup1, dup2, dup3, @@ -3223,8 +2815,7 @@ match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from var msg82 = msg("00005", part139); -var part140 = // "Pattern{Constant('Logging of '), Field(fld2,true), Constant(' traffic to self has been '), Field(disposition,false)}" -match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ +var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3234,8 +2825,7 @@ match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic t var msg83 = msg("00005:01", part140); -var part141 = // "Pattern{Constant('SYN flood '), Field(fld2,true), Constant(' has been changed to '), Field(fld3,false)}" -match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ +var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ dup1, dup2, dup3, @@ -3245,29 +2835,25 @@ match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been c var msg84 = msg("00005:02", part141); -var part142 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(p0,false)}" -match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); +var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); -var part143 = // "Pattern{Field(fld99,false), Constant('interface '), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); +var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); -var part144 = // "Pattern{Constant('in zone '), Field(zone,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. %{p0}"); +var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. %{p0}"); var select34 = linear_select([ part144, dup73, ]); -var part145 = // "Pattern{Constant(''), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); +var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); var all28 = all_match({ processors: [ part142, - dup341, + dup339, dup70, - dup342, + dup340, part143, select34, part145, @@ -3285,10 +2871,9 @@ var all28 = all_match({ var msg85 = msg("00005:03", all28); -var msg86 = msg("00005:04", dup343); +var msg86 = msg("00005:04", dup341); -var part146 = // "Pattern{Constant('SYN flood drop pak in '), Field(fld2,true), Constant(' mode when receiving unknown dst mac has been '), Field(disposition,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ +var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ setc("eventcategory","1001020100"), dup2, dup3, @@ -3298,12 +2883,11 @@ match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2-> var msg87 = msg("00005:05", part146); -var part147 = // "Pattern{Constant('flood timeout has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); +var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); var all29 = all_match({ processors: [ - dup344, + dup342, part147, ], on_success: processor_chain([ @@ -3317,20 +2901,15 @@ var all29 = all_match({ var msg88 = msg("00005:06", all29); -var part148 = // "Pattern{Constant('SYN flood '), Field(p0,false)}" -match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); +var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); -var part149 = // "Pattern{Constant('alarm threshold '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); +var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); -var part150 = // "Pattern{Constant('packet queue size '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); +var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); -var part151 = // "Pattern{Constant('attack threshold '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); +var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); -var part152 = // "Pattern{Constant('same source IP threshold '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); +var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); var select35 = linear_select([ part149, @@ -3340,8 +2919,7 @@ var select35 = linear_select([ part152, ]); -var part153 = // "Pattern{Constant('is set to '), Field(trigger_val,false), Constant('.')}" -match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); +var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); var all30 = all_match({ processors: [ @@ -3360,20 +2938,18 @@ var all30 = all_match({ var msg89 = msg("00005:07", all30); -var part154 = // "Pattern{Constant('flood same '), Field(p0,false)}" -match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); +var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); var select36 = linear_select([ dup77, dup78, ]); -var part155 = // "Pattern{Constant('ip threshold has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); +var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); var all31 = all_match({ processors: [ - dup344, + dup342, part154, select36, part155, @@ -3389,8 +2965,7 @@ var all31 = all_match({ var msg90 = msg("00005:08", all31); -var part156 = // "Pattern{Constant('Screen service '), Field(service,true), Constant(' is '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ +var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ dup1, dup2, dup3, @@ -3400,8 +2975,7 @@ match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is var msg91 = msg("00005:09", part156); -var part157 = // "Pattern{Constant('Screen service '), Field(service,true), Constant(' is '), Field(disposition,true), Constant(' on '), Field(zone,false)}" -match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ +var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ dup1, dup2, dup3, @@ -3411,23 +2985,17 @@ match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is var msg92 = msg("00005:10", part157); -var part158 = // "Pattern{Constant('The SYN flood '), Field(p0,false)}" -match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); +var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); -var part159 = // "Pattern{Constant('alarm threshold'), Field(,false)}" -match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); +var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); -var part160 = // "Pattern{Constant('packet queue size'), Field(,false)}" -match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); +var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); -var part161 = // "Pattern{Constant('timeout value'), Field(,false)}" -match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); +var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); -var part162 = // "Pattern{Constant('attack threshold'), Field(,false)}" -match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); +var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); -var part163 = // "Pattern{Constant('same source IP'), Field(,false)}" -match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); +var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); var select37 = linear_select([ part159, @@ -3453,8 +3021,7 @@ var all32 = all_match({ var msg93 = msg("00005:11", all32); -var part164 = // "Pattern{Constant('The SYN-ACK-ACK proxy threshold value has been set to '), Field(trigger_val,true), Constant(' on '), Field(interface,false), Constant('.')}" -match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ +var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ dup1, dup2, dup3, @@ -3464,8 +3031,7 @@ match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshol var msg94 = msg("00005:12", part164); -var part165 = // "Pattern{Constant('The session limit threshold has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ +var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ dup1, dup2, dup3, @@ -3475,8 +3041,7 @@ match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold ha var msg95 = msg("00005:13", part165); -var part166 = // "Pattern{Constant('syn proxy drop packet with unknown mac!'), Field(,false)}" -match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ +var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ dup19, dup2, dup3, @@ -3486,8 +3051,7 @@ match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unk var msg96 = msg("00005:14", part166); -var part167 = // "Pattern{Field(signame,true), Constant(' alarm threshold has been changed to '), Field(trigger_val,false)}" -match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ +var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ dup1, dup2, dup3, @@ -3497,8 +3061,7 @@ match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold h var msg97 = msg("00005:15", part167); -var part168 = // "Pattern{Field(signame,true), Constant(' threshold has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ +var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ dup1, dup2, dup3, @@ -3508,19 +3071,16 @@ match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has bee var msg98 = msg("00005:16", part168); -var part169 = // "Pattern{Constant('destination-based '), Field(p0,false)}" -match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); +var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); -var part170 = // "Pattern{Constant('source-based '), Field(p0,false)}" -match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); +var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); var select38 = linear_select([ part169, part170, ]); -var part171 = // "Pattern{Constant('session-limit threshold has been set at '), Field(trigger_val,true), Constant(' in zone '), Field(zone,false), Constant('.')}" -match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); +var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); var all33 = all_match({ processors: [ @@ -3542,7 +3102,7 @@ var msg99 = msg("00005:17", all33); var all34 = all_match({ processors: [ dup80, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -3559,8 +3119,7 @@ var all34 = all_match({ var msg100 = msg("00005:18", all34); -var part172 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ dup84, dup2, dup3, @@ -3572,8 +3131,7 @@ match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{s var msg101 = msg("00005:19", part172); -var part173 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' int '), Field(interface,false), Constant(').'), Field(space,true), Constant(' Occurred '), Field(fld2,true), Constant(' times. ('), Field(fld1,false), Constant(')<<'), Field(fld6,false), Constant('>')}" -match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ +var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ dup84, dup9, dup2, @@ -3608,8 +3166,7 @@ var select39 = linear_select([ msg102, ]); -var part174 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup85, dup2, dup3, @@ -3621,8 +3178,7 @@ match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! var msg103 = msg("00006", part174); -var part175 = // "Pattern{Constant('Hostname set to "'), Field(hostname,false), Constant('"')}" -match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ +var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ dup1, dup2, dup3, @@ -3632,8 +3188,7 @@ match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname} var msg104 = msg("00006:01", part175); -var part176 = // "Pattern{Constant('Domain set to '), Field(domain,false)}" -match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ +var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ dup1, dup2, dup3, @@ -3643,8 +3198,7 @@ match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", pro var msg105 = msg("00006:02", part176); -var part177 = // "Pattern{Constant('An optional ScreenOS feature has been activated via a software key.'), Field(,false)}" -match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ +var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ dup1, dup2, dup3, @@ -3654,13 +3208,12 @@ match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature var msg106 = msg("00006:03", part177); -var part178 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); +var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); var all35 = all_match({ processors: [ part178, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -3680,7 +3233,7 @@ var msg107 = msg("00006:04", all35); var all36 = all_match({ processors: [ dup64, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -3706,8 +3259,7 @@ var select40 = linear_select([ msg108, ]); -var part179 = // "Pattern{Constant('HA cluster ID has been changed to '), Field(fld2,false)}" -match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ +var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -3717,8 +3269,7 @@ match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed t var msg109 = msg("00007", part179); -var part180 = // "Pattern{Field(change_attribute,true), Constant(' of the local NetScreen device has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ +var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -3728,14 +3279,11 @@ match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the var msg110 = msg("00007:01", part180); -var part181 = // "Pattern{Constant('HA state of the local device has changed to backup because a device with a '), Field(p0,false)}" -match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); +var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); -var part182 = // "Pattern{Constant('higher priority has been detected'), Field(,false)}" -match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); +var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); -var part183 = // "Pattern{Constant('lower MAC value has been detected'), Field(,false)}" -match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); +var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); var select41 = linear_select([ part182, @@ -3758,8 +3306,7 @@ var all37 = all_match({ var msg111 = msg("00007:02", all37); -var part184 = // "Pattern{Constant('HA state of the local device has changed to init because IP tracking has failed'), Field(,false)}" -match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ +var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ dup86, dup2, dup3, @@ -3774,15 +3321,14 @@ var select42 = linear_select([ dup89, ]); -var part185 = // "Pattern{Constant('has been changed'), Field(,false)}" -match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); +var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); var all38 = all_match({ processors: [ dup87, select42, dup23, - dup346, + dup344, part185, ], on_success: processor_chain([ @@ -3796,8 +3342,7 @@ var all38 = all_match({ var msg113 = msg("00007:04", all38); -var part186 = // "Pattern{Constant('HA: Local NetScreen device has been elected backup because a master already exists'), Field(,false)}" -match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ +var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ dup1, dup2, dup3, @@ -3807,8 +3352,7 @@ match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device ha var msg114 = msg("00007:05", part186); -var part187 = // "Pattern{Constant('HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster'), Field(,false)}" -match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ +var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ dup1, dup2, dup3, @@ -3818,8 +3362,7 @@ match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device ha var msg115 = msg("00007:06", part187); -var part188 = // "Pattern{Constant('HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster'), Field(,false)}" -match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ +var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ dup1, dup2, dup3, @@ -3829,8 +3372,7 @@ match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device ha var msg116 = msg("00007:07", part188); -var part189 = // "Pattern{Constant('HA: Local device has been elected master because no other master exists'), Field(,false)}" -match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ +var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ dup1, dup2, dup3, @@ -3840,8 +3382,7 @@ match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been ele var msg117 = msg("00007:08", part189); -var part190 = // "Pattern{Constant('HA: Local device priority has been changed to '), Field(fld2,false)}" -match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ +var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -3851,8 +3392,7 @@ match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has var msg118 = msg("00007:09", part190); -var part191 = // "Pattern{Constant('HA: Previous master has promoted the local NetScreen device to master'), Field(,false)}" -match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ +var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ dup1, dup2, dup3, @@ -3862,8 +3402,7 @@ match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promo var msg119 = msg("00007:10", part191); -var part192 = // "Pattern{Constant('IP tracking device failover threshold has been '), Field(p0,false)}" -match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); +var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); var select43 = linear_select([ dup92, @@ -3886,8 +3425,7 @@ var all39 = all_match({ var msg120 = msg("00007:11", all39); -var part193 = // "Pattern{Constant('IP tracking has been '), Field(disposition,false)}" -match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ +var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3897,8 +3435,7 @@ match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{dispos var msg121 = msg("00007:12", part193); -var part194 = // "Pattern{Constant('IP tracking to '), Field(hostip,true), Constant(' with interval '), Field(fld2,true), Constant(' threshold '), Field(trigger_val,true), Constant(' weight '), Field(fld4,true), Constant(' interface '), Field(interface,true), Constant(' method '), Field(fld5,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ +var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3908,8 +3445,7 @@ match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} wi var msg122 = msg("00007:13", part194); -var part195 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup85, dup2, dup3, @@ -3921,8 +3457,7 @@ match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} var msg123 = msg("00007:14", part195); -var part196 = // "Pattern{Constant('Primary HA interface has been changed to '), Field(interface,false)}" -match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ +var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ dup1, dup2, dup3, @@ -3932,8 +3467,7 @@ match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been var msg124 = msg("00007:15", part196); -var part197 = // "Pattern{Constant('Reporting of HA configuration and status changes to NetScreen-Global Manager has been '), Field(disposition,false)}" -match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ +var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3943,8 +3477,7 @@ match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration var msg125 = msg("00007:16", part197); -var part198 = // "Pattern{Constant('Tracked IP '), Field(hostip,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ +var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3954,28 +3487,22 @@ match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has be var msg126 = msg("00007:17", part198); -var part199 = // "Pattern{Constant('Tracked IP '), Field(hostip,true), Constant(' options have been changed from int '), Field(fld2,true), Constant(' thr '), Field(fld3,true), Constant(' wgt '), Field(fld4,true), Constant(' inf '), Field(fld5,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); +var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); -var part200 = // "Pattern{Constant('ping '), Field(p0,false)}" -match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); +var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); -var part201 = // "Pattern{Constant('ARP '), Field(p0,false)}" -match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); +var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); var select44 = linear_select([ part200, part201, ]); -var part202 = // "Pattern{Constant('to '), Field(fld6,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); +var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); -var part203 = // "Pattern{Constant('ping'), Field(,false)}" -match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); +var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); -var part204 = // "Pattern{Constant('ARP'), Field(,false)}" -match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); +var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); var select45 = linear_select([ part203, @@ -4000,8 +3527,7 @@ var all40 = all_match({ var msg127 = msg("00007:18", all40); -var part205 = // "Pattern{Constant('Change '), Field(change_attribute,true), Constant(' path from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('.')}" -match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ +var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ dup1, dup2, dup3, @@ -4011,13 +3537,12 @@ match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} var msg128 = msg("00007:20", part205); -var part206 = // "Pattern{Constant('HA Slave is '), Field(p0,false)}" -match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); +var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); var all41 = all_match({ processors: [ part206, - dup347, + dup345, ], on_success: processor_chain([ dup44, @@ -4030,8 +3555,7 @@ var all41 = all_match({ var msg129 = msg("00007:21", all41); -var part207 = // "Pattern{Constant('HA change group id to '), Field(groupid,false)}" -match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ +var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ dup1, dup2, dup3, @@ -4041,8 +3565,7 @@ match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{group var msg130 = msg("00007:22", part207); -var part208 = // "Pattern{Constant('HA change priority to '), Field(fld2,false)}" -match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ +var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -4052,8 +3575,7 @@ match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2} var msg131 = msg("00007:23", part208); -var part209 = // "Pattern{Constant('HA change state to init'), Field(,false)}" -match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ +var part209 = match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ dup1, dup2, dup3, @@ -4063,8 +3585,7 @@ match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", var msg132 = msg("00007:24", part209); -var part210 = // "Pattern{Constant('HA: Change state to initial state.'), Field(,false)}" -match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ +var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ dup1, dup2, dup3, @@ -4074,14 +3595,11 @@ match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial s var msg133 = msg("00007:25", part210); -var part211 = // "Pattern{Constant('HA: Change state to slave for '), Field(p0,false)}" -match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); +var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); -var part212 = // "Pattern{Constant('tracking ip failed'), Field(,false)}" -match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); +var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); -var part213 = // "Pattern{Constant('linkdown'), Field(,false)}" -match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); +var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); var select46 = linear_select([ part212, @@ -4104,8 +3622,7 @@ var all42 = all_match({ var msg134 = msg("00007:26", all42); -var part214 = // "Pattern{Constant('HA: Change to master command issued from original master to change state'), Field(,false)}" -match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ +var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ dup1, dup2, dup3, @@ -4115,8 +3632,7 @@ match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command var msg135 = msg("00007:27", part214); -var part215 = // "Pattern{Constant('HA: Elected master no other master'), Field(,false)}" -match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ +var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ dup1, dup2, dup3, @@ -4126,23 +3642,17 @@ match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other m var msg136 = msg("00007:28", part215); -var part216 = // "Pattern{Constant('HA: Elected slave '), Field(p0,false)}" -match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); +var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); -var part217 = // "Pattern{Constant('lower priority'), Field(,false)}" -match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); +var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); -var part218 = // "Pattern{Constant('MAC value is larger'), Field(,false)}" -match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); +var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); -var part219 = // "Pattern{Constant('master already exists'), Field(,false)}" -match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); +var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); -var part220 = // "Pattern{Constant('detect new master with higher priority'), Field(,false)}" -match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); +var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); -var part221 = // "Pattern{Constant('detect new master with smaller MAC value'), Field(,false)}" -match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master with smaller MAC value%{}"); +var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master with smaller MAC value%{}"); var select47 = linear_select([ part217, @@ -4168,8 +3678,7 @@ var all43 = all_match({ var msg137 = msg("00007:29", all43); -var part222 = // "Pattern{Constant('HA: Promoted master command issued from original master to change state'), Field(,false)}" -match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ +var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ dup1, dup2, dup3, @@ -4179,13 +3688,12 @@ match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command i var msg138 = msg("00007:30", part222); -var part223 = // "Pattern{Constant('HA: ha link '), Field(p0,false)}" -match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); +var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); var all44 = all_match({ processors: [ part223, - dup347, + dup345, ], on_success: processor_chain([ dup44, @@ -4198,23 +3706,21 @@ var all44 = all_match({ var msg139 = msg("00007:31", all44); -var part224 = // "Pattern{Constant('NSRP '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); +var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); var select48 = linear_select([ dup89, dup88, ]); -var part225 = // "Pattern{Constant('changed.'), Field(,false)}" -match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); +var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); var all45 = all_match({ processors: [ part224, select48, dup23, - dup346, + dup344, part225, ], on_success: processor_chain([ @@ -4228,30 +3734,25 @@ var all45 = all_match({ var msg140 = msg("00007:32", all45); -var part226 = // "Pattern{Constant('NSRP: VSD '), Field(p0,false)}" -match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); +var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); -var part227 = // "Pattern{Constant('Virtual Security Device group '), Field(p0,false)}" -match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); +var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); var select49 = linear_select([ part226, part227, ]); -var part228 = // "Pattern{Constant(''), Field(fld2,true), Constant(' change'), Field(p0,false)}" -match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); +var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); -var part229 = // "Pattern{Constant('d '), Field(p0,false)}" -match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); +var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); var select50 = linear_select([ part229, dup96, ]); -var part230 = // "Pattern{Constant('to '), Field(fld3,true), Constant(' mode.')}" -match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); +var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); var all46 = all_match({ processors: [ @@ -4271,8 +3772,7 @@ var all46 = all_match({ var msg141 = msg("00007:33", all46); -var part231 = // "Pattern{Constant('NSRP: message '), Field(fld2,true), Constant(' dropped: invalid encryption password.')}" -match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ +var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ dup97, dup2, dup3, @@ -4282,8 +3782,7 @@ match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropp var msg142 = msg("00007:34", part231); -var part232 = // "Pattern{Constant('NSRP: nsrp interface change to '), Field(interface,false), Constant('.')}" -match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ +var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ dup44, dup2, dup3, @@ -4293,8 +3792,7 @@ match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change t var msg143 = msg("00007:35", part232); -var part233 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' direction= '), Field(direction,true), Constant(' local unit='), Field(fld3,true), Constant(' duplicate from unit='), Field(fld4,false)}" -match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ +var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ dup44, dup2, dup3, @@ -4304,13 +3802,12 @@ match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid var msg144 = msg("00007:36", part233); -var part234 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' direction= '), Field(direction,true), Constant(' is '), Field(p0,false)}" -match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); +var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); var all47 = all_match({ processors: [ part234, - dup348, + dup346, ], on_success: processor_chain([ dup44, @@ -4323,17 +3820,13 @@ var all47 = all_match({ var msg145 = msg("00007:37", all47); -var part235 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' direction= '), Field(direction,true), Constant(' peer='), Field(fld3,true), Constant(' from '), Field(p0,false)}" -match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); +var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); -var part236 = // "Pattern{Constant('state '), Field(p0,false)}" -match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); +var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); -var part237 = // "Pattern{Constant('missed heartbeat'), Field(,false)}" -match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); +var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); -var part238 = // "Pattern{Constant('group detached'), Field(,false)}" -match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); +var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); var select51 = linear_select([ part237, @@ -4343,9 +3836,9 @@ var select51 = linear_select([ var all48 = all_match({ processors: [ part235, - dup349, + dup347, dup103, - dup349, + dup347, part236, select51, ], @@ -4360,13 +3853,12 @@ var all48 = all_match({ var msg146 = msg("00007:38", all48); -var part239 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' is '), Field(p0,false)}" -match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); +var part239 = match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); var all49 = all_match({ processors: [ part239, - dup348, + dup346, ], on_success: processor_chain([ dup44, @@ -4379,8 +3871,7 @@ var all49 = all_match({ var msg147 = msg("00007:39", all49); -var part240 = // "Pattern{Constant('Remove pathname '), Field(fld2,true), Constant(' (ifnum='), Field(fld3,false), Constant(') as secondary HA path')}" -match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ +var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ dup44, dup2, dup3, @@ -4390,8 +3881,7 @@ match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (if var msg148 = msg("00007:40", part240); -var part241 = // "Pattern{Constant('Session sync ended by unit='), Field(fld2,false)}" -match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ +var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ dup44, dup2, dup3, @@ -4401,8 +3891,7 @@ match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{ var msg149 = msg("00007:41", part241); -var part242 = // "Pattern{Constant('Set secondary HA path to '), Field(fld2,true), Constant(' (ifnum='), Field(fld3,false), Constant(')')}" -match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ +var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ dup1, dup2, dup3, @@ -4412,8 +3901,7 @@ match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fl var msg150 = msg("00007:42", part242); -var part243 = // "Pattern{Constant('VSD '), Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ +var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -4423,8 +3911,7 @@ match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} cha var msg151 = msg("00007:43", part243); -var part244 = // "Pattern{Constant('vsd group id='), Field(groupid,true), Constant(' is '), Field(disposition,true), Constant(' total number='), Field(fld3,false)}" -match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ +var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ dup1, dup2, dup3, @@ -4434,8 +3921,7 @@ match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is var msg152 = msg("00007:44", part244); -var part245 = // "Pattern{Constant('vsd group '), Field(group,true), Constant(' local unit '), Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ +var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -4445,8 +3931,7 @@ match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local un var msg153 = msg("00007:45", part245); -var part246 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup85, dup2, dup3, @@ -4458,8 +3943,7 @@ match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detecte var msg154 = msg("00007:46", part246); -var part247 = // "Pattern{Constant('The HA channel changed to interface '), Field(interface,false)}" -match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ +var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ dup1, dup2, dup3, @@ -4469,8 +3953,7 @@ match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to int var msg155 = msg("00007:47", part247); -var part248 = // "Pattern{Constant('Message '), Field(fld2,true), Constant(' was dropped because it contained an invalid encryption password.')}" -match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ +var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ dup97, dup2, dup3, @@ -4481,8 +3964,7 @@ match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped var msg156 = msg("00007:48", part248); -var part249 = // "Pattern{Constant('The '), Field(change_attribute,true), Constant(' of all Virtual Security Device groups changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ +var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ setc("eventcategory","1604000000"), dup2, dup3, @@ -4492,22 +3974,18 @@ match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of var msg157 = msg("00007:49", part249); -var part250 = // "Pattern{Constant('Device '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); +var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); -var part251 = // "Pattern{Constant('has joined '), Field(p0,false)}" -match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); +var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); -var part252 = // "Pattern{Constant('quit current '), Field(p0,false)}" -match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); +var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); var select52 = linear_select([ part251, part252, ]); -var part253 = // "Pattern{Constant('NSRP cluster '), Field(fld3,false)}" -match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); +var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); var all50 = all_match({ processors: [ @@ -4526,11 +4004,9 @@ var all50 = all_match({ var msg158 = msg("00007:50", all50); -var part254 = // "Pattern{Constant('Virtual Security Device group '), Field(group,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); +var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); -var part255 = // "Pattern{Constant('deleted '), Field(p0,false)}" -match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); +var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); var select53 = linear_select([ dup104, @@ -4542,8 +4018,7 @@ var select54 = linear_select([ dup73, ]); -var part256 = // "Pattern{Constant('The total number of members in the group '), Field(p0,false)}" -match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); +var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); var select55 = linear_select([ dup106, @@ -4571,8 +4046,7 @@ var all51 = all_match({ var msg159 = msg("00007:51", all51); -var part257 = // "Pattern{Constant('Virtual Security Device group '), Field(group,true), Constant(' '), Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ +var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -4582,8 +4056,7 @@ match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group var msg160 = msg("00007:52", part257); -var part258 = // "Pattern{Constant('The secondary HA path of the devices was set to interface '), Field(interface,true), Constant(' with ifnum '), Field(fld2,false)}" -match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ +var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -4593,8 +4066,7 @@ match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the var msg161 = msg("00007:53", part258); -var part259 = // "Pattern{Constant('The '), Field(change_attribute,true), Constant(' of the devices changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ +var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -4604,8 +4076,7 @@ match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of var msg162 = msg("00007:54", part259); -var part260 = // "Pattern{Constant('The interface '), Field(interface,true), Constant(' with ifnum '), Field(fld2,true), Constant(' was removed from the secondary HA path of the devices.')}" -match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ +var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ dup1, dup2, dup3, @@ -4615,8 +4086,7 @@ match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} var msg163 = msg("00007:55", part260); -var part261 = // "Pattern{Constant('The probe that detects the status of High Availability link '), Field(fld2,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ +var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -4636,8 +4106,7 @@ var select57 = linear_select([ dup112, ]); -var part262 = // "Pattern{Constant('the probe detecting the status of High Availability link '), Field(fld2,true), Constant(' was set to '), Field(fld3,false)}" -match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); +var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); var all52 = all_match({ processors: [ @@ -4658,8 +4127,7 @@ var all52 = all_match({ var msg165 = msg("00007:57", all52); -var part263 = // "Pattern{Constant('A request by device '), Field(fld2,true), Constant(' for session synchronization(s) was accepted.')}" -match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ +var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ dup44, dup2, dup3, @@ -4669,8 +4137,7 @@ match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} var msg166 = msg("00007:58", part263); -var part264 = // "Pattern{Constant('The current session synchronization by device '), Field(fld2,true), Constant(' completed.')}" -match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ +var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ dup1, dup2, dup3, @@ -4680,8 +4147,7 @@ match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchroni var msg167 = msg("00007:59", part264); -var part265 = // "Pattern{Constant('Run Time Object mirror group '), Field(group,true), Constant(' direction was set to '), Field(direction,false)}" -match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ +var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ dup1, dup2, dup3, @@ -4691,8 +4157,7 @@ match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group var msg168 = msg("00007:60", part265); -var part266 = // "Pattern{Constant('Run Time Object mirror group '), Field(group,true), Constant(' was set.')}" -match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ +var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ dup1, dup2, dup3, @@ -4702,8 +4167,7 @@ match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group var msg169 = msg("00007:61", part266); -var part267 = // "Pattern{Constant('Run Time Object mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' was unset.')}" -match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ +var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ dup1, dup2, dup3, @@ -4713,8 +4177,7 @@ match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group var msg170 = msg("00007:62", part267); -var part268 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' was unset.')}" -match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ +var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ dup1, dup2, dup3, @@ -4724,17 +4187,15 @@ match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} w var msg171 = msg("00007:63", part268); -var part269 = // "Pattern{Constant(''), Field(fld2,true), Constant(' was removed from the monitoring list '), Field(p0,false)}" -match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the monitoring list %{p0}"); +var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the monitoring list %{p0}"); -var part270 = // "Pattern{Constant(''), Field(fld3,false)}" -match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); +var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); var all53 = all_match({ processors: [ - dup350, + dup348, part269, - dup351, + dup349, part270, ], on_success: processor_chain([ @@ -4748,33 +4209,28 @@ var all53 = all_match({ var msg172 = msg("00007:64", all53); -var part271 = // "Pattern{Constant(''), Field(fld2,true), Constant(' with weight '), Field(fld3,true), Constant(' was added'), Field(p0,false)}" -match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); +var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); -var part272 = // "Pattern{Constant(' to or updated on '), Field(p0,false)}" -match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); +var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); -var part273 = // "Pattern{Constant('/updated to '), Field(p0,false)}" -match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); +var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); var select58 = linear_select([ part272, part273, ]); -var part274 = // "Pattern{Constant('the monitoring list '), Field(p0,false)}" -match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); +var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); -var part275 = // "Pattern{Constant(''), Field(fld4,false)}" -match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); +var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); var all54 = all_match({ processors: [ - dup350, + dup348, part271, select58, part274, - dup351, + dup349, part275, ], on_success: processor_chain([ @@ -4788,22 +4244,18 @@ var all54 = all_match({ var msg173 = msg("00007:65", all54); -var part276 = // "Pattern{Constant('The monitoring '), Field(p0,false)}" -match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); +var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); -var part277 = // "Pattern{Constant('Monitoring '), Field(p0,false)}" -match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); +var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); var select59 = linear_select([ part276, part277, ]); -var part278 = // "Pattern{Constant('threshold was modified to '), Field(trigger_val,true), Constant(' o'), Field(p0,false)}" -match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); +var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); -var part279 = // "Pattern{Constant('f '), Field(p0,false)}" -match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); +var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); var select60 = linear_select([ part279, @@ -4828,8 +4280,7 @@ var all55 = all_match({ var msg174 = msg("00007:66", all55); -var part280 = // "Pattern{Constant('NSRP data forwarding '), Field(disposition,false), Constant('.')}" -match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ +var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -4839,28 +4290,22 @@ match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{dispos var msg175 = msg("00007:67", part280); -var part281 = // "Pattern{Constant('NSRP b'), Field(p0,false)}" -match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); +var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); -var part282 = // "Pattern{Constant('lack '), Field(p0,false)}" -match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); +var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); -var part283 = // "Pattern{Constant('ack '), Field(p0,false)}" -match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); +var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); var select61 = linear_select([ part282, part283, ]); -var part284 = // "Pattern{Constant('hole prevention '), Field(disposition,false), Constant('. Master(s) of Virtual Security Device groups '), Field(p0,false)}" -match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); +var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); -var part285 = // "Pattern{Constant('may not exist '), Field(p0,false)}" -match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); +var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); -var part286 = // "Pattern{Constant('always exists '), Field(p0,false)}" -match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); +var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); var select62 = linear_select([ part285, @@ -4886,8 +4331,7 @@ var all56 = all_match({ var msg176 = msg("00007:68", all56); -var part287 = // "Pattern{Constant('NSRP Run Time Object synchronization between devices was '), Field(disposition,false)}" -match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ +var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -4897,8 +4341,7 @@ match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchron var msg177 = msg("00007:69", part287); -var part288 = // "Pattern{Constant('The NSRP encryption key was changed.'), Field(,false)}" -match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ +var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ dup1, dup2, dup3, @@ -4908,8 +4351,7 @@ match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was c var msg178 = msg("00007:70", part288); -var part289 = // "Pattern{Constant('NSRP transparent Active-Active mode was '), Field(disposition,false), Constant('.')}" -match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ +var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -4919,8 +4361,7 @@ match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Activ var msg179 = msg("00007:71", part289); -var part290 = // "Pattern{Constant('NSRP: nsrp link probe enable on '), Field(interface,false)}" -match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ +var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ dup1, dup2, dup3, @@ -5005,8 +4446,7 @@ var select63 = linear_select([ msg180, ]); -var part291 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5018,10 +4458,9 @@ match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! var msg181 = msg("00008", part291); -var msg182 = msg("00008:01", dup343); +var msg182 = msg("00008:01", dup341); -var part292 = // "Pattern{Constant('NTP settings have been changed'), Field(,false)}" -match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ +var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ dup1, dup2, dup3, @@ -5031,8 +4470,7 @@ match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been change var msg183 = msg("00008:02", part292); -var part293 = // "Pattern{Constant('The system clock has been updated through NTP'), Field(,false)}" -match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ +var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ dup1, dup2, dup3, @@ -5042,17 +4480,13 @@ match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been upd var msg184 = msg("00008:03", part293); -var part294 = // "Pattern{Constant('System clock '), Field(p0,false)}" -match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); +var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); -var part295 = // "Pattern{Constant('configurations have been'), Field(p0,false)}" -match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); +var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); -var part296 = // "Pattern{Constant('was'), Field(p0,false)}" -match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); +var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); -var part297 = // "Pattern{Constant('is'), Field(p0,false)}" -match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); +var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); var select64 = linear_select([ part295, @@ -5060,23 +4494,17 @@ var select64 = linear_select([ part297, ]); -var part298 = // "Pattern{Field(,false), Constant('changed'), Field(p0,false)}" -match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); +var part298 = match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); -var part299 = // "Pattern{Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); +var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); -var part300 = // "Pattern{Constant(' by '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); +var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); -var part301 = // "Pattern{Constant(' by '), Field(username,false)}" -match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); +var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); -var part302 = // "Pattern{Constant(' manually.'), Field(,false)}" -match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); +var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); -var part303 = // "Pattern{Constant(' manually'), Field(,false)}" -match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); +var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); var select65 = linear_select([ part299, @@ -5106,8 +4534,7 @@ var all57 = all_match({ var msg185 = msg("00008:04", all57); -var part304 = // "Pattern{Constant('failed to get clock through NTP'), Field(,false)}" -match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ +var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ dup117, dup2, dup3, @@ -5117,8 +4544,7 @@ match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through N var msg186 = msg("00008:05", part304); -var part305 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5130,8 +4556,7 @@ match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detecte var msg187 = msg("00008:06", part305); -var part306 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5143,8 +4568,7 @@ match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detecte var msg188 = msg("00008:07", part306); -var part307 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup3, @@ -5156,8 +4580,7 @@ match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} var msg189 = msg("00008:08", part307); -var part308 = // "Pattern{Constant('system clock is changed manually'), Field(,false)}" -match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ +var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ dup1, dup2, dup3, @@ -5167,13 +4590,12 @@ match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manua var msg190 = msg("00008:09", part308); -var part309 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,false), Constant('(zone '), Field(p0,false)}" -match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); +var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); var all58 = all_match({ processors: [ part309, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -5204,8 +4626,7 @@ var select66 = linear_select([ msg191, ]); -var part310 = // "Pattern{Constant('802.1Q VLAN trunking for the interface '), Field(interface,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ +var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5215,8 +4636,7 @@ match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the int var msg192 = msg("00009", part310); -var part311 = // "Pattern{Constant('802.1Q VLAN tag '), Field(fld1,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ +var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5226,8 +4646,7 @@ match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has var msg193 = msg("00009:01", part311); -var part312 = // "Pattern{Constant('DHCP on the interface '), Field(interface,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has been %{disposition}", processor_chain([ +var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5237,8 +4656,7 @@ match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{inter var msg194 = msg("00009:02", part312); -var part313 = // "Pattern{Field(change_attribute,true), Constant(' for interface '), Field(interface,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -5248,8 +4666,7 @@ match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for int var msg195 = msg("00009:03", part313); -var part314 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5261,11 +4678,9 @@ match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detecte var msg196 = msg("00009:05", part314); -var part315 = // "Pattern{Field(fld2,false), Constant(': The 802.1Q tag '), Field(p0,false)}" -match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); +var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); -var part316 = // "Pattern{Constant('The 802.1Q tag '), Field(p0,false)}" -match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); +var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); var select67 = linear_select([ part315, @@ -5277,22 +4692,18 @@ var select68 = linear_select([ dup16, ]); -var part317 = // "Pattern{Constant('interface '), Field(interface,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); +var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); -var part318 = // "Pattern{Constant('changed to '), Field(p0,false)}" -match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); +var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); var select69 = linear_select([ dup120, part318, ]); -var part319 = // "Pattern{Field(info,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); +var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); -var part320 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); +var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); var select70 = linear_select([ part319, @@ -5320,30 +4731,25 @@ var all59 = all_match({ var msg197 = msg("00009:06", all59); -var part321 = // "Pattern{Constant('Maximum bandwidth '), Field(fld2,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); +var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); -var part322 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' is less than t'), Field(p0,false)}" -match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); +var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); -var part323 = // "Pattern{Constant('he total '), Field(p0,false)}" -match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); +var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); -var part324 = // "Pattern{Constant('otal '), Field(p0,false)}" -match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); +var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); var select71 = linear_select([ part323, part324, ]); -var part325 = // "Pattern{Constant('guaranteed bandwidth '), Field(fld3,false)}" -match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); +var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); var all60 = all_match({ processors: [ part321, - dup339, + dup337, part322, select71, part325, @@ -5359,8 +4765,7 @@ var all60 = all_match({ var msg198 = msg("00009:07", all60); -var part326 = // "Pattern{Constant('The configured bandwidth setting on the interface '), Field(interface,true), Constant(' has been changed to '), Field(fld2,false)}" -match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ +var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -5370,14 +4775,11 @@ match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth sett var msg199 = msg("00009:09", part326); -var part327 = // "Pattern{Constant('The operational mode for the interface '), Field(interface,true), Constant(' has been changed to '), Field(p0,false)}" -match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); +var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); -var part328 = // "Pattern{Constant('Route'), Field(,false)}" -match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); +var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); -var part329 = // "Pattern{Constant('NAT'), Field(,false)}" -match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); +var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); var select72 = linear_select([ part328, @@ -5400,19 +4802,16 @@ var all61 = all_match({ var msg200 = msg("00009:10", all61); -var part330 = // "Pattern{Field(fld1,false), Constant(': VLAN '), Field(p0,false)}" -match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); +var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); -var part331 = // "Pattern{Constant('VLAN '), Field(p0,false)}" -match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); +var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); var select73 = linear_select([ part330, part331, ]); -var part332 = // "Pattern{Constant('tag '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); +var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); var all62 = all_match({ processors: [ @@ -5430,8 +4829,7 @@ var all62 = all_match({ var msg201 = msg("00009:11", all62); -var part333 = // "Pattern{Constant('DHCP client has been '), Field(disposition,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ +var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ dup1, dup2, dup3, @@ -5441,8 +4839,7 @@ match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{dispos var msg202 = msg("00009:12", part333); -var part334 = // "Pattern{Constant('DHCP relay agent settings on '), Field(interface,true), Constant(' have been '), Field(disposition,false)}" -match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ +var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5452,14 +4849,11 @@ match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on var msg203 = msg("00009:13", part334); -var part335 = // "Pattern{Constant('Global-PRO has been '), Field(p0,false)}" -match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); +var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); -var part336 = // "Pattern{Constant('Global PRO has been '), Field(p0,false)}" -match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); +var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); -var part337 = // "Pattern{Constant('DNS proxy was '), Field(p0,false)}" -match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); +var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); var select74 = linear_select([ part335, @@ -5467,16 +4861,14 @@ var select74 = linear_select([ part337, ]); -var part338 = // "Pattern{Constant(''), Field(disposition,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); +var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); var select75 = linear_select([ dup122, dup123, ]); -var part339 = // "Pattern{Field(interface,true), Constant(' ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); +var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); var select76 = linear_select([ part339, @@ -5502,11 +4894,9 @@ var all63 = all_match({ var msg204 = msg("00009:14", all63); -var part340 = // "Pattern{Constant('Route between secondary IP'), Field(p0,false)}" -match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); +var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); -var part341 = // "Pattern{Constant(' addresses '), Field(p0,false)}" -match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); +var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); var select77 = linear_select([ part341, @@ -5518,7 +4908,7 @@ var all64 = all_match({ part340, select77, dup126, - dup352, + dup350, dup128, ], on_success: processor_chain([ @@ -5532,11 +4922,9 @@ var all64 = all_match({ var msg205 = msg("00009:15", all64); -var part342 = // "Pattern{Constant('Secondary IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); +var part342 = match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); -var part343 = // "Pattern{Constant('deleted from '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); +var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); var select78 = linear_select([ dup129, @@ -5544,13 +4932,12 @@ var select78 = linear_select([ part343, ]); -var part344 = // "Pattern{Constant('interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); +var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); var all65 = all_match({ processors: [ part342, - dup352, + dup350, dup23, select78, part344, @@ -5566,22 +4953,18 @@ var all65 = all_match({ var msg206 = msg("00009:16", all65); -var part345 = // "Pattern{Constant('Secondary IP address '), Field(p0,false)}" -match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); +var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); -var part346 = // "Pattern{Field(hostip,false), Constant('/'), Field(mask,true), Constant(' was added to interface '), Field(p0,false)}" -match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); +var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); -var part347 = // "Pattern{Field(hostip,true), Constant(' was added to interface '), Field(p0,false)}" -match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); +var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); var select79 = linear_select([ part346, part347, ]); -var part348 = // "Pattern{Field(interface,false), Constant('.')}" -match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); +var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); var all66 = all_match({ processors: [ @@ -5600,8 +4983,7 @@ var all66 = all_match({ var msg207 = msg("00009:17", all66); -var part349 = // "Pattern{Constant('The configured bandwidth on the interface '), Field(interface,true), Constant(' has been changed to '), Field(fld2,false)}" -match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ +var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -5611,8 +4993,7 @@ match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on t var msg208 = msg("00009:18", part349); -var part350 = // "Pattern{Constant('interface '), Field(interface,true), Constant(' with IP '), Field(hostip,true), Constant(' '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ +var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5622,8 +5003,7 @@ match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with var msg209 = msg("00009:19", part350); -var part351 = // "Pattern{Constant('interface '), Field(interface,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ +var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5633,31 +5013,24 @@ match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has var msg210 = msg("00009:27", part351); -var part352 = // "Pattern{Field(fld2,false), Constant(': '), Field(service,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); +var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); -var part353 = // "Pattern{Field(service,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); +var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); var select80 = linear_select([ part352, part353, ]); -var part354 = // "Pattern{Field(disposition,true), Constant(' on interface '), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); +var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); -var part355 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); +var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); -var part356 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); +var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); -var part357 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); +var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); -var part358 = // "Pattern{Constant('from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); +var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); var select81 = linear_select([ part355, @@ -5684,13 +5057,12 @@ var all67 = all_match({ var msg211 = msg("00009:20", all67); -var part359 = // "Pattern{Constant('Source Route IP option! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); var all68 = all_match({ processors: [ part359, - dup345, + dup343, dup131, ], on_success: processor_chain([ @@ -5707,8 +5079,7 @@ var all68 = all_match({ var msg212 = msg("00009:21", all68); -var part360 = // "Pattern{Constant('MTU for interface '), Field(interface,true), Constant(' has been changed to '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ +var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -5719,8 +5090,7 @@ match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface var msg213 = msg("00009:22", part360); -var part361 = // "Pattern{Constant('Secondary IP address '), Field(hostip,true), Constant(' has been added to interface '), Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ +var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ dup44, dup2, dup9, @@ -5731,22 +5101,18 @@ match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip var msg214 = msg("00009:23", part361); -var part362 = // "Pattern{Constant('Web has been enabled on interface '), Field(interface,true), Constant(' by admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); +var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); -var part363 = // "Pattern{Field(logon_type,true), Constant(' '), Field(space,false), Constant('('), Field(p0,false)}" -match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); +var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); -var part364 = // "Pattern{Field(logon_type,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); +var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); var select82 = linear_select([ part363, part364, ]); -var part365 = // "Pattern{Constant(')'), Field(fld1,false)}" -match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); +var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); var all69 = all_match({ processors: [ @@ -5766,8 +5132,7 @@ var all69 = all_match({ var msg215 = msg("00009:24", all69); -var part366 = // "Pattern{Constant('Web has been enabled on interface '), Field(interface,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. (%{fld1})", processor_chain([ +var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. (%{fld1})", processor_chain([ dup1, dup2, dup9, @@ -5778,13 +5143,12 @@ match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on inter var msg216 = msg("00009:25", part366); -var part367 = // "Pattern{Field(protocol,true), Constant(' has been '), Field(disposition,true), Constant(' on interface '), Field(interface,true), Constant(' by '), Field(username,true), Constant(' via NSRP Peer . '), Field(p0,false)}" -match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); +var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); var all70 = all_match({ processors: [ part367, - dup335, + dup333, ], on_success: processor_chain([ dup1, @@ -5827,28 +5191,22 @@ var select83 = linear_select([ msg217, ]); -var part368 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); +var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); -var part369 = // "Pattern{Constant('using protocol '), Field(p0,false)}" -match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); +var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); -var part370 = // "Pattern{Constant('proto '), Field(p0,false)}" -match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); +var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); var select84 = linear_select([ part369, part370, ]); -var part371 = // "Pattern{Constant(''), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); +var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); -var part372 = // "Pattern{Constant('( zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); +var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); -var part373 = // "Pattern{Constant('zone '), Field(zone,true), Constant(' int '), Field(interface,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); +var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); var select85 = linear_select([ part372, @@ -5856,8 +5214,7 @@ var select85 = linear_select([ dup126, ]); -var part374 = // "Pattern{Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times'), Field(p0,false)}" -match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); +var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); var all71 = all_match({ processors: [ @@ -5866,7 +5223,7 @@ var all71 = all_match({ part371, select85, part374, - dup353, + dup351, ], on_success: processor_chain([ dup58, @@ -5882,8 +5239,7 @@ var all71 = all_match({ var msg218 = msg("00010", all71); -var part375 = // "Pattern{Constant('MIP '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ +var part375 = match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5893,8 +5249,7 @@ match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has b var msg219 = msg("00010:01", part375); -var part376 = // "Pattern{Constant('Mapped IP '), Field(hostip,true), Constant(' '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ +var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5907,7 +5262,7 @@ var msg220 = msg("00010:02", part376); var all72 = all_match({ processors: [ dup132, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -5931,8 +5286,7 @@ var select86 = linear_select([ msg221, ]); -var part377 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5944,16 +5298,14 @@ match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{spo var msg222 = msg("00011", part377); -var part378 = // "Pattern{Constant('Route to '), Field(daddr,false), Constant('/'), Field(fld2,true), Constant(' [ '), Field(p0,false)}" -match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); +var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); var select87 = linear_select([ dup57, dup56, ]); -var part379 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' gateway '), Field(fld3,true), Constant(' ] has been '), Field(disposition,false)}" -match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); +var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); var all73 = all_match({ processors: [ @@ -5972,8 +5324,7 @@ var all73 = all_match({ var msg223 = msg("00011:01", all73); -var part380 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ +var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ dup58, dup2, dup3, @@ -5983,28 +5334,22 @@ match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} var msg224 = msg("00011:02", part380); -var part381 = // "Pattern{Constant('An '), Field(p0,false)}" -match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); +var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); -var part382 = // "Pattern{Constant('import '), Field(p0,false)}" -match("MESSAGE#223:00011:03/1_0", "nwparser.p0", "import %{p0}"); +var part382 = match("MESSAGE#223:00011:03/1_0", "nwparser.p0", "import %{p0}"); -var part383 = // "Pattern{Constant('export '), Field(p0,false)}" -match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); +var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); var select88 = linear_select([ part382, part383, ]); -var part384 = // "Pattern{Constant('rule in virtual router '), Field(node,true), Constant(' to virtual router '), Field(fld4,true), Constant(' with '), Field(p0,false)}" -match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); +var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); -var part385 = // "Pattern{Constant('route-map '), Field(fld3,true), Constant(' and protocol '), Field(protocol,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); +var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); -var part386 = // "Pattern{Constant('IP-prefix '), Field(hostip,false), Constant('/'), Field(interface,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); +var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); var select89 = linear_select([ part385, @@ -6030,16 +5375,14 @@ var all74 = all_match({ var msg225 = msg("00011:03", all74); -var part387 = // "Pattern{Constant('A route in virtual router '), Field(node,true), Constant(' that has IP address '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' through '), Field(p0,false)}" -match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); +var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); -var part388 = // "Pattern{Constant(''), Field(interface,true), Constant(' and gateway '), Field(fld3,true), Constant(' with metric '), Field(fld4,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); +var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); var all75 = all_match({ processors: [ part387, - dup354, + dup352, part388, ], on_success: processor_chain([ @@ -6053,19 +5396,16 @@ var all75 = all_match({ var msg226 = msg("00011:04", all75); -var part389 = // "Pattern{Constant('sharable virtual router using name'), Field(p0,false)}" -match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); +var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); -var part390 = // "Pattern{Constant('virtual router with name'), Field(p0,false)}" -match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); +var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); var select90 = linear_select([ part389, part390, ]); -var part391 = // "Pattern{Field(,true), Constant(' '), Field(node,true), Constant(' and id '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); +var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); var all76 = all_match({ processors: [ @@ -6084,8 +5424,7 @@ var all76 = all_match({ var msg227 = msg("00011:05", all76); -var part392 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup4, @@ -6097,8 +5436,7 @@ match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} var msg228 = msg("00011:07", part392); -var part393 = // "Pattern{Constant('Route(s) in virtual router '), Field(node,true), Constant(' with an IP address '), Field(hostip,true), Constant(' and gateway '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ +var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6108,8 +5446,7 @@ match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{ var msg229 = msg("00011:08", part393); -var part394 = // "Pattern{Constant('The auto-route-export feature in virtual router '), Field(node,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ +var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6119,8 +5456,7 @@ match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature var msg230 = msg("00011:09", part394); -var part395 = // "Pattern{Constant('The maximum number of routes that can be created in virtual router '), Field(node,true), Constant(' is '), Field(fld2,false)}" -match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ +var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ dup44, dup2, dup3, @@ -6130,8 +5466,7 @@ match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes var msg231 = msg("00011:10", part395); -var part396 = // "Pattern{Constant('The maximum routes limit in virtual router '), Field(node,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ +var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6141,8 +5476,7 @@ match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in v var msg232 = msg("00011:11", part396); -var part397 = // "Pattern{Constant('The router-id of virtual router '), Field(node,true), Constant(' used by OSPF BGP routing instances id has been uninitialized')}" -match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ +var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ dup1, dup2, dup3, @@ -6152,8 +5486,7 @@ match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual rout var msg233 = msg("00011:12", part397); -var part398 = // "Pattern{Constant('The router-id that can be used by OSPF BGP routing instances in virtual router '), Field(node,true), Constant(' has been set to '), Field(fld2,false)}" -match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ +var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -6163,11 +5496,9 @@ match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be use var msg234 = msg("00011:13", part398); -var part399 = // "Pattern{Constant('The routing preference for protocol '), Field(protocol,true), Constant(' in virtual router '), Field(node,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); +var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); -var part400 = // "Pattern{Constant('reset'), Field(,false)}" -match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); +var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); var select91 = linear_select([ dup134, @@ -6190,8 +5521,7 @@ var all77 = all_match({ var msg235 = msg("00011:14", all77); -var part401 = // "Pattern{Constant('The system default-route in virtual router '), Field(node,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ +var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6201,8 +5531,7 @@ match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in v var msg236 = msg("00011:15", part401); -var part402 = // "Pattern{Constant('The system default-route through virtual router '), Field(node,true), Constant(' has been added in virtual router '), Field(fld2,false)}" -match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ +var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -6212,17 +5541,13 @@ match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route thro var msg237 = msg("00011:16", part402); -var part403 = // "Pattern{Constant('The virtual router '), Field(node,true), Constant(' has been made '), Field(p0,false)}" -match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); +var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); -var part404 = // "Pattern{Constant('sharable'), Field(,false)}" -match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); +var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); -var part405 = // "Pattern{Constant('unsharable'), Field(,false)}" -match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); +var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); -var part406 = // "Pattern{Constant('default virtual router for virtual system '), Field(fld2,false)}" -match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); +var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); var select92 = linear_select([ part404, @@ -6246,44 +5571,36 @@ var all78 = all_match({ var msg238 = msg("00011:17", all78); -var part407 = // "Pattern{Constant('Source route(s) '), Field(p0,false)}" -match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); +var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); -var part408 = // "Pattern{Constant('A source route '), Field(p0,false)}" -match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); +var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); var select93 = linear_select([ part407, part408, ]); -var part409 = // "Pattern{Constant('in virtual router '), Field(node,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); +var part409 = match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); -var part410 = // "Pattern{Constant('with route addresses of '), Field(p0,false)}" -match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); +var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); -var part411 = // "Pattern{Constant('that has IP address '), Field(p0,false)}" -match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); +var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); var select94 = linear_select([ part410, part411, ]); -var part412 = // "Pattern{Constant(''), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' through interface '), Field(interface,true), Constant(' and '), Field(p0,false)}" -match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); +var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); -var part413 = // "Pattern{Constant('a default gateway address '), Field(p0,false)}" -match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); +var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); var select95 = linear_select([ part413, dup135, ]); -var part414 = // "Pattern{Constant(''), Field(fld3,true), Constant(' with metric '), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); +var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); var all79 = all_match({ processors: [ @@ -6293,7 +5610,7 @@ var all79 = all_match({ part412, select95, part414, - dup352, + dup350, dup128, ], on_success: processor_chain([ @@ -6307,36 +5624,29 @@ var all79 = all_match({ var msg239 = msg("00011:18", all79); -var part415 = // "Pattern{Constant('Source Route(s) in virtual router '), Field(node,true), Constant(' with '), Field(p0,false)}" -match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); +var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); -var part416 = // "Pattern{Constant('route addresses of '), Field(p0,false)}" -match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); +var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); -var part417 = // "Pattern{Constant('an IP address '), Field(p0,false)}" -match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); +var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); var select96 = linear_select([ part416, part417, ]); -var part418 = // "Pattern{Constant(''), Field(hostip,false), Constant('/'), Field(fld3,true), Constant(' and '), Field(p0,false)}" -match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); +var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); -var part419 = // "Pattern{Constant('a default gateway address of '), Field(p0,false)}" -match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); +var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); var select97 = linear_select([ part419, dup135, ]); -var part420 = // "Pattern{Constant(''), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); +var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); -var part421 = // "Pattern{Constant('has been'), Field(p0,false)}" -match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); +var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); var select98 = linear_select([ dup107, @@ -6364,16 +5674,14 @@ var all80 = all_match({ var msg240 = msg("00011:19", all80); -var part422 = // "Pattern{Field(fld2,false), Constant(': A '), Field(p0,false)}" -match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); +var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); var select99 = linear_select([ part422, dup79, ]); -var part423 = // "Pattern{Constant('route has been created in virtual router "'), Field(node,false), Constant('"'), Field(space,false), Constant('with an IP address '), Field(hostip,true), Constant(' and next-hop as virtual router "'), Field(fld3,false), Constant('"')}" -match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); +var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); var all81 = all_match({ processors: [ @@ -6391,8 +5699,7 @@ var all81 = all_match({ var msg241 = msg("00011:20", all81); -var part424 = // "Pattern{Constant('SIBR route(s) in virtual router '), Field(node,true), Constant(' for interface '), Field(interface,true), Constant(' with an IP address '), Field(hostip,true), Constant(' and gateway '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ +var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6402,8 +5709,7 @@ match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual rout var msg242 = msg("00011:21", part424); -var part425 = // "Pattern{Constant('SIBR route in virtual router '), Field(node,true), Constant(' for interface '), Field(interface,true), Constant(' that has IP address '), Field(hostip,true), Constant(' through interface '), Field(fld3,true), Constant(' and gateway '), Field(fld4,true), Constant(' with metric '), Field(fld5,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ +var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6416,7 +5722,7 @@ var msg243 = msg("00011:22", part425); var all82 = all_match({ processors: [ dup132, - dup345, + dup343, dup131, ], on_success: processor_chain([ @@ -6441,8 +5747,7 @@ var all82 = all_match({ var msg244 = msg("00011:23", all82); -var part426 = // "Pattern{Constant('Route in virtual router "'), Field(node,false), Constant('" that has IP address '), Field(hostip,true), Constant(' through interface '), Field(interface,true), Constant(' and gateway '), Field(fld2,true), Constant(' with metric '), Field(fld3,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. (%{fld1})", processor_chain([ +var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -6453,8 +5758,7 @@ match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{n var msg245 = msg("00011:24", part426); -var part427 = // "Pattern{Constant('Route(s) in virtual router "'), Field(node,false), Constant('" with an IP address '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' and gateway '), Field(fld3,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ +var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -6465,8 +5769,7 @@ match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \" var msg246 = msg("00011:25", part427); -var part428 = // "Pattern{Constant('Route in virtual router "'), Field(node,false), Constant('" with IP address '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' and next-hop as virtual router "'), Field(fld3,false), Constant('" created. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ +var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -6506,8 +5809,7 @@ var select100 = linear_select([ msg247, ]); -var part429 = // "Pattern{Constant('Service group '), Field(group,true), Constant(' comments have been '), Field(disposition,false)}" -match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ +var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6517,8 +5819,7 @@ match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comm var msg248 = msg("00012:02", part429); -var part430 = // "Pattern{Constant('Service group '), Field(change_old,true), Constant(' '), Field(change_attribute,true), Constant(' has been changed to '), Field(change_new,false)}" -match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ +var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -6528,8 +5829,7 @@ match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} var msg249 = msg("00012:03", part430); -var part431 = // "Pattern{Field(fld2,true), Constant(' Service group '), Field(group,true), Constant(' has '), Field(disposition,true), Constant(' member '), Field(username,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ +var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ dup1, dup2, dup3, @@ -6539,8 +5839,7 @@ match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{gro var msg250 = msg("00012:04", part431); -var part432 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(fld2,false), Constant(') ('), Field(fld3,false), Constant(')')}" -match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2}) (%{fld3})", processor_chain([ +var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2}) (%{fld3})", processor_chain([ dup58, dup2, dup3, @@ -6551,8 +5850,7 @@ match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{ var msg251 = msg("00012:05", part432); -var part433 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -6564,8 +5862,7 @@ match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detecte var msg252 = msg("00012:06", part433); -var part434 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -6577,8 +5874,7 @@ match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detecte var msg253 = msg("00012:07", part434); -var part435 = // "Pattern{Field(fld2,false), Constant(': Service '), Field(service,true), Constant(' has been '), Field(disposition,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ +var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -6592,7 +5888,7 @@ var msg254 = msg("00012:08", part435); var all83 = all_match({ processors: [ dup80, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -6612,7 +5908,7 @@ var msg255 = msg("00012:09", all83); var all84 = all_match({ processors: [ dup132, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -6629,8 +5925,7 @@ var all84 = all_match({ var msg256 = msg("00012:10", all84); -var part436 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -6643,8 +5938,7 @@ match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{ var msg257 = msg("00012:11", part436); -var part437 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(zone,false), Constant(') '), Field(info,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ +var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -6655,8 +5949,7 @@ match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{ var msg258 = msg("00012:12", part437); -var part438 = // "Pattern{Constant('Service group '), Field(group,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ +var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6666,8 +5959,7 @@ match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has bee var msg259 = msg("00012", part438); -var part439 = // "Pattern{Constant('Service '), Field(service,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ +var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6693,8 +5985,7 @@ var select101 = linear_select([ msg260, ]); -var part440 = // "Pattern{Constant('Global Manager error in decoding bytes has been detected'), Field(,false)}" -match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ +var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ dup86, dup2, dup3, @@ -6704,8 +5995,7 @@ match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding var msg261 = msg("00013", part440); -var part441 = // "Pattern{Constant('Intruder has attempted to connect to the NetScreen-Global Manager port! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -6718,8 +6008,7 @@ match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to con var msg262 = msg("00013:01", part441); -var part442 = // "Pattern{Constant('URL Filtering '), Field(fld2,true), Constant(' has been changed to '), Field(fld3,false)}" -match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ +var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ dup1, dup2, dup3, @@ -6729,8 +6018,7 @@ match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has b var msg263 = msg("00013:02", part442); -var part443 = // "Pattern{Constant('Web Filtering has been '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ +var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ dup50, dup43, dup51, @@ -6749,8 +6037,7 @@ var select102 = linear_select([ msg264, ]); -var part444 = // "Pattern{Field(change_attribute,true), Constant(' in minutes has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ +var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -6760,14 +6047,11 @@ match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes var msg265 = msg("00014", part444); -var part445 = // "Pattern{Constant('The group member '), Field(username,true), Constant(' has been '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); +var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); -var part446 = // "Pattern{Constant('to a group'), Field(,false)}" -match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); +var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); -var part447 = // "Pattern{Constant('from a group'), Field(,false)}" -match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); +var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); var select103 = linear_select([ part446, @@ -6790,8 +6074,7 @@ var all85 = all_match({ var msg266 = msg("00014:01", all85); -var part448 = // "Pattern{Constant('The user group '), Field(group,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,false)}" -match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ +var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ dup1, dup2, dup3, @@ -6801,8 +6084,7 @@ match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has var msg267 = msg("00014:02", part448); -var part449 = // "Pattern{Constant('The user '), Field(username,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(administrator,false)}" -match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ +var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ dup1, dup2, dup3, @@ -6812,8 +6094,7 @@ match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has be var msg268 = msg("00014:03", part449); -var part450 = // "Pattern{Constant('Communication error with '), Field(hostname,true), Constant(' server { '), Field(hostip,true), Constant(' }: SrvErr ('), Field(fld2,false), Constant('), SockErr ('), Field(fld3,false), Constant('), Valid ('), Field(fld4,false), Constant('),Connected ('), Field(fld5,false), Constant(')')}" -match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ +var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ dup19, dup2, dup3, @@ -6823,8 +6104,7 @@ match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{ho var msg269 = msg("00014:04", part450); -var part451 = // "Pattern{Constant('System clock configurations have been '), Field(disposition,true), Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ +var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ dup1, dup2, dup3, @@ -6834,8 +6114,7 @@ match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations h var msg270 = msg("00014:05", part451); -var part452 = // "Pattern{Constant('System clock is '), Field(disposition,true), Constant(' manually.')}" -match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ +var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ dup1, dup2, dup3, @@ -6845,8 +6124,7 @@ match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition var msg271 = msg("00014:06", part452); -var part453 = // "Pattern{Constant('System up time is '), Field(disposition,true), Constant(' by '), Field(fld2,false)}" -match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ +var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -6856,8 +6134,7 @@ match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{dispositi var msg272 = msg("00014:07", part453); -var part454 = // "Pattern{Constant('Communication error with '), Field(hostname,true), Constant(' server['), Field(hostip,false), Constant(']: SrvErr('), Field(fld2,false), Constant('),SockErr('), Field(fld3,false), Constant('),Valid('), Field(fld4,false), Constant('),Connected('), Field(fld5,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ +var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ dup27, dup2, dup3, @@ -6880,8 +6157,7 @@ var select104 = linear_select([ msg273, ]); -var part455 = // "Pattern{Constant('Authentication type has been changed to '), Field(authmethod,false)}" -match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ +var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ dup1, dup2, dup3, @@ -6891,8 +6167,7 @@ match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been cha var msg274 = msg("00015", part455); -var part456 = // "Pattern{Constant('IP tracking to '), Field(daddr,true), Constant(' has '), Field(disposition,false)}" -match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ +var part456 = match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ dup86, dup2, dup3, @@ -6902,17 +6177,13 @@ match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has var msg275 = msg("00015:01", part456); -var part457 = // "Pattern{Constant('LDAP '), Field(p0,false)}" -match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); +var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); -var part458 = // "Pattern{Constant('server name '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); +var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); -var part459 = // "Pattern{Constant('distinguished name '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); +var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); -var part460 = // "Pattern{Constant('common name '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); +var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); var select105 = linear_select([ part458, @@ -6938,8 +6209,7 @@ var all86 = all_match({ var msg276 = msg("00015:02", all86); -var part461 = // "Pattern{Constant('Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link'), Field(,false)}" -match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ +var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ dup44, dup2, dup3, @@ -6949,11 +6219,9 @@ match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down var msg277 = msg("00015:03", part461); -var part462 = // "Pattern{Constant('RADIUS server '), Field(p0,false)}" -match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); +var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); -var part463 = // "Pattern{Constant('secret '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); +var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); var select106 = linear_select([ dup139, @@ -6978,17 +6246,13 @@ var all87 = all_match({ var msg278 = msg("00015:04", all87); -var part464 = // "Pattern{Constant('SecurID '), Field(p0,false)}" -match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); +var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); -var part465 = // "Pattern{Constant('authentication port '), Field(p0,false)}" -match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); +var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); -var part466 = // "Pattern{Constant('duress mode '), Field(p0,false)}" -match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); +var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); -var part467 = // "Pattern{Constant('number of retries value '), Field(p0,false)}" -match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); +var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); var select107 = linear_select([ part465, @@ -7014,19 +6278,16 @@ var all88 = all_match({ var msg279 = msg("00015:05", all88); -var part468 = // "Pattern{Constant('Master '), Field(p0,false)}" -match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); +var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); -var part469 = // "Pattern{Constant('Backup '), Field(p0,false)}" -match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); +var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); var select108 = linear_select([ part468, part469, ]); -var part470 = // "Pattern{Constant('SecurID server IP address has been '), Field(disposition,false)}" -match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); +var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); var all89 = all_match({ processors: [ @@ -7044,8 +6305,7 @@ var all89 = all_match({ var msg280 = msg("00015:06", all89); -var part471 = // "Pattern{Constant('HA change from slave to master'), Field(,false)}" -match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ +var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ dup1, dup2, dup3, @@ -7055,8 +6315,7 @@ match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to maste var msg281 = msg("00015:07", part471); -var part472 = // "Pattern{Constant('inconsistent configuration between master and slave'), Field(,false)}" -match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ +var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ dup141, dup2, dup3, @@ -7066,19 +6325,16 @@ match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration be var msg282 = msg("00015:08", part472); -var part473 = // "Pattern{Constant('configuration '), Field(p0,false)}" -match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); +var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); -var part474 = // "Pattern{Constant('Configuration '), Field(p0,false)}" -match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); +var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); var select109 = linear_select([ part473, part474, ]); -var part475 = // "Pattern{Constant('out of sync between local unit and remote unit'), Field(,false)}" -match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); +var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); var all90 = all_match({ processors: [ @@ -7096,8 +6352,7 @@ var all90 = all_match({ var msg283 = msg("00015:09", all90); -var part476 = // "Pattern{Constant('HA control channel change to '), Field(interface,false)}" -match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ +var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ dup1, dup2, dup3, @@ -7107,8 +6362,7 @@ match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to var msg284 = msg("00015:10", part476); -var part477 = // "Pattern{Constant('HA data channel change to '), Field(interface,false)}" -match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ +var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ dup1, dup2, dup3, @@ -7118,31 +6372,27 @@ match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{i var msg285 = msg("00015:11", part477); -var part478 = // "Pattern{Constant('control '), Field(p0,false)}" -match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); +var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); -var part479 = // "Pattern{Constant('data '), Field(p0,false)}" -match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); +var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); var select110 = linear_select([ part478, part479, ]); -var part480 = // "Pattern{Constant('channel moved from link '), Field(p0,false)}" -match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); +var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); -var part481 = // "Pattern{Constant('('), Field(interface,false), Constant(')')}" -match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); +var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); var all91 = all_match({ processors: [ dup87, select110, part480, - dup355, + dup353, dup103, - dup355, + dup353, part481, ], on_success: processor_chain([ @@ -7156,8 +6406,7 @@ var all91 = all_match({ var msg286 = msg("00015:12", all91); -var part482 = // "Pattern{Constant('HA: Slave is down'), Field(,false)}" -match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ +var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ dup144, dup2, dup3, @@ -7167,13 +6416,12 @@ match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", proces var msg287 = msg("00015:13", part482); -var part483 = // "Pattern{Constant('NSRP link '), Field(p0,false)}" -match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); +var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); var all92 = all_match({ processors: [ part483, - dup355, + dup353, dup116, ], on_success: processor_chain([ @@ -7187,8 +6435,7 @@ var all92 = all_match({ var msg288 = msg("00015:14", all92); -var part484 = // "Pattern{Constant('no HA '), Field(fld2,true), Constant(' channel available ('), Field(fld3,true), Constant(' used by other channel)')}" -match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ +var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ dup117, dup2, dup3, @@ -7198,8 +6445,7 @@ match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel avail var msg289 = msg("00015:15", part484); -var part485 = // "Pattern{Constant('The NSRP configuration is out of synchronization between the local device and the peer device.'), Field(,false)}" -match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ +var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ dup18, dup2, dup3, @@ -7209,8 +6455,7 @@ match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out var msg290 = msg("00015:16", part485); -var part486 = // "Pattern{Constant('NSRP '), Field(change_attribute,true), Constant(' '), Field(change_old,true), Constant(' changed to link channel '), Field(change_new,false)}" -match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ +var part486 = match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -7220,8 +6465,7 @@ match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{ var msg291 = msg("00015:17", part486); -var part487 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' on peer device '), Field(fld2,true), Constant(' changed from '), Field(fld3,true), Constant(' to '), Field(fld4,true), Constant(' state.')}" -match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ +var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ dup121, dup2, dup3, @@ -7232,8 +6476,7 @@ match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} w var msg292 = msg("00015:18", part487); -var part488 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' on local device '), Field(fld2,false), Constant(', detected a duplicate direction on the peer device '), Field(fld3,false)}" -match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ +var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ dup18, dup2, dup3, @@ -7243,8 +6486,7 @@ match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} w var msg293 = msg("00015:19", part488); -var part489 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' changed on the local device from '), Field(fld2,true), Constant(' to up state, it had peer device '), Field(fld3,false)}" -match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ +var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ dup44, dup2, dup3, @@ -7254,14 +6496,11 @@ match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} w var msg294 = msg("00015:20", part489); -var part490 = // "Pattern{Constant('Peer device '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); +var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); -var part491 = // "Pattern{Constant('disappeared '), Field(p0,false)}" -match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); +var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); -var part492 = // "Pattern{Constant('was discovered '), Field(p0,false)}" -match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); +var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); var select111 = linear_select([ part491, @@ -7285,14 +6524,11 @@ var all93 = all_match({ var msg295 = msg("00015:21", all93); -var part493 = // "Pattern{Constant('The local '), Field(p0,false)}" -match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); +var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); -var part494 = // "Pattern{Constant('The peer '), Field(p0,false)}" -match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); +var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); -var part495 = // "Pattern{Constant('Peer '), Field(p0,false)}" -match("MESSAGE#294:00015:22/0_2", "nwparser.payload", "Peer %{p0}"); +var part495 = match("MESSAGE#294:00015:22/0_2", "nwparser.payload", "Peer %{p0}"); var select112 = linear_select([ part493, @@ -7300,14 +6536,13 @@ var select112 = linear_select([ part495, ]); -var part496 = // "Pattern{Constant('device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' changed '), Field(change_attribute,true), Constant(' from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); +var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); var all94 = all_match({ processors: [ select112, part496, - dup356, + dup354, ], on_success: processor_chain([ dup44, @@ -7321,8 +6556,7 @@ var all94 = all_match({ var msg296 = msg("00015:22", all94); -var part497 = // "Pattern{Constant('WebAuth is set to '), Field(fld2,false)}" -match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ +var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -7332,8 +6566,7 @@ match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", p var msg297 = msg("00015:23", part497); -var part498 = // "Pattern{Constant('Default firewall authentication server has been changed to '), Field(hostname,false)}" -match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ +var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ dup1, dup2, dup3, @@ -7343,8 +6576,7 @@ match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authenticati var msg298 = msg("00015:24", part498); -var part499 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' attempted to verify the encrypted password '), Field(fld2,false), Constant('. Verification was successful')}" -match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ +var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ setc("eventcategory","1613050100"), dup2, dup3, @@ -7354,8 +6586,7 @@ match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} var msg299 = msg("00015:25", part499); -var part500 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' attempted to verify the encrypted password '), Field(fld2,false), Constant('. Verification failed')}" -match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification failed", processor_chain([ +var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification failed", processor_chain([ dup97, dup2, dup3, @@ -7365,14 +6596,11 @@ match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} var msg300 = msg("00015:29", part500); -var part501 = // "Pattern{Constant('unit '), Field(fld2,true), Constant(' just dis'), Field(p0,false)}" -match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); +var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); -var part502 = // "Pattern{Constant('appeared'), Field(,false)}" -match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); +var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); -var part503 = // "Pattern{Constant('covered'), Field(,false)}" -match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); +var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); var select113 = linear_select([ part502, @@ -7395,8 +6623,7 @@ var all95 = all_match({ var msg301 = msg("00015:26", all95); -var part504 = // "Pattern{Constant('NSRP: HA data channel change to '), Field(interface,false), Constant('. ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ +var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ dup44, dup2, dup3, @@ -7407,8 +6634,7 @@ match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change var msg302 = msg("00015:33", part504); -var part505 = // "Pattern{Constant('NSRP: '), Field(fld2,false)}" -match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ +var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ dup44, dup2, dup3, @@ -7418,8 +6644,7 @@ match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_cha var msg303 = msg("00015:27", part505); -var part506 = // "Pattern{Constant('Auth server '), Field(hostname,true), Constant(' RADIUS retry timeout has been set to default of '), Field(fld2,false)}" -match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ +var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -7429,16 +6654,14 @@ match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RAD var msg304 = msg("00015:28", part506); -var part507 = // "Pattern{Constant('Number of RADIUS retries for auth server '), Field(hostname,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); +var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); -var part508 = // "Pattern{Constant('set to '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); +var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); var all96 = all_match({ processors: [ part507, - dup357, + dup355, part508, ], on_success: processor_chain([ @@ -7453,8 +6676,7 @@ var all96 = all_match({ var msg305 = msg("00015:30", all96); -var part509 = // "Pattern{Constant('Forced timeout for Auth server '), Field(hostname,true), Constant(' is unset to its default value, '), Field(info,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ +var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -7465,8 +6687,7 @@ match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth serve var msg306 = msg("00015:31", part509); -var part510 = // "Pattern{Constant('Accounting port of server RADIUS is set to '), Field(network_port,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ +var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ dup50, dup43, dup51, @@ -7515,8 +6736,7 @@ var select114 = linear_select([ msg307, ]); -var part511 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup147, dup148, dup149, @@ -7531,8 +6751,7 @@ match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{spo var msg308 = msg("00016", part511); -var part512 = // "Pattern{Constant('Address VIP ('), Field(fld2,false), Constant(') for '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ +var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ dup1, dup148, dup149, @@ -7545,8 +6764,7 @@ match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{f var msg309 = msg("00016:01", part512); -var part513 = // "Pattern{Constant('VIP ('), Field(fld2,false), Constant(') has been '), Field(disposition,false)}" -match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ +var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ dup1, dup148, dup149, @@ -7559,8 +6777,7 @@ match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disp var msg310 = msg("00016:02", part513); -var part514 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ +var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ dup147, dup148, dup149, @@ -7573,8 +6790,7 @@ match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{ var msg311 = msg("00016:03", part514); -var part515 = // "Pattern{Constant('VIP multi-port was '), Field(disposition,false)}" -match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ +var part515 = match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7584,8 +6800,7 @@ match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposit var msg312 = msg("00016:05", part515); -var part516 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup147, dup148, dup149, @@ -7600,13 +6815,12 @@ match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detecte var msg313 = msg("00016:06", part516); -var part517 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' ( zone '), Field(p0,false)}" -match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); +var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); var all97 = all_match({ processors: [ part517, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -7626,8 +6840,7 @@ var all97 = all_match({ var msg314 = msg("00016:07", all97); -var part518 = // "Pattern{Constant('VIP ('), Field(fld2,false), Constant(':'), Field(fld3,true), Constant(' HTTP '), Field(fld4,false), Constant(') Modify by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ setc("eventcategory","1001020305"), dup2, dup3, @@ -7638,8 +6851,7 @@ match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP % var msg315 = msg("00016:08", part518); -var part519 = // "Pattern{Constant('VIP ('), Field(fld2,false), Constant(':'), Field(fld3,true), Constant(' HTTP '), Field(fld4,false), Constant(') New by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ setc("eventcategory","1001030305"), dup2, dup3, @@ -7662,8 +6874,7 @@ var select115 = linear_select([ msg316, ]); -var part520 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup151, dup2, dup3, @@ -7674,22 +6885,18 @@ match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{spo var msg317 = msg("00017", part520); -var part521 = // "Pattern{Constant('Gateway '), Field(fld2,true), Constant(' at '), Field(fld3,true), Constant(' in '), Field(fld5,true), Constant(' mode with ID '), Field(p0,false)}" -match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); +var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); -var part522 = // "Pattern{Constant('['), Field(fld4,false), Constant('] '), Field(p0,false)}" -match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); +var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); -var part523 = // "Pattern{Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); +var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); var select116 = linear_select([ part522, part523, ]); -var part524 = // "Pattern{Constant('has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' '), Field(fld,false)}" -match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); +var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); var all98 = all_match({ processors: [ @@ -7708,28 +6915,24 @@ var all98 = all_match({ var msg318 = msg("00017:23", all98); -var part525 = // "Pattern{Field(fld1,false), Constant(': Gateway '), Field(p0,false)}" -match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); +var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); -var part526 = // "Pattern{Constant('Gateway '), Field(p0,false)}" -match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); +var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); var select117 = linear_select([ part525, part526, ]); -var part527 = // "Pattern{Constant(''), Field(fld2,true), Constant(' at '), Field(fld3,true), Constant(' in '), Field(fld5,true), Constant(' mode with ID'), Field(p0,false)}" -match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); +var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); -var part528 = // "Pattern{Constant(''), Field(fld4,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); +var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); var all99 = all_match({ processors: [ select117, part527, - dup358, + dup356, part528, ], on_success: processor_chain([ @@ -7743,8 +6946,7 @@ var all99 = all_match({ var msg319 = msg("00017:01", all99); -var part529 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Gateway settings have been '), Field(disposition,false)}" -match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ +var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7754,8 +6956,7 @@ match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settin var msg320 = msg("00017:02", part529); -var part530 = // "Pattern{Constant('IKE key '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ +var part530 = match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7765,13 +6966,12 @@ match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{ var msg321 = msg("00017:03", part530); -var part531 = // "Pattern{Constant(''), Field(group_object,true), Constant(' with range '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); +var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); var all100 = all_match({ processors: [ dup153, - dup359, + dup357, part531, ], on_success: processor_chain([ @@ -7785,8 +6985,7 @@ var all100 = all_match({ var msg322 = msg("00017:04", all100); -var part532 = // "Pattern{Constant('IPSec NAT-T for VPN '), Field(group,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ +var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7796,14 +6995,11 @@ match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group-> var msg323 = msg("00017:05", part532); -var part533 = // "Pattern{Constant('The DF-BIT for VPN '), Field(group,true), Constant(' has been set to '), Field(p0,false)}" -match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); +var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); -var part534 = // "Pattern{Constant('clear '), Field(p0,false)}" -match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); +var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); -var part535 = // "Pattern{Constant('copy '), Field(p0,false)}" -match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); +var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); var select118 = linear_select([ part534, @@ -7828,20 +7024,15 @@ var all101 = all_match({ var msg324 = msg("00017:06", all101); -var part536 = // "Pattern{Constant('The DF-BIT for VPN '), Field(group,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); +var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); -var part537 = // "Pattern{Constant('clear'), Field(,false)}" -match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); +var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); -var part538 = // "Pattern{Constant('cleared'), Field(,false)}" -match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); +var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); -var part539 = // "Pattern{Constant('copy'), Field(,false)}" -match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); +var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); -var part540 = // "Pattern{Constant('copied'), Field(,false)}" -match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); +var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); var select119 = linear_select([ part537, @@ -7867,8 +7058,7 @@ var all102 = all_match({ var msg325 = msg("00017:07", all102); -var part541 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and SPI '), Field(fld3,false), Constant('/'), Field(fld4,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ +var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7878,28 +7068,22 @@ match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway % var msg326 = msg("00017:08", part541); -var part542 = // "Pattern{Field(fld1,false), Constant(': VPN '), Field(p0,false)}" -match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); +var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); -var part543 = // "Pattern{Constant('VPN '), Field(p0,false)}" -match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); +var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); var select120 = linear_select([ part542, part543, ]); -var part544 = // "Pattern{Constant(''), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); +var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); -var part545 = // "Pattern{Constant('no-rekey '), Field(p0,false)}" -match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); +var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); -var part546 = // "Pattern{Constant('rekey, '), Field(p0,false)}" -match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); +var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); -var part547 = // "Pattern{Constant('rekey '), Field(p0,false)}" -match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); +var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); var select121 = linear_select([ part545, @@ -7907,14 +7091,11 @@ var select121 = linear_select([ part547, ]); -var part548 = // "Pattern{Constant('and p2-proposal '), Field(fld3,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); +var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); -var part549 = // "Pattern{Field(disposition,true), Constant(' from peer unit')}" -match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); +var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); -var part550 = // "Pattern{Field(disposition,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); +var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); var select122 = linear_select([ part549, @@ -7941,13 +7122,12 @@ var all103 = all_match({ var msg327 = msg("00017:09", all103); -var part551 = // "Pattern{Constant('VPN monitoring for VPN '), Field(group,true), Constant(' has been '), Field(disposition,false), Constant('. Src IF '), Field(sinterface,true), Constant(' dst IP '), Field(daddr,true), Constant(' with rekeying '), Field(p0,false)}" -match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); +var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); var all104 = all_match({ processors: [ part551, - dup360, + dup358, dup116, ], on_success: processor_chain([ @@ -7961,8 +7141,7 @@ var all104 = all_match({ var msg328 = msg("00017:10", all104); -var part552 = // "Pattern{Constant('VPN monitoring for VPN '), Field(group,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ +var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7972,11 +7151,9 @@ match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{grou var msg329 = msg("00017:11", part552); -var part553 = // "Pattern{Constant('VPN monitoring '), Field(p0,false)}" -match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); +var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); -var part554 = // "Pattern{Constant('frequency '), Field(p0,false)}" -match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); +var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); var select123 = linear_select([ dup109, @@ -7989,7 +7166,7 @@ var all105 = all_match({ part553, select123, dup127, - dup361, + dup359, ], on_success: processor_chain([ dup1, @@ -8002,8 +7179,7 @@ var all105 = all_match({ var msg330 = msg("00017:12", all105); -var part555 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and P2 proposal '), Field(fld3,true), Constant(' has been added by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ +var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8014,8 +7190,7 @@ match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway % var msg331 = msg("00017:26", part555); -var part556 = // "Pattern{Constant('No IP pool has been assigned. You cannot allocate an IP address.'), Field(,false)}" -match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ +var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ dup18, dup2, dup3, @@ -8025,8 +7200,7 @@ match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. var msg332 = msg("00017:13", part556); -var part557 = // "Pattern{Constant('P1 proposal '), Field(fld2,true), Constant(' with '), Field(protocol_detail,false), Constant(', DH group '), Field(group,false), Constant(', ESP '), Field(encryption_type,false), Constant(', auth '), Field(authmethod,false), Constant(', and lifetime '), Field(fld3,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8037,16 +7211,14 @@ match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{ var msg333 = msg("00017:14", part557); -var part558 = // "Pattern{Constant('P2 proposal '), Field(fld2,true), Constant(' with DH group '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); +var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); -var part559 = // "Pattern{Constant(''), Field(encryption_type,true), Constant(' auth '), Field(authmethod,true), Constant(' and lifetime ('), Field(fld3,false), Constant(') ('), Field(fld4,false), Constant(') has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); +var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); var all106 = all_match({ processors: [ part558, - dup362, + dup360, part559, ], on_success: processor_chain([ @@ -8060,16 +7232,14 @@ var all106 = all_match({ var msg334 = msg("00017:15", all106); -var part560 = // "Pattern{Constant('P1 proposal '), Field(fld2,true), Constant(' with '), Field(protocol_detail,true), Constant(' DH group '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); +var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); -var part561 = // "Pattern{Constant(''), Field(encryption_type,true), Constant(' auth '), Field(authmethod,true), Constant(' and lifetime '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); +var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); var all107 = all_match({ processors: [ part560, - dup362, + dup360, part561, ], on_success: processor_chain([ @@ -8083,13 +7253,12 @@ var all107 = all_match({ var msg335 = msg("00017:31", all107); -var part562 = // "Pattern{Constant('vpnmonitor interval is '), Field(p0,false)}" -match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); +var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); var all108 = all_match({ processors: [ part562, - dup361, + dup359, ], on_success: processor_chain([ dup1, @@ -8102,8 +7271,7 @@ var all108 = all_match({ var msg336 = msg("00017:16", all108); -var part563 = // "Pattern{Constant('vpnmonitor threshold is '), Field(p0,false)}" -match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); +var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); var select124 = linear_select([ dup99, @@ -8126,13 +7294,12 @@ var all109 = all_match({ var msg337 = msg("00017:17", all109); -var part564 = // "Pattern{Constant(''), Field(group_object,true), Constant(' with range '), Field(fld2,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); +var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); var all110 = all_match({ processors: [ dup153, - dup359, + dup357, part564, ], on_success: processor_chain([ @@ -8148,16 +7315,14 @@ var all110 = all_match({ var msg338 = msg("00017:18", all110); -var part565 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at '), Field(p0,false)}" -match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); +var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); -var part566 = // "Pattern{Field(,true), Constant(' '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); +var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); var all111 = all_match({ processors: [ part565, - dup339, + dup337, part566, ], on_success: processor_chain([ @@ -8175,7 +7340,7 @@ var msg339 = msg("00017:19", all111); var all112 = all_match({ processors: [ dup64, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -8191,8 +7356,7 @@ var all112 = all_match({ var msg340 = msg("00017:20", all112); -var part567 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup151, dup2, dup3, @@ -8203,8 +7367,7 @@ match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} var msg341 = msg("00017:21", part567); -var part568 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and P2 proposal '), Field(fld3,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8215,8 +7378,7 @@ match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway % var msg342 = msg("00017:22", part568); -var part569 = // "Pattern{Constant('VPN "'), Field(group,false), Constant('" has been bound to tunnel interface '), Field(interface,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. (%{fld1})", processor_chain([ +var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8227,8 +7389,7 @@ match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bou var msg343 = msg("00017:24", part569); -var part570 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and P2 proposal standard has been added by admin '), Field(administrator,true), Constant(' via NSRP Peer ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ +var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8239,8 +7400,7 @@ match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway % var msg344 = msg("00017:25", part570); -var part571 = // "Pattern{Constant('P2 proposal '), Field(fld2,true), Constant(' with DH group '), Field(group,false), Constant(', ESP, enc '), Field(encryption_type,false), Constant(', auth '), Field(authmethod,false), Constant(', and lifetime '), Field(fld3,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8251,8 +7411,7 @@ match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH var msg345 = msg("00017:28", part571); -var part572 = // "Pattern{Constant('L2TP "'), Field(fld2,false), Constant('", all-L2TP-users secret "'), Field(fld3,false), Constant('" keepalive '), Field(fld4,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup1, dup2, dup4, @@ -8295,8 +7454,7 @@ var select125 = linear_select([ msg346, ]); -var part573 = // "Pattern{Constant('Positions of policies '), Field(fld2,true), Constant(' and '), Field(fld3,true), Constant(' have been exchanged')}" -match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ +var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ dup1, dup2, dup3, @@ -8306,8 +7464,7 @@ match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} var msg347 = msg("00018", part573); -var part574 = // "Pattern{Constant('Deny Policy Alarm'), Field(,false)}" -match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ +var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ setc("eventcategory","1502010000"), dup2, dup4, @@ -8317,31 +7474,17 @@ match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", proces var msg348 = msg("00018:01", part574); -var part575 = // "Pattern{Constant('Device'), Field(p0,false)}" -match("MESSAGE#347:00018:02/0", "nwparser.payload", "Device%{p0}"); - -var part576 = // "Pattern{Constant('s '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#347:00018:02/2", "nwparser.p0", "s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}"); - -var all113 = all_match({ - processors: [ - part575, - dup363, - part576, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); +var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); -var msg349 = msg("00018:02", all113); +var msg349 = msg("00018:02", part575); -var part577 = // "Pattern{Field(fld2,true), Constant(' Policy ('), Field(policy_id,false), Constant(', '), Field(info,true), Constant(' ) was '), Field(disposition,true), Constant(' from host '), Field(saddr,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8350,10 +7493,9 @@ match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id dup5, ])); -var msg350 = msg("00018:04", part577); +var msg350 = msg("00018:04", part576); -var part578 = // "Pattern{Field(fld2,true), Constant(' Policy ('), Field(policy_id,false), Constant(', '), Field(info,true), Constant(' ) was '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer')}" -match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ +var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ dup17, dup2, dup3, @@ -8361,30 +7503,26 @@ match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id dup5, ])); -var msg351 = msg("00018:16", part578); +var msg351 = msg("00018:16", part577); -var part579 = // "Pattern{Field(fld2,true), Constant(' Policy '), Field(policy_id,true), Constant(' has been moved '), Field(p0,false)}" -match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); +var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); -var part580 = // "Pattern{Constant('before '), Field(p0,false)}" -match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); +var part579 = match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); -var part581 = // "Pattern{Constant('after '), Field(p0,false)}" -match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); +var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); var select126 = linear_select([ + part579, part580, - part581, ]); -var part582 = // "Pattern{Constant(''), Field(fld3,true), Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); +var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); -var all114 = all_match({ +var all113 = all_match({ processors: [ - part579, + part578, select126, - part582, + part581, ], on_success: processor_chain([ dup17, @@ -8395,10 +7533,9 @@ var all114 = all_match({ ]), }); -var msg352 = msg("00018:06", all114); +var msg352 = msg("00018:06", all113); -var part583 = // "Pattern{Constant('Policy '), Field(policy_id,true), Constant(' application was modified to '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8407,10 +7544,9 @@ match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} applica dup5, ])); -var msg353 = msg("00018:08", part583); +var msg353 = msg("00018:08", part582); -var part584 = // "Pattern{Constant('Policy ('), Field(policy_id,false), Constant(', '), Field(info,false), Constant(') was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup3, dup2, @@ -8419,30 +7555,26 @@ match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info} dup5, ])); -var msg354 = msg("00018:09", part584); +var msg354 = msg("00018:09", part583); -var part585 = // "Pattern{Constant('Policy ('), Field(policy_id,false), Constant(', '), Field(info,false), Constant(') was '), Field(p0,false)}" -match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); +var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); -var part586 = // "Pattern{Field(disposition,true), Constant(' from peer unit by '), Field(p0,false)}" -match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); +var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); -var part587 = // "Pattern{Field(disposition,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); +var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); var select127 = linear_select([ + part585, part586, - part587, ]); -var part588 = // "Pattern{Field(username,true), Constant(' via '), Field(interface,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); +var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); -var all115 = all_match({ +var all114 = all_match({ processors: [ - part585, + part584, select127, - part588, + part587, ], on_success: processor_chain([ dup17, @@ -8454,35 +7586,31 @@ var all115 = all_match({ ]), }); -var msg355 = msg("00018:10", all115); +var msg355 = msg("00018:10", all114); -var part589 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#354:00018:11/1_0", "nwparser.p0", "Service %{service->} was %{p0}"); +var part588 = match("MESSAGE#354:00018:11/1_0", "nwparser.p0", "Service %{service->} was %{p0}"); -var part590 = // "Pattern{Constant('Attack group '), Field(signame,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); +var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); var select128 = linear_select([ + part588, part589, - part590, ]); -var part591 = // "Pattern{Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); +var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); -var part592 = // "Pattern{Constant('to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); +var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); var select129 = linear_select([ - part592, + part591, dup16, ]); -var all116 = all_match({ +var all115 = all_match({ processors: [ - dup162, + dup160, select128, - part591, + part590, select129, dup10, ], @@ -8496,34 +7624,29 @@ var all116 = all_match({ ]), }); -var msg356 = msg("00018:11", all116); +var msg356 = msg("00018:11", all115); -var part593 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the '), Field(p0,false)}" -match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); +var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); -var part594 = // "Pattern{Constant('application '), Field(p0,false)}" -match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); +var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); -var part595 = // "Pattern{Constant('attack severity '), Field(p0,false)}" -match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); +var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); -var part596 = // "Pattern{Constant('DI attack component '), Field(p0,false)}" -match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); +var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); var select130 = linear_select([ + part593, part594, part595, - part596, ]); -var part597 = // "Pattern{Constant('was modified by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); +var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); -var all117 = all_match({ +var all116 = all_match({ processors: [ - part593, + part592, select130, - part597, + part596, ], on_success: processor_chain([ dup17, @@ -8535,17 +7658,16 @@ var all117 = all_match({ ]), }); -var msg357 = msg("00018:12", all117); +var msg357 = msg("00018:12", all116); -var part598 = // "Pattern{Field(,false), Constant('address '), Field(dhost,false), Constant('('), Field(daddr,false), Constant(') was '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); +var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); -var all118 = all_match({ +var all117 = all_match({ processors: [ - dup364, - part598, - dup365, - dup166, + dup361, + part597, + dup362, + dup164, ], on_success: processor_chain([ dup17, @@ -8557,17 +7679,16 @@ var all118 = all_match({ ]), }); -var msg358 = msg("00018:32", all118); +var msg358 = msg("00018:32", all117); -var part599 = // "Pattern{Field(,false), Constant('address '), Field(dhost,true), Constant(' was '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); +var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); -var all119 = all_match({ +var all118 = all_match({ processors: [ - dup364, - part599, - dup365, - dup166, + dup361, + part598, + dup362, + dup164, ], on_success: processor_chain([ dup17, @@ -8579,24 +7700,22 @@ var all119 = all_match({ ]), }); -var msg359 = msg("00018:22", all119); +var msg359 = msg("00018:22", all118); -var part600 = // "Pattern{Field(agent,true), Constant(' was '), Field(disposition,true), Constant(' from policy '), Field(policy_id,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); +var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); var select131 = linear_select([ dup78, dup77, ]); -var part601 = // "Pattern{Constant('address by admin '), Field(administrator,true), Constant(' via NSRP Peer')}" -match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); +var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); -var all120 = all_match({ +var all119 = all_match({ processors: [ - part600, + part599, select131, - part601, + part600, ], on_success: processor_chain([ dup17, @@ -8607,50 +7726,42 @@ var all120 = all_match({ ]), }); -var msg360 = msg("00018:15", all120); +var msg360 = msg("00018:15", all119); -var part602 = // "Pattern{Field(agent,true), Constant(' was '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); +var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); -var part603 = // "Pattern{Constant('to'), Field(p0,false)}" -match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); +var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); -var part604 = // "Pattern{Constant('from'), Field(p0,false)}" -match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); +var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); var select132 = linear_select([ + part602, part603, - part604, ]); -var part605 = // "Pattern{Field(,false), Constant('policy '), Field(policy_id,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); +var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); -var part606 = // "Pattern{Constant('service '), Field(p0,false)}" -match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); +var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); -var part607 = // "Pattern{Constant('source address '), Field(p0,false)}" -match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); +var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); -var part608 = // "Pattern{Constant('destination address '), Field(p0,false)}" -match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); +var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); var select133 = linear_select([ + part605, part606, part607, - part608, ]); -var part609 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); +var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); -var all121 = all_match({ +var all120 = all_match({ processors: [ - part602, + part601, select132, - part605, + part604, select133, - part609, + part608, ], on_success: processor_chain([ dup17, @@ -8662,10 +7773,9 @@ var all121 = all_match({ ]), }); -var msg361 = msg("00018:14", all121); +var msg361 = msg("00018:14", all120); -var part610 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was '), Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer . ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ +var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8674,10 +7784,9 @@ match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{di dup5, ])); -var msg362 = msg("00018:29", part610); +var msg362 = msg("00018:29", part609); -var part611 = // "Pattern{Field(agent,true), Constant(' was added to policy '), Field(policy_id,true), Constant(' '), Field(rule_group,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer '), Field(space,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ +var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8686,10 +7795,9 @@ match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to polic dup5, ])); -var msg363 = msg("00018:07", part611); +var msg363 = msg("00018:07", part610); -var part612 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was '), Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8698,10 +7806,9 @@ match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{di dup5, ])); -var msg364 = msg("00018:18", part612); +var msg364 = msg("00018:18", part611); -var part613 = // "Pattern{Constant('AntiSpam ns-profile was '), Field(disposition,true), Constant(' from policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8710,10 +7817,9 @@ match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{dis dup5, ])); -var msg365 = msg("00018:17", part613); +var msg365 = msg("00018:17", part612); -var part614 = // "Pattern{Constant('Source address Info '), Field(info,true), Constant(' was '), Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8722,52 +7828,45 @@ match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} dup5, ])); -var msg366 = msg("00018:19", part614); +var msg366 = msg("00018:19", part613); -var part615 = // "Pattern{Constant('Destination '), Field(p0,false)}" -match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); +var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); -var part616 = // "Pattern{Constant('Source '), Field(p0,false)}" -match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); +var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); var select134 = linear_select([ + part614, part615, - part616, ]); -var part617 = // "Pattern{Constant('address '), Field(info,true), Constant(' was added to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); +var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); -var part618 = // "Pattern{Constant('from host '), Field(p0,false)}" -match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); +var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); var select135 = linear_select([ - part618, + part617, dup103, ]); -var part619 = // "Pattern{Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); +var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); -var part620 = // "Pattern{Field(daddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); +var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); var select136 = linear_select([ + part618, part619, - part620, ]); -var part621 = // "Pattern{Field(dport,false), Constant(':('), Field(fld1,false), Constant(')')}" -match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); +var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); -var all122 = all_match({ +var all121 = all_match({ processors: [ select134, - part617, + part616, select135, dup23, select136, - part621, + part620, ], on_success: processor_chain([ dup17, @@ -8779,10 +7878,9 @@ var all122 = all_match({ ]), }); -var msg367 = msg("00018:23", all122); +var msg367 = msg("00018:23", all121); -var part622 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was deleted from policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ +var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8791,10 +7889,9 @@ match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was dele dup5, ])); -var msg368 = msg("00018:21", part622); +var msg368 = msg("00018:21", part621); -var part623 = // "Pattern{Constant('Policy ('), Field(policyname,false), Constant(') was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8803,15 +7900,14 @@ match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{ dup5, ])); -var msg369 = msg("00018:24", part623); +var msg369 = msg("00018:24", part622); -var part624 = // "Pattern{Field(,false), Constant('address '), Field(info,true), Constant(' was added to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); +var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); -var all123 = all_match({ +var all122 = all_match({ processors: [ - dup366, - part624, + dup363, + part623, ], on_success: processor_chain([ dup17, @@ -8823,15 +7919,14 @@ var all123 = all_match({ ]), }); -var msg370 = msg("00018:25", all123); +var msg370 = msg("00018:25", all122); -var part625 = // "Pattern{Field(,false), Constant('address '), Field(info,true), Constant(' was deleted from policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); +var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); -var all124 = all_match({ +var all123 = all_match({ processors: [ - dup366, - part625, + dup363, + part624, ], on_success: processor_chain([ dup17, @@ -8843,23 +7938,21 @@ var all124 = all_match({ ]), }); -var msg371 = msg("00018:30", all124); +var msg371 = msg("00018:30", all123); -var part626 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the application was modified to '), Field(disposition,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); +var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); -var part627 = // "Pattern{Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); +var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); var select137 = linear_select([ dup48, - part627, + part626, ]); -var all125 = all_match({ +var all124 = all_match({ processors: [ - part626, - dup367, + part625, + dup364, select137, dup41, ], @@ -8873,10 +7966,9 @@ var all125 = all_match({ ]), }); -var msg372 = msg("00018:26", all125); +var msg372 = msg("00018:26", all124); -var part628 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the DI attack component was modified by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ +var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ dup17, dup2, dup4, @@ -8884,10 +7976,9 @@ match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the D dup9, ])); -var msg373 = msg("00018:27", part628); +var msg373 = msg("00018:27", part627); -var part629 = // "Pattern{Constant('In policy '), Field(policyname,false), Constant(', the DI attack component was modified by admin '), Field(administrator,true), Constant(' via '), Field(logon_type,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ +var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ dup17, dup2, dup4, @@ -8896,10 +7987,9 @@ match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the setc("info","the DI attack component was modified"), ])); -var msg374 = msg("00018:28", part629); +var msg374 = msg("00018:28", part628); -var part630 = // "Pattern{Constant('Policy ('), Field(policy_id,false), Constant(', '), Field(info,false), Constant(') was '), Field(disposition,false)}" -match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ +var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ dup17, dup2, dup3, @@ -8907,10 +7997,9 @@ match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info} dup5, ])); -var msg375 = msg("00018:03", part630); +var msg375 = msg("00018:03", part629); -var part631 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the option '), Field(fld2,true), Constant(' was '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ +var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8919,7 +8008,7 @@ match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the dup5, ])); -var msg376 = msg("00018:31", part631); +var msg376 = msg("00018:31", part630); var select138 = linear_select([ msg347, @@ -8954,8 +8043,7 @@ var select138 = linear_select([ msg376, ]); -var part632 = // "Pattern{Constant('Attempt to enable WebTrends has '), Field(disposition,true), Constant(' because WebTrends settings have not yet been configured')}" -match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ +var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ dup18, dup2, dup3, @@ -8963,16 +8051,15 @@ match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has dup5, ])); -var msg377 = msg("00019", part632); +var msg377 = msg("00019", part631); -var part633 = // "Pattern{Constant('has '), Field(disposition,true), Constant(' because syslog settings have not yet been configured')}" -match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); +var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); -var all126 = all_match({ +var all125 = all_match({ processors: [ - dup167, - dup368, - part633, + dup165, + dup365, + part632, ], on_success: processor_chain([ dup1, @@ -8983,25 +8070,22 @@ var all126 = all_match({ ]), }); -var msg378 = msg("00019:01", all126); +var msg378 = msg("00019:01", all125); -var part634 = // "Pattern{Constant('Socket cannot be assigned for '), Field(p0,false)}" -match("MESSAGE#376:00019:02/0", "nwparser.payload", "Socket cannot be assigned for %{p0}"); +var part633 = match("MESSAGE#376:00019:02/0", "nwparser.payload", "Socket cannot be assigned for %{p0}"); -var part635 = // "Pattern{Constant('WebTrends'), Field(,false)}" -match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); +var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); -var part636 = // "Pattern{Constant('syslog'), Field(,false)}" -match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); +var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); var select139 = linear_select([ + part634, part635, - part636, ]); -var all127 = all_match({ +var all126 = all_match({ processors: [ - part634, + part633, select139, ], on_success: processor_chain([ @@ -9013,10 +8097,9 @@ var all127 = all_match({ ]), }); -var msg379 = msg("00019:02", all127); +var msg379 = msg("00019:02", all126); -var part637 = // "Pattern{Constant('Syslog VPN encryption has been '), Field(disposition,false)}" -match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ +var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ dup91, dup2, dup3, @@ -9024,27 +8107,27 @@ match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has bee dup5, ])); -var msg380 = msg("00019:03", part637); +var msg380 = msg("00019:03", part636); var select140 = linear_select([ - dup171, + dup169, dup78, ]); var select141 = linear_select([ dup139, - dup172, + dup170, dup137, dup122, ]); -var all128 = all_match({ +var all127 = all_match({ processors: [ - dup170, + dup168, select140, dup23, select141, - dup173, + dup171, ], on_success: processor_chain([ dup1, @@ -9055,36 +8138,28 @@ var all128 = all_match({ ]), }); -var msg381 = msg("00019:04", all128); +var msg381 = msg("00019:04", all127); -var part638 = // "Pattern{Constant('Syslog message level has been changed to '), Field(p0,false)}" -match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); +var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); -var part639 = // "Pattern{Constant('debug'), Field(,false)}" -match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); +var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); -var part640 = // "Pattern{Constant('information'), Field(,false)}" -match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); +var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); -var part641 = // "Pattern{Constant('notification'), Field(,false)}" -match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); +var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); -var part642 = // "Pattern{Constant('warning'), Field(,false)}" -match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); +var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); -var part643 = // "Pattern{Constant('error'), Field(,false)}" -match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); +var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); -var part644 = // "Pattern{Constant('critical'), Field(,false)}" -match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); +var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); -var part645 = // "Pattern{Constant('alert'), Field(,false)}" -match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); +var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); -var part646 = // "Pattern{Constant('emergency'), Field(,false)}" -match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); +var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); var select142 = linear_select([ + part638, part639, part640, part641, @@ -9092,12 +8167,11 @@ var select142 = linear_select([ part643, part644, part645, - part646, ]); -var all129 = all_match({ +var all128 = all_match({ processors: [ - part638, + part637, select142, ], on_success: processor_chain([ @@ -9109,17 +8183,16 @@ var all129 = all_match({ ]), }); -var msg382 = msg("00019:05", all129); +var msg382 = msg("00019:05", all128); -var part647 = // "Pattern{Constant('has been changed to '), Field(p0,false)}" -match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); +var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); -var all130 = all_match({ +var all129 = all_match({ processors: [ - dup170, - dup369, - part647, - dup370, + dup168, + dup366, + part646, + dup367, ], on_success: processor_chain([ dup1, @@ -9130,10 +8203,9 @@ var all130 = all_match({ ]), }); -var msg383 = msg("00019:06", all130); +var msg383 = msg("00019:06", all129); -var part648 = // "Pattern{Constant('WebTrends VPN encryption has been '), Field(disposition,false)}" -match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ +var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ dup91, dup2, dup3, @@ -9141,10 +8213,9 @@ match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has dup5, ])); -var msg384 = msg("00019:07", part648); +var msg384 = msg("00019:07", part647); -var part649 = // "Pattern{Constant('WebTrends has been '), Field(disposition,false)}" -match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ +var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9152,22 +8223,21 @@ match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposit dup5, ])); -var msg385 = msg("00019:08", part649); +var msg385 = msg("00019:08", part648); -var part650 = // "Pattern{Constant('WebTrends host '), Field(p0,false)}" -match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); +var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); var select143 = linear_select([ dup139, - dup172, + dup170, dup137, ]); -var all131 = all_match({ +var all130 = all_match({ processors: [ - part650, + part649, select143, - dup173, + dup171, ], on_success: processor_chain([ dup1, @@ -9178,22 +8248,20 @@ var all131 = all_match({ ]), }); -var msg386 = msg("00019:09", all131); +var msg386 = msg("00019:09", all130); -var part651 = // "Pattern{Constant('Traffic logging via syslog '), Field(p0,false)}" -match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); +var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); -var part652 = // "Pattern{Constant('Syslog '), Field(p0,false)}" -match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); +var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); var select144 = linear_select([ + part650, part651, - part652, ]); -var all132 = all_match({ +var all131 = all_match({ processors: [ - dup185, + dup183, select144, dup138, ], @@ -9206,16 +8274,15 @@ var all132 = all_match({ ]), }); -var msg387 = msg("00019:10", all132); +var msg387 = msg("00019:10", all131); -var part653 = // "Pattern{Constant('has '), Field(disposition,true), Constant(' because there is no syslog server defined')}" -match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); +var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); -var all133 = all_match({ +var all132 = all_match({ processors: [ - dup167, - dup368, - part653, + dup165, + dup365, + part652, ], on_success: processor_chain([ dup18, @@ -9226,10 +8293,9 @@ var all133 = all_match({ ]), }); -var msg388 = msg("00019:11", all133); +var msg388 = msg("00019:11", all132); -var part654 = // "Pattern{Constant('Removing all syslog servers'), Field(,false)}" -match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ +var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ dup1, dup2, dup3, @@ -9237,24 +8303,22 @@ match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{ dup5, ])); -var msg389 = msg("00019:12", part654); +var msg389 = msg("00019:12", part653); -var part655 = // "Pattern{Constant('Syslog server '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); +var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); var select145 = linear_select([ dup107, dup106, ]); -var part656 = // "Pattern{Constant(''), Field(disposition,false)}" -match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); +var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); -var all134 = all_match({ +var all133 = all_match({ processors: [ - part655, + part654, select145, - part656, + part655, ], on_success: processor_chain([ dup1, @@ -9265,17 +8329,16 @@ var all134 = all_match({ ]), }); -var msg390 = msg("00019:13", all134); +var msg390 = msg("00019:13", all133); -var part657 = // "Pattern{Constant('for '), Field(hostip,true), Constant(' has been changed to '), Field(p0,false)}" -match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); +var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); -var all135 = all_match({ +var all134 = all_match({ processors: [ - dup170, - dup369, - part657, - dup370, + dup168, + dup366, + part656, + dup367, ], on_success: processor_chain([ dup50, @@ -9288,10 +8351,9 @@ var all135 = all_match({ ]), }); -var msg391 = msg("00019:14", all135); +var msg391 = msg("00019:14", all134); -var part658 = // "Pattern{Constant('Syslog cannot connect to the TCP server '), Field(hostip,false), Constant('; the connection is closed.')}" -match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ +var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ dup27, dup2, dup3, @@ -9299,10 +8361,9 @@ match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the dup5, ])); -var msg392 = msg("00019:15", part658); +var msg392 = msg("00019:15", part657); -var part659 = // "Pattern{Constant('All syslog servers were removed.'), Field(,false)}" -match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ +var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ setc("eventcategory","1701030000"), setc("ec_activity","Delete"), dup51, @@ -9312,10 +8373,9 @@ match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were remov dup5, ])); -var msg393 = msg("00019:16", part659); +var msg393 = msg("00019:16", part658); -var part660 = // "Pattern{Constant('Syslog server '), Field(hostip,true), Constant(' host port number has been changed to '), Field(network_port,true), Constant(' '), Field(fld5,false)}" -match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ +var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ dup50, dup43, dup51, @@ -9325,25 +8385,22 @@ match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} hos dup5, ])); -var msg394 = msg("00019:17", part660); +var msg394 = msg("00019:17", part659); -var part661 = // "Pattern{Constant('Traffic logging '), Field(p0,false)}" -match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); +var part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); -var part662 = // "Pattern{Constant('via syslog '), Field(p0,false)}" -match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); +var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); -var part663 = // "Pattern{Constant('for syslog server '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); +var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); var select146 = linear_select([ + part661, part662, - part663, ]); -var all136 = all_match({ +var all135 = all_match({ processors: [ - part661, + part660, select146, dup138, ], @@ -9356,10 +8413,9 @@ var all136 = all_match({ ]), }); -var msg395 = msg("00019:18", all136); +var msg395 = msg("00019:18", all135); -var part664 = // "Pattern{Constant('Transport protocol for syslog server '), Field(hostip,true), Constant(' was changed to udp')}" -match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ +var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ dup50, dup43, dup51, @@ -9369,10 +8425,9 @@ match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog dup5, ])); -var msg396 = msg("00019:19", part664); +var msg396 = msg("00019:19", part663); -var part665 = // "Pattern{Constant('The traffic/IDP syslog is enabled on backup device by netscreen via web from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup50, dup43, dup51, @@ -9382,7 +8437,7 @@ match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is ena dup5, ])); -var msg397 = msg("00019:20", part665); +var msg397 = msg("00019:20", part664); var select147 = linear_select([ msg377, @@ -9408,8 +8463,7 @@ var select147 = linear_select([ msg397, ]); -var part666 = // "Pattern{Constant('Schedule '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ +var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9417,42 +8471,37 @@ match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{di dup5, ])); -var msg398 = msg("00020", part666); +var msg398 = msg("00020", part665); -var part667 = // "Pattern{Constant('System memory is low '), Field(p0,false)}" -match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); +var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); -var part668 = // "Pattern{Constant('( '), Field(p0,false)}" -match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); +var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); var select148 = linear_select([ dup152, - part668, + part667, ]); -var part669 = // "Pattern{Constant(''), Field(fld2,true), Constant(' bytes allocated out of '), Field(p0,false)}" -match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); +var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); -var part670 = // "Pattern{Constant('total '), Field(fld3,true), Constant(' bytes')}" -match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); +var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); -var part671 = // "Pattern{Field(fld4,true), Constant(' bytes total')}" -match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); +var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); var select149 = linear_select([ + part669, part670, - part671, ]); -var all137 = all_match({ +var all136 = all_match({ processors: [ - part667, + part666, select148, - part669, + part668, select149, ], on_success: processor_chain([ - dup186, + dup184, dup2, dup3, dup4, @@ -9460,18 +8509,17 @@ var all137 = all_match({ ]), }); -var msg399 = msg("00020:01", all137); +var msg399 = msg("00020:01", all136); -var part672 = // "Pattern{Constant('System memory is low ('), Field(fld2,true), Constant(' allocated out of '), Field(fld3,true), Constant(' ) '), Field(fld4,true), Constant(' times in '), Field(fld5,false)}" -match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ - dup186, +var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ + dup184, dup2, dup3, dup4, dup5, ])); -var msg400 = msg("00020:02", part672); +var msg400 = msg("00020:02", part671); var select150 = linear_select([ msg398, @@ -9479,8 +8527,7 @@ var select150 = linear_select([ msg400, ]); -var part673 = // "Pattern{Constant('DIP '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ +var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9488,10 +8535,9 @@ match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposi dup5, ])); -var msg401 = msg("00021", part673); +var msg401 = msg("00021", part672); -var part674 = // "Pattern{Constant('IP pool '), Field(fld2,true), Constant(' with range '), Field(info,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ +var part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9499,10 +8545,9 @@ match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range dup5, ])); -var msg402 = msg("00021:01", part674); +var msg402 = msg("00021:01", part673); -var part675 = // "Pattern{Constant('DNS server is not configured'), Field(,false)}" -match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ +var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ dup18, dup2, dup3, @@ -9510,21 +8555,19 @@ match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured% dup5, ])); -var msg403 = msg("00021:02", part675); +var msg403 = msg("00021:02", part674); -var part676 = // "Pattern{Constant('Connection refused by the DNS server'), Field(,false)}" -match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ - dup187, +var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ + dup185, dup2, dup3, dup4, dup5, ])); -var msg404 = msg("00021:03", part676); +var msg404 = msg("00021:03", part675); -var part677 = // "Pattern{Constant('Unknown DNS error'), Field(,false)}" -match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ +var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ dup117, dup2, dup3, @@ -9532,10 +8575,9 @@ match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", proces dup5, ])); -var msg405 = msg("00021:04", part677); +var msg405 = msg("00021:04", part676); -var part678 = // "Pattern{Constant('DIP port-translatation stickiness was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ +var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -9544,10 +8586,9 @@ match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation sticki dup5, ])); -var msg406 = msg("00021:05", part678); +var msg406 = msg("00021:05", part677); -var part679 = // "Pattern{Constant('DIP port-translation stickiness was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup1, dup2, dup4, @@ -9556,7 +8597,7 @@ match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickine setc("info","DIP port-translation stickiness was modified"), ])); -var msg407 = msg("00021:06", part679); +var msg407 = msg("00021:06", part678); var select151 = linear_select([ msg401, @@ -9568,25 +8609,22 @@ var select151 = linear_select([ msg407, ]); -var part680 = // "Pattern{Constant('power supplies '), Field(p0,false)}" -match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); +var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); -var part681 = // "Pattern{Constant('fans '), Field(p0,false)}" -match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); +var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); var select152 = linear_select([ + part679, part680, - part681, ]); -var part682 = // "Pattern{Constant('are '), Field(fld2,true), Constant(' functioning properly')}" -match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning properly"); +var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning properly"); -var all138 = all_match({ +var all137 = all_match({ processors: [ - dup188, + dup186, select152, - part682, + part681, ], on_success: processor_chain([ dup44, @@ -9597,34 +8635,30 @@ var all138 = all_match({ ]), }); -var msg408 = msg("00022", all138); +var msg408 = msg("00022", all137); -var part683 = // "Pattern{Constant('At least one power supply '), Field(p0,false)}" -match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); +var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); -var part684 = // "Pattern{Constant('The power supply '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); +var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); -var part685 = // "Pattern{Constant('At least one fan '), Field(p0,false)}" -match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); +var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); var select153 = linear_select([ + part682, part683, part684, - part685, ]); -var part686 = // "Pattern{Constant('is not functioning properly'), Field(p0,false)}" -match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); +var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); -var all139 = all_match({ +var all138 = all_match({ processors: [ select153, - part686, - dup371, + part685, + dup368, ], on_success: processor_chain([ - dup189, + dup187, dup2, dup3, dup9, @@ -9633,10 +8667,9 @@ var all139 = all_match({ ]), }); -var msg409 = msg("00022:01", all139); +var msg409 = msg("00022:01", all138); -var part687 = // "Pattern{Constant('Global Manager VPN management tunnel has been '), Field(disposition,false)}" -match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ +var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9644,10 +8677,9 @@ match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management dup5, ])); -var msg410 = msg("00022:02", part687); +var msg410 = msg("00022:02", part686); -var part688 = // "Pattern{Constant('Global Manager domain name has been defined as '), Field(domain,false)}" -match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ +var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ dup1, dup2, dup3, @@ -9655,38 +8687,32 @@ match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name ha dup5, ])); -var msg411 = msg("00022:03", part688); +var msg411 = msg("00022:03", part687); -var part689 = // "Pattern{Constant('Reporting of the '), Field(p0,false)}" -match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); +var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); -var part690 = // "Pattern{Constant('network activities '), Field(p0,false)}" -match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); +var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); -var part691 = // "Pattern{Constant('device resources '), Field(p0,false)}" -match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); +var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); -var part692 = // "Pattern{Constant('event logs '), Field(p0,false)}" -match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); +var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); -var part693 = // "Pattern{Constant('summary logs '), Field(p0,false)}" -match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); +var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); var select154 = linear_select([ + part689, part690, part691, part692, - part693, ]); -var part694 = // "Pattern{Constant('to Global Manager has been '), Field(disposition,false)}" -match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); +var part693 = match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); -var all140 = all_match({ +var all139 = all_match({ processors: [ - part689, + part688, select154, - part694, + part693, ], on_success: processor_chain([ dup1, @@ -9697,10 +8723,9 @@ var all140 = all_match({ ]), }); -var msg412 = msg("00022:04", all140); +var msg412 = msg("00022:04", all139); -var part695 = // "Pattern{Constant('Global Manager has been '), Field(disposition,false)}" -match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ +var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9708,30 +8733,26 @@ match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{dis dup5, ])); -var msg413 = msg("00022:05", part695); +var msg413 = msg("00022:05", part694); -var part696 = // "Pattern{Constant('Global Manager '), Field(p0,false)}" -match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); +var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); -var part697 = // "Pattern{Constant('report '), Field(p0,false)}" -match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); +var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); -var part698 = // "Pattern{Constant('listen '), Field(p0,false)}" -match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); +var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); var select155 = linear_select([ + part696, part697, - part698, ]); -var part699 = // "Pattern{Constant('port has been set to '), Field(interface,false)}" -match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); +var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); -var all141 = all_match({ +var all140 = all_match({ processors: [ - part696, + part695, select155, - part699, + part698, ], on_success: processor_chain([ dup1, @@ -9742,10 +8763,9 @@ var all141 = all_match({ ]), }); -var msg414 = msg("00022:06", all141); +var msg414 = msg("00022:06", all140); -var part700 = // "Pattern{Constant('The Global Manager keep-alive value has been changed to '), Field(fld2,false)}" -match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ +var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -9753,59 +8773,51 @@ match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive dup5, ])); -var msg415 = msg("00022:07", part700); +var msg415 = msg("00022:07", part699); -var part701 = // "Pattern{Constant('System temperature '), Field(p0,false)}" -match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); +var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); -var part702 = // "Pattern{Constant('System's temperature: '), Field(p0,false)}" -match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); +var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); -var part703 = // "Pattern{Constant('The system temperature '), Field(p0,false)}" -match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); +var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); var select156 = linear_select([ + part700, part701, part702, - part703, ]); -var part704 = // "Pattern{Constant('('), Field(fld2,true), Constant(' C'), Field(p0,false)}" -match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); +var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); -var part705 = // "Pattern{Constant('entigrade, '), Field(p0,false)}" -match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); +var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); var select157 = linear_select([ - part705, + part704, dup96, ]); -var part706 = // "Pattern{Constant(''), Field(fld3,true), Constant(' F'), Field(p0,false)}" -match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); +var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); -var part707 = // "Pattern{Constant('ahrenheit '), Field(p0,false)}" -match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); +var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); var select158 = linear_select([ - part707, + part706, dup96, ]); -var part708 = // "Pattern{Constant(') is too high'), Field(,false)}" -match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); +var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); -var all142 = all_match({ +var all141 = all_match({ processors: [ select156, - part704, + part703, select157, - part706, + part705, select158, - part708, + part707, ], on_success: processor_chain([ - dup190, + dup188, dup2, dup3, dup4, @@ -9813,29 +8825,27 @@ var all142 = all_match({ ]), }); -var msg416 = msg("00022:08", all142); +var msg416 = msg("00022:08", all141); -var part709 = // "Pattern{Constant('power supply is no'), Field(p0,false)}" -match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); +var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); var select159 = linear_select([ - dup193, - dup194, + dup191, + dup192, ]); -var part710 = // "Pattern{Constant('functioning properly'), Field(,false)}" -match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); +var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); -var all143 = all_match({ +var all142 = all_match({ processors: [ dup55, - dup372, - part709, + dup369, + part708, select159, - part710, + part709, ], on_success: processor_chain([ - dup190, + dup188, dup2, dup3, dup4, @@ -9843,25 +8853,22 @@ var all143 = all_match({ ]), }); -var msg417 = msg("00022:09", all143); +var msg417 = msg("00022:09", all142); -var part711 = // "Pattern{Constant('The NetScreen device was unable to upgrade the file system'), Field(p0,false)}" -match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); +var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); -var part712 = // "Pattern{Constant(' due to an internal conflict'), Field(,false)}" -match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); +var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); -var part713 = // "Pattern{Constant(', but the old file system is intact'), Field(,false)}" -match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); +var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); var select160 = linear_select([ + part711, part712, - part713, ]); -var all144 = all_match({ +var all143 = all_match({ processors: [ - part711, + part710, select160, ], on_success: processor_chain([ @@ -9873,25 +8880,22 @@ var all144 = all_match({ ]), }); -var msg418 = msg("00022:10", all144); +var msg418 = msg("00022:10", all143); -var part714 = // "Pattern{Constant('The NetScreen device was unable to upgrade '), Field(p0,false)}" -match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); +var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); -var part715 = // "Pattern{Constant('due to an internal conflict'), Field(,false)}" -match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); +var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); -var part716 = // "Pattern{Constant('the loader, but the loader is intact'), Field(,false)}" -match("MESSAGE#416:00022:11/1_1", "nwparser.p0", "the loader, but the loader is intact%{}"); +var part715 = match("MESSAGE#416:00022:11/1_1", "nwparser.p0", "the loader, but the loader is intact%{}"); var select161 = linear_select([ + part714, part715, - part716, ]); -var all145 = all_match({ +var all144 = all_match({ processors: [ - part714, + part713, select161, ], on_success: processor_chain([ @@ -9903,27 +8907,25 @@ var all145 = all_match({ ]), }); -var msg419 = msg("00022:11", all145); +var msg419 = msg("00022:11", all144); -var part717 = // "Pattern{Constant('Battery is no'), Field(p0,false)}" -match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); +var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); var select162 = linear_select([ - dup194, - dup193, + dup192, + dup191, ]); -var part718 = // "Pattern{Constant('functioning properly.'), Field(,false)}" -match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); +var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); -var all146 = all_match({ +var all145 = all_match({ processors: [ - part717, + part716, select162, - part718, + part717, ], on_success: processor_chain([ - dup190, + dup188, dup2, dup3, dup4, @@ -9931,10 +8933,9 @@ var all146 = all_match({ ]), }); -var msg420 = msg("00022:12", all146); +var msg420 = msg("00022:12", all145); -var part719 = // "Pattern{Constant('System's temperature ('), Field(fld2,true), Constant(' Centigrade, '), Field(fld3,true), Constant(' Fahrenheit) is OK now.')}" -match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ +var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ dup44, dup2, dup3, @@ -9942,10 +8943,9 @@ match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2- dup5, ])); -var msg421 = msg("00022:13", part719); +var msg421 = msg("00022:13", part718); -var part720 = // "Pattern{Constant('The power supply '), Field(fld2,true), Constant(' is functioning properly. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. (%{fld1})", processor_chain([ +var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -9954,7 +8954,7 @@ match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is dup5, ])); -var msg422 = msg("00022:14", part720); +var msg422 = msg("00022:14", part719); var select163 = linear_select([ msg408, @@ -9974,38 +8974,35 @@ var select163 = linear_select([ msg422, ]); -var part721 = // "Pattern{Constant('VIP server '), Field(hostip,true), Constant(' is not responding')}" -match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ - dup189, +var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ + dup187, dup2, dup3, dup4, dup5, ])); -var msg423 = msg("00023", part721); +var msg423 = msg("00023", part720); -var part722 = // "Pattern{Constant('VIP/load balance server '), Field(hostip,true), Constant(' cannot be contacted')}" -match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ - dup189, +var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ + dup187, dup2, dup3, dup4, dup5, ])); -var msg424 = msg("00023:01", part722); +var msg424 = msg("00023:01", part721); -var part723 = // "Pattern{Constant('VIP server '), Field(hostip,true), Constant(' cannot be contacted')}" -match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ - dup189, +var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ + dup187, dup2, dup3, dup4, dup5, ])); -var msg425 = msg("00023:02", part723); +var msg425 = msg("00023:02", part722); var select164 = linear_select([ msg423, @@ -10013,35 +9010,31 @@ var select164 = linear_select([ msg425, ]); -var part724 = // "Pattern{Constant('The DHCP '), Field(p0,false)}" -match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); +var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); -var part725 = // "Pattern{Constant(' DHCP '), Field(p0,false)}" -match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); +var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); var select165 = linear_select([ + part723, part724, - part725, ]); -var part726 = // "Pattern{Constant('IP address pool has '), Field(p0,false)}" -match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); +var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); -var part727 = // "Pattern{Constant('options have been '), Field(p0,false)}" -match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); +var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); var select166 = linear_select([ + part725, part726, - part727, ]); -var all147 = all_match({ +var all146 = all_match({ processors: [ select165, - dup195, + dup193, select166, dup52, - dup371, + dup368, ], on_success: processor_chain([ dup1, @@ -10053,38 +9046,32 @@ var all147 = all_match({ ]), }); -var msg426 = msg("00024", all147); +var msg426 = msg("00024", all146); -var part728 = // "Pattern{Constant('Traffic log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); +var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); -var part729 = // "Pattern{Constant('Alarm log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); +var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); -var part730 = // "Pattern{Constant('Event log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); +var part729 = match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); -var part731 = // "Pattern{Constant('Self log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); +var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); -var part732 = // "Pattern{Constant('Asset Recovery log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); +var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); var select167 = linear_select([ + part727, part728, part729, part730, part731, - part732, ]); -var part733 = // "Pattern{Constant('has overflowed'), Field(,false)}" -match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); +var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); -var all148 = all_match({ +var all147 = all_match({ processors: [ select167, - part733, + part732, ], on_success: processor_chain([ dup117, @@ -10095,30 +9082,26 @@ var all148 = all_match({ ]), }); -var msg427 = msg("00024:01", all148); +var msg427 = msg("00024:01", all147); -var part734 = // "Pattern{Constant('DHCP relay agent settings on '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); +var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); -var part735 = // "Pattern{Constant('are '), Field(p0,false)}" -match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); +var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); -var part736 = // "Pattern{Constant('have been '), Field(p0,false)}" -match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); +var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); var select168 = linear_select([ + part734, part735, - part736, ]); -var part737 = // "Pattern{Constant(''), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); +var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); -var all149 = all_match({ +var all148 = all_match({ processors: [ - part734, + part733, select168, - part737, + part736, ], on_success: processor_chain([ dup1, @@ -10130,24 +9113,22 @@ var all149 = all_match({ ]), }); -var msg428 = msg("00024:02", all149); +var msg428 = msg("00024:02", all148); -var part738 = // "Pattern{Constant('DHCP server IP address pool '), Field(p0,false)}" -match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); +var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); var select169 = linear_select([ - dup196, + dup194, dup106, ]); -var part739 = // "Pattern{Constant('changed. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. (%{fld1})"); +var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. (%{fld1})"); -var all150 = all_match({ +var all149 = all_match({ processors: [ - part738, + part737, select169, - part739, + part738, ], on_success: processor_chain([ dup1, @@ -10159,7 +9140,7 @@ var all150 = all_match({ ]), }); -var msg429 = msg("00024:03", all150); +var msg429 = msg("00024:03", all149); var select170 = linear_select([ msg426, @@ -10168,8 +9149,7 @@ var select170 = linear_select([ msg429, ]); -var part740 = // "Pattern{Constant('The DHCP server IP address pool has changed'), Field(,false)}" -match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ +var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ dup1, dup2, dup3, @@ -10177,10 +9157,9 @@ match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool dup5, ])); -var msg430 = msg("00025", part740); +var msg430 = msg("00025", part739); -var part741 = // "Pattern{Constant('PKI: The current device '), Field(disposition,true), Constant(' to save the certificate authority configuration.')}" -match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ +var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ dup86, dup2, dup3, @@ -10188,10 +9167,9 @@ match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{dis dup5, ])); -var msg431 = msg("00025:01", part741); +var msg431 = msg("00025:01", part740); -var part742 = // "Pattern{Field(disposition,true), Constant(' to send the X509 request file via e-mail')}" -match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ +var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ dup86, dup2, dup3, @@ -10199,10 +9177,9 @@ match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the dup5, ])); -var msg432 = msg("00025:02", part742); +var msg432 = msg("00025:02", part741); -var part743 = // "Pattern{Field(disposition,true), Constant(' to save the CA configuration')}" -match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ +var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ dup86, dup2, dup3, @@ -10210,10 +9187,9 @@ match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the dup5, ])); -var msg433 = msg("00025:03", part743); +var msg433 = msg("00025:03", part742); -var part744 = // "Pattern{Constant('Cannot load more X509 certificates. The '), Field(result,false)}" -match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ +var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ dup86, dup2, dup3, @@ -10221,7 +9197,7 @@ match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certifi dup5, ])); -var msg434 = msg("00025:04", part744); +var msg434 = msg("00025:04", part743); var select171 = linear_select([ msg430, @@ -10231,8 +9207,7 @@ var select171 = linear_select([ msg434, ]); -var part745 = // "Pattern{Field(signame,true), Constant(' have been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -10242,10 +9217,9 @@ match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! dup61, ])); -var msg435 = msg("00026", part745); +var msg435 = msg("00026", part744); -var part746 = // "Pattern{Field(signame,true), Constant(' have been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on interface '), Field(interface,false)}" -match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ +var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ dup58, dup2, dup3, @@ -10254,21 +9228,19 @@ match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detect dup61, ])); -var msg436 = msg("00026:13", part746); +var msg436 = msg("00026:13", part745); -var part747 = // "Pattern{Constant('PKA key has been '), Field(p0,false)}" -match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); +var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); -var part748 = // "Pattern{Constant('admin user '), Field(administrator,false), Constant('. (Key ID = '), Field(fld2,false), Constant(')')}" -match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); +var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); -var all151 = all_match({ +var all150 = all_match({ processors: [ - dup197, - dup373, + dup195, + dup370, + part746, + dup371, part747, - dup374, - part748, ], on_success: processor_chain([ dup1, @@ -10279,35 +9251,31 @@ var all151 = all_match({ ]), }); -var msg437 = msg("00026:01", all151); +var msg437 = msg("00026:01", all150); -var part749 = // "Pattern{Constant(': SCS '), Field(p0,false)}" -match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); +var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); var select172 = linear_select([ - part749, + part748, dup96, ]); -var part750 = // "Pattern{Constant('has been '), Field(disposition,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); +var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); -var part751 = // "Pattern{Constant('root system '), Field(p0,false)}" -match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); +var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); -var part752 = // "Pattern{Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); +var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); var select173 = linear_select([ + part750, part751, - part752, ]); -var all152 = all_match({ +var all151 = all_match({ processors: [ - dup197, + dup195, select172, - part750, + part749, select173, dup116, ], @@ -10320,16 +9288,15 @@ var all152 = all_match({ ]), }); -var msg438 = msg("00026:02", all152); +var msg438 = msg("00026:02", all151); -var part753 = // "Pattern{Constant(''), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); +var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); -var all153 = all_match({ +var all152 = all_match({ processors: [ - dup197, - dup373, - part753, + dup195, + dup370, + part752, ], on_success: processor_chain([ dup1, @@ -10340,33 +9307,30 @@ var all153 = all_match({ ]), }); -var msg439 = msg("00026:03", all153); +var msg439 = msg("00026:03", all152); -var part754 = // "Pattern{Constant('SCS: Connection has been terminated for admin user '), Field(administrator,true), Constant(' at '), Field(hostip,false), Constant(':'), Field(network_port,false)}" -match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ - dup200, +var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ + dup198, dup2, dup4, dup5, dup3, ])); -var msg440 = msg("00026:04", part754); +var msg440 = msg("00026:04", part753); -var part755 = // "Pattern{Constant('SCS: Host client has requested NO cipher from '), Field(interface,false)}" -match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ - dup200, +var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ + dup198, dup2, dup3, dup4, dup5, ])); -var msg441 = msg("00026:05", part755); +var msg441 = msg("00026:05", part754); -var part756 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' has been authenticated using PKA RSA from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. (key-ID='), Field(fld2,false)}" -match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ - dup201, +var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ + dup199, dup29, dup30, dup31, @@ -10377,11 +9341,10 @@ match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} h dup5, ])); -var msg442 = msg("00026:06", part756); +var msg442 = msg("00026:06", part755); -var part757 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' has been authenticated using password from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('.')}" -match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ - dup201, +var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ + dup199, dup29, dup30, dup31, @@ -10392,22 +9355,20 @@ match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} h dup5, ])); -var msg443 = msg("00026:07", part757); +var msg443 = msg("00026:07", part756); -var part758 = // "Pattern{Constant('SSH user '), Field(username,true), Constant(' has been authenticated using '), Field(p0,false)}" -match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); +var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); -var part759 = // "Pattern{Constant('from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' [ with key ID '), Field(fld2,true), Constant(' ]')}" -match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); +var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); -var all154 = all_match({ +var all153 = all_match({ processors: [ + part757, + dup372, part758, - dup375, - part759, ], on_success: processor_chain([ - dup201, + dup199, dup29, dup30, dup31, @@ -10419,10 +9380,9 @@ var all154 = all_match({ ]), }); -var msg444 = msg("00026:08", all154); +var msg444 = msg("00026:08", all153); -var part760 = // "Pattern{Constant('IPSec tunnel on int '), Field(interface,true), Constant(' with tunnel ID '), Field(fld2,true), Constant(' received a packet with a bad SPI.')}" -match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ +var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ dup19, dup2, dup3, @@ -10430,45 +9390,40 @@ match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interfa dup5, ])); -var msg445 = msg("00026:09", part760); +var msg445 = msg("00026:09", part759); -var part761 = // "Pattern{Constant('SSH: '), Field(p0,false)}" -match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); +var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); -var part762 = // "Pattern{Constant('Failed '), Field(p0,false)}" -match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); +var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); -var part763 = // "Pattern{Constant('Attempt '), Field(p0,false)}" -match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); +var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); var select174 = linear_select([ + part761, part762, - part763, ]); -var part764 = // "Pattern{Constant('bind duplicate '), Field(p0,false)}" -match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); +var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); var select175 = linear_select([ - part764, - dup203, + part763, + dup201, ]); -var part765 = // "Pattern{Constant('admin user ''), Field(administrator,false), Constant('' (Key ID '), Field(fld2,false), Constant(')')}" -match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); +var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); -var all155 = all_match({ +var all154 = all_match({ processors: [ - part761, + part760, select174, dup103, select175, - dup204, - dup376, - part765, + dup202, + dup373, + part764, ], on_success: processor_chain([ - dup205, + dup203, dup2, dup3, dup4, @@ -10476,10 +9431,9 @@ var all155 = all_match({ ]), }); -var msg446 = msg("00026:10", all155); +var msg446 = msg("00026:10", all154); -var part766 = // "Pattern{Constant('SSH: Maximum number of PKA keys ('), Field(fld2,false), Constant(') has been bound to user ''), Field(username,false), Constant('' Key not bound. (Key ID '), Field(fld3,false), Constant(')')}" -match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ +var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ dup44, dup2, dup3, @@ -10487,10 +9441,9 @@ match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA ke dup5, ])); -var msg447 = msg("00026:11", part766); +var msg447 = msg("00026:11", part765); -var part767 = // "Pattern{Constant('IKE '), Field(fld2,false), Constant(': Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed')}" -match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", processor_chain([ +var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", processor_chain([ dup44, dup2, dup3, @@ -10498,7 +9451,7 @@ match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbea dup5, ])); -var msg448 = msg("00026:12", part767); +var msg448 = msg("00026:12", part766); var select176 = linear_select([ msg435, @@ -10517,33 +9470,29 @@ var select176 = linear_select([ msg448, ]); -var part768 = // "Pattern{Constant('user '), Field(username,true), Constant(' from '), Field(p0,false)}" -match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); +var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); -var part769 = // "Pattern{Constant('IP address '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); +var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); -var part770 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); +var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); -var part771 = // "Pattern{Constant('console'), Field(,false)}" -match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); +var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); var select177 = linear_select([ + part768, part769, part770, - part771, ]); -var all156 = all_match({ +var all155 = all_match({ processors: [ - dup206, - dup377, - part768, + dup204, + dup374, + part767, select177, ], on_success: processor_chain([ - dup208, + dup206, dup30, dup31, dup54, @@ -10554,10 +9503,9 @@ var all156 = all_match({ ]), }); -var msg449 = msg("00027", all156); +var msg449 = msg("00027", all155); -var part772 = // "Pattern{Field(change_attribute,true), Constant(' has been restored from '), Field(change_old,true), Constant(' to default port '), Field(change_new,false), Constant('. '), Field(info,false)}" -match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ +var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -10565,10 +9513,9 @@ match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg450 = msg("00027:01", part772); +var msg450 = msg("00027:01", part771); -var part773 = // "Pattern{Field(change_attribute,true), Constant(' has been restored from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('. '), Field(info,false)}" -match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ +var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -10576,10 +9523,9 @@ match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg451 = msg("00027:02", part773); +var msg451 = msg("00027:02", part772); -var part774 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to port '), Field(change_new,false), Constant('. '), Field(info,false)}" -match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. %{info}", processor_chain([ +var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -10587,10 +9533,9 @@ match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg452 = msg("00027:03", part774); +var msg452 = msg("00027:03", part773); -var part775 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to port '), Field(change_new,false)}" -match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ +var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -10598,43 +9543,38 @@ match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg453 = msg("00027:04", part775); +var msg453 = msg("00027:04", part774); -var part776 = // "Pattern{Constant('ScreenOS '), Field(version,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); +var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); -var part777 = // "Pattern{Constant('Serial '), Field(p0,false)}" -match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); +var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); -var part778 = // "Pattern{Constant('serial '), Field(p0,false)}" -match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); +var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); var select178 = linear_select([ + part776, part777, - part778, ]); -var part779 = // "Pattern{Constant('# '), Field(fld2,false), Constant(': Asset recovery '), Field(p0,false)}" -match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); +var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); -var part780 = // "Pattern{Constant('performed '), Field(p0,false)}" -match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); +var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); var select179 = linear_select([ - part780, + part779, dup127, ]); var select180 = linear_select([ - dup209, - dup210, + dup207, + dup208, ]); -var all157 = all_match({ +var all156 = all_match({ processors: [ - part776, + part775, select178, - part779, + part778, select179, dup23, select180, @@ -10648,19 +9588,18 @@ var all157 = all_match({ ]), }); -var msg454 = msg("00027:05", all157); +var msg454 = msg("00027:05", all156); -var part781 = // "Pattern{Constant('Device Reset (Asset Recovery) has been '), Field(p0,false)}" -match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); +var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); var select181 = linear_select([ - dup210, - dup209, + dup208, + dup207, ]); -var all158 = all_match({ +var all157 = all_match({ processors: [ - part781, + part780, select181, ], on_success: processor_chain([ @@ -10672,10 +9611,9 @@ var all158 = all_match({ ]), }); -var msg455 = msg("00027:06", all158); +var msg455 = msg("00027:06", all157); -var part782 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('. '), Field(info,false)}" -match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. %{info}", processor_chain([ +var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -10683,10 +9621,9 @@ match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg456 = msg("00027:07", part782); +var msg456 = msg("00027:07", part781); -var part783 = // "Pattern{Constant('System configuration has been erased'), Field(,false)}" -match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ +var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ dup1, dup2, dup3, @@ -10694,10 +9631,9 @@ match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been dup5, ])); -var msg457 = msg("00027:08", part783); +var msg457 = msg("00027:08", part782); -var part784 = // "Pattern{Constant('License key '), Field(fld2,true), Constant(' is due to expire in '), Field(fld3,false), Constant('.')}" -match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ +var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ dup44, dup2, dup3, @@ -10705,10 +9641,9 @@ match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due dup5, ])); -var msg458 = msg("00027:09", part784); +var msg458 = msg("00027:09", part783); -var part785 = // "Pattern{Constant('License key '), Field(fld2,true), Constant(' has expired.')}" -match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ +var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ dup44, dup2, dup3, @@ -10716,10 +9651,9 @@ match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has exp dup5, ])); -var msg459 = msg("00027:10", part785); +var msg459 = msg("00027:10", part784); -var part786 = // "Pattern{Constant('License key '), Field(fld2,true), Constant(' expired after 30-day grace period.')}" -match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ +var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ dup44, dup2, dup3, @@ -10727,27 +9661,24 @@ match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired dup5, ])); -var msg460 = msg("00027:11", part786); +var msg460 = msg("00027:11", part785); -var part787 = // "Pattern{Constant('Request to retrieve license key failed to reach '), Field(p0,false)}" -match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); +var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); -var part788 = // "Pattern{Constant('the server '), Field(p0,false)}" -match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); +var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); var select182 = linear_select([ - part788, - dup195, + part787, + dup193, ]); -var part789 = // "Pattern{Constant('by '), Field(fld2,false), Constant('. Server url: '), Field(url,false)}" -match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. Server url: %{url}"); +var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. Server url: %{url}"); -var all159 = all_match({ +var all158 = all_match({ processors: [ - part787, + part786, select182, - part789, + part788, ], on_success: processor_chain([ dup19, @@ -10758,19 +9689,18 @@ var all159 = all_match({ ]), }); -var msg461 = msg("00027:12", all159); +var msg461 = msg("00027:12", all158); -var part790 = // "Pattern{Constant('user '), Field(username,false)}" -match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); +var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); -var all160 = all_match({ +var all159 = all_match({ processors: [ - dup206, - dup377, - part790, + dup204, + dup374, + part789, ], on_success: processor_chain([ - dup208, + dup206, dup30, dup31, dup54, @@ -10781,30 +9711,26 @@ var all160 = all_match({ ]), }); -var msg462 = msg("00027:13", all160); +var msg462 = msg("00027:13", all159); -var part791 = // "Pattern{Constant('Configuration Erasure Process '), Field(p0,false)}" -match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); +var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); -var part792 = // "Pattern{Constant('has been initiated '), Field(p0,false)}" -match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); +var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); -var part793 = // "Pattern{Constant('aborted '), Field(p0,false)}" -match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); +var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); var select183 = linear_select([ + part791, part792, - part793, ]); -var part794 = // "Pattern{Constant('.'), Field(space,false), Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); +var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); -var all161 = all_match({ +var all160 = all_match({ processors: [ - part791, + part790, select183, - part794, + part793, ], on_success: processor_chain([ dup1, @@ -10816,10 +9742,9 @@ var all161 = all_match({ ]), }); -var msg463 = msg("00027:14", all161); +var msg463 = msg("00027:14", all160); -var part795 = // "Pattern{Constant('Waiting for 2nd confirmation. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. (%{fld1})", processor_chain([ +var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -10828,10 +9753,9 @@ match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. dup5, ])); -var msg464 = msg("00027:15", part795); +var msg464 = msg("00027:15", part794); -var part796 = // "Pattern{Constant('Admin '), Field(fld3,true), Constant(' policy id '), Field(policy_id,true), Constant(' name "'), Field(fld2,true), Constant(' has been re-enabled by NetScreen system after being locked due to excessive failed login attempts ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ +var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -10840,10 +9764,9 @@ match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{ dup5, ])); -var msg465 = msg("00027:16", part796); +var msg465 = msg("00027:16", part795); -var part797 = // "Pattern{Constant('Admin '), Field(username,true), Constant(' is locked and will be unlocked after '), Field(duration,true), Constant(' minutes ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ +var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -10851,10 +9774,9 @@ match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locke dup9, ])); -var msg466 = msg("00027:17", part797); +var msg466 = msg("00027:17", part796); -var part798 = // "Pattern{Constant('Login attempt by admin '), Field(username,true), Constant(' from '), Field(saddr,true), Constant(' is refused as this account is locked ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ +var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -10862,10 +9784,9 @@ match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{use dup9, ])); -var msg467 = msg("00027:18", part798); +var msg467 = msg("00027:18", part797); -var part799 = // "Pattern{Constant('Admin '), Field(username,true), Constant(' has been re-enabled by NetScreen system after being locked due to excessive failed login attempts ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ +var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -10873,7 +9794,7 @@ match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been dup9, ])); -var msg468 = msg("00027:19", part799); +var msg468 = msg("00027:19", part798); var select184 = linear_select([ msg449, @@ -10898,28 +9819,24 @@ var select184 = linear_select([ msg468, ]); -var part800 = // "Pattern{Constant('An Intruder'), Field(p0,false)}" -match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); +var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); -var part801 = // "Pattern{Constant('Intruder'), Field(p0,false)}" -match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); +var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); -var part802 = // "Pattern{Constant('An intruter'), Field(p0,false)}" -match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); +var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); var select185 = linear_select([ + part799, part800, part801, - part802, ]); -var part803 = // "Pattern{Field(,false), Constant('has attempted to connect to the NetScreen-Global PRO port! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); +var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); -var all162 = all_match({ +var all161 = all_match({ processors: [ select185, - part803, + part802, ], on_success: processor_chain([ dup58, @@ -10933,52 +9850,46 @@ var all162 = all_match({ ]), }); -var msg469 = msg("00028", all162); +var msg469 = msg("00028", all161); -var part804 = // "Pattern{Constant('DNS has been refreshed'), Field(,false)}" -match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ - dup211, +var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg470 = msg("00029", part804); +var msg470 = msg("00029", part803); -var part805 = // "Pattern{Constant('DHCP file write: out of memory.'), Field(,false)}" -match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ - dup186, +var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ + dup184, dup2, dup3, dup4, dup5, ])); -var msg471 = msg("00029:01", part805); +var msg471 = msg("00029:01", part804); -var part806 = // "Pattern{Constant('The DHCP process cannot open file '), Field(fld2,true), Constant(' to '), Field(p0,false)}" -match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); +var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); -var part807 = // "Pattern{Constant('read '), Field(p0,false)}" -match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); +var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); -var part808 = // "Pattern{Constant('write '), Field(p0,false)}" -match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); +var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); var select186 = linear_select([ + part806, part807, - part808, ]); -var part809 = // "Pattern{Constant('data.'), Field(,false)}" -match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); +var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); -var all163 = all_match({ +var all162 = all_match({ processors: [ - part806, + part805, select186, - part809, + part808, ], on_success: processor_chain([ dup117, @@ -10989,32 +9900,28 @@ var all163 = all_match({ ]), }); -var msg472 = msg("00029:02", all163); +var msg472 = msg("00029:02", all162); -var part810 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' is full. Unable to '), Field(p0,false)}" -match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. Unable to %{p0}"); +var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. Unable to %{p0}"); -var part811 = // "Pattern{Constant('commit '), Field(p0,false)}" -match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); +var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); -var part812 = // "Pattern{Constant('offer '), Field(p0,false)}" -match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); +var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); var select187 = linear_select([ + part810, part811, - part812, ]); -var part813 = // "Pattern{Constant('IP address to client at '), Field(fld2,false)}" -match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); +var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); -var all164 = all_match({ +var all163 = all_match({ processors: [ - dup212, - dup339, - part810, + dup210, + dup337, + part809, select187, - part813, + part812, ], on_success: processor_chain([ dup117, @@ -11025,10 +9932,9 @@ var all164 = all_match({ ]), }); -var msg473 = msg("00029:03", all164); +var msg473 = msg("00029:03", all163); -var part814 = // "Pattern{Constant('DHCP server set to OFF on '), Field(interface,true), Constant(' (another server found on '), Field(hostip,false), Constant(').')}" -match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ +var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ dup44, dup2, dup3, @@ -11036,7 +9942,7 @@ match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{i dup5, ])); -var msg474 = msg("00029:04", part814); +var msg474 = msg("00029:04", part813); var select188 = linear_select([ msg470, @@ -11046,8 +9952,7 @@ var select188 = linear_select([ msg474, ]); -var part815 = // "Pattern{Constant('CA configuration is invalid'), Field(,false)}" -match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ +var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ dup18, dup2, dup3, @@ -11055,25 +9960,22 @@ match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", dup5, ])); -var msg475 = msg("00030", part815); +var msg475 = msg("00030", part814); -var part816 = // "Pattern{Constant('DSS checking of CRLs has been changed from '), Field(p0,false)}" -match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); +var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); -var part817 = // "Pattern{Constant('0 to 1'), Field(,false)}" -match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); +var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); -var part818 = // "Pattern{Constant('1 to 0'), Field(,false)}" -match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); +var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); var select189 = linear_select([ + part816, part817, - part818, ]); -var all165 = all_match({ +var all164 = all_match({ processors: [ - part816, + part815, select189, ], on_success: processor_chain([ @@ -11085,10 +9987,9 @@ var all165 = all_match({ ]), }); -var msg476 = msg("00030:01", all165); +var msg476 = msg("00030:01", all164); -var part819 = // "Pattern{Constant('For the X509 certificate '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -11096,10 +9997,9 @@ match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{ch dup5, ])); -var msg477 = msg("00030:05", part819); +var msg477 = msg("00030:05", part818); -var part820 = // "Pattern{Constant('In the X509 certificate request the '), Field(fld2,true), Constant(' field has been changed from '), Field(fld3,false)}" -match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ +var part819 = match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ dup1, dup2, dup3, @@ -11107,10 +10007,9 @@ match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate reque dup5, ])); -var msg478 = msg("00030:06", part820); +var msg478 = msg("00030:06", part819); -var part821 = // "Pattern{Constant('RA X509 certificate cannot be loaded'), Field(,false)}" -match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ +var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ dup19, dup2, dup3, @@ -11118,10 +10017,9 @@ match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be dup5, ])); -var msg479 = msg("00030:07", part821); +var msg479 = msg("00030:07", part820); -var part822 = // "Pattern{Constant('Self-signed X509 certificate cannot be generated'), Field(,false)}" -match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ +var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ dup86, dup2, dup3, @@ -11129,10 +10027,9 @@ match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate dup5, ])); -var msg480 = msg("00030:10", part822); +var msg480 = msg("00030:10", part821); -var part823 = // "Pattern{Constant('The public key for ScreenOS image has successfully been updated'), Field(,false)}" -match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ +var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ dup1, dup2, dup3, @@ -11140,25 +10037,22 @@ match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS i dup5, ])); -var msg481 = msg("00030:12", part823); +var msg481 = msg("00030:12", part822); -var part824 = // "Pattern{Constant('The public key used for ScreenOS image authentication cannot be '), Field(p0,false)}" -match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); +var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); -var part825 = // "Pattern{Constant('decoded'), Field(,false)}" -match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); +var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); -var part826 = // "Pattern{Constant('loaded'), Field(,false)}" -match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); +var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); var select190 = linear_select([ + part824, part825, - part826, ]); -var all166 = all_match({ +var all165 = all_match({ processors: [ - part824, + part823, select190, ], on_success: processor_chain([ @@ -11172,48 +10066,41 @@ var all166 = all_match({ ]), }); -var msg482 = msg("00030:13", all166); +var msg482 = msg("00030:13", all165); -var part827 = // "Pattern{Constant('CA IDENT '), Field(p0,false)}" -match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); +var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); -var part828 = // "Pattern{Constant('Challenge password '), Field(p0,false)}" -match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); +var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); -var part829 = // "Pattern{Constant('CA CGI URL '), Field(p0,false)}" -match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); +var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); -var part830 = // "Pattern{Constant('RA CGI URL '), Field(p0,false)}" -match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); +var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); var select191 = linear_select([ + part826, part827, part828, part829, - part830, ]); -var part831 = // "Pattern{Constant('for SCEP '), Field(p0,false)}" -match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); +var part830 = match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); -var part832 = // "Pattern{Constant('requests '), Field(p0,false)}" -match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); +var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); var select192 = linear_select([ - part832, + part831, dup16, ]); -var part833 = // "Pattern{Constant('has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); +var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); -var all167 = all_match({ +var all166 = all_match({ processors: [ dup55, select191, - part831, + part830, select192, - part833, + part832, ], on_success: processor_chain([ dup1, @@ -11224,14 +10111,13 @@ var all167 = all_match({ ]), }); -var msg483 = msg("00030:14", all167); +var msg483 = msg("00030:14", all166); -var msg484 = msg("00030:02", dup378); +var msg484 = msg("00030:02", dup375); -var part834 = // "Pattern{Constant('X509 certificate for ScreenOS image authentication is invalid'), Field(,false)}" -match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ +var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11240,10 +10126,9 @@ match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS dup5, ])); -var msg485 = msg("00030:15", part834); +var msg485 = msg("00030:15", part833); -var part835 = // "Pattern{Constant('X509 certificate has been deleted'), Field(,false)}" -match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ +var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ dup1, dup2, dup3, @@ -11251,10 +10136,9 @@ match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been del dup5, ])); -var msg486 = msg("00030:16", part835); +var msg486 = msg("00030:16", part834); -var part836 = // "Pattern{Constant('PKI CRL: no revoke info accept per config DN '), Field(interface,false), Constant('.')}" -match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ +var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ dup1, dup2, dup3, @@ -11262,30 +10146,26 @@ match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accep dup5, ])); -var msg487 = msg("00030:18", part836); +var msg487 = msg("00030:18", part835); -var part837 = // "Pattern{Constant('PKI: A configurable item '), Field(change_attribute,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); +var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); -var part838 = // "Pattern{Constant('mode '), Field(p0,false)}" -match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); +var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); -var part839 = // "Pattern{Constant('field'), Field(p0,false)}" -match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); +var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); var select193 = linear_select([ + part837, part838, - part839, ]); -var part840 = // "Pattern{Field(,false), Constant('has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); +var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); -var all168 = all_match({ +var all167 = all_match({ processors: [ - part837, + part836, select193, - part840, + part839, ], on_success: processor_chain([ dup1, @@ -11296,10 +10176,9 @@ var all168 = all_match({ ]), }); -var msg488 = msg("00030:19", all168); +var msg488 = msg("00030:19", all167); -var part841 = // "Pattern{Constant('PKI: NSRP cold sync start for total of '), Field(fld2,true), Constant(' items.')}" -match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ +var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ dup44, dup2, dup3, @@ -11307,10 +10186,9 @@ match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for dup5, ])); -var msg489 = msg("00030:30", part841); +var msg489 = msg("00030:30", part840); -var part842 = // "Pattern{Constant('PKI: NSRP sync received cold sync item '), Field(fld2,true), Constant(' out of order expect '), Field(fld3,true), Constant(' of '), Field(fld4,false), Constant('.')}" -match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ +var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ dup86, dup2, dup3, @@ -11318,10 +10196,9 @@ match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold dup5, ])); -var msg490 = msg("00030:31", part842); +var msg490 = msg("00030:31", part841); -var part843 = // "Pattern{Constant('PKI: NSRP sync received cold sync item '), Field(fld2,true), Constant(' without first item.')}" -match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ +var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ dup86, dup2, dup3, @@ -11329,10 +10206,9 @@ match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold dup5, ])); -var msg491 = msg("00030:32", part843); +var msg491 = msg("00030:32", part842); -var part844 = // "Pattern{Constant('PKI: NSRP sync received normal item during cold sync.'), Field(,false)}" -match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ +var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ dup44, dup2, dup3, @@ -11340,10 +10216,9 @@ match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received norma dup5, ])); -var msg492 = msg("00030:33", part844); +var msg492 = msg("00030:33", part843); -var part845 = // "Pattern{Constant('PKI: The CRL '), Field(policy_id,true), Constant(' is deleted.')}" -match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ +var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ dup1, dup2, dup3, @@ -11351,10 +10226,9 @@ match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} i dup5, ])); -var msg493 = msg("00030:34", part845); +var msg493 = msg("00030:34", part844); -var part846 = // "Pattern{Constant('PKI: The NSRP high availability synchronization '), Field(fld2,true), Constant(' failed.')}" -match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ +var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ dup86, dup2, dup3, @@ -11362,10 +10236,9 @@ match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availabili dup5, ])); -var msg494 = msg("00030:35", part846); +var msg494 = msg("00030:35", part845); -var part847 = // "Pattern{Constant('PKI: The '), Field(change_attribute,true), Constant(' has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('.')}" -match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ +var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ dup1, dup2, dup3, @@ -11373,12 +10246,11 @@ match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute-> dup5, ])); -var msg495 = msg("00030:36", part847); +var msg495 = msg("00030:36", part846); -var part848 = // "Pattern{Constant('PKI: The X.509 certificate for the ScreenOS image authentication is invalid.'), Field(,false)}" -match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ +var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11387,12 +10259,11 @@ match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate fo dup5, ])); -var msg496 = msg("00030:37", part848); +var msg496 = msg("00030:37", part847); -var part849 = // "Pattern{Constant('PKI: The X.509 local certificate cannot be sync to vsd member.'), Field(,false)}" -match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ +var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11401,31 +10272,28 @@ match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certific dup5, ])); -var msg497 = msg("00030:38", part849); +var msg497 = msg("00030:38", part848); -var part850 = // "Pattern{Constant('PKI: The X.509 certificate '), Field(p0,false)}" -match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); +var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); -var part851 = // "Pattern{Constant('revocation list '), Field(p0,false)}" -match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); +var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); var select194 = linear_select([ - part851, + part850, dup16, ]); -var part852 = // "Pattern{Constant('cannot be loaded during NSRP synchronization.'), Field(,false)}" -match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); +var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); -var all169 = all_match({ +var all168 = all_match({ processors: [ - part850, + part849, select194, - part852, + part851, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11435,23 +10303,21 @@ var all169 = all_match({ ]), }); -var msg498 = msg("00030:39", all169); +var msg498 = msg("00030:39", all168); -var part853 = // "Pattern{Constant('X509 '), Field(p0,false)}" -match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); +var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); -var part854 = // "Pattern{Constant('cannot be loaded'), Field(,false)}" -match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); +var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); -var all170 = all_match({ +var all169 = all_match({ processors: [ + part852, + dup376, part853, - dup379, - part854, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11461,31 +10327,28 @@ var all170 = all_match({ ]), }); -var msg499 = msg("00030:17", all170); +var msg499 = msg("00030:17", all169); -var part855 = // "Pattern{Constant('PKI: The certificate '), Field(fld2,true), Constant(' will expire '), Field(p0,false)}" -match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); +var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); -var part856 = // "Pattern{Constant('please '), Field(p0,false)}" -match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); +var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); var select195 = linear_select([ - dup216, - part856, + dup214, + part855, ]); -var part857 = // "Pattern{Constant('renew.'), Field(,false)}" -match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); +var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); -var all171 = all_match({ +var all170 = all_match({ processors: [ - part855, + part854, select195, - part857, + part856, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11495,12 +10358,11 @@ var all171 = all_match({ ]), }); -var msg500 = msg("00030:40", all171); +var msg500 = msg("00030:40", all170); -var part858 = // "Pattern{Constant('PKI: The certificate revocation list has expired issued by certificate authority '), Field(fld2,false), Constant('.')}" -match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ +var part857 = match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11509,12 +10371,11 @@ match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocati dup5, ])); -var msg501 = msg("00030:41", part858); +var msg501 = msg("00030:41", part857); -var part859 = // "Pattern{Constant('PKI: The configuration content of certificate authority '), Field(fld2,true), Constant(' is not valid.')}" -match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ +var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11523,12 +10384,11 @@ match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration conten dup5, ])); -var msg502 = msg("00030:42", part859); +var msg502 = msg("00030:42", part858); -var part860 = // "Pattern{Constant('PKI: The device cannot allocate this object id number '), Field(fld2,false), Constant('.')}" -match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ +var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11537,12 +10397,11 @@ match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot alloca dup5, ])); -var msg503 = msg("00030:43", part860); +var msg503 = msg("00030:43", part859); -var part861 = // "Pattern{Constant('PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].'), Field(,false)}" -match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ +var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11551,12 +10410,11 @@ match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extrac dup5, ])); -var msg504 = msg("00030:44", part861); +var msg504 = msg("00030:44", part860); -var part862 = // "Pattern{Constant('PKI: The device cannot find the PKI object '), Field(fld2,true), Constant(' during cold sync.')}" -match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ +var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11565,12 +10423,11 @@ match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find t dup5, ])); -var msg505 = msg("00030:45", part862); +var msg505 = msg("00030:45", part861); -var part863 = // "Pattern{Constant('PKI: The device cannot load X.509 certificate onto the device certificate '), Field(fld2,false), Constant('.')}" -match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ +var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11579,12 +10436,11 @@ match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X dup5, ])); -var msg506 = msg("00030:46", part863); +var msg506 = msg("00030:46", part862); -var part864 = // "Pattern{Constant('PKI: The device cannot load a certificate pending SCEP completion.'), Field(,false)}" -match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ +var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11593,12 +10449,11 @@ match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a dup5, ])); -var msg507 = msg("00030:47", part864); +var msg507 = msg("00030:47", part863); -var part865 = // "Pattern{Constant('PKI: The device cannot load an X.509 certificate revocation list (CRL).'), Field(,false)}" -match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ +var part864 = match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11607,12 +10462,11 @@ match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load a dup5, ])); -var msg508 = msg("00030:48", part865); +var msg508 = msg("00030:48", part864); -var part866 = // "Pattern{Constant('PKI: The device cannot load the CA certificate received through SCEP.'), Field(,false)}" -match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ +var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11621,12 +10475,11 @@ match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg509 = msg("00030:49", part866); +var msg509 = msg("00030:49", part865); -var part867 = // "Pattern{Constant('PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.'), Field(,false)}" -match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ +var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11635,12 +10488,11 @@ match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg510 = msg("00030:50", part867); +var msg510 = msg("00030:50", part866); -var part868 = // "Pattern{Constant('PKI: The device cannot load the X.509 local certificate received through SCEP.'), Field(,false)}" -match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ +var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11649,12 +10501,11 @@ match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg511 = msg("00030:51", part868); +var msg511 = msg("00030:51", part867); -var part869 = // "Pattern{Constant('PKI: The device cannot load the X.509 '), Field(product,true), Constant(' during boot.')}" -match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ +var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11663,12 +10514,11 @@ match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg512 = msg("00030:52", part869); +var msg512 = msg("00030:52", part868); -var part870 = // "Pattern{Constant('PKI: The device cannot load the X.509 certificate file.'), Field(,false)}" -match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ +var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11677,12 +10527,11 @@ match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg513 = msg("00030:53", part870); +var msg513 = msg("00030:53", part869); -var part871 = // "Pattern{Constant('PKI: The device completed the coldsync of the PKI object at '), Field(fld2,true), Constant(' attempt.')}" -match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ +var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ dup44, - dup213, + dup211, dup31, dup2, dup3, @@ -11690,20 +10539,19 @@ match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the dup5, ])); -var msg514 = msg("00030:54", part871); +var msg514 = msg("00030:54", part870); -var part872 = // "Pattern{Constant('PKI: The device could not generate '), Field(p0,false)}" -match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: The device could not generate %{p0}"); +var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: The device could not generate %{p0}"); -var all172 = all_match({ +var all171 = all_match({ processors: [ - part872, - dup380, - dup219, + part871, + dup377, + dup217, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11713,12 +10561,11 @@ var all172 = all_match({ ]), }); -var msg515 = msg("00030:55", all172); +var msg515 = msg("00030:55", all171); -var part873 = // "Pattern{Constant('PKI: The device detected an invalid RSA key.'), Field(,false)}" -match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ +var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11727,12 +10574,11 @@ match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an i dup5, ])); -var msg516 = msg("00030:56", part873); +var msg516 = msg("00030:56", part872); -var part874 = // "Pattern{Constant('PKI: The device detected an invalid digital signature algorithm (DSA) key.'), Field(,false)}" -match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ +var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ dup35, - dup220, + dup218, dup31, dup39, dup2, @@ -11741,12 +10587,11 @@ match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an i dup5, ])); -var msg517 = msg("00030:57", part874); +var msg517 = msg("00030:57", part873); -var part875 = // "Pattern{Constant('PKI: The device failed to coldsync the PKI object at '), Field(fld2,true), Constant(' attempt.')}" -match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ +var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ dup86, - dup220, + dup218, dup31, dup54, dup2, @@ -11755,38 +10600,24 @@ match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to col dup5, ])); -var msg518 = msg("00030:58", part875); - -var part876 = // "Pattern{Constant('PKI: The device failed to decode the public key of the image'), Field(p0,false)}" -match("MESSAGE#512:00030:59/0", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{p0}"); +var msg518 = msg("00030:58", part874); -var part877 = // "Pattern{Constant('s signer certificate.'), Field(,false)}" -match("MESSAGE#512:00030:59/2", "nwparser.p0", "s signer certificate.%{}"); - -var all173 = all_match({ - processors: [ - part876, - dup363, - part877, - ], - on_success: processor_chain([ - dup35, - dup220, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), -}); +var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ + dup35, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); -var msg519 = msg("00030:59", all173); +var msg519 = msg("00030:59", part875); -var part878 = // "Pattern{Constant('PKI: The device failed to install the RSA key.'), Field(,false)}" -match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ +var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ dup35, - dup220, + dup218, dup31, dup54, dup2, @@ -11795,12 +10626,11 @@ match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to ins dup5, ])); -var msg520 = msg("00030:60", part878); +var msg520 = msg("00030:60", part876); -var part879 = // "Pattern{Constant('PKI: The device failed to retrieve the pending certificate '), Field(fld2,false), Constant('.')}" -match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ +var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup54, dup2, @@ -11809,12 +10639,11 @@ match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to ret dup5, ])); -var msg521 = msg("00030:61", part879); +var msg521 = msg("00030:61", part877); -var part880 = // "Pattern{Constant('PKI: The device failed to save the certificate authority related configuration.'), Field(,false)}" -match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ +var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup54, dup2, @@ -11823,12 +10652,11 @@ match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to sav dup5, ])); -var msg522 = msg("00030:62", part880); +var msg522 = msg("00030:62", part878); -var part881 = // "Pattern{Constant('PKI: The device failed to store the authority configuration.'), Field(,false)}" -match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ +var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ dup18, - dup221, + dup219, dup51, dup54, dup2, @@ -11837,12 +10665,11 @@ match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to sto dup5, ])); -var msg523 = msg("00030:63", part881); +var msg523 = msg("00030:63", part879); -var part882 = // "Pattern{Constant('PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.'), Field(,false)}" -match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ +var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ dup18, - dup220, + dup218, dup51, dup54, dup2, @@ -11851,12 +10678,11 @@ match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to syn dup5, ])); -var msg524 = msg("00030:64", part882); +var msg524 = msg("00030:64", part880); -var part883 = // "Pattern{Constant('PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.'), Field(,false)}" -match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ +var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ dup18, - dup220, + dup218, dup51, dup54, dup2, @@ -11865,12 +10691,11 @@ match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to syn dup5, ])); -var msg525 = msg("00030:65", part883); +var msg525 = msg("00030:65", part881); -var part884 = // "Pattern{Constant('PKI: The device has detected an invalid X.509 object attribute '), Field(fld2,false), Constant('.')}" -match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ +var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11879,12 +10704,11 @@ match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected dup5, ])); -var msg526 = msg("00030:66", part884); +var msg526 = msg("00030:66", part882); -var part885 = // "Pattern{Constant('PKI: The device has detected invalid X.509 object content.'), Field(,false)}" -match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ +var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11893,12 +10717,11 @@ match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected dup5, ])); -var msg527 = msg("00030:67", part885); +var msg527 = msg("00030:67", part883); -var part886 = // "Pattern{Constant('PKI: The device has failed to load an invalid X.509 object.'), Field(,false)}" -match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ +var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11907,10 +10730,9 @@ match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to dup5, ])); -var msg528 = msg("00030:68", part886); +var msg528 = msg("00030:68", part884); -var part887 = // "Pattern{Constant('PKI: The device is loading the version 0 PKI data.'), Field(,false)}" -match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI data.%{}", processor_chain([ +var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI data.%{}", processor_chain([ dup44, dup2, dup3, @@ -11918,16 +10740,15 @@ match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading th dup5, ])); -var msg529 = msg("00030:69", part887); +var msg529 = msg("00030:69", part885); -var part888 = // "Pattern{Constant('PKI: The device successfully generated a new '), Field(p0,false)}" -match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); +var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); -var all174 = all_match({ +var all172 = all_match({ processors: [ - part888, - dup380, - dup219, + part886, + dup377, + dup217, ], on_success: processor_chain([ dup44, @@ -11938,87 +10759,56 @@ var all174 = all_match({ ]), }); -var msg530 = msg("00030:70", all174); +var msg530 = msg("00030:70", all172); -var part889 = // "Pattern{Constant('PKI: The public key of image'), Field(p0,false)}" -match("MESSAGE#524:00030:71/0", "nwparser.payload", "PKI: The public key of image%{p0}"); +var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); -var part890 = // "Pattern{Constant('s signer has been loaded successfully, for future image authentication.'), Field(,false)}" -match("MESSAGE#524:00030:71/2", "nwparser.p0", "s signer has been loaded successfully, for future image authentication.%{}"); +var msg531 = msg("00030:71", part887); -var all175 = all_match({ - processors: [ - part889, - dup363, - part890, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); +var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); -var msg531 = msg("00030:71", all175); +var msg532 = msg("00030:72", part888); -var part891 = // "Pattern{Constant('PKI: The signature of the image'), Field(p0,false)}" -match("MESSAGE#525:00030:72/0", "nwparser.payload", "PKI: The signature of the image%{p0}"); +var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); -var part892 = // "Pattern{Constant('s signer certificate cannot be verified.'), Field(,false)}" -match("MESSAGE#525:00030:72/2", "nwparser.p0", "s signer certificate cannot be verified.%{}"); +var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); -var all176 = all_match({ - processors: [ - part891, - dup363, - part892, - ], - on_success: processor_chain([ - dup35, - dup213, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg532 = msg("00030:72", all176); - -var part893 = // "Pattern{Constant('PKI: The '), Field(p0,false)}" -match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); +var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); -var part894 = // "Pattern{Constant('file name '), Field(p0,false)}" -match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); - -var part895 = // "Pattern{Constant('friendly name of a certificate '), Field(p0,false)}" -match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); - -var part896 = // "Pattern{Constant('vsys name '), Field(p0,false)}" -match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); +var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); var select196 = linear_select([ - part894, - part895, - part896, + part890, + part891, + part892, ]); -var part897 = // "Pattern{Constant('is too long '), Field(fld2,true), Constant(' to do NSRP synchronization allowed '), Field(fld3,false), Constant('.')}" -match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); +var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); -var all177 = all_match({ +var all173 = all_match({ processors: [ - part893, + part889, select196, - part897, + part893, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -12028,10 +10818,9 @@ var all177 = all_match({ ]), }); -var msg533 = msg("00030:73", all177); +var msg533 = msg("00030:73", all173); -var part898 = // "Pattern{Constant('PKI: Upgrade from earlier version save to file.'), Field(,false)}" -match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ +var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ dup44, dup2, dup3, @@ -12039,10 +10828,9 @@ match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier ver dup5, ])); -var msg534 = msg("00030:74", part898); +var msg534 = msg("00030:74", part894); -var part899 = // "Pattern{Constant('PKI: X.509 certificate has been deleted distinguished name '), Field(username,false), Constant('.')}" -match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ +var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ dup44, dup2, dup3, @@ -12050,19 +10838,17 @@ match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has be dup5, ])); -var msg535 = msg("00030:75", part899); +var msg535 = msg("00030:75", part895); -var part900 = // "Pattern{Constant('PKI: X.509 '), Field(p0,false)}" -match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); +var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); -var part901 = // "Pattern{Constant('file has been loaded successfully filename '), Field(fld2,false), Constant('.')}" -match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); +var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); -var all178 = all_match({ +var all174 = all_match({ processors: [ - part900, - dup379, - part901, + part896, + dup376, + part897, ], on_success: processor_chain([ dup44, @@ -12073,12 +10859,11 @@ var all178 = all_match({ ]), }); -var msg536 = msg("00030:76", all178); +var msg536 = msg("00030:76", all174); -var part902 = // "Pattern{Constant('PKI: failed to install DSA key.'), Field(,false)}" -match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ +var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ dup18, - dup220, + dup218, dup51, dup54, dup2, @@ -12087,13 +10872,12 @@ match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA ke dup5, ])); -var msg537 = msg("00030:77", part902); +var msg537 = msg("00030:77", part898); -var part903 = // "Pattern{Constant('PKI: no FQDN available when requesting certificate.'), Field(,false)}" -match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ +var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ dup35, - dup213, - dup222, + dup211, + dup220, dup31, dup39, dup2, @@ -12102,13 +10886,12 @@ match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when r dup5, ])); -var msg538 = msg("00030:78", part903); +var msg538 = msg("00030:78", part899); -var part904 = // "Pattern{Constant('PKI: no cert revocation check per config DN '), Field(username,false), Constant('.')}" -match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ +var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ dup35, - dup213, - dup222, + dup211, + dup220, dup31, dup39, dup2, @@ -12117,10 +10900,9 @@ match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check dup5, ])); -var msg539 = msg("00030:79", part904); +var msg539 = msg("00030:79", part900); -var part905 = // "Pattern{Constant('PKI: no nsrp sync for pre 2.5 objects.'), Field(,false)}" -match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ +var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ dup44, dup2, dup3, @@ -12128,10 +10910,9 @@ match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 dup5, ])); -var msg540 = msg("00030:80", part905); +var msg540 = msg("00030:80", part901); -var part906 = // "Pattern{Constant('X509 certificate with subject name '), Field(fld2,true), Constant(' is deleted.')}" -match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ +var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ dup44, dup2, dup3, @@ -12139,10 +10920,9 @@ match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject dup5, ])); -var msg541 = msg("00030:81", part906); +var msg541 = msg("00030:81", part902); -var part907 = // "Pattern{Constant('create new authcfg for CA '), Field(fld2,false)}" -match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ +var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ dup44, dup2, dup3, @@ -12150,12 +10930,11 @@ match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{f dup5, ])); -var msg542 = msg("00030:82", part907); +var msg542 = msg("00030:82", part903); -var part908 = // "Pattern{Constant('loadCert: Cannot acquire authcfg for this CA cert '), Field(fld2,false), Constant('.')}" -match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ +var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -12164,10 +10943,9 @@ match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire auth dup5, ])); -var msg543 = msg("00030:83", part908); +var msg543 = msg("00030:83", part904); -var part909 = // "Pattern{Constant('upgrade to 4.0 copy authcfg from global.'), Field(,false)}" -match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ +var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ dup44, dup2, dup3, @@ -12175,10 +10953,9 @@ match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg f dup5, ])); -var msg544 = msg("00030:84", part909); +var msg544 = msg("00030:84", part905); -var part910 = // "Pattern{Constant('System CPU utilization is high ('), Field(fld2,true), Constant(' alarm threshold: '), Field(trigger_val,false), Constant(') '), Field(info,false)}" -match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ +var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ setc("eventcategory","1603080000"), dup2, dup3, @@ -12186,19 +10963,18 @@ match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is hig dup5, ])); -var msg545 = msg("00030:85", part910); +var msg545 = msg("00030:85", part906); -var part911 = // "Pattern{Constant('Pair-wise invoked by started after key generation. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); +var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); -var all179 = all_match({ +var all175 = all_match({ processors: [ - dup223, - dup381, - part911, + dup221, + dup378, + part907, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup4, dup5, @@ -12206,11 +10982,10 @@ var all179 = all_match({ ]), }); -var msg546 = msg("00030:86", all179); +var msg546 = msg("00030:86", all175); -var part912 = // "Pattern{Constant('SYSTEM CPU utilization is high ('), Field(fld2,true), Constant(' > '), Field(fld3,true), Constant(' ) '), Field(fld4,true), Constant(' times in '), Field(fld5,true), Constant(' minute ('), Field(fld1,false), Constant(')<<'), Field(fld6,false), Constant('>')}" -match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup211, +var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup209, dup2, dup3, dup4, @@ -12218,19 +10993,18 @@ match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is hi dup9, ])); -var msg547 = msg("00030:87", part912); +var msg547 = msg("00030:87", part908); -var part913 = // "Pattern{Constant('Pair-wise invoked by passed. ('), Field(fld1,false), Constant(')<<'), Field(fld6,false), Constant('>')}" -match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. (%{fld1})\u003c\u003c%{fld6}>"); +var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. (%{fld1})\u003c\u003c%{fld6}>"); -var all180 = all_match({ +var all176 = all_match({ processors: [ - dup223, - dup381, - part913, + dup221, + dup378, + part909, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup4, dup5, @@ -12238,7 +11012,7 @@ var all180 = all_match({ ]), }); -var msg548 = msg("00030:88", all180); +var msg548 = msg("00030:88", all176); var select197 = linear_select([ msg475, @@ -12317,8 +11091,7 @@ var select197 = linear_select([ msg548, ]); -var part914 = // "Pattern{Constant('ARP detected IP conflict: IP address '), Field(hostip,true), Constant(' changed from '), Field(sinterface,true), Constant(' to interface '), Field(dinterface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ +var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ dup121, dup2, dup3, @@ -12327,10 +11100,9 @@ match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP dup5, ])); -var msg549 = msg("00031:13", part914); +var msg549 = msg("00031:13", part910); -var part915 = // "Pattern{Constant('SNMP AuthenTraps have been '), Field(disposition,false)}" -match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ +var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -12338,10 +11110,9 @@ match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{dis dup5, ])); -var msg550 = msg("00031", part915); +var msg550 = msg("00031", part911); -var part916 = // "Pattern{Constant('SNMP VPN has been '), Field(disposition,false)}" -match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ +var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -12349,29 +11120,25 @@ match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{dispositi dup5, ])); -var msg551 = msg("00031:01", part916); +var msg551 = msg("00031:01", part912); -var part917 = // "Pattern{Constant('SNMP community '), Field(fld2,true), Constant(' attributes-write access '), Field(p0,false)}" -match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); +var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); -var part918 = // "Pattern{Constant('; receive traps '), Field(p0,false)}" -match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); +var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); -var part919 = // "Pattern{Constant('; receive traffic alarms '), Field(p0,false)}" -match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); +var part915 = match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); -var part920 = // "Pattern{Constant('-have been modified'), Field(,false)}" -match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); +var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); -var all181 = all_match({ +var all177 = all_match({ processors: [ - part917, - dup382, - part918, - dup382, - part919, - dup382, - part920, + part913, + dup379, + part914, + dup379, + part915, + dup379, + part916, ], on_success: processor_chain([ dup1, @@ -12382,24 +11149,22 @@ var all181 = all_match({ ]), }); -var msg552 = msg("00031:02", all181); +var msg552 = msg("00031:02", all177); -var part921 = // "Pattern{Field(fld2,true), Constant(' SNMP host '), Field(hostip,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); +var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); var select198 = linear_select([ dup130, dup129, ]); -var part922 = // "Pattern{Constant('SNMP community '), Field(fld3,false)}" -match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); +var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); -var all182 = all_match({ +var all178 = all_match({ processors: [ - part921, + part917, select198, - part922, + part918, ], on_success: processor_chain([ dup1, @@ -12410,27 +11175,24 @@ var all182 = all_match({ ]), }); -var msg553 = msg("00031:03", all182); +var msg553 = msg("00031:03", all178); -var part923 = // "Pattern{Constant('SNMP '), Field(p0,false)}" -match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); +var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); -var part924 = // "Pattern{Constant('contact '), Field(p0,false)}" -match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); +var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); var select199 = linear_select([ - part924, - dup228, + part920, + dup226, ]); -var part925 = // "Pattern{Constant('description has been modified'), Field(,false)}" -match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); +var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); -var all183 = all_match({ +var all179 = all_match({ processors: [ - part923, + part919, select199, - part925, + part921, ], on_success: processor_chain([ dup1, @@ -12441,24 +11203,22 @@ var all183 = all_match({ ]), }); -var msg554 = msg("00031:04", all183); +var msg554 = msg("00031:04", all179); -var part926 = // "Pattern{Constant('SNMP system '), Field(p0,false)}" -match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); +var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); var select200 = linear_select([ - dup228, + dup226, dup25, ]); -var part927 = // "Pattern{Constant('has been changed to '), Field(fld2,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. (%{fld1})"); +var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. (%{fld1})"); -var all184 = all_match({ +var all180 = all_match({ processors: [ - part926, + part922, select200, - part927, + part923, ], on_success: processor_chain([ dup1, @@ -12470,58 +11230,49 @@ var all184 = all_match({ ]), }); -var msg555 = msg("00031:11", all184); +var msg555 = msg("00031:11", all180); -var part928 = // "Pattern{Field(fld2,false), Constant(': SNMP community name "'), Field(fld3,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); +var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); -var part929 = // "Pattern{Constant('attributes -- '), Field(p0,false)}" -match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); +var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); -var part930 = // "Pattern{Constant('-- '), Field(p0,false)}" -match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); +var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); var select201 = linear_select([ - part929, - part930, + part925, + part926, ]); -var part931 = // "Pattern{Constant('write access, '), Field(p0,false)}" -match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); +var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); -var part932 = // "Pattern{Constant('; receive traps, '), Field(p0,false)}" -match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); +var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); -var part933 = // "Pattern{Constant('; receive traffic alarms, '), Field(p0,false)}" -match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); +var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); -var part934 = // "Pattern{Constant('-'), Field(p0,false)}" -match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); +var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); -var part935 = // "Pattern{Constant('- '), Field(p0,false)}" -match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); +var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); var select202 = linear_select([ - part935, + part931, dup96, ]); -var part936 = // "Pattern{Constant('have been modified'), Field(,false)}" -match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); +var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); -var all185 = all_match({ +var all181 = all_match({ processors: [ - part928, + part924, select201, - part931, - dup382, - part932, - dup382, - part933, - dup382, - part934, + part927, + dup379, + part928, + dup379, + part929, + dup379, + part930, select202, - part936, + part932, ], on_success: processor_chain([ dup1, @@ -12532,16 +11283,15 @@ var all185 = all_match({ ]), }); -var msg556 = msg("00031:08", all185); +var msg556 = msg("00031:08", all181); -var part937 = // "Pattern{Constant('Detect IP conflict ('), Field(fld2,false), Constant(') on '), Field(p0,false)}" -match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); +var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); -var all186 = all_match({ +var all182 = all_match({ processors: [ - part937, - dup339, - dup229, + part933, + dup337, + dup227, ], on_success: processor_chain([ dup121, @@ -12552,43 +11302,39 @@ var all186 = all_match({ ]), }); -var msg557 = msg("00031:05", all186); +var msg557 = msg("00031:05", all182); -var part938 = // "Pattern{Constant('q, '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); +var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); var select203 = linear_select([ - part938, - dup231, - dup232, + part934, + dup229, + dup230, ]); -var part939 = // "Pattern{Constant('detect IP conflict ( '), Field(hostip,true), Constant(' )'), Field(p0,false)}" -match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); +var part935 = match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); var select204 = linear_select([ dup105, dup96, ]); -var part940 = // "Pattern{Constant('mac'), Field(p0,false)}" -match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); +var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); -var part941 = // "Pattern{Constant(''), Field(macaddr,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); +var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); -var all187 = all_match({ +var all183 = all_match({ processors: [ - dup230, + dup228, select203, - part939, + part935, select204, - part940, - dup358, - part941, - dup354, + part936, + dup356, + part937, + dup352, dup23, - dup383, + dup380, ], on_success: processor_chain([ dup121, @@ -12600,18 +11346,17 @@ var all187 = all_match({ ]), }); -var msg558 = msg("00031:06", all187); +var msg558 = msg("00031:06", all183); -var part942 = // "Pattern{Constant('detects a duplicate virtual security device group master IP address '), Field(hostip,false), Constant(', MAC address '), Field(macaddr,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); +var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); -var all188 = all_match({ +var all184 = all_match({ processors: [ - dup230, - dup384, - part942, - dup339, - dup229, + dup228, + dup381, + part938, + dup337, + dup227, ], on_success: processor_chain([ dup121, @@ -12622,17 +11367,16 @@ var all188 = all_match({ ]), }); -var msg559 = msg("00031:07", all188); +var msg559 = msg("00031:07", all184); -var part943 = // "Pattern{Constant('detected an IP conflict (IP '), Field(hostip,false), Constant(', MAC '), Field(macaddr,false), Constant(') on interface '), Field(p0,false)}" -match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); +var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); -var all189 = all_match({ +var all185 = all_match({ processors: [ - dup230, - dup384, - part943, - dup383, + dup228, + dup381, + part939, + dup380, ], on_success: processor_chain([ dup121, @@ -12644,10 +11388,9 @@ var all189 = all_match({ ]), }); -var msg560 = msg("00031:09", all189); +var msg560 = msg("00031:09", all185); -var part944 = // "Pattern{Field(fld2,false), Constant(': SNMP community "'), Field(fld3,false), Constant('" has been moved. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ +var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -12656,10 +11399,9 @@ match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{f dup5, ])); -var msg561 = msg("00031:10", part944); +var msg561 = msg("00031:10", part940); -var part945 = // "Pattern{Field(fld2,true), Constant(' system contact has been changed to '), Field(fld3,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. (%{fld1})", processor_chain([ +var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -12668,7 +11410,7 @@ match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has dup5, ])); -var msg562 = msg("00031:12", part945); +var msg562 = msg("00031:12", part941); var select205 = linear_select([ msg549, @@ -12687,9 +11429,8 @@ var select205 = linear_select([ msg562, ]); -var part946 = // "Pattern{Field(signame,true), Constant(' has been detected and blocked! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup234, +var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup232, dup2, dup3, dup59, @@ -12698,11 +11439,10 @@ match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected a dup61, ])); -var msg563 = msg("00032", part946); +var msg563 = msg("00032", part942); -var part947 = // "Pattern{Field(signame,true), Constant(' has been detected and blocked! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup234, +var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup232, dup2, dup3, dup4, @@ -12710,33 +11450,28 @@ match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detecte dup61, ])); -var msg564 = msg("00032:01", part947); +var msg564 = msg("00032:01", part943); -var part948 = // "Pattern{Constant('Vsys '), Field(fld2,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); +var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); -var part949 = // "Pattern{Constant('changed to '), Field(fld3,false)}" -match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); +var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); -var part950 = // "Pattern{Constant('created'), Field(,false)}" -match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); +var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); -var part951 = // "Pattern{Constant('deleted'), Field(,false)}" -match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); +var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); -var part952 = // "Pattern{Constant('removed'), Field(,false)}" -match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); +var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); var select206 = linear_select([ - part949, - part950, - part951, - part952, + part945, + part946, + part947, + part948, ]); -var all190 = all_match({ +var all186 = all_match({ processors: [ - part948, + part944, select206, ], on_success: processor_chain([ @@ -12748,11 +11483,10 @@ var all190 = all_match({ ]), }); -var msg565 = msg("00032:03", all190); +var msg565 = msg("00032:03", all186); -var part953 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup234, +var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup232, dup2, dup3, dup4, @@ -12761,10 +11495,9 @@ match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{ dup61, ])); -var msg566 = msg("00032:04", part953); +var msg566 = msg("00032:04", part949); -var part954 = // "Pattern{Field(change_attribute,true), Constant(' for vsys '), Field(fld2,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -12772,9 +11505,9 @@ match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsy dup5, ])); -var msg567 = msg("00032:05", part954); +var msg567 = msg("00032:05", part950); -var msg568 = msg("00032:02", dup378); +var msg568 = msg("00032:02", dup375); var select207 = linear_select([ msg563, @@ -12785,8 +11518,7 @@ var select207 = linear_select([ msg568, ]); -var part955 = // "Pattern{Constant('NSM has been '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ +var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -12796,28 +11528,25 @@ match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. setc("agent","NSM"), ])); -var msg569 = msg("00033:25", part955); +var msg569 = msg("00033:25", part951); -var part956 = // "Pattern{Constant('timeout value has been '), Field(p0,false)}" -match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); +var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); -var part957 = // "Pattern{Constant('returned'), Field(p0,false)}" -match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); +var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); var select208 = linear_select([ dup52, - part957, + part953, ]); -var part958 = // "Pattern{Field(,false), Constant('to '), Field(fld2,false)}" -match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); +var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); -var all191 = all_match({ +var all187 = all_match({ processors: [ - dup385, - part956, + dup382, + part952, select208, - part958, + part954, ], on_success: processor_chain([ dup1, @@ -12828,29 +11557,26 @@ var all191 = all_match({ ]), }); -var msg570 = msg("00033", all191); +var msg570 = msg("00033", all187); -var part959 = // "Pattern{Constant('Global PRO '), Field(p0,false)}" -match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); +var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); -var part960 = // "Pattern{Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); +var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); var select209 = linear_select([ - part959, - part960, + part955, + part956, ]); -var part961 = // "Pattern{Constant('host has been set to '), Field(fld4,false)}" -match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); +var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); -var all192 = all_match({ +var all188 = all_match({ processors: [ - dup162, + dup160, select209, dup23, - dup372, - part961, + dup369, + part957, ], on_success: processor_chain([ dup1, @@ -12861,17 +11587,16 @@ var all192 = all_match({ ]), }); -var msg571 = msg("00033:03", all192); +var msg571 = msg("00033:03", all188); -var part962 = // "Pattern{Constant('host has been '), Field(disposition,false)}" -match("MESSAGE#563:00033:02/3", "nwparser.p0", "host has been %{disposition}"); +var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host has been %{disposition}"); -var all193 = all_match({ +var all189 = all_match({ processors: [ - dup385, + dup382, dup23, - dup372, - part962, + dup369, + part958, ], on_success: processor_chain([ dup1, @@ -12882,10 +11607,9 @@ var all193 = all_match({ ]), }); -var msg572 = msg("00033:02", all193); +var msg572 = msg("00033:02", all189); -var part963 = // "Pattern{Constant('Reporting of '), Field(fld2,true), Constant(' to '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ +var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -12893,10 +11617,9 @@ match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{f dup5, ])); -var msg573 = msg("00033:04", part963); +var msg573 = msg("00033:04", part959); -var part964 = // "Pattern{Constant('Global PRO has been '), Field(disposition,false)}" -match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ +var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -12904,10 +11627,9 @@ match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposi dup5, ])); -var msg574 = msg("00033:05", part964); +var msg574 = msg("00033:05", part960); -var part965 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('. The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ +var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ dup27, dup2, dup3, @@ -12917,10 +11639,9 @@ match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{s dup61, ])); -var msg575 = msg("00033:06", part965); +var msg575 = msg("00033:06", part961); -var part966 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('. The threshold was exceeded '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The threshold was exceeded %{dclass_counter1->} times", processor_chain([ +var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The threshold was exceeded %{dclass_counter1->} times", processor_chain([ dup27, dup2, dup3, @@ -12930,10 +11651,9 @@ match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{s dup61, ])); -var msg576 = msg("00033:01", part966); +var msg576 = msg("00033:01", part962); -var part967 = // "Pattern{Constant('User-defined service '), Field(service,true), Constant(' has been '), Field(disposition,true), Constant(' from '), Field(fld2,true), Constant(' distribution')}" -match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ +var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ dup1, dup2, dup3, @@ -12941,16 +11661,15 @@ match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{servic dup5, ])); -var msg577 = msg("00033:07", part967); +var msg577 = msg("00033:07", part963); -var part968 = // "Pattern{Constant('?s CA certificate field has not been specified.'), Field(,false)}" -match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); +var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); -var all194 = all_match({ +var all190 = all_match({ processors: [ - dup237, - dup386, - part968, + dup235, + dup383, + part964, ], on_success: processor_chain([ dup1, @@ -12961,16 +11680,15 @@ var all194 = all_match({ ]), }); -var msg578 = msg("00033:08", all194); +var msg578 = msg("00033:08", all190); -var part969 = // "Pattern{Constant('?s Cert-Subject field has not been specified.'), Field(,false)}" -match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); +var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); -var all195 = all_match({ +var all191 = all_match({ processors: [ - dup237, - dup386, - part969, + dup235, + dup383, + part965, ], on_success: processor_chain([ dup1, @@ -12981,24 +11699,22 @@ var all195 = all_match({ ]), }); -var msg579 = msg("00033:09", all195); +var msg579 = msg("00033:09", all191); -var part970 = // "Pattern{Constant('?s host field has been '), Field(p0,false)}" -match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); +var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); -var part971 = // "Pattern{Constant('set to '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); +var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); var select210 = linear_select([ - part971, - dup240, + part967, + dup238, ]); -var all196 = all_match({ +var all192 = all_match({ processors: [ - dup237, - dup386, - part970, + dup235, + dup383, + part966, select210, dup116, ], @@ -13011,21 +11727,19 @@ var all196 = all_match({ ]), }); -var msg580 = msg("00033:10", all196); +var msg580 = msg("00033:10", all192); -var part972 = // "Pattern{Constant('?s outgoing interface used to report NACN to Policy Manager '), Field(p0,false)}" -match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); +var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); -var part973 = // "Pattern{Constant('has not been specified.'), Field(,false)}" -match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); +var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); -var all197 = all_match({ +var all193 = all_match({ processors: [ - dup237, - dup386, - part972, - dup386, - part973, + dup235, + dup383, + part968, + dup383, + part969, ], on_success: processor_chain([ dup1, @@ -13036,21 +11750,20 @@ var all197 = all_match({ ]), }); -var msg581 = msg("00033:11", all197); +var msg581 = msg("00033:11", all193); -var part974 = // "Pattern{Constant('?s password field has been '), Field(p0,false)}" -match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); +var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); var select211 = linear_select([ dup101, - dup240, + dup238, ]); -var all198 = all_match({ +var all194 = all_match({ processors: [ - dup237, - dup386, - part974, + dup235, + dup383, + part970, select211, dup116, ], @@ -13063,27 +11776,24 @@ var all198 = all_match({ ]), }); -var msg582 = msg("00033:12", all198); +var msg582 = msg("00033:12", all194); -var part975 = // "Pattern{Constant('?s policy-domain field has been '), Field(p0,false)}" -match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); +var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); -var part976 = // "Pattern{Constant('unset .'), Field(,false)}" -match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); +var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); -var part977 = // "Pattern{Constant('set to '), Field(domain,false), Constant('.')}" -match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); +var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); var select212 = linear_select([ - part976, - part977, + part972, + part973, ]); -var all199 = all_match({ +var all195 = all_match({ processors: [ - dup237, - dup386, - part975, + dup235, + dup383, + part971, select212, ], on_success: processor_chain([ @@ -13095,16 +11805,15 @@ var all199 = all_match({ ]), }); -var msg583 = msg("00033:13", all199); +var msg583 = msg("00033:13", all195); -var part978 = // "Pattern{Constant('?s CA certificate field has been set to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); +var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); -var all200 = all_match({ +var all196 = all_match({ processors: [ - dup237, - dup386, - part978, + dup235, + dup383, + part974, ], on_success: processor_chain([ dup1, @@ -13115,16 +11824,15 @@ var all200 = all_match({ ]), }); -var msg584 = msg("00033:14", all200); +var msg584 = msg("00033:14", all196); -var part979 = // "Pattern{Constant('?s Cert-Subject field has been set to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); +var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); -var all201 = all_match({ +var all197 = all_match({ processors: [ - dup237, - dup386, - part979, + dup235, + dup383, + part975, ], on_success: processor_chain([ dup1, @@ -13135,16 +11843,15 @@ var all201 = all_match({ ]), }); -var msg585 = msg("00033:15", all201); +var msg585 = msg("00033:15", all197); -var part980 = // "Pattern{Constant('?s outgoing-interface field has been set to '), Field(interface,false), Constant('.')}" -match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); +var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); -var all202 = all_match({ +var all198 = all_match({ processors: [ - dup237, - dup386, - part980, + dup235, + dup383, + part976, ], on_success: processor_chain([ dup1, @@ -13155,27 +11862,24 @@ var all202 = all_match({ ]), }); -var msg586 = msg("00033:16", all202); +var msg586 = msg("00033:16", all198); -var part981 = // "Pattern{Constant('?s port field has been '), Field(p0,false)}" -match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); +var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); -var part982 = // "Pattern{Constant('set to '), Field(network_port,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); +var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); -var part983 = // "Pattern{Constant('reset to the default value '), Field(p0,false)}" -match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); +var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); var select213 = linear_select([ - part982, - part983, + part978, + part979, ]); -var all203 = all_match({ +var all199 = all_match({ processors: [ - dup237, - dup386, - part981, + dup235, + dup383, + part977, select213, dup116, ], @@ -13188,21 +11892,19 @@ var all203 = all_match({ ]), }); -var msg587 = msg("00033:17", all203); +var msg587 = msg("00033:17", all199); -var part984 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(p0,false)}" -match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); +var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); -var part985 = // "Pattern{Field(fld99,false), Constant('arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' time.')}" -match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); +var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); -var all204 = all_match({ +var all200 = all_match({ processors: [ - part984, - dup341, + part980, + dup339, dup70, - dup342, - part985, + dup340, + part981, ], on_success: processor_chain([ dup27, @@ -13215,10 +11917,9 @@ var all204 = all_match({ ]), }); -var msg588 = msg("00033:19", all204); +var msg588 = msg("00033:19", all200); -var part986 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' time.')}" -match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ +var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ dup27, dup2, dup4, @@ -13228,12 +11929,12 @@ match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} t dup60, ])); -var msg589 = msg("00033:20", part986); +var msg589 = msg("00033:20", part982); -var all205 = all_match({ +var all201 = all_match({ processors: [ - dup241, - dup345, + dup239, + dup343, dup83, ], on_success: processor_chain([ @@ -13248,15 +11949,14 @@ var all205 = all_match({ ]), }); -var msg590 = msg("00033:21", all205); +var msg590 = msg("00033:21", all201); -var part987 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); -var all206 = all_match({ +var all202 = all_match({ processors: [ - part987, - dup345, + part983, + dup343, dup83, ], on_success: processor_chain([ @@ -13271,10 +11971,9 @@ var all206 = all_match({ ]), }); -var msg591 = msg("00033:22", all206); +var msg591 = msg("00033:22", all202); -var part988 = // "Pattern{Constant('NSM primary server with name '), Field(hostname,true), Constant(' was set: addr '), Field(hostip,false), Constant(', port '), Field(network_port,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ +var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -13283,10 +11982,9 @@ match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name dup5, ])); -var msg592 = msg("00033:23", part988); +var msg592 = msg("00033:23", part984); -var part989 = // "Pattern{Constant('session threshold From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(info,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ +var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ setc("eventcategory","1001030500"), dup2, dup3, @@ -13295,7 +11993,7 @@ match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{sadd dup5, ])); -var msg593 = msg("00033:24", part989); +var msg593 = msg("00033:24", part985); var select214 = linear_select([ msg569, @@ -13325,49 +12023,44 @@ var select214 = linear_select([ msg593, ]); -var part990 = // "Pattern{Constant('SCS: Failed '), Field(p0,false)}" -match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); +var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); -var part991 = // "Pattern{Constant('Failed '), Field(p0,false)}" -match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); +var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); var select215 = linear_select([ - part990, - part991, + part986, + part987, ]); -var part992 = // "Pattern{Constant('bind '), Field(p0,false)}" -match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); +var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); -var part993 = // "Pattern{Constant('retrieve '), Field(p0,false)}" -match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); +var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); var select216 = linear_select([ - part992, - dup203, - part993, + part988, + dup201, + part989, ]); var select217 = linear_select([ - dup198, + dup196, dup103, - dup165, + dup163, ]); -var part994 = // "Pattern{Constant('SSH user '), Field(username,false), Constant('. (Key ID='), Field(fld2,false), Constant(')')}" -match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. (Key ID=%{fld2})"); +var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. (Key ID=%{fld2})"); -var all207 = all_match({ +var all203 = all_match({ processors: [ select215, dup103, select216, - dup204, + dup202, select217, - part994, + part990, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13375,42 +12068,37 @@ var all207 = all_match({ ]), }); -var msg594 = msg("00034", all207); +var msg594 = msg("00034", all203); -var part995 = // "Pattern{Constant('SCS: Incompatible '), Field(p0,false)}" -match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); +var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); -var part996 = // "Pattern{Constant('Incompatible '), Field(p0,false)}" -match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); +var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); var select218 = linear_select([ - part995, - part996, + part991, + part992, ]); -var part997 = // "Pattern{Constant('SSH version '), Field(version,true), Constant(' has been received from '), Field(p0,false)}" -match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); +var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); -var part998 = // "Pattern{Constant('the SSH '), Field(p0,false)}" -match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); +var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); var select219 = linear_select([ - part998, - dup243, + part994, + dup241, ]); -var part999 = // "Pattern{Constant('client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); +var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); -var all208 = all_match({ +var all204 = all_match({ processors: [ select218, - part997, + part993, select219, - part999, + part995, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13418,29 +12106,27 @@ var all208 = all_match({ ]), }); -var msg595 = msg("00034:01", all208); +var msg595 = msg("00034:01", all204); -var part1000 = // "Pattern{Constant('Maximum number of SCS sessions '), Field(fld2,true), Constant(' has been reached. Connection request from SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ - dup242, +var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg596 = msg("00034:02", part1000); +var msg596 = msg("00034:02", part996); -var part1001 = // "Pattern{Constant('device failed to authenticate the SSH client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); +var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); -var all209 = all_match({ +var all205 = all_match({ processors: [ - dup387, - part1001, + dup384, + part997, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13448,56 +12134,50 @@ var all209 = all_match({ ]), }); -var msg597 = msg("00034:03", all209); +var msg597 = msg("00034:03", all205); -var part1002 = // "Pattern{Constant('SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. (Key ID='), Field(fld2,false), Constant(')')}" -match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. (Key ID=%{fld2})", processor_chain([ - dup242, +var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. (Key ID=%{fld2})", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg598 = msg("00034:04", part1002); +var msg598 = msg("00034:04", part998); -var part1003 = // "Pattern{Constant('NetScreen device failed to generate a PKA RSA challenge for SSH user '), Field(username,false), Constant('. (Key ID='), Field(fld2,false), Constant(')')}" -match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ - dup242, +var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg599 = msg("00034:05", part1003); +var msg599 = msg("00034:05", part999); -var part1004 = // "Pattern{Constant('device failed to '), Field(p0,false)}" -match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); +var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); -var part1005 = // "Pattern{Constant('identify itself '), Field(p0,false)}" -match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); +var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); -var part1006 = // "Pattern{Constant('send the identification string '), Field(p0,false)}" -match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); +var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); var select220 = linear_select([ - part1005, - part1006, + part1001, + part1002, ]); -var part1007 = // "Pattern{Constant('to the SSH client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); +var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); -var all210 = all_match({ +var all206 = all_match({ processors: [ - dup387, - part1004, + dup384, + part1000, select220, - part1007, + part1003, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13505,73 +12185,65 @@ var all210 = all_match({ ]), }); -var msg600 = msg("00034:06", all210); +var msg600 = msg("00034:06", all206); -var part1008 = // "Pattern{Constant('SCS connection has been terminated for admin user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ - dup242, +var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg601 = msg("00034:07", part1008); +var msg601 = msg("00034:07", part1004); -var part1009 = // "Pattern{Constant('SCS: SCS has been '), Field(disposition,true), Constant(' for '), Field(username,true), Constant(' with '), Field(fld2,true), Constant(' existing PKA keys already bound to '), Field(fld3,true), Constant(' SSH users.')}" -match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ - dup242, +var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg602 = msg("00034:08", part1009); +var msg602 = msg("00034:08", part1005); -var part1010 = // "Pattern{Constant('SCS has been '), Field(disposition,true), Constant(' for '), Field(username,true), Constant(' with '), Field(fld2,true), Constant(' PKA keys already bound to '), Field(fld3,true), Constant(' SSH users')}" -match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ - dup242, +var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg603 = msg("00034:09", part1010); +var msg603 = msg("00034:09", part1006); -var part1011 = // "Pattern{Field(,false), Constant('client at '), Field(saddr,true), Constant(' has attempted to make an SCS connection to '), Field(p0,false)}" -match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); +var part1007 = match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); -var part1012 = // "Pattern{Constant(''), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); +var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); -var part1013 = // "Pattern{Constant('with'), Field(p0,false)}" -match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); +var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); -var part1014 = // "Pattern{Constant('at'), Field(p0,false)}" -match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); +var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); var select221 = linear_select([ - part1013, - part1014, + part1009, + part1010, ]); -var part1015 = // "Pattern{Field(,false), Constant('IP '), Field(hostip,true), Constant(' but '), Field(disposition,true), Constant(' because '), Field(result,false)}" -match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); +var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); -var all211 = all_match({ +var all207 = all_match({ processors: [ - dup246, - dup388, - part1011, - dup354, - part1012, + dup244, + dup385, + part1007, + dup352, + part1008, select221, - part1015, + part1011, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13579,24 +12251,22 @@ var all211 = all_match({ ]), }); -var msg604 = msg("00034:10", all211); +var msg604 = msg("00034:10", all207); -var part1016 = // "Pattern{Field(,false), Constant('client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has attempted to make an SCS connection to '), Field(p0,false)}" -match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); +var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); -var part1017 = // "Pattern{Constant('but '), Field(disposition,true), Constant(' because '), Field(result,false)}" -match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); +var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); -var all212 = all_match({ +var all208 = all_match({ processors: [ - dup246, - dup388, - part1016, - dup389, - part1017, + dup244, + dup385, + part1012, + dup386, + part1013, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13604,24 +12274,22 @@ var all212 = all_match({ ]), }); -var msg605 = msg("00034:12", all212); +var msg605 = msg("00034:12", all208); -var part1018 = // "Pattern{Field(,false), Constant('client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' to make an SCS connection to '), Field(p0,false)}" -match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); +var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); -var part1019 = // "Pattern{Constant('because '), Field(result,false)}" -match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); +var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); -var all213 = all_match({ +var all209 = all_match({ processors: [ - dup246, - dup388, - part1018, - dup389, - part1019, + dup244, + dup385, + part1014, + dup386, + part1015, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13629,30 +12297,28 @@ var all213 = all_match({ ]), }); -var msg606 = msg("00034:11", all213); +var msg606 = msg("00034:11", all209); -var part1020 = // "Pattern{Constant('SSH client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' to make an SCS connection because '), Field(result,false)}" -match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ - dup242, +var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg607 = msg("00034:15", part1020); +var msg607 = msg("00034:15", part1016); -var part1021 = // "Pattern{Constant('user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' cannot log in via SCS to '), Field(service,true), Constant(' using the shared '), Field(interface,true), Constant(' interface because '), Field(result,false)}" -match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); +var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); -var all214 = all_match({ +var all210 = all_match({ processors: [ - dup246, - dup390, - part1021, + dup244, + dup387, + part1017, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13660,19 +12326,18 @@ var all214 = all_match({ ]), }); -var msg608 = msg("00034:18", all214); +var msg608 = msg("00034:18", all210); -var part1022 = // "Pattern{Constant('user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' the PKA RSA challenge')}" -match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); +var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); -var all215 = all_match({ +var all211 = all_match({ processors: [ - dup246, - dup390, - part1022, + dup244, + dup387, + part1018, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13680,49 +12345,43 @@ var all215 = all_match({ ]), }); -var msg609 = msg("00034:20", all215); +var msg609 = msg("00034:20", all211); -var part1023 = // "Pattern{Constant('user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has requested '), Field(p0,false)}" -match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); +var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); -var part1024 = // "Pattern{Constant('authentication which is not '), Field(p0,false)}" -match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); +var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); -var part1025 = // "Pattern{Constant('supported '), Field(p0,false)}" -match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); +var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); var select222 = linear_select([ - part1025, + part1021, dup156, ]); -var part1026 = // "Pattern{Constant('for that '), Field(p0,false)}" -match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); +var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); -var part1027 = // "Pattern{Constant('client'), Field(,false)}" -match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); +var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); -var part1028 = // "Pattern{Constant('user'), Field(,false)}" -match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); +var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); var select223 = linear_select([ - part1027, - part1028, + part1023, + part1024, ]); -var all216 = all_match({ +var all212 = all_match({ processors: [ - dup246, - dup390, - part1023, - dup375, - part1024, + dup244, + dup387, + part1019, + dup372, + part1020, select222, - part1026, + part1022, select223, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13730,41 +12389,37 @@ var all216 = all_match({ ]), }); -var msg610 = msg("00034:21", all216); +var msg610 = msg("00034:21", all212); -var part1029 = // "Pattern{Constant('SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has unsuccessfully attempted to log in via SCS to vsys '), Field(fld2,true), Constant(' using the shared untrusted interface')}" -match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to vsys %{fld2->} using the shared untrusted interface", processor_chain([ - dup242, +var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to vsys %{fld2->} using the shared untrusted interface", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg611 = msg("00034:22", part1029); +var msg611 = msg("00034:22", part1025); -var part1030 = // "Pattern{Constant('SCS: Unable '), Field(p0,false)}" -match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); +var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); -var part1031 = // "Pattern{Constant('Unable '), Field(p0,false)}" -match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); +var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); var select224 = linear_select([ - part1030, - part1031, + part1026, + part1027, ]); -var part1032 = // "Pattern{Constant('to validate cookie from the SSH client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); +var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); -var all217 = all_match({ +var all213 = all_match({ processors: [ - dup162, + dup160, select224, - part1032, + part1028, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13772,32 +12427,29 @@ var all217 = all_match({ ]), }); -var msg612 = msg("00034:23", all217); +var msg612 = msg("00034:23", all213); -var part1033 = // "Pattern{Constant('AC '), Field(username,true), Constant(' is advertising URL '), Field(fld2,false)}" -match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ - dup242, +var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg613 = msg("00034:24", part1033); +var msg613 = msg("00034:24", part1029); -var part1034 = // "Pattern{Constant('Message from AC '), Field(username,false), Constant(': '), Field(fld2,false)}" -match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ - dup242, +var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg614 = msg("00034:25", part1034); +var msg614 = msg("00034:25", part1030); -var part1035 = // "Pattern{Constant('PPPoE Settings changed'), Field(,false)}" -match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ +var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ dup1, dup2, dup3, @@ -13805,10 +12457,9 @@ match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", p dup5, ])); -var msg615 = msg("00034:26", part1035); +var msg615 = msg("00034:26", part1031); -var part1036 = // "Pattern{Constant('PPPoE is '), Field(disposition,true), Constant(' on '), Field(interface,true), Constant(' interface')}" -match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ +var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ dup1, dup2, dup3, @@ -13816,121 +12467,99 @@ match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on dup5, ])); -var msg616 = msg("00034:27", part1036); - -var part1037 = // "Pattern{Constant('PPPoE'), Field(p0,false)}" -match("MESSAGE#608:00034:28/0", "nwparser.payload", "PPPoE%{p0}"); +var msg616 = msg("00034:27", part1032); -var part1038 = // "Pattern{Constant('s session closed by AC'), Field(,false)}" -match("MESSAGE#608:00034:28/2", "nwparser.p0", "s session closed by AC%{}"); - -var all218 = all_match({ - processors: [ - part1037, - dup363, - part1038, - ], - on_success: processor_chain([ - dup211, - dup2, - dup3, - dup4, - dup5, - ]), -}); +var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, +])); -var msg617 = msg("00034:28", all218); +var msg617 = msg("00034:28", part1033); -var part1039 = // "Pattern{Constant('SCS: Disabled for '), Field(username,false), Constant('. Attempted connection '), Field(disposition,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup242, +var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg618 = msg("00034:29", part1039); +var msg618 = msg("00034:29", part1034); -var part1040 = // "Pattern{Constant('SCS: '), Field(disposition,true), Constant(' to remove PKA key removed.')}" -match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ - dup242, +var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg619 = msg("00034:30", part1040); +var msg619 = msg("00034:30", part1035); -var part1041 = // "Pattern{Constant('SCS: '), Field(disposition,true), Constant(' to retrieve host key')}" -match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ - dup242, +var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg620 = msg("00034:31", part1041); +var msg620 = msg("00034:31", part1036); -var part1042 = // "Pattern{Constant('SCS: '), Field(disposition,true), Constant(' to send identification string to client host at '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('.')}" -match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ - dup242, +var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg621 = msg("00034:32", part1042); +var msg621 = msg("00034:32", part1037); -var part1043 = // "Pattern{Constant('SCS: Max '), Field(fld2,true), Constant(' sessions reached unabel to accept connection : '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ - dup242, +var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg622 = msg("00034:33", part1043); +var msg622 = msg("00034:33", part1038); -var part1044 = // "Pattern{Constant('SCS: Maximum number for SCS sessions '), Field(fld2,true), Constant(' has been reached. Connection request from SSH user at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ - dup242, +var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg623 = msg("00034:34", part1044); +var msg623 = msg("00034:34", part1039); -var part1045 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has unsuccessfully attempted to log in via SCS to '), Field(service,true), Constant(' using the shared untrusted interface because SCS is disabled on that interface.')}" -match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ - dup242, +var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg624 = msg("00034:35", part1045); +var msg624 = msg("00034:35", part1040); -var part1046 = // "Pattern{Constant('SCS: Unsupported cipher type '), Field(fld2,true), Constant(' requested from: '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ - dup242, +var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg625 = msg("00034:36", part1046); +var msg625 = msg("00034:36", part1041); -var part1047 = // "Pattern{Constant('The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed'), Field(,false)}" -match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ +var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ dup1, dup2, dup3, @@ -13938,21 +12567,19 @@ match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol o dup5, ])); -var msg626 = msg("00034:37", part1047); +var msg626 = msg("00034:37", part1042); -var part1048 = // "Pattern{Constant('SSH: '), Field(disposition,true), Constant(' to retreive PKA key bound to SSH user '), Field(username,true), Constant(' (Key ID '), Field(fld2,false), Constant(')')}" -match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ - dup242, +var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg627 = msg("00034:38", part1048); +var msg627 = msg("00034:38", part1043); -var part1049 = // "Pattern{Constant('SSH: Error processing packet from host '), Field(saddr,true), Constant(' (Code '), Field(fld2,false), Constant(')')}" -match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ +var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ dup19, dup2, dup3, @@ -13960,10 +12587,9 @@ match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet dup5, ])); -var msg628 = msg("00034:39", part1049); +var msg628 = msg("00034:39", part1044); -var part1050 = // "Pattern{Constant('SSH: Device failed to send initialization string to client at '), Field(saddr,false)}" -match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ +var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ dup19, dup2, dup3, @@ -13971,22 +12597,20 @@ match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send in dup5, ])); -var msg629 = msg("00034:40", part1050); +var msg629 = msg("00034:40", part1045); -var part1051 = // "Pattern{Constant('SCP: Admin user ''), Field(administrator,false), Constant('' attempted to transfer file '), Field(p0,false)}" -match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file %{p0}"); +var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file %{p0}"); -var part1052 = // "Pattern{Constant('the device with insufficient privilege.'), Field(,false)}" -match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); +var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); -var all219 = all_match({ +var all214 = all_match({ processors: [ - part1051, - dup376, - part1052, + part1046, + dup373, + part1047, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13994,21 +12618,19 @@ var all219 = all_match({ ]), }); -var msg630 = msg("00034:41", all219); +var msg630 = msg("00034:41", all214); -var part1053 = // "Pattern{Constant('SSH: Maximum number of SSH sessions ('), Field(fld2,false), Constant(') exceeded. Connection request from SSH user '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' denied.')}" -match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ - dup242, +var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg631 = msg("00034:42", part1053); +var msg631 = msg("00034:42", part1048); -var part1054 = // "Pattern{Constant('Ethernet driver ran out of rx bd (port '), Field(network_port,false), Constant(')')}" -match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ +var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ dup19, dup2, dup3, @@ -14016,10 +12638,9 @@ match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx dup5, ])); -var msg632 = msg("00034:43", part1054); +var msg632 = msg("00034:43", part1049); -var part1055 = // "Pattern{Constant('Potential replay attack detected on SSH connection initiated from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ +var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -14027,7 +12648,7 @@ match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack dete dup9, ])); -var msg633 = msg("00034:44", part1055); +var msg633 = msg("00034:44", part1050); var select225 = linear_select([ msg594, @@ -14072,8 +12693,7 @@ var select225 = linear_select([ msg633, ]); -var part1056 = // "Pattern{Constant('PKI Verify Error: '), Field(resultcode,false), Constant(':'), Field(result,false)}" -match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ +var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ dup117, dup2, dup3, @@ -14081,10 +12701,9 @@ match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}: dup5, ])); -var msg634 = msg("00035", part1056); +var msg634 = msg("00035", part1051); -var part1057 = // "Pattern{Constant('SSL - Error MessageID in incoming mail - '), Field(fld2,false)}" -match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ +var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ dup117, dup2, dup3, @@ -14092,10 +12711,9 @@ match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in inco dup5, ])); -var msg635 = msg("00035:01", part1057); +var msg635 = msg("00035:01", part1052); -var part1058 = // "Pattern{Constant('SSL - cipher type '), Field(fld2,true), Constant(' is not allowed in export or firewall only system')}" -match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ +var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ dup117, dup2, dup3, @@ -14103,10 +12721,9 @@ match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} i dup5, ])); -var msg636 = msg("00035:02", part1058); +var msg636 = msg("00035:02", part1053); -var part1059 = // "Pattern{Constant('SSL CA changed'), Field(,false)}" -match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ +var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ dup1, dup2, dup3, @@ -14114,34 +12731,29 @@ match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor dup5, ])); -var msg637 = msg("00035:03", part1059); +var msg637 = msg("00035:03", part1054); -var part1060 = // "Pattern{Constant('SSL Error when retrieve local c'), Field(p0,false)}" -match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); +var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); -var part1061 = // "Pattern{Constant('a(verify) '), Field(p0,false)}" -match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); +var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); -var part1062 = // "Pattern{Constant('ert(verify) '), Field(p0,false)}" -match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); +var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); -var part1063 = // "Pattern{Constant('ert(all) '), Field(p0,false)}" -match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); +var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); var select226 = linear_select([ - part1061, - part1062, - part1063, + part1056, + part1057, + part1058, ]); -var part1064 = // "Pattern{Constant(': '), Field(fld2,false)}" -match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); +var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); -var all220 = all_match({ +var all215 = all_match({ processors: [ - part1060, + part1055, select226, - part1064, + part1059, ], on_success: processor_chain([ dup117, @@ -14152,10 +12764,9 @@ var all220 = all_match({ ]), }); -var msg638 = msg("00035:04", all220); +var msg638 = msg("00035:04", all215); -var part1065 = // "Pattern{Constant('SSL No ssl context. Not ready for connections.'), Field(,false)}" -match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready for connections.%{}", processor_chain([ +var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready for connections.%{}", processor_chain([ dup117, dup2, dup3, @@ -14163,19 +12774,17 @@ match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready dup5, ])); -var msg639 = msg("00035:05", part1065); +var msg639 = msg("00035:05", part1060); -var part1066 = // "Pattern{Constant('SSL c'), Field(p0,false)}" -match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); +var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); -var part1067 = // "Pattern{Constant('changed to none'), Field(,false)}" -match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); +var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); -var all221 = all_match({ +var all216 = all_match({ processors: [ - part1066, - dup391, - part1067, + part1061, + dup388, + part1062, ], on_success: processor_chain([ dup1, @@ -14186,10 +12795,9 @@ var all221 = all_match({ ]), }); -var msg640 = msg("00035:06", all221); +var msg640 = msg("00035:06", all216); -var part1068 = // "Pattern{Constant('SSL cert subject mismatch: '), Field(fld2,true), Constant(' recieved '), Field(fld3,true), Constant(' is expected')}" -match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ +var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ dup19, dup2, dup3, @@ -14197,10 +12805,9 @@ match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{ dup5, ])); -var msg641 = msg("00035:07", part1068); +var msg641 = msg("00035:07", part1063); -var part1069 = // "Pattern{Constant('SSL certificate changed'), Field(,false)}" -match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ +var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ dup1, dup2, dup3, @@ -14208,19 +12815,18 @@ match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", dup5, ])); -var msg642 = msg("00035:08", part1069); +var msg642 = msg("00035:08", part1064); -var part1070 = // "Pattern{Constant('enabled'), Field(,false)}" -match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); +var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); var select227 = linear_select([ - part1070, + part1065, dup92, ]); -var all222 = all_match({ +var all217 = all_match({ processors: [ - dup255, + dup253, select227, ], on_success: processor_chain([ @@ -14232,29 +12838,26 @@ var all222 = all_match({ ]), }); -var msg643 = msg("00035:09", all222); +var msg643 = msg("00035:09", all217); -var part1071 = // "Pattern{Constant('SSL memory allocation fails in process_c'), Field(p0,false)}" -match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); +var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); -var part1072 = // "Pattern{Constant('a()'), Field(,false)}" -match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); +var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); -var part1073 = // "Pattern{Constant('ert()'), Field(,false)}" -match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); +var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); var select228 = linear_select([ - part1072, - part1073, + part1067, + part1068, ]); -var all223 = all_match({ +var all218 = all_match({ processors: [ - part1071, + part1066, select228, ], on_success: processor_chain([ - dup186, + dup184, dup2, dup3, dup4, @@ -14262,25 +12865,22 @@ var all223 = all_match({ ]), }); -var msg644 = msg("00035:10", all223); +var msg644 = msg("00035:10", all218); -var part1074 = // "Pattern{Constant('SSL no ssl c'), Field(p0,false)}" -match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); +var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); -var part1075 = // "Pattern{Constant('a'), Field(,false)}" -match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); +var part1070 = match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); -var part1076 = // "Pattern{Constant('ert'), Field(,false)}" -match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); +var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); var select229 = linear_select([ - part1075, - part1076, + part1070, + part1071, ]); -var all224 = all_match({ +var all219 = all_match({ processors: [ - part1074, + part1069, select229, ], on_success: processor_chain([ @@ -14292,19 +12892,17 @@ var all224 = all_match({ ]), }); -var msg645 = msg("00035:11", all224); +var msg645 = msg("00035:11", all219); -var part1077 = // "Pattern{Constant('SSL set c'), Field(p0,false)}" -match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); +var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); -var part1078 = // "Pattern{Constant('id is invalid '), Field(fld2,false)}" -match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); +var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); -var all225 = all_match({ +var all220 = all_match({ processors: [ - part1077, - dup391, - part1078, + part1072, + dup388, + part1073, ], on_success: processor_chain([ dup19, @@ -14315,24 +12913,22 @@ var all225 = all_match({ ]), }); -var msg646 = msg("00035:12", all225); +var msg646 = msg("00035:12", all220); -var part1079 = // "Pattern{Constant('verify '), Field(p0,false)}" -match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); +var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); var select230 = linear_select([ dup101, - part1079, + part1074, ]); -var part1080 = // "Pattern{Constant('cert failed. Key type is not RSA'), Field(,false)}" -match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. Key type is not RSA%{}"); +var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. Key type is not RSA%{}"); -var all226 = all_match({ +var all221 = all_match({ processors: [ - dup255, + dup253, select230, - part1080, + part1075, ], on_success: processor_chain([ dup19, @@ -14343,10 +12939,9 @@ var all226 = all_match({ ]), }); -var msg647 = msg("00035:13", all226); +var msg647 = msg("00035:13", all221); -var part1081 = // "Pattern{Constant('SSL ssl context init failed'), Field(,false)}" -match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ +var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ dup19, dup2, dup3, @@ -14354,29 +12949,26 @@ match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{ dup5, ])); -var msg648 = msg("00035:14", part1081); +var msg648 = msg("00035:14", part1076); -var part1082 = // "Pattern{Field(change_attribute,true), Constant(' has been changed '), Field(p0,false)}" -match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); +var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); -var part1083 = // "Pattern{Constant('from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); +var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); -var part1084 = // "Pattern{Constant('to '), Field(fld2,false)}" -match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); +var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); var select231 = linear_select([ - part1083, - part1084, + part1078, + part1079, ]); -var all227 = all_match({ +var all222 = all_match({ processors: [ - part1082, + part1077, select231, ], on_success: processor_chain([ - dup186, + dup184, dup2, dup3, dup4, @@ -14384,10 +12976,9 @@ var all227 = all_match({ ]), }); -var msg649 = msg("00035:15", all227); +var msg649 = msg("00035:15", all222); -var part1085 = // "Pattern{Constant('web SSL certificate changed to by '), Field(username,true), Constant(' via web from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' '), Field(fld5,false)}" -match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ +var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ dup1, dup2, dup3, @@ -14395,7 +12986,7 @@ match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed t dup5, ])); -var msg650 = msg("00035:16", part1085); +var msg650 = msg("00035:16", part1080); var select232 = linear_select([ msg634, @@ -14417,39 +13008,35 @@ var select232 = linear_select([ msg650, ]); -var part1086 = // "Pattern{Constant('An optional ScreenOS feature has been activated via a software key'), Field(,false)}" -match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ - dup211, +var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg651 = msg("00036", part1086); +var msg651 = msg("00036", part1081); -var part1087 = // "Pattern{Field(fld2,true), Constant(' license keys were updated successfully by '), Field(p0,false)}" -match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); +var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); -var part1088 = // "Pattern{Constant('manual '), Field(p0,false)}" -match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); +var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); var select233 = linear_select([ - dup216, - part1088, + dup214, + part1083, ]); -var part1089 = // "Pattern{Constant('retrieval'), Field(,false)}" -match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); +var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); -var all228 = all_match({ +var all223 = all_match({ processors: [ - part1087, + part1082, select233, - part1089, + part1084, ], on_success: processor_chain([ - dup256, + dup254, dup2, dup3, dup4, @@ -14457,30 +13044,27 @@ var all228 = all_match({ ]), }); -var msg652 = msg("00036:01", all228); +var msg652 = msg("00036:01", all223); var select234 = linear_select([ msg651, msg652, ]); -var part1090 = // "Pattern{Constant('Intra-zone block for zone '), Field(zone,true), Constant(' was set to o'), Field(p0,false)}" -match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); +var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); -var part1091 = // "Pattern{Constant('n'), Field(,false)}" -match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); +var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); -var part1092 = // "Pattern{Constant('ff'), Field(,false)}" -match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); +var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); var select235 = linear_select([ - part1091, - part1092, + part1086, + part1087, ]); -var all229 = all_match({ +var all224 = all_match({ processors: [ - part1090, + part1085, select235, ], on_success: processor_chain([ @@ -14492,25 +13076,23 @@ var all229 = all_match({ ]), }); -var msg653 = msg("00037", all229); +var msg653 = msg("00037", all224); -var part1093 = // "Pattern{Constant('New zone '), Field(zone,true), Constant(' ( '), Field(p0,false)}" -match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); +var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); var select236 = linear_select([ - dup257, - dup258, + dup255, + dup256, ]); -var part1094 = // "Pattern{Constant(''), Field(fld2,false), Constant(') was created.'), Field(p0,false)}" -match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); +var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); -var all230 = all_match({ +var all225 = all_match({ processors: [ - part1093, + part1088, select236, - part1094, - dup353, + part1089, + dup351, ], on_success: processor_chain([ dup1, @@ -14522,10 +13104,9 @@ var all230 = all_match({ ]), }); -var msg654 = msg("00037:01", all230); +var msg654 = msg("00037:01", all225); -var part1095 = // "Pattern{Constant('Tunnel zone '), Field(src_zone,true), Constant(' was bound to out zone '), Field(dst_zone,false), Constant('.')}" -match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ +var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ dup1, dup2, dup3, @@ -14533,39 +13114,34 @@ match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was dup5, ])); -var msg655 = msg("00037:02", part1095); +var msg655 = msg("00037:02", part1090); -var part1096 = // "Pattern{Constant('was was '), Field(p0,false)}" -match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); +var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); -var part1097 = // "Pattern{Field(zone,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); +var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); var select237 = linear_select([ - part1096, - part1097, + part1091, + part1092, ]); -var part1098 = // "Pattern{Constant('virtual router '), Field(p0,false)}" -match("MESSAGE#646:00037:03/3", "nwparser.p0", "virtual router %{p0}"); +var part1093 = match("MESSAGE#646:00037:03/3", "nwparser.p0", "virtual router %{p0}"); -var part1099 = // "Pattern{Field(node,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); +var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); -var part1100 = // "Pattern{Field(node,false), Constant('.')}" -match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); +var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); var select238 = linear_select([ - part1099, - part1100, + part1094, + part1095, ]); -var all231 = all_match({ +var all226 = all_match({ processors: [ dup113, select237, - dup374, - part1098, + dup371, + part1093, select238, ], on_success: processor_chain([ @@ -14578,10 +13154,9 @@ var all231 = all_match({ ]), }); -var msg656 = msg("00037:03", all231); +var msg656 = msg("00037:03", all226); -var part1101 = // "Pattern{Constant('Zone '), Field(zone,true), Constant(' was changed to non-shared.')}" -match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ +var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ dup1, dup2, dup3, @@ -14589,32 +13164,29 @@ match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to dup5, ])); -var msg657 = msg("00037:04", part1101); +var msg657 = msg("00037:04", part1096); -var part1102 = // "Pattern{Constant('Zone '), Field(zone,true), Constant(' ( '), Field(p0,false)}" -match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); +var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); var select239 = linear_select([ - dup258, - dup257, + dup256, + dup255, ]); -var part1103 = // "Pattern{Constant(''), Field(fld2,false), Constant(') was deleted. '), Field(p0,false)}" -match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); +var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); -var part1104 = // "Pattern{Field(space,false)}" -match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); +var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); var select240 = linear_select([ dup10, - part1104, + part1099, ]); -var all232 = all_match({ +var all227 = all_match({ processors: [ - part1102, + part1097, select239, - part1103, + part1098, select240, ], on_success: processor_chain([ @@ -14627,10 +13199,9 @@ var all232 = all_match({ ]), }); -var msg658 = msg("00037:05", all232); +var msg658 = msg("00037:05", all227); -var part1105 = // "Pattern{Constant('IP/TCP reassembly for ALG was '), Field(disposition,true), Constant(' on zone '), Field(zone,false), Constant('.')}" -match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ +var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ dup1, dup2, dup3, @@ -14638,7 +13209,7 @@ match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was dup5, ])); -var msg659 = msg("00037:06", part1105); +var msg659 = msg("00037:06", part1100); var select241 = linear_select([ msg653, @@ -14650,23 +13221,20 @@ var select241 = linear_select([ msg659, ]); -var part1106 = // "Pattern{Constant('OSPF routing instance in vrouter '), Field(p0,false)}" -match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); +var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); -var part1107 = // "Pattern{Field(node,true), Constant(' is '), Field(p0,false)}" -match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); +var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); -var part1108 = // "Pattern{Field(node,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#650:00038/1_1", "nwparser.p0", "%{node->} %{p0}"); +var part1103 = match("MESSAGE#650:00038/1_1", "nwparser.p0", "%{node->} %{p0}"); var select242 = linear_select([ - part1107, - part1108, + part1102, + part1103, ]); -var all233 = all_match({ +var all228 = all_match({ processors: [ - part1106, + part1101, select242, dup36, ], @@ -14679,10 +13247,9 @@ var all233 = all_match({ ]), }); -var msg660 = msg("00038", all233); +var msg660 = msg("00038", all228); -var part1109 = // "Pattern{Constant('BGP instance name created for vr '), Field(node,false)}" -match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ +var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ dup1, dup2, dup3, @@ -14690,26 +13257,23 @@ match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr dup5, ])); -var msg661 = msg("00039", part1109); +var msg661 = msg("00039", part1104); -var part1110 = // "Pattern{Constant('Low watermark'), Field(p0,false)}" -match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); +var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); -var part1111 = // "Pattern{Constant('High watermark'), Field(p0,false)}" -match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); +var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); var select243 = linear_select([ - part1110, - part1111, + part1105, + part1106, ]); -var part1112 = // "Pattern{Field(,false), Constant('for early aging has been changed to the default '), Field(fld2,false)}" -match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); +var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); -var all234 = all_match({ +var all229 = all_match({ processors: [ select243, - part1112, + part1107, ], on_success: processor_chain([ dup1, @@ -14720,10 +13284,9 @@ var all234 = all_match({ ]), }); -var msg662 = msg("00040", all234); +var msg662 = msg("00040", all229); -var part1113 = // "Pattern{Constant('VPN ''), Field(group,false), Constant('' from '), Field(daddr,true), Constant(' is '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ +var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -14732,15 +13295,14 @@ match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr-> dup5, ])); -var msg663 = msg("00040:01", part1113); +var msg663 = msg("00040:01", part1108); var select244 = linear_select([ msg662, msg663, ]); -var part1114 = // "Pattern{Constant('A route-map name in virtual router '), Field(node,true), Constant(' has been removed')}" -match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ +var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ dup1, dup2, dup3, @@ -14748,10 +13310,9 @@ match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual rout dup5, ])); -var msg664 = msg("00041", part1114); +var msg664 = msg("00041", part1109); -var part1115 = // "Pattern{Constant('VPN ''), Field(group,false), Constant('' from '), Field(daddr,true), Constant(' is '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ +var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -14760,15 +13321,14 @@ match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr-> dup5, ])); -var msg665 = msg("00041:01", part1115); +var msg665 = msg("00041:01", part1110); var select245 = linear_select([ msg664, msg665, ]); -var part1116 = // "Pattern{Constant('Replay packet detected on IPSec tunnel on '), Field(interface,true), Constant(' with tunnel ID '), Field(fld2,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,false), Constant(', '), Field(info,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ +var part1111 = match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -14777,10 +13337,9 @@ match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec dup5, ])); -var msg666 = msg("00042", part1116); +var msg666 = msg("00042", part1111); -var part1117 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -14791,15 +13350,14 @@ match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} dup60, ])); -var msg667 = msg("00042:01", part1117); +var msg667 = msg("00042:01", part1112); var select246 = linear_select([ msg666, msg667, ]); -var part1118 = // "Pattern{Constant('Receive StopCCN_msg, remove l2tp tunnel ('), Field(fld2,false), Constant('-'), Field(fld3,false), Constant('), Result code '), Field(resultcode,true), Constant(' ('), Field(result,false), Constant('). ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ +var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -14808,27 +13366,24 @@ match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp dup5, ])); -var msg668 = msg("00043", part1118); +var msg668 = msg("00043", part1113); -var part1119 = // "Pattern{Constant('access list '), Field(listnum,true), Constant(' sequence number '), Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); +var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); -var part1120 = // "Pattern{Constant('deny '), Field(p0,false)}" -match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); +var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); var select247 = linear_select([ - dup259, - part1120, + dup257, + part1115, ]); -var part1121 = // "Pattern{Constant('ip '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' '), Field(disposition,true), Constant(' in vrouter '), Field(node,false)}" -match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); +var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); -var all235 = all_match({ +var all230 = all_match({ processors: [ - part1119, + part1114, select247, - part1121, + part1116, ], on_success: processor_chain([ dup1, @@ -14839,10 +13394,9 @@ var all235 = all_match({ ]), }); -var msg669 = msg("00044", all235); +var msg669 = msg("00044", all230); -var part1122 = // "Pattern{Constant('access list '), Field(listnum,true), Constant(' '), Field(disposition,true), Constant(' in vrouter '), Field(node,false), Constant('.')}" -match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ +var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ dup1, dup2, dup3, @@ -14850,15 +13404,14 @@ match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{di dup5, ])); -var msg670 = msg("00044:01", part1122); +var msg670 = msg("00044:01", part1117); var select248 = linear_select([ msg669, msg670, ]); -var part1123 = // "Pattern{Constant('RIP instance in virtual router '), Field(node,true), Constant(' was '), Field(disposition,false), Constant('.')}" -match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ +var part1118 = match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -14866,27 +13419,24 @@ match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router % dup5, ])); -var msg671 = msg("00045", part1123); +var msg671 = msg("00045", part1118); -var part1124 = // "Pattern{Constant('remove '), Field(p0,false)}" -match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); +var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); -var part1125 = // "Pattern{Constant('add '), Field(p0,false)}" -match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); +var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); var select249 = linear_select([ - part1124, - part1125, + part1119, + part1120, ]); -var part1126 = // "Pattern{Constant('multicast policy from '), Field(src_zone,true), Constant(' '), Field(fld4,true), Constant(' to '), Field(dst_zone,true), Constant(' '), Field(fld3,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); +var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); -var all236 = all_match({ +var all231 = all_match({ processors: [ - dup185, + dup183, select249, - part1126, + part1121, ], on_success: processor_chain([ dup1, @@ -14898,79 +13448,68 @@ var all236 = all_match({ ]), }); -var msg672 = msg("00047", all236); +var msg672 = msg("00047", all231); -var part1127 = // "Pattern{Constant('Access list entry '), Field(listnum,true), Constant(' with '), Field(p0,false)}" -match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); +var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); -var part1128 = // "Pattern{Constant('a sequence '), Field(p0,false)}" -match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); +var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); -var part1129 = // "Pattern{Constant('sequence '), Field(p0,false)}" -match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); +var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); var select250 = linear_select([ - part1128, - part1129, + part1123, + part1124, ]); -var part1130 = // "Pattern{Constant('number '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); +var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); -var part1131 = // "Pattern{Constant('with an action of '), Field(p0,false)}" -match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); +var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); var select251 = linear_select([ - part1131, + part1126, dup112, ]); -var part1132 = // "Pattern{Constant('with an IP '), Field(p0,false)}" -match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); +var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); var select252 = linear_select([ - part1132, + part1127, dup139, ]); -var part1133 = // "Pattern{Constant('address '), Field(p0,false)}" -match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); +var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); -var part1134 = // "Pattern{Constant('and subnetwork mask of '), Field(p0,false)}" -match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); +var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); var select253 = linear_select([ - part1134, + part1129, dup16, ]); -var part1135 = // "Pattern{Field(,true), Constant(' '), Field(fld3,false), Constant('was '), Field(p0,false)}" -match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); +var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); -var part1136 = // "Pattern{Constant('created on '), Field(p0,false)}" -match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); +var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); var select254 = linear_select([ - part1136, + part1131, dup129, ]); -var part1137 = // "Pattern{Constant('virtual router '), Field(node,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); +var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); -var all237 = all_match({ +var all232 = all_match({ processors: [ - part1127, + part1122, select250, - part1130, + part1125, select251, - dup259, + dup257, select252, - part1133, + part1128, select253, - part1135, + part1130, select254, - part1137, + part1132, ], on_success: processor_chain([ setc("eventcategory","1501000000"), @@ -14982,43 +13521,37 @@ var all237 = all_match({ ]), }); -var msg673 = msg("00048", all237); +var msg673 = msg("00048", all232); -var part1138 = // "Pattern{Constant('Route '), Field(p0,false)}" -match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); +var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); -var part1139 = // "Pattern{Constant('map entry '), Field(p0,false)}" -match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); +var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); -var part1140 = // "Pattern{Constant('entry '), Field(p0,false)}" -match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); +var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); var select255 = linear_select([ - part1139, - part1140, + part1134, + part1135, ]); -var part1141 = // "Pattern{Constant('with sequence number '), Field(fld2,true), Constant(' in route map binck-ospf'), Field(p0,false)}" -match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); +var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); -var part1142 = // "Pattern{Constant(' in '), Field(p0,false)}" -match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); +var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); var select256 = linear_select([ - part1142, + part1137, dup105, ]); -var part1143 = // "Pattern{Constant('virtual router '), Field(node,true), Constant(' was '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); +var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); -var all238 = all_match({ +var all233 = all_match({ processors: [ - part1138, + part1133, select255, - part1141, + part1136, select256, - part1143, + part1138, ], on_success: processor_chain([ dup1, @@ -15030,11 +13563,10 @@ var all238 = all_match({ ]), }); -var msg674 = msg("00048:01", all238); +var msg674 = msg("00048:01", all233); -var part1144 = // "Pattern{Field(space,false), Constant('set match interface '), Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ - dup211, +var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ + dup209, dup2, dup3, dup9, @@ -15042,7 +13574,7 @@ match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface % dup5, ])); -var msg675 = msg("00048:02", part1144); +var msg675 = msg("00048:02", part1139); var select257 = linear_select([ msg673, @@ -15050,8 +13582,7 @@ var select257 = linear_select([ msg675, ]); -var part1145 = // "Pattern{Constant('Route-lookup preference changed to '), Field(fld8,true), Constant(' ('), Field(fld2,false), Constant(') => '), Field(fld3,true), Constant(' ('), Field(fld4,false), Constant(') => '), Field(fld5,true), Constant(' ('), Field(fld6,false), Constant(') in virtual router ('), Field(node,false), Constant(')')}" -match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ +var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ dup1, dup2, dup3, @@ -15059,10 +13590,9 @@ match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed dup5, ])); -var msg676 = msg("00049", part1145); +var msg676 = msg("00049", part1140); -var part1146 = // "Pattern{Constant('SIBR routing '), Field(disposition,true), Constant(' in virtual router '), Field(node,false)}" -match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ +var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ dup1, dup2, dup3, @@ -15070,10 +13600,9 @@ match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} dup5, ])); -var msg677 = msg("00049:01", part1146); +var msg677 = msg("00049:01", part1141); -var part1147 = // "Pattern{Constant('A virtual router with name '), Field(node,true), Constant(' and ID '), Field(fld2,true), Constant(' has been removed')}" -match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ +var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ dup1, dup2, dup3, @@ -15081,10 +13610,9 @@ match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{ dup5, ])); -var msg678 = msg("00049:02", part1147); +var msg678 = msg("00049:02", part1142); -var part1148 = // "Pattern{Constant('The router-id of virtual router "'), Field(node,false), Constant('" used by OSPF, BGP routing instances id has been uninitialized. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ +var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15092,10 +13620,9 @@ match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual rout dup5, ])); -var msg679 = msg("00049:03", part1148); +var msg679 = msg("00049:03", part1143); -var part1149 = // "Pattern{Constant('The system default-route through virtual router "'), Field(node,false), Constant('" has been added in virtual router "'), Field(fld4,false), Constant('" ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ +var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15103,10 +13630,9 @@ match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route thro dup5, ])); -var msg680 = msg("00049:04", part1149); +var msg680 = msg("00049:04", part1144); -var part1150 = // "Pattern{Constant('Subnetwork conflict checking for interfaces in virtual router ('), Field(node,false), Constant(') has been enabled. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. (%{fld1})", processor_chain([ +var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15114,7 +13640,7 @@ match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking dup5, ])); -var msg681 = msg("00049:05", part1150); +var msg681 = msg("00049:05", part1145); var select258 = linear_select([ msg676, @@ -15125,8 +13651,7 @@ var select258 = linear_select([ msg681, ]); -var part1151 = // "Pattern{Constant('Track IP enabled ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ +var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15135,10 +13660,9 @@ match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", pro dup5, ])); -var msg682 = msg("00050", part1151); +var msg682 = msg("00050", part1146); -var part1152 = // "Pattern{Constant('Session utilization has reached '), Field(fld2,false), Constant(', which is '), Field(fld3,true), Constant(' of the system capacity!')}" -match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ +var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ dup117, dup2, dup3, @@ -15146,10 +13670,9 @@ match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached dup5, ])); -var msg683 = msg("00051", part1152); +var msg683 = msg("00051", part1147); -var part1153 = // "Pattern{Constant('AV: Suspicious client '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' used '), Field(fld2,true), Constant(' percent of AV resources, which exceeded the max of '), Field(fld3,true), Constant(' percent.')}" -match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ +var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ dup117, dup2, dup3, @@ -15157,24 +13680,22 @@ match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:% dup5, ])); -var msg684 = msg("00052", part1153); +var msg684 = msg("00052", part1148); -var part1154 = // "Pattern{Constant('router '), Field(p0,false)}" -match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); +var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); var select259 = linear_select([ - dup171, - part1154, + dup169, + part1149, ]); -var part1155 = // "Pattern{Constant('instance was '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); +var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); -var all239 = all_match({ +var all234 = all_match({ processors: [ - dup260, + dup258, select259, - part1155, + part1150, ], on_success: processor_chain([ dup1, @@ -15185,27 +13706,24 @@ var all239 = all_match({ ]), }); -var msg685 = msg("00055", all239); +var msg685 = msg("00055", all234); -var part1156 = // "Pattern{Constant('proxy '), Field(p0,false)}" -match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); +var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); -var part1157 = // "Pattern{Constant('function '), Field(p0,false)}" -match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); +var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); var select260 = linear_select([ - part1156, - part1157, + part1151, + part1152, ]); -var part1158 = // "Pattern{Constant('was '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); +var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); -var all240 = all_match({ +var all235 = all_match({ processors: [ - dup260, + dup258, select260, - part1158, + part1153, ], on_success: processor_chain([ dup1, @@ -15216,16 +13734,15 @@ var all240 = all_match({ ]), }); -var msg686 = msg("00055:01", all240); +var msg686 = msg("00055:01", all235); -var part1159 = // "Pattern{Constant('same subnet check on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); +var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); -var all241 = all_match({ +var all236 = all_match({ processors: [ - dup261, - dup392, - part1159, + dup259, + dup389, + part1154, ], on_success: processor_chain([ dup19, @@ -15236,16 +13753,15 @@ var all241 = all_match({ ]), }); -var msg687 = msg("00055:02", all241); +var msg687 = msg("00055:02", all236); -var part1160 = // "Pattern{Constant('router alert IP option check on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); +var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); -var all242 = all_match({ +var all237 = all_match({ processors: [ - dup261, - dup392, - part1160, + dup259, + dup389, + part1155, ], on_success: processor_chain([ dup44, @@ -15256,10 +13772,9 @@ var all242 = all_match({ ]), }); -var msg688 = msg("00055:03", all242); +var msg688 = msg("00055:03", all237); -var part1161 = // "Pattern{Constant('IGMP version was changed to '), Field(version,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ +var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ dup1, dup2, dup3, @@ -15267,27 +13782,24 @@ match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to % dup5, ])); -var msg689 = msg("00055:04", part1161); +var msg689 = msg("00055:04", part1156); -var part1162 = // "Pattern{Constant('IGMP query '), Field(p0,false)}" -match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); +var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); -var part1163 = // "Pattern{Constant('max response time '), Field(p0,false)}" -match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); +var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); var select261 = linear_select([ dup110, - part1163, + part1158, ]); -var part1164 = // "Pattern{Constant('was changed to '), Field(fld2,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); +var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); -var all243 = all_match({ +var all238 = all_match({ processors: [ - part1162, + part1157, select261, - part1164, + part1159, ], on_success: processor_chain([ dup1, @@ -15298,30 +13810,26 @@ var all243 = all_match({ ]), }); -var msg690 = msg("00055:05", all243); +var msg690 = msg("00055:05", all238); -var part1165 = // "Pattern{Constant('IGMP l'), Field(p0,false)}" -match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); +var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); -var part1166 = // "Pattern{Constant('eave '), Field(p0,false)}" -match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); +var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); -var part1167 = // "Pattern{Constant('ast member query '), Field(p0,false)}" -match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); +var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); var select262 = linear_select([ - part1166, - part1167, + part1161, + part1162, ]); -var part1168 = // "Pattern{Constant('interval was changed to '), Field(fld2,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface %{interface}."); +var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface %{interface}."); -var all244 = all_match({ +var all239 = all_match({ processors: [ - part1165, + part1160, select262, - part1168, + part1163, ], on_success: processor_chain([ dup1, @@ -15332,31 +13840,27 @@ var all244 = all_match({ ]), }); -var msg691 = msg("00055:06", all244); +var msg691 = msg("00055:06", all239); -var part1169 = // "Pattern{Constant('routers '), Field(p0,false)}" -match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); +var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); -var part1170 = // "Pattern{Constant('hosts '), Field(p0,false)}" -match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); +var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); -var part1171 = // "Pattern{Constant('groups '), Field(p0,false)}" -match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); +var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); var select263 = linear_select([ - part1169, - part1170, - part1171, + part1164, + part1165, + part1166, ]); -var part1172 = // "Pattern{Constant('accept list ID was changed to '), Field(fld2,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); +var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); -var all245 = all_match({ +var all240 = all_match({ processors: [ - dup260, + dup258, select263, - part1172, + part1167, ], on_success: processor_chain([ dup1, @@ -15367,27 +13871,24 @@ var all245 = all_match({ ]), }); -var msg692 = msg("00055:07", all245); +var msg692 = msg("00055:07", all240); -var part1173 = // "Pattern{Constant('all groups '), Field(p0,false)}" -match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); +var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); -var part1174 = // "Pattern{Constant('group '), Field(p0,false)}" -match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); +var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); var select264 = linear_select([ - part1173, - part1174, + part1168, + part1169, ]); -var part1175 = // "Pattern{Constant(''), Field(group,true), Constant(' static flag was '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); +var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); -var all246 = all_match({ +var all241 = all_match({ processors: [ - dup260, + dup258, select264, - part1175, + part1170, ], on_success: processor_chain([ dup1, @@ -15398,29 +13899,27 @@ var all246 = all_match({ ]), }); -var msg693 = msg("00055:08", all246); +var msg693 = msg("00055:08", all241); -var part1176 = // "Pattern{Constant('IGMP static group '), Field(group,true), Constant(' was added on interface '), Field(interface,false)}" -match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ - dup211, +var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg694 = msg("00055:09", part1176); +var msg694 = msg("00055:09", part1171); -var part1177 = // "Pattern{Constant('IGMP proxy always is '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ - dup211, +var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg695 = msg("00055:10", part1177); +var msg695 = msg("00055:10", part1172); var select265 = linear_select([ msg685, @@ -15436,8 +13935,7 @@ var select265 = linear_select([ msg695, ]); -var part1178 = // "Pattern{Constant('Remove multicast policy from '), Field(src_zone,true), Constant(' '), Field(saddr,true), Constant(' to '), Field(dst_zone,true), Constant(' '), Field(daddr,false)}" -match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ +var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ dup1, dup2, dup3, @@ -15445,10 +13943,9 @@ match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{s dup5, ])); -var msg696 = msg("00056", part1178); +var msg696 = msg("00056", part1173); -var part1179 = // "Pattern{Field(fld2,false), Constant(': static multicast route src='), Field(saddr,false), Constant(', grp='), Field(group,true), Constant(' input ifp = '), Field(sinterface,true), Constant(' output ifp = '), Field(dinterface,true), Constant(' added')}" -match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ +var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ dup1, dup2, dup3, @@ -15456,10 +13953,9 @@ match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route dup5, ])); -var msg697 = msg("00057", part1179); +var msg697 = msg("00057", part1174); -var part1180 = // "Pattern{Constant('PIMSM protocol configured on interface '), Field(interface,false)}" -match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ +var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ dup19, dup2, dup3, @@ -15467,29 +13963,27 @@ match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on int dup5, ])); -var msg698 = msg("00058", part1180); +var msg698 = msg("00058", part1175); -var part1181 = // "Pattern{Constant('DDNS module is '), Field(p0,false)}" -match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); +var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); -var part1182 = // "Pattern{Constant('initialized '), Field(p0,false)}" -match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); +var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); var select266 = linear_select([ - part1182, - dup264, + part1177, + dup262, dup157, dup156, ]); -var all247 = all_match({ +var all242 = all_match({ processors: [ - part1181, + part1176, select266, dup116, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15497,33 +13991,29 @@ var all247 = all_match({ ]), }); -var msg699 = msg("00059", all247); +var msg699 = msg("00059", all242); -var part1183 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is configured with server type "'), Field(fld3,false), Constant('" name "'), Field(hostname,false), Constant('" refresh-interval '), Field(fld5,true), Constant(' hours minimum update interval '), Field(fld6,true), Constant(' minutes with '), Field(p0,false)}" -match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); +var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); -var part1184 = // "Pattern{Constant('secure '), Field(p0,false)}" -match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); +var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); -var part1185 = // "Pattern{Constant('clear-text '), Field(p0,false)}" -match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); +var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); var select267 = linear_select([ - part1184, - part1185, + part1179, + part1180, ]); -var part1186 = // "Pattern{Constant('secure connection.'), Field(,false)}" -match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); +var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); -var all248 = all_match({ +var all243 = all_match({ processors: [ - part1183, + part1178, select267, - part1186, + part1181, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15531,59 +14021,52 @@ var all248 = all_match({ ]), }); -var msg700 = msg("00059:02", all248); +var msg700 = msg("00059:02", all243); -var part1187 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is configured with user name "'), Field(username,false), Constant('" agent "'), Field(fld3,false), Constant('"')}" -match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ - dup211, +var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg701 = msg("00059:03", part1187); +var msg701 = msg("00059:03", part1182); -var part1188 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is configured with interface "'), Field(interface,false), Constant('" host-name "'), Field(hostname,false), Constant('"')}" -match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ - dup211, +var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg702 = msg("00059:04", part1188); +var msg702 = msg("00059:04", part1183); -var part1189 = // "Pattern{Constant('Hostname '), Field(p0,false)}" -match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); +var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); -var part1190 = // "Pattern{Constant('Source interface '), Field(p0,false)}" -match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); +var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); -var part1191 = // "Pattern{Constant('Username and password '), Field(p0,false)}" -match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); +var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); -var part1192 = // "Pattern{Constant('Server '), Field(p0,false)}" -match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); +var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); var select268 = linear_select([ - part1189, - part1190, - part1191, - part1192, + part1184, + part1185, + part1186, + part1187, ]); -var part1193 = // "Pattern{Constant('of DDNS entry with id '), Field(fld2,true), Constant(' is cleared.')}" -match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); +var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); -var all249 = all_match({ +var all244 = all_match({ processors: [ select268, - part1193, + part1188, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15591,51 +14074,46 @@ var all249 = all_match({ ]), }); -var msg703 = msg("00059:05", all249); +var msg703 = msg("00059:05", all244); -var part1194 = // "Pattern{Constant('Agent of DDNS entry with id '), Field(fld2,true), Constant(' is reset to its default value.')}" -match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ - dup211, +var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg704 = msg("00059:06", part1194); +var msg704 = msg("00059:06", part1189); -var part1195 = // "Pattern{Constant('Updates for DDNS entry with id '), Field(fld2,true), Constant(' are set to be sent in secure ('), Field(protocol,false), Constant(') mode.')}" -match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ - dup211, +var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg705 = msg("00059:07", part1195); +var msg705 = msg("00059:07", part1190); -var part1196 = // "Pattern{Constant('Refresh '), Field(p0,false)}" -match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); +var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); -var part1197 = // "Pattern{Constant('Minimum update '), Field(p0,false)}" -match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); +var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); var select269 = linear_select([ - part1196, - part1197, + part1191, + part1192, ]); -var part1198 = // "Pattern{Constant('interval of DDNS entry with id '), Field(fld2,true), Constant(' is set to default value ('), Field(fld3,false), Constant(').')}" -match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); +var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); -var all250 = all_match({ +var all245 = all_match({ processors: [ select269, - part1198, + part1193, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15643,43 +14121,38 @@ var all250 = all_match({ ]), }); -var msg706 = msg("00059:08", all250); +var msg706 = msg("00059:08", all245); -var part1199 = // "Pattern{Constant('No-Change '), Field(p0,false)}" -match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); +var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); -var part1200 = // "Pattern{Constant('Error '), Field(p0,false)}" -match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); +var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); var select270 = linear_select([ - part1199, - part1200, + part1194, + part1195, ]); -var part1201 = // "Pattern{Constant('response received for DDNS entry update for id '), Field(fld2,true), Constant(' user "'), Field(username,false), Constant('" domain "'), Field(domain,false), Constant('" server type " d'), Field(p0,false)}" -match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); +var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); -var part1202 = // "Pattern{Constant('yndns '), Field(p0,false)}" -match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); +var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); var select271 = linear_select([ - dup263, - part1202, + dup261, + part1197, ]); -var part1203 = // "Pattern{Constant('", server name "'), Field(hostname,false), Constant('"')}" -match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); +var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); -var all251 = all_match({ +var all246 = all_match({ processors: [ - dup162, + dup160, select270, - part1201, + part1196, select271, - part1203, + part1198, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15687,18 +14160,17 @@ var all251 = all_match({ ]), }); -var msg707 = msg("00059:09", all251); +var msg707 = msg("00059:09", all246); -var part1204 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is '), Field(disposition,false), Constant('.')}" -match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ - dup211, +var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg708 = msg("00059:01", part1204); +var msg708 = msg("00059:01", part1199); var select272 = linear_select([ msg699, @@ -15713,8 +14185,7 @@ var select272 = linear_select([ msg708, ]); -var part1205 = // "Pattern{Constant('Track IP IP address '), Field(hostip,true), Constant(' failed. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ +var part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ dup19, dup2, dup3, @@ -15723,10 +14194,9 @@ match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip- setc("event_description","Track IP failed"), ])); -var msg709 = msg("00062:01", part1205); +var msg709 = msg("00062:01", part1200); -var part1206 = // "Pattern{Constant('Track IP failure reached threshold. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ +var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ dup19, dup2, dup3, @@ -15735,10 +14205,9 @@ match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached thre setc("event_description","Track IP failure reached threshold"), ])); -var msg710 = msg("00062:02", part1206); +var msg710 = msg("00062:02", part1201); -var part1207 = // "Pattern{Constant('Track IP IP address '), Field(hostip,true), Constant(' succeeded. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ +var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ dup44, dup2, dup3, @@ -15747,10 +14216,9 @@ match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip- setc("event_description","Track IP succeeded"), ])); -var msg711 = msg("00062:03", part1207); +var msg711 = msg("00062:03", part1202); -var part1208 = // "Pattern{Constant('HA linkdown'), Field(,false)}" -match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ +var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ dup86, dup2, dup3, @@ -15758,7 +14226,7 @@ match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain dup5, ])); -var msg712 = msg("00062", part1208); +var msg712 = msg("00062", part1203); var select273 = linear_select([ msg709, @@ -15767,8 +14235,7 @@ var select273 = linear_select([ msg712, ]); -var part1209 = // "Pattern{Constant('nsrp track-ip ip '), Field(hostip,true), Constant(' '), Field(disposition,false), Constant('!')}" -match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ +var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ dup86, dup2, dup3, @@ -15776,10 +14243,9 @@ match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{d dup5, ])); -var msg713 = msg("00063", part1209); +var msg713 = msg("00063", part1204); -var part1210 = // "Pattern{Constant('Can not create track-ip list'), Field(,false)}" -match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ +var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ dup86, dup2, dup3, @@ -15787,10 +14253,9 @@ match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}" dup5, ])); -var msg714 = msg("00064", part1210); +var msg714 = msg("00064", part1205); -var part1211 = // "Pattern{Constant('track ip fail reaches threshold system may fail over!'), Field(,false)}" -match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ +var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ dup86, dup2, dup3, @@ -15798,10 +14263,9 @@ match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches thresho dup5, ])); -var msg715 = msg("00064:01", part1211); +var msg715 = msg("00064:01", part1206); -var part1212 = // "Pattern{Constant('Anti-Spam is detached from policy ID '), Field(policy_id,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. (%{fld1})", processor_chain([ +var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -15810,7 +14274,7 @@ match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from po dup5, ])); -var msg716 = msg("00064:02", part1212); +var msg716 = msg("00064:02", part1207); var select274 = linear_select([ msg714, @@ -15818,27 +14282,24 @@ var select274 = linear_select([ msg716, ]); -var msg717 = msg("00070", dup414); +var msg717 = msg("00070", dup411); -var part1213 = // "Pattern{Field(,false), Constant('Device group '), Field(group,true), Constant(' changed state from '), Field(fld3,true), Constant(' to '), Field(p0,false)}" -match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); +var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); -var part1214 = // "Pattern{Constant('Init'), Field(,false)}" -match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); +var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); -var part1215 = // "Pattern{Constant('init. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); +var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); var select275 = linear_select([ - part1214, - part1215, + part1209, + part1210, ]); -var all252 = all_match({ +var all247 = all_match({ processors: [ - dup269, - dup394, - part1213, + dup267, + dup391, + part1208, select275, ], on_success: processor_chain([ @@ -15851,10 +14312,9 @@ var all252 = all_match({ ]), }); -var msg718 = msg("00070:01", all252); +var msg718 = msg("00070:01", all247); -var part1216 = // "Pattern{Constant('NSRP: nsrp control channel change to '), Field(interface,false)}" -match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ +var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ dup1, dup2, dup3, @@ -15862,7 +14322,7 @@ match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel ch dup5, ])); -var msg719 = msg("00070:02", part1216); +var msg719 = msg("00070:02", part1211); var select276 = linear_select([ msg717, @@ -15870,10 +14330,9 @@ var select276 = linear_select([ msg719, ]); -var msg720 = msg("00071", dup414); +var msg720 = msg("00071", dup411); -var part1217 = // "Pattern{Constant('The local device '), Field(fld1,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' changed state')}" -match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ +var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ dup1, dup2, dup3, @@ -15881,38 +14340,38 @@ match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in dup5, ])); -var msg721 = msg("00071:01", part1217); +var msg721 = msg("00071:01", part1212); var select277 = linear_select([ msg720, msg721, ]); -var msg722 = msg("00072", dup414); +var msg722 = msg("00072", dup411); -var msg723 = msg("00072:01", dup415); +var msg723 = msg("00072:01", dup412); var select278 = linear_select([ msg722, msg723, ]); -var msg724 = msg("00073", dup414); +var msg724 = msg("00073", dup411); -var msg725 = msg("00073:01", dup415); +var msg725 = msg("00073:01", dup412); var select279 = linear_select([ msg724, msg725, ]); -var msg726 = msg("00074", dup395); +var msg726 = msg("00074", dup392); -var all253 = all_match({ +var all248 = all_match({ processors: [ - dup265, - dup393, - dup273, + dup263, + dup390, + dup271, ], on_success: processor_chain([ dup1, @@ -15923,10 +14382,9 @@ var all253 = all_match({ ]), }); -var msg727 = msg("00075", all253); +var msg727 = msg("00075", all248); -var part1218 = // "Pattern{Constant('The local device '), Field(hardware_id,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' changed state from '), Field(event_state,true), Constant(' to inoperable. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ +var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15936,10 +14394,9 @@ match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_i setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), ])); -var msg728 = msg("00075:02", part1218); +var msg728 = msg("00075:02", part1213); -var part1219 = // "Pattern{Constant('The local device '), Field(hardware_id,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ +var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ dup1, dup2, dup3, @@ -15947,7 +14404,7 @@ match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_i dup5, ])); -var msg729 = msg("00075:01", part1219); +var msg729 = msg("00075:01", part1214); var select280 = linear_select([ msg727, @@ -15955,16 +14412,15 @@ var select280 = linear_select([ msg729, ]); -var msg730 = msg("00076", dup395); +var msg730 = msg("00076", dup392); -var part1220 = // "Pattern{Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' send 2nd path request to unit='), Field(fld3,false)}" -match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); +var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); -var all254 = all_match({ +var all249 = all_match({ processors: [ - dup265, - dup393, - part1220, + dup263, + dup390, + part1215, ], on_success: processor_chain([ dup44, @@ -15975,15 +14431,14 @@ var all254 = all_match({ ]), }); -var msg731 = msg("00076:01", all254); +var msg731 = msg("00076:01", all249); var select281 = linear_select([ msg730, msg731, ]); -var part1221 = // "Pattern{Constant('HA link disconnect. Begin to use second path of HA'), Field(,false)}" -match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use second path of HA%{}", processor_chain([ +var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use second path of HA%{}", processor_chain([ dup144, dup2, dup3, @@ -15991,13 +14446,13 @@ match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use dup5, ])); -var msg732 = msg("00077", part1221); +var msg732 = msg("00077", part1216); -var all255 = all_match({ +var all250 = all_match({ processors: [ - dup265, - dup393, - dup273, + dup263, + dup390, + dup271, ], on_success: processor_chain([ dup44, @@ -16008,10 +14463,9 @@ var all255 = all_match({ ]), }); -var msg733 = msg("00077:01", all255); +var msg733 = msg("00077:01", all250); -var part1222 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,false)}" -match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ +var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ setc("eventcategory","1607000000"), dup2, dup3, @@ -16019,7 +14473,7 @@ match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in dup5, ])); -var msg734 = msg("00077:02", part1222); +var msg734 = msg("00077:02", part1217); var select282 = linear_select([ msg732, @@ -16027,37 +14481,33 @@ var select282 = linear_select([ msg734, ]); -var part1223 = // "Pattern{Constant('RTSYNC: NSRP route synchronization is '), Field(disposition,false)}" -match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ - dup274, +var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ + dup272, dup2, dup3, dup4, dup5, ])); -var msg735 = msg("00084", part1223); +var msg735 = msg("00084", part1218); -var part1224 = // "Pattern{Constant('Failover '), Field(p0,false)}" -match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); +var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); -var part1225 = // "Pattern{Constant('Recovery '), Field(p0,false)}" -match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); +var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); var select283 = linear_select([ - part1224, - part1225, + part1219, + part1220, ]); -var part1226 = // "Pattern{Constant('untrust interface occurred.'), Field(,false)}" -match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); +var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); -var all256 = all_match({ +var all251 = all_match({ processors: [ select283, dup103, - dup372, - part1226, + dup369, + part1221, ], on_success: processor_chain([ dup44, @@ -16068,10 +14518,9 @@ var all256 = all_match({ ]), }); -var msg736 = msg("00090", all256); +var msg736 = msg("00090", all251); -var part1227 = // "Pattern{Constant('A new route cannot be added to the device because the maximum number of system route entries '), Field(fld2,true), Constant(' has been exceeded')}" -match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ +var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ dup117, dup2, dup3, @@ -16079,10 +14528,9 @@ match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to t dup5, ])); -var msg737 = msg("00200", part1227); +var msg737 = msg("00200", part1222); -var part1228 = // "Pattern{Constant('A route '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' cannot be added to the virtual router '), Field(node,true), Constant(' because the number of route entries in the virtual router exceeds the maximum number of routes '), Field(fld3,true), Constant(' allowed')}" -match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ +var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ dup117, dup2, dup3, @@ -16090,55 +14538,49 @@ match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cann dup5, ])); -var msg738 = msg("00201", part1228); +var msg738 = msg("00201", part1223); -var part1229 = // "Pattern{Field(fld2,true), Constant(' hello-packet flood from neighbor (ip = '), Field(hostip,true), Constant(' router-id = '), Field(fld3,false), Constant(') on interface '), Field(interface,true), Constant(' packet is dropped')}" -match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ - dup274, +var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ + dup272, dup2, dup4, dup5, dup3, ])); -var msg739 = msg("00202", part1229); +var msg739 = msg("00202", part1224); -var part1230 = // "Pattern{Field(fld2,true), Constant(' lsa flood on interface '), Field(interface,true), Constant(' has dropped a packet.')}" -match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ - dup274, +var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ + dup272, dup2, dup4, dup5, dup3, ])); -var msg740 = msg("00203", part1230); +var msg740 = msg("00203", part1225); -var part1231 = // "Pattern{Constant('The total number of redistributed routes into '), Field(p0,false)}" -match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); +var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); -var part1232 = // "Pattern{Constant('BGP '), Field(p0,false)}" -match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); +var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); -var part1233 = // "Pattern{Constant('OSPF '), Field(p0,false)}" -match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); +var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); var select284 = linear_select([ - part1232, - part1233, + part1227, + part1228, ]); -var part1234 = // "Pattern{Constant('in vrouter '), Field(node,true), Constant(' exceeded system limit ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); +var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); -var all257 = all_match({ +var all252 = all_match({ processors: [ - part1231, + part1226, select284, - part1234, + part1229, ], on_success: processor_chain([ - dup274, + dup272, dup2, dup3, dup4, @@ -16146,22 +14588,20 @@ var all257 = all_match({ ]), }); -var msg741 = msg("00206", all257); +var msg741 = msg("00206", all252); -var part1235 = // "Pattern{Constant('LSA flood in OSPF with router-id '), Field(fld2,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); +var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); -var part1236 = // "Pattern{Constant(''), Field(interface,true), Constant(' forced the interface to drop a packet.')}" -match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); +var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); -var all258 = all_match({ +var all253 = all_match({ processors: [ - part1235, - dup354, - part1236, + part1230, + dup352, + part1231, ], on_success: processor_chain([ - dup275, + dup273, dup2, dup3, dup4, @@ -16169,22 +14609,20 @@ var all258 = all_match({ ]), }); -var msg742 = msg("00206:01", all258); +var msg742 = msg("00206:01", all253); -var part1237 = // "Pattern{Constant('OSPF instance with router-id '), Field(fld3,true), Constant(' received a Hello packet flood from neighbor (IP address '), Field(hostip,false), Constant(', router ID '), Field(fld2,false), Constant(') on '), Field(p0,false)}" -match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); +var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); -var part1238 = // "Pattern{Constant(''), Field(interface,true), Constant(' forcing the interface to drop the packet.')}" -match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); +var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); -var all259 = all_match({ +var all254 = all_match({ processors: [ - part1237, - dup354, - part1238, + part1232, + dup352, + part1233, ], on_success: processor_chain([ - dup275, + dup273, dup2, dup3, dup4, @@ -16192,29 +14630,27 @@ var all259 = all_match({ ]), }); -var msg743 = msg("00206:02", all259); +var msg743 = msg("00206:02", all254); -var part1239 = // "Pattern{Constant('Link State Advertisement Id '), Field(fld2,false), Constant(', router ID '), Field(fld3,false), Constant(', type '), Field(fld4,true), Constant(' cannot be deleted from the real-time database in area '), Field(fld5,false)}" -match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ - dup275, +var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg744 = msg("00206:03", part1239); +var msg744 = msg("00206:03", part1234); -var part1240 = // "Pattern{Constant('Reject second OSPF neighbor ('), Field(fld2,false), Constant(') on interface ('), Field(interface,false), Constant(') since it_s configured as point-to-point interface')}" -match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ - dup275, +var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg745 = msg("00206:04", part1240); +var msg745 = msg("00206:04", part1235); var select285 = linear_select([ msg741, @@ -16224,49 +14660,45 @@ var select285 = linear_select([ msg745, ]); -var part1241 = // "Pattern{Constant('System wide RIP route limit exceeded, RIP route dropped.'), Field(,false)}" -match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ - dup275, +var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg746 = msg("00207", part1241); +var msg746 = msg("00207", part1236); -var part1242 = // "Pattern{Field(fld2,true), Constant(' RIP routes dropped from last system wide RIP route limit exceed.')}" -match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ - dup275, +var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg747 = msg("00207:01", part1242); +var msg747 = msg("00207:01", part1237); -var part1243 = // "Pattern{Constant('RIP database size limit exceeded for '), Field(fld2,false), Constant(', RIP route dropped.')}" -match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ - dup275, +var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg748 = msg("00207:02", part1243); +var msg748 = msg("00207:02", part1238); -var part1244 = // "Pattern{Field(fld2,true), Constant(' RIP routes dropped from the last database size exceed in vr '), Field(fld3,false), Constant('.')}" -match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in vr %{fld3}.", processor_chain([ - dup275, +var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in vr %{fld3}.", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg749 = msg("00207:03", part1244); +var msg749 = msg("00207:03", part1239); var select286 = linear_select([ msg746, @@ -16275,423 +14707,396 @@ var select286 = linear_select([ msg749, ]); -var part1245 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=outgoing action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,false)}" -match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup187, +var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup61, dup276, dup277, - dup61, dup278, - dup279, - dup280, ])); -var msg750 = msg("00257", part1245); +var msg750 = msg("00257", part1240); -var part1246 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=incoming action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,false)}" -match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup187, +var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup279, dup276, dup277, - dup281, - dup278, - dup279, - dup282, + dup280, ])); -var msg751 = msg("00257:14", part1246); +var msg751 = msg("00257:14", part1241); -var part1247 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=outgoing action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,false)}" -match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup283, +var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, - dup280, + dup282, + dup278, ])); -var msg752 = msg("00257:01", part1247); +var msg752 = msg("00257:01", part1242); -var part1248 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=incoming action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,false)}" -match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup283, +var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, - dup281, - dup284, + dup274, + dup275, + dup279, dup282, + dup280, ])); -var msg753 = msg("00257:15", part1248); +var msg753 = msg("00257:15", part1243); -var part1249 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup61, dup276, dup277, - dup61, - dup278, - dup279, ])); -var msg754 = msg("00257:02", part1249); +var msg754 = msg("00257:02", part1244); -var part1250 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ])); -var msg755 = msg("00257:03", part1250); +var msg755 = msg("00257:03", part1245); -var part1251 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,false)}" -match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup187, +var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup61, dup276, dup277, - dup61, - dup278, - dup279, ])); -var msg756 = msg("00257:04", part1251); +var msg756 = msg("00257:04", part1246); -var part1252 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" -match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ - dup283, +var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ])); -var msg757 = msg("00257:05", part1252); +var msg757 = msg("00257:05", part1247); -var part1253 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,true), Constant(' icmp code='), Field(icmpcode,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" -match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); +var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); -var all260 = all_match({ +var all255 = all_match({ processors: [ - dup285, - dup396, - part1253, + dup283, + dup393, + part1248, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ]), }); -var msg758 = msg("00257:19", all260); +var msg758 = msg("00257:19", all255); -var part1254 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); +var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); -var all261 = all_match({ +var all256 = all_match({ processors: [ - dup285, - dup396, - part1254, + dup283, + dup393, + part1249, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ]), }); -var msg759 = msg("00257:16", all261); +var msg759 = msg("00257:16", all256); -var part1255 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); +var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); -var all262 = all_match({ +var all257 = all_match({ processors: [ - dup285, - dup396, - part1255, + dup283, + dup393, + part1250, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ]), }); -var msg760 = msg("00257:17", all262); +var msg760 = msg("00257:17", all257); -var part1256 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); +var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); -var all263 = all_match({ +var all258 = all_match({ processors: [ - dup285, - dup396, - part1256, + dup283, + dup393, + part1251, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ]), }); -var msg761 = msg("00257:18", all263); +var msg761 = msg("00257:18", all258); -var part1257 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(p0,false)}" -match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); +var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); -var part1258 = // "Pattern{Field(dport,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); +var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); -var part1259 = // "Pattern{Field(dport,false)}" -match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); +var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); var select287 = linear_select([ - part1258, - part1259, + part1253, + part1254, ]); -var all264 = all_match({ +var all259 = all_match({ processors: [ - part1257, + part1252, select287, ], on_success: processor_chain([ - dup187, + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup61, dup276, dup277, - dup61, - dup278, - dup279, ]), }); -var msg762 = msg("00257:06", all264); +var msg762 = msg("00257:06", all259); -var part1260 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ])); -var msg763 = msg("00257:07", part1260); +var msg763 = msg("00257:07", part1255); -var part1261 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' tcp='), Field(icmptype,false)}" -match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ - dup187, +var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup60, dup276, dup277, - dup60, - dup278, - dup279, ])); -var msg764 = msg("00257:08", part1261); +var msg764 = msg("00257:08", part1256); -var part1262 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(p0,false)}" -match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); +var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); -var part1263 = // "Pattern{Field(icmptype,true), Constant(' icmp code='), Field(icmpcode,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" -match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); +var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); -var part1264 = // "Pattern{Field(icmptype,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); +var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); -var part1265 = // "Pattern{Field(icmptype,false)}" -match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); +var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); var select288 = linear_select([ - part1263, - part1264, - part1265, + part1258, + part1259, + part1260, ]); -var all265 = all_match({ +var all260 = all_match({ processors: [ - part1262, + part1257, select288, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ]), }); -var msg765 = msg("00257:09", all265); +var msg765 = msg("00257:09", all260); -var part1266 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(p0,false)}" -match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); +var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); -var part1267 = // "Pattern{Field(daddr,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); +var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); var select289 = linear_select([ - part1267, - dup288, + part1262, + dup286, ]); -var all266 = all_match({ +var all261 = all_match({ processors: [ - part1266, + part1261, select289, ], on_success: processor_chain([ - dup187, + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup60, dup276, dup277, - dup60, - dup278, - dup279, ]), }); -var msg766 = msg("00257:10", all266); +var msg766 = msg("00257:10", all261); -var part1268 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(p0,false)}" -match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); +var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); -var part1269 = // "Pattern{Field(daddr,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" -match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); +var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); var select290 = linear_select([ - part1269, - dup288, + part1264, + dup286, ]); -var all267 = all_match({ +var all262 = all_match({ processors: [ - part1268, + part1263, select290, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ]), }); -var msg767 = msg("00257:11", all267); +var msg767 = msg("00257:11", all262); -var part1270 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' type='), Field(fld3,false)}" -match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ - dup283, +var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ])); -var msg768 = msg("00257:12", part1270); +var msg768 = msg("00257:12", part1265); -var part1271 = // "Pattern{Constant('start_time="'), Field(fld2,false)}" -match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ - dup283, +var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ + dup281, dup2, dup3, - dup276, + dup274, dup4, dup5, ])); -var msg769 = msg("00257:13", part1271); +var msg769 = msg("00257:13", part1266); var select291 = linear_select([ msg750, @@ -16716,27 +15121,24 @@ var select291 = linear_select([ msg769, ]); -var part1272 = // "Pattern{Constant('user '), Field(username,true), Constant(' has logged on via '), Field(p0,false)}" -match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); +var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); -var part1273 = // "Pattern{Constant('the console '), Field(p0,false)}" -match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); +var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); var select292 = linear_select([ - part1273, - dup291, - dup243, + part1268, + dup289, + dup241, ]); -var part1274 = // "Pattern{Constant('from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); +var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); -var all268 = all_match({ +var all263 = all_match({ processors: [ - dup397, - part1272, + dup394, + part1267, select292, - part1274, + part1269, ], on_success: processor_chain([ dup28, @@ -16751,15 +15153,14 @@ var all268 = all_match({ ]), }); -var msg770 = msg("00259", all268); +var msg770 = msg("00259", all263); -var part1275 = // "Pattern{Constant('user '), Field(administrator,true), Constant(' has logged out via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); +var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); -var all269 = all_match({ +var all264 = all_match({ processors: [ - dup397, - part1275, + dup394, + part1270, ], on_success: processor_chain([ dup33, @@ -16772,33 +15173,30 @@ var all269 = all_match({ ]), }); -var msg771 = msg("00259:07", all269); +var msg771 = msg("00259:07", all264); -var part1276 = // "Pattern{Constant('Management session via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' for [vsys] admin '), Field(administrator,true), Constant(' has timed out')}" -match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ - dup292, +var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ + dup290, dup2, dup3, dup4, dup5, ])); -var msg772 = msg("00259:01", part1276); +var msg772 = msg("00259:01", part1271); -var part1277 = // "Pattern{Constant('Management session via '), Field(logon_type,true), Constant(' for [ vsys ] admin '), Field(administrator,true), Constant(' has timed out')}" -match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ - dup292, +var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ + dup290, dup2, dup3, dup4, dup5, ])); -var msg773 = msg("00259:02", part1277); +var msg773 = msg("00259:02", part1272); -var part1278 = // "Pattern{Constant('Login attempt to system by admin '), Field(administrator,true), Constant(' via the '), Field(logon_type,true), Constant(' has failed')}" -match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ - dup208, +var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ + dup206, dup29, dup30, dup31, @@ -16809,11 +15207,10 @@ match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by ad dup5, ])); -var msg774 = msg("00259:03", part1278); +var msg774 = msg("00259:03", part1273); -var part1279 = // "Pattern{Constant('Login attempt to system by admin '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has failed')}" -match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ - dup208, +var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ + dup206, dup29, dup30, dup31, @@ -16824,31 +15221,28 @@ match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by ad dup5, ])); -var msg775 = msg("00259:04", part1279); +var msg775 = msg("00259:04", part1274); -var part1280 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been forced to log out of the '), Field(p0,false)}" -match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); +var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); -var part1281 = // "Pattern{Constant('Web '), Field(p0,false)}" -match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); +var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); var select293 = linear_select([ - dup243, - dup291, - part1281, + dup241, + dup289, + part1276, ]); -var part1282 = // "Pattern{Constant('session on host '), Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); +var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); -var all270 = all_match({ +var all265 = all_match({ processors: [ - part1280, + part1275, select293, - part1282, + part1277, ], on_success: processor_chain([ - dup292, + dup290, dup2, dup3, dup4, @@ -16856,18 +15250,17 @@ var all270 = all_match({ ]), }); -var msg776 = msg("00259:05", all270); +var msg776 = msg("00259:05", all265); -var part1283 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been forced to log out of the serial console session.')}" -match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ - dup292, +var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ + dup290, dup2, dup3, dup4, dup5, ])); -var msg777 = msg("00259:06", part1283); +var msg777 = msg("00259:06", part1278); var select294 = linear_select([ msg770, @@ -16880,19 +15273,17 @@ var select294 = linear_select([ msg777, ]); -var part1284 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been rejected via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ - dup292, +var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ + dup290, dup2, dup3, dup4, dup5, ])); -var msg778 = msg("00262", part1284); +var msg778 = msg("00262", part1279); -var part1285 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been accepted via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ +var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ setc("eventcategory","1401050100"), dup2, dup3, @@ -16900,34 +15291,29 @@ match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} ha dup5, ])); -var msg779 = msg("00263", part1285); +var msg779 = msg("00263", part1280); -var part1286 = // "Pattern{Constant('ActiveX control '), Field(p0,false)}" -match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); +var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); -var part1287 = // "Pattern{Constant('JAVA applet '), Field(p0,false)}" -match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); +var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); -var part1288 = // "Pattern{Constant('EXE file '), Field(p0,false)}" -match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); +var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); -var part1289 = // "Pattern{Constant('ZIP file '), Field(p0,false)}" -match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); +var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); var select295 = linear_select([ - part1286, - part1287, - part1288, - part1289, + part1281, + part1282, + part1283, + part1284, ]); -var part1290 = // "Pattern{Constant('has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('. '), Field(info,false)}" -match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); +var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); -var all271 = all_match({ +var all266 = all_match({ processors: [ select295, - part1290, + part1285, ], on_success: processor_chain([ setc("eventcategory","1003000000"), @@ -16939,43 +15325,39 @@ var all271 = all_match({ ]), }); -var msg780 = msg("00400", all271); +var msg780 = msg("00400", all266); -var part1291 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup85, dup2, dup4, dup5, dup3, - dup293, + dup291, ])); -var msg781 = msg("00401", part1291); +var msg781 = msg("00401", part1286); -var part1292 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup85, dup2, dup4, dup5, dup3, - dup294, + dup292, ])); -var msg782 = msg("00402", part1292); +var msg782 = msg("00402", part1287); -var part1293 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at '), Field(p0,false)}" -match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); +var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); -var part1294 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' in zone '), Field(zone,false), Constant('. '), Field(info,false)}" -match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); +var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); -var all272 = all_match({ +var all267 = all_match({ processors: [ - part1293, - dup339, - part1294, + part1288, + dup337, + part1289, ], on_success: processor_chain([ dup85, @@ -16983,31 +15365,29 @@ var all272 = all_match({ dup4, dup5, dup3, - dup294, + dup292, ]), }); -var msg783 = msg("00402:01", all272); +var msg783 = msg("00402:01", all267); var select296 = linear_select([ msg782, msg783, ]); -var part1295 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup85, dup2, dup4, dup5, dup3, - dup293, + dup291, ])); -var msg784 = msg("00403", part1295); +var msg784 = msg("00403", part1290); -var part1296 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup147, dup148, dup149, @@ -17016,34 +15396,33 @@ match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{spor dup4, dup5, dup3, - dup294, + dup292, ])); -var msg785 = msg("00404", part1296); +var msg785 = msg("00404", part1291); -var part1297 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup147, dup2, dup4, dup5, dup3, - dup293, + dup291, ])); -var msg786 = msg("00405", part1297); +var msg786 = msg("00405", part1292); -var msg787 = msg("00406", dup416); +var msg787 = msg("00406", dup413); -var msg788 = msg("00407", dup416); +var msg788 = msg("00407", dup413); -var msg789 = msg("00408", dup416); +var msg789 = msg("00408", dup413); -var all273 = all_match({ +var all268 = all_match({ processors: [ dup132, - dup345, - dup295, + dup343, + dup293, ], on_success: processor_chain([ dup58, @@ -17056,12 +15435,11 @@ var all273 = all_match({ ]), }); -var msg790 = msg("00409", all273); +var msg790 = msg("00409", all268); -var msg791 = msg("00410", dup416); +var msg791 = msg("00410", dup413); -var part1298 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup3, @@ -17071,21 +15449,20 @@ match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} dup60, ])); -var msg792 = msg("00410:01", part1298); +var msg792 = msg("00410:01", part1293); var select297 = linear_select([ msg791, msg792, ]); -var part1299 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto TCP (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); +var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); -var all274 = all_match({ +var all269 = all_match({ processors: [ - part1299, - dup345, - dup295, + part1294, + dup343, + dup293, ], on_success: processor_chain([ dup58, @@ -17098,19 +15475,17 @@ var all274 = all_match({ ]), }); -var msg793 = msg("00411", all274); +var msg793 = msg("00411", all269); -var part1300 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at '), Field(p0,false)}" -match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); +var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); -var part1301 = // "Pattern{Field(,true), Constant(' '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); +var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); -var all275 = all_match({ +var all270 = all_match({ processors: [ - part1300, - dup339, - part1301, + part1295, + dup337, + part1296, ], on_success: processor_chain([ dup58, @@ -17123,15 +15498,14 @@ var all275 = all_match({ ]), }); -var msg794 = msg("00413", all275); +var msg794 = msg("00413", all270); -var part1302 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,false), Constant('(zone '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); +var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); -var all276 = all_match({ +var all271 = all_match({ processors: [ - part1302, - dup345, + part1297, + dup343, dup83, ], on_success: processor_chain([ @@ -17146,10 +15520,9 @@ var all276 = all_match({ ]), }); -var msg795 = msg("00413:01", all276); +var msg795 = msg("00413:01", all271); -var part1303 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -17159,7 +15532,7 @@ match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{ dup9, ])); -var msg796 = msg("00413:02", part1303); +var msg796 = msg("00413:02", part1298); var select298 = linear_select([ msg794, @@ -17167,8 +15540,7 @@ var select298 = linear_select([ msg796, ]); -var part1304 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -17178,10 +15550,9 @@ match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to dup9, ])); -var msg797 = msg("00414", part1304); +var msg797 = msg("00414", part1299); -var part1305 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -17191,15 +15562,14 @@ match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} dup9, ])); -var msg798 = msg("00414:01", part1305); +var msg798 = msg("00414:01", part1300); var select299 = linear_select([ msg797, msg798, ]); -var part1306 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup59, @@ -17209,13 +15579,13 @@ match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{spo dup61, ])); -var msg799 = msg("00415", part1306); +var msg799 = msg("00415", part1301); -var all277 = all_match({ +var all272 = all_match({ processors: [ dup132, - dup345, - dup296, + dup343, + dup294, ], on_success: processor_chain([ dup58, @@ -17228,12 +15598,12 @@ var all277 = all_match({ ]), }); -var msg800 = msg("00423", all277); +var msg800 = msg("00423", all272); -var all278 = all_match({ +var all273 = all_match({ processors: [ dup80, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -17248,12 +15618,12 @@ var all278 = all_match({ ]), }); -var msg801 = msg("00429", all278); +var msg801 = msg("00429", all273); -var all279 = all_match({ +var all274 = all_match({ processors: [ dup132, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -17268,19 +15638,19 @@ var all279 = all_match({ ]), }); -var msg802 = msg("00429:01", all279); +var msg802 = msg("00429:01", all274); var select300 = linear_select([ msg801, msg802, ]); -var all280 = all_match({ +var all275 = all_match({ processors: [ dup80, - dup345, - dup297, - dup353, + dup343, + dup295, + dup351, ], on_success: processor_chain([ dup85, @@ -17294,14 +15664,14 @@ var all280 = all_match({ ]), }); -var msg803 = msg("00430", all280); +var msg803 = msg("00430", all275); -var all281 = all_match({ +var all276 = all_match({ processors: [ dup132, - dup345, - dup297, - dup353, + dup343, + dup295, + dup351, ], on_success: processor_chain([ dup85, @@ -17315,28 +15685,28 @@ var all281 = all_match({ ]), }); -var msg804 = msg("00430:01", all281); +var msg804 = msg("00430:01", all276); var select301 = linear_select([ msg803, msg804, ]); -var msg805 = msg("00431", dup417); +var msg805 = msg("00431", dup414); -var msg806 = msg("00432", dup417); +var msg806 = msg("00432", dup414); -var msg807 = msg("00433", dup418); +var msg807 = msg("00433", dup415); -var msg808 = msg("00434", dup418); +var msg808 = msg("00434", dup415); -var msg809 = msg("00435", dup398); +var msg809 = msg("00435", dup395); -var all282 = all_match({ +var all277 = all_match({ processors: [ dup132, - dup345, - dup296, + dup343, + dup294, ], on_success: processor_chain([ dup58, @@ -17349,19 +15719,19 @@ var all282 = all_match({ ]), }); -var msg810 = msg("00435:01", all282); +var msg810 = msg("00435:01", all277); var select302 = linear_select([ msg809, msg810, ]); -var msg811 = msg("00436", dup398); +var msg811 = msg("00436", dup395); -var all283 = all_match({ +var all278 = all_match({ processors: [ dup64, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -17376,15 +15746,14 @@ var all283 = all_match({ ]), }); -var msg812 = msg("00436:01", all283); +var msg812 = msg("00436:01", all278); var select303 = linear_select([ msg811, msg812, ]); -var part1307 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup59, @@ -17394,12 +15763,12 @@ match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! dup61, ])); -var msg813 = msg("00437", part1307); +var msg813 = msg("00437", part1302); -var all284 = all_match({ +var all279 = all_match({ processors: [ - dup301, - dup340, + dup299, + dup338, dup67, ], on_success: processor_chain([ @@ -17414,10 +15783,9 @@ var all284 = all_match({ ]), }); -var msg814 = msg("00437:01", all284); +var msg814 = msg("00437:01", all279); -var part1308 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -17428,7 +15796,7 @@ match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{ dup9, ])); -var msg815 = msg("00437:02", part1308); +var msg815 = msg("00437:02", part1303); var select304 = linear_select([ msg813, @@ -17436,8 +15804,7 @@ var select304 = linear_select([ msg815, ]); -var part1309 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup59, @@ -17447,10 +15814,9 @@ match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! dup61, ])); -var msg816 = msg("00438", part1309); +var msg816 = msg("00438", part1304); -var part1310 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup59, @@ -17460,12 +15826,12 @@ match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{ dup61, ])); -var msg817 = msg("00438:01", part1310); +var msg817 = msg("00438:01", part1305); -var all285 = all_match({ +var all280 = all_match({ processors: [ - dup301, - dup340, + dup299, + dup338, dup67, ], on_success: processor_chain([ @@ -17480,7 +15846,7 @@ var all285 = all_match({ ]), }); -var msg818 = msg("00438:02", all285); +var msg818 = msg("00438:02", all280); var select305 = linear_select([ msg816, @@ -17488,8 +15854,7 @@ var select305 = linear_select([ msg818, ]); -var part1311 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -17500,10 +15865,9 @@ match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! dup60, ])); -var msg819 = msg("00440", part1311); +var msg819 = msg("00440", part1306); -var part1312 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup59, @@ -17513,12 +15877,12 @@ match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detecte dup61, ])); -var msg820 = msg("00440:02", part1312); +var msg820 = msg("00440:02", part1307); -var all286 = all_match({ +var all281 = all_match({ processors: [ - dup241, - dup345, + dup239, + dup343, dup83, ], on_success: processor_chain([ @@ -17533,15 +15897,14 @@ var all286 = all_match({ ]), }); -var msg821 = msg("00440:01", all286); +var msg821 = msg("00440:01", all281); -var part1313 = // "Pattern{Constant('Fragmented traffic! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); +var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); -var all287 = all_match({ +var all282 = all_match({ processors: [ - part1313, - dup345, + part1308, + dup343, dup83, ], on_success: processor_chain([ @@ -17556,7 +15919,7 @@ var all287 = all_match({ ]), }); -var msg822 = msg("00440:03", all287); +var msg822 = msg("00440:03", all282); var select306 = linear_select([ msg819, @@ -17565,8 +15928,7 @@ var select306 = linear_select([ msg822, ]); -var part1314 = // "Pattern{Field(signame,true), Constant(' id='), Field(fld2,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup4, dup59, @@ -17577,14 +15939,13 @@ match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{ dup60, ])); -var msg823 = msg("00441", part1314); +var msg823 = msg("00441", part1309); -var msg824 = msg("00442", dup399); +var msg824 = msg("00442", dup396); -var msg825 = msg("00443", dup399); +var msg825 = msg("00443", dup396); -var part1315 = // "Pattern{Constant('admin '), Field(administrator,true), Constant(' issued command '), Field(fld2,true), Constant(' to redirect output.')}" -match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ +var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ dup1, dup2, dup3, @@ -17592,15 +15953,14 @@ match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued dup5, ])); -var msg826 = msg("00511", part1315); +var msg826 = msg("00511", part1310); -var part1316 = // "Pattern{Constant('All System Config saved by admin '), Field(p0,false)}" -match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); +var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); -var all288 = all_match({ +var all283 = all_match({ processors: [ - part1316, - dup400, + part1311, + dup397, ], on_success: processor_chain([ dup1, @@ -17612,10 +15972,9 @@ var all288 = all_match({ ]), }); -var msg827 = msg("00511:01", all288); +var msg827 = msg("00511:01", all283); -var part1317 = // "Pattern{Constant('All logged events or alarms are cleared by admin '), Field(administrator,false), Constant('.')}" -match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ +var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ dup1, dup2, dup3, @@ -17623,15 +15982,14 @@ match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms a dup5, ])); -var msg828 = msg("00511:02", part1317); +var msg828 = msg("00511:02", part1312); -var part1318 = // "Pattern{Constant('Get new software from flash to slot (file: '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); +var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); -var all289 = all_match({ +var all284 = all_match({ processors: [ - part1318, - dup400, + part1313, + dup397, ], on_success: processor_chain([ dup1, @@ -17643,15 +16001,14 @@ var all289 = all_match({ ]), }); -var msg829 = msg("00511:03", all289); +var msg829 = msg("00511:03", all284); -var part1319 = // "Pattern{Constant('Get new software from '), Field(hostip,true), Constant(' (file: '), Field(fld2,false), Constant(') to slot (file: '), Field(fld3,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); +var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); -var all290 = all_match({ +var all285 = all_match({ processors: [ - part1319, - dup400, + part1314, + dup397, ], on_success: processor_chain([ dup1, @@ -17663,15 +16020,14 @@ var all290 = all_match({ ]), }); -var msg830 = msg("00511:04", all290); +var msg830 = msg("00511:04", all285); -var part1320 = // "Pattern{Constant('Get new software to '), Field(hostip,true), Constant(' (file: '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); +var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); -var all291 = all_match({ +var all286 = all_match({ processors: [ - part1320, - dup400, + part1315, + dup397, ], on_success: processor_chain([ dup1, @@ -17683,15 +16039,14 @@ var all291 = all_match({ ]), }); -var msg831 = msg("00511:05", all291); +var msg831 = msg("00511:05", all286); -var part1321 = // "Pattern{Constant('Log setting is modified by admin '), Field(p0,false)}" -match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); +var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); -var all292 = all_match({ +var all287 = all_match({ processors: [ - part1321, - dup400, + part1316, + dup397, ], on_success: processor_chain([ dup1, @@ -17703,15 +16058,14 @@ var all292 = all_match({ ]), }); -var msg832 = msg("00511:06", all292); +var msg832 = msg("00511:06", all287); -var part1322 = // "Pattern{Constant('Save configuration to '), Field(hostip,true), Constant(' (file: '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); +var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); -var all293 = all_match({ +var all288 = all_match({ processors: [ - part1322, - dup400, + part1317, + dup397, ], on_success: processor_chain([ dup1, @@ -17723,15 +16077,14 @@ var all293 = all_match({ ]), }); -var msg833 = msg("00511:07", all293); +var msg833 = msg("00511:07", all288); -var part1323 = // "Pattern{Constant('Save new software from slot (file: '), Field(fld2,false), Constant(') to flash by admin '), Field(p0,false)}" -match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); +var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); -var all294 = all_match({ +var all289 = all_match({ processors: [ - part1323, - dup400, + part1318, + dup397, ], on_success: processor_chain([ dup1, @@ -17743,15 +16096,14 @@ var all294 = all_match({ ]), }); -var msg834 = msg("00511:08", all294); +var msg834 = msg("00511:08", all289); -var part1324 = // "Pattern{Constant('Save new software from '), Field(hostip,true), Constant(' (file: '), Field(result,false), Constant(') to flash by admin '), Field(p0,false)}" -match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); +var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); -var all295 = all_match({ +var all290 = all_match({ processors: [ - part1324, - dup400, + part1319, + dup397, ], on_success: processor_chain([ dup1, @@ -17763,15 +16115,14 @@ var all295 = all_match({ ]), }); -var msg835 = msg("00511:09", all295); +var msg835 = msg("00511:09", all290); -var part1325 = // "Pattern{Constant('System Config from flash to slot - '), Field(fld2,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); +var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); -var all296 = all_match({ +var all291 = all_match({ processors: [ - part1325, - dup400, + part1320, + dup397, ], on_success: processor_chain([ dup1, @@ -17783,15 +16134,14 @@ var all296 = all_match({ ]), }); -var msg836 = msg("00511:10", all296); +var msg836 = msg("00511:10", all291); -var part1326 = // "Pattern{Constant('System Config load from '), Field(hostip,true), Constant(' (file '), Field(fld2,false), Constant(') to slot - '), Field(fld3,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); +var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); -var all297 = all_match({ +var all292 = all_match({ processors: [ - part1326, - dup400, + part1321, + dup397, ], on_success: processor_chain([ dup1, @@ -17803,15 +16153,14 @@ var all297 = all_match({ ]), }); -var msg837 = msg("00511:11", all297); +var msg837 = msg("00511:11", all292); -var part1327 = // "Pattern{Constant('System Config load from '), Field(hostip,true), Constant(' (file '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); +var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); -var all298 = all_match({ +var all293 = all_match({ processors: [ - part1327, - dup400, + part1322, + dup397, ], on_success: processor_chain([ dup1, @@ -17823,15 +16172,14 @@ var all298 = all_match({ ]), }); -var msg838 = msg("00511:12", all298); +var msg838 = msg("00511:12", all293); -var part1328 = // "Pattern{Constant('The system configuration was loaded from the slot by admin '), Field(p0,false)}" -match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); +var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); -var all299 = all_match({ +var all294 = all_match({ processors: [ - part1328, - dup400, + part1323, + dup397, ], on_success: processor_chain([ dup1, @@ -17843,10 +16191,9 @@ var all299 = all_match({ ]), }); -var msg839 = msg("00511:13", all299); +var msg839 = msg("00511:13", all294); -var part1329 = // "Pattern{Constant('FIPS: Attempt to set RADIUS shared secret with invalid length '), Field(fld2,false)}" -match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ +var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -17854,7 +16201,7 @@ match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS s dup5, ])); -var msg840 = msg("00511:14", part1329); +var msg840 = msg("00511:14", part1324); var select307 = linear_select([ msg826, @@ -17874,37 +16221,32 @@ var select307 = linear_select([ msg840, ]); -var part1330 = // "Pattern{Constant('The physical state of '), Field(p0,false)}" -match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); +var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); -var part1331 = // "Pattern{Constant('the Interface '), Field(p0,false)}" -match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); +var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); var select308 = linear_select([ dup123, - part1331, + part1326, dup122, ]); -var part1332 = // "Pattern{Constant(''), Field(interface,true), Constant(' has changed to '), Field(p0,false)}" -match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); +var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); -var part1333 = // "Pattern{Field(result,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. (%{fld1})"); +var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. (%{fld1})"); -var part1334 = // "Pattern{Field(result,false)}" -match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); +var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); var select309 = linear_select([ - part1333, - part1334, + part1328, + part1329, ]); -var all300 = all_match({ +var all295 = all_match({ processors: [ - part1330, + part1325, select308, - part1332, + part1327, select309, ], on_success: processor_chain([ @@ -17917,39 +16259,35 @@ var all300 = all_match({ ]), }); -var msg841 = msg("00513", all300); +var msg841 = msg("00513", all295); -var part1335 = // "Pattern{Constant('Vsys Admin '), Field(p0,false)}" -match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); +var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); var select310 = linear_select([ - part1335, - dup289, + part1330, + dup287, ]); -var part1336 = // "Pattern{Constant(''), Field(administrator,true), Constant(' has logged on via the '), Field(logon_type,true), Constant(' ( HTTP'), Field(p0,false)}" -match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); +var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); -var part1337 = // "Pattern{Constant('S'), Field(p0,false)}" -match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); +var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); var select311 = linear_select([ dup96, - part1337, + part1332, ]); -var part1338 = // "Pattern{Field(,false), Constant(') to port '), Field(interface,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); +var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); -var all301 = all_match({ +var all296 = all_match({ processors: [ select310, - part1336, + part1331, select311, - part1338, + part1333, ], on_success: processor_chain([ - dup303, + dup301, dup2, dup3, dup4, @@ -17957,33 +16295,29 @@ var all301 = all_match({ ]), }); -var msg842 = msg("00515", all301); +var msg842 = msg("00515", all296); -var part1339 = // "Pattern{Constant('Login attempt to system by admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); +var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); -var part1340 = // "Pattern{Constant('the '), Field(logon_type,true), Constant(' has failed '), Field(p0,false)}" -match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); +var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); -var part1341 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has failed '), Field(p0,false)}" -match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); +var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); var select312 = linear_select([ - part1340, - part1341, + part1335, + part1336, ]); -var part1342 = // "Pattern{Field(fld2,false)}" -match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); +var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); -var all302 = all_match({ +var all297 = all_match({ processors: [ - part1339, + part1334, select312, - part1342, + part1337, ], on_success: processor_chain([ - dup208, + dup206, dup29, dup30, dup31, @@ -17991,48 +16325,42 @@ var all302 = all_match({ dup2, dup4, dup5, - dup304, + dup302, dup3, ]), }); -var msg843 = msg("00515:01", all302); +var msg843 = msg("00515:01", all297); -var part1343 = // "Pattern{Constant('Management session via '), Field(p0,false)}" -match("MESSAGE#834:00515:02/0", "nwparser.payload", "Management session via %{p0}"); +var part1338 = match("MESSAGE#834:00515:02/0", "nwparser.payload", "Management session via %{p0}"); -var part1344 = // "Pattern{Constant('the '), Field(logon_type,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); +var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); -var part1345 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); +var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); var select313 = linear_select([ - part1344, - part1345, + part1339, + part1340, ]); -var part1346 = // "Pattern{Constant('[vsys] admin '), Field(p0,false)}" -match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); +var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); -var part1347 = // "Pattern{Constant('vsys admin '), Field(p0,false)}" -match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); +var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); var select314 = linear_select([ - part1346, - part1347, + part1341, + part1342, dup15, ]); -var part1348 = // "Pattern{Constant(''), Field(administrator,true), Constant(' has timed out')}" -match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); +var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); -var all303 = all_match({ +var all298 = all_match({ processors: [ - part1343, + part1338, select313, select314, - part1348, + part1343, ], on_success: processor_chain([ dup27, @@ -18043,40 +16371,36 @@ var all303 = all_match({ ]), }); -var msg844 = msg("00515:02", all303); +var msg844 = msg("00515:02", all298); -var part1349 = // "Pattern{Constant('[Vsys] '), Field(p0,false)}" -match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); +var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); -var part1350 = // "Pattern{Constant('Vsys '), Field(p0,false)}" -match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); +var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); var select315 = linear_select([ - part1349, - part1350, + part1344, + part1345, ]); -var part1351 = // "Pattern{Constant('Admin '), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" -match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); +var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); -var part1352 = // "Pattern{Field(logon_type,false)}" -match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); +var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); var select316 = linear_select([ - dup306, - part1352, + dup304, + part1347, ]); -var all304 = all_match({ +var all299 = all_match({ processors: [ select315, - part1351, - dup401, + part1346, + dup398, dup40, select316, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18084,50 +16408,46 @@ var all304 = all_match({ ]), }); -var msg845 = msg("00515:04", all304); +var msg845 = msg("00515:04", all299); -var part1353 = // "Pattern{Constant('Admin User '), Field(administrator,true), Constant(' has logged on via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ - dup242, +var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg846 = msg("00515:06", part1353); +var msg846 = msg("00515:06", part1348); -var part1354 = // "Pattern{Field(,false), Constant('Admin '), Field(p0,false)}" -match("MESSAGE#837:00515:05/0", "nwparser.payload", "%{}Admin %{p0}"); +var part1349 = match("MESSAGE#837:00515:05/0", "nwparser.payload", "%{}Admin %{p0}"); var select317 = linear_select([ - dup307, + dup305, dup16, ]); -var part1355 = // "Pattern{Constant(''), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" -match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); +var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); -var part1356 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); +var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); var select318 = linear_select([ - dup308, - part1356, dup306, + part1351, + dup304, ]); -var all305 = all_match({ +var all300 = all_match({ processors: [ - part1354, + part1349, select317, - part1355, - dup401, + part1350, + dup398, dup40, select318, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18135,44 +16455,39 @@ var all305 = all_match({ ]), }); -var msg847 = msg("00515:05", all305); +var msg847 = msg("00515:05", all300); -var part1357 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' login attempt for '), Field(logon_type,false), Constant('(http) management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup242, +var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg848 = msg("00515:07", part1357); +var msg848 = msg("00515:07", part1352); -var part1358 = // "Pattern{Field(fld2,true), Constant(' Admin User "'), Field(administrator,false), Constant('" logged in for '), Field(logon_type,false), Constant('(http'), Field(p0,false)}" -match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); +var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); -var part1359 = // "Pattern{Constant(') '), Field(p0,false)}" -match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); +var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); -var part1360 = // "Pattern{Constant('s) '), Field(p0,false)}" -match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); +var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); var select319 = linear_select([ - part1359, - part1360, + part1354, + part1355, ]); -var part1361 = // "Pattern{Constant('management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); +var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); -var all306 = all_match({ +var all301 = all_match({ processors: [ - part1358, + part1353, select319, - part1361, + part1356, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18180,32 +16495,29 @@ var all306 = all_match({ ]), }); -var msg849 = msg("00515:08", all306); +var msg849 = msg("00515:08", all301); -var part1362 = // "Pattern{Constant('User '), Field(username,true), Constant(' telnet management session from ('), Field(saddr,false), Constant(':'), Field(sport,false), Constant(') timed out')}" -match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ - dup242, +var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg850 = msg("00515:09", part1362); +var msg850 = msg("00515:09", part1357); -var part1363 = // "Pattern{Constant('User '), Field(username,true), Constant(' logged out of telnet session from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ - dup242, +var part1358 = match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg851 = msg("00515:10", part1363); +var msg851 = msg("00515:10", part1358); -var part1364 = // "Pattern{Constant('The session limit threshold has been set to '), Field(trigger_val,true), Constant(' on zone '), Field(zone,false), Constant('.')}" -match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ +var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ dup1, dup2, dup3, @@ -18213,22 +16525,20 @@ match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold h dup5, ])); -var msg852 = msg("00515:11", part1364); +var msg852 = msg("00515:11", part1359); -var part1365 = // "Pattern{Constant('[ Vsys ] Admin User "'), Field(administrator,false), Constant('" logged in for Web( http'), Field(p0,false)}" -match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); +var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); -var part1366 = // "Pattern{Constant(') management (port '), Field(network_port,false), Constant(')')}" -match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); +var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); -var all307 = all_match({ +var all302 = all_match({ processors: [ - part1365, - dup402, - part1366, + part1360, + dup399, + part1361, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18236,31 +16546,30 @@ var all307 = all_match({ ]), }); -var msg853 = msg("00515:12", all307); +var msg853 = msg("00515:12", all302); var select320 = linear_select([ - dup290, - dup289, + dup288, + dup287, ]); -var part1367 = // "Pattern{Constant('user '), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" -match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); +var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); var select321 = linear_select([ - dup308, dup306, + dup304, ]); -var all308 = all_match({ +var all303 = all_match({ processors: [ select320, - part1367, - dup401, + part1362, + dup398, dup40, select321, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18268,46 +16577,40 @@ var all308 = all_match({ ]), }); -var msg854 = msg("00515:13", all308); +var msg854 = msg("00515:13", all303); -var part1368 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been forced to log o'), Field(p0,false)}" -match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); +var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); -var part1369 = // "Pattern{Field(username,true), Constant(' '), Field(fld1,true), Constant(' has been forced to log o'), Field(p0,false)}" -match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); +var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); var select322 = linear_select([ - part1368, - part1369, + part1363, + part1364, ]); -var part1370 = // "Pattern{Constant('of the '), Field(p0,false)}" -match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); +var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); -var part1371 = // "Pattern{Constant('serial '), Field(logon_type,true), Constant(' session.')}" -match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); +var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); -var part1372 = // "Pattern{Field(logon_type,true), Constant(' session on host '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' ('), Field(event_time,false), Constant(')')}" -match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); +var part1367 = match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); -var part1373 = // "Pattern{Field(logon_type,true), Constant(' session on host '), Field(hostip,false), Constant(':'), Field(network_port,false)}" -match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); +var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); var select323 = linear_select([ - part1371, - part1372, - part1373, + part1366, + part1367, + part1368, ]); -var all309 = all_match({ +var all304 = all_match({ processors: [ select322, - dup401, - part1370, + dup398, + part1365, select323, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18315,32 +16618,29 @@ var all309 = all_match({ ]), }); -var msg855 = msg("00515:14", all309); +var msg855 = msg("00515:14", all304); -var part1374 = // "Pattern{Field(fld2,false), Constant(': Admin User '), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" -match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); +var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); -var part1375 = // "Pattern{Constant('the '), Field(logon_type,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); +var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); -var part1376 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); +var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); var select324 = linear_select([ - part1375, - part1376, + part1370, + part1371, ]); -var all310 = all_match({ +var all305 = all_match({ processors: [ - part1374, - dup401, + part1369, + dup398, dup40, select324, dup41, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup9, @@ -18349,31 +16649,28 @@ var all310 = all_match({ ]), }); -var msg856 = msg("00515:15", all310); +var msg856 = msg("00515:15", all305); -var part1377 = // "Pattern{Field(fld2,false), Constant(': Admin '), Field(p0,false)}" -match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); +var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); var select325 = linear_select([ - part1377, - dup289, + part1372, + dup287, ]); -var part1378 = // "Pattern{Constant('user '), Field(administrator,true), Constant(' attempt access to '), Field(url,true), Constant(' illegal from '), Field(logon_type,false), Constant('( http'), Field(p0,false)}" -match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); +var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); -var part1379 = // "Pattern{Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. (%{fld1})"); +var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. (%{fld1})"); -var all311 = all_match({ +var all306 = all_match({ processors: [ select325, - part1378, - dup402, - part1379, + part1373, + dup399, + part1374, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup9, @@ -18382,33 +16679,29 @@ var all311 = all_match({ ]), }); -var msg857 = msg("00515:16", all311); +var msg857 = msg("00515:16", all306); -var part1380 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged out for '), Field(logon_type,false), Constant('('), Field(p0,false)}" -match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); +var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); -var part1381 = // "Pattern{Constant('https '), Field(p0,false)}" -match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); +var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); -var part1382 = // "Pattern{Constant(' http '), Field(p0,false)}" -match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); +var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); var select326 = linear_select([ - part1381, - part1382, + part1376, + part1377, ]); -var part1383 = // "Pattern{Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); +var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); -var all312 = all_match({ +var all307 = all_match({ processors: [ - part1380, + part1375, select326, - part1383, + part1378, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18416,11 +16709,10 @@ var all312 = all_match({ ]), }); -var msg858 = msg("00515:17", all312); +var msg858 = msg("00515:17", all307); -var part1384 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' login attempt for '), Field(logon_type,false), Constant('(https) management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup242, +var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, dup2, dup3, dup9, @@ -18428,30 +16720,27 @@ match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} dup5, ])); -var msg859 = msg("00515:18", part1384); +var msg859 = msg("00515:18", part1379); -var part1385 = // "Pattern{Constant('Vsys admin user '), Field(administrator,true), Constant(' logged on via '), Field(p0,false)}" -match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); +var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); -var part1386 = // "Pattern{Field(logon_type,true), Constant(' from remote IP address '), Field(saddr,true), Constant(' using port '), Field(sport,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); +var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); -var part1387 = // "Pattern{Constant('the console. ('), Field(p0,false)}" -match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. (%{p0}"); +var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. (%{p0}"); var select327 = linear_select([ - part1386, - part1387, + part1381, + part1382, ]); -var all313 = all_match({ +var all308 = all_match({ processors: [ - part1385, + part1380, select327, dup41, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup9, @@ -18460,11 +16749,10 @@ var all313 = all_match({ ]), }); -var msg860 = msg("00515:19", all313); +var msg860 = msg("00515:19", all308); -var part1388 = // "Pattern{Constant('netscreen: Management session via SCS from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' for admin netscreen has timed out ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ - dup242, +var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ + dup240, dup2, dup3, dup9, @@ -18472,7 +16760,7 @@ match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session dup5, ])); -var msg861 = msg("00515:20", part1388); +var msg861 = msg("00515:20", part1383); var select328 = linear_select([ msg842, @@ -18497,85 +16785,77 @@ var select328 = linear_select([ msg861, ]); -var part1389 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' '), Field(fld1,false), Constant('at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup283, +var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg862 = msg("00518", part1389); +var msg862 = msg("00518", part1384); -var part1390 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup283, +var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg863 = msg("00518:17", part1390); +var msg863 = msg("00518:17", part1385); -var part1391 = // "Pattern{Constant('Local authentication for WebAuth user '), Field(username,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ - dup283, +var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg864 = msg("00518:01", part1391); +var msg864 = msg("00518:01", part1386); -var part1392 = // "Pattern{Constant('Local authentication for user '), Field(username,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ - dup283, +var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg865 = msg("00518:02", part1392); +var msg865 = msg("00518:02", part1387); -var part1393 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' must enter "Next Code" for SecurID '), Field(hostip,false)}" -match("MESSAGE#856:00518:03", "nwparser.payload", "User %{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ - dup205, +var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User %{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg866 = msg("00518:03", part1393); +var msg866 = msg("00518:03", part1388); -var part1394 = // "Pattern{Constant('WebAuth user '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup205, +var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg867 = msg("00518:04", part1394); +var msg867 = msg("00518:04", part1389); -var part1395 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been challenged via the '), Field(authmethod,true), Constant(' server at '), Field(hostip,true), Constant(' (Rejected since challenge is not supported for '), Field(logon_type,false), Constant(')')}" -match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ - dup205, +var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg868 = msg("00518:05", part1395); +var msg868 = msg("00518:05", part1390); -var part1396 = // "Pattern{Constant('Error in authentication for WebAuth user '), Field(username,false)}" -match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ +var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ dup35, dup29, dup31, @@ -18586,27 +16866,24 @@ match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for W dup3, ])); -var msg869 = msg("00518:06", part1396); +var msg869 = msg("00518:06", part1391); -var part1397 = // "Pattern{Constant('Authentication for user '), Field(username,true), Constant(' was denied (long '), Field(p0,false)}" -match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); +var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); -var part1398 = // "Pattern{Constant('username '), Field(p0,false)}" -match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); +var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); var select329 = linear_select([ dup24, - part1398, + part1393, ]); -var part1399 = // "Pattern{Constant(')'), Field(,false)}" -match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); +var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); -var all314 = all_match({ +var all309 = all_match({ processors: [ - part1397, + part1392, select329, - part1399, + part1394, ], on_success: processor_chain([ dup53, @@ -18620,10 +16897,9 @@ var all314 = all_match({ ]), }); -var msg870 = msg("00518:07", all314); +var msg870 = msg("00518:07", all309); -var part1400 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' '), Field(authmethod,true), Constant(' authentication attempt has timed out')}" -match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ +var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ dup35, dup29, dup31, @@ -18634,22 +16910,20 @@ match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr dup3, ])); -var msg871 = msg("00518:08", part1400); +var msg871 = msg("00518:08", part1395); -var part1401 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup205, +var part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg872 = msg("00518:09", part1401); +var msg872 = msg("00518:09", part1396); -var part1402 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,true), Constant(' ('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' failed due to '), Field(result,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ - dup208, +var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ + dup206, dup29, dup30, dup31, @@ -18659,36 +16933,32 @@ match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator} dup9, dup5, dup3, - dup304, + dup302, ])); -var msg873 = msg("00518:10", part1402); +var msg873 = msg("00518:10", part1397); -var part1403 = // "Pattern{Constant('ADM: Local admin authentication failed for login name '), Field(p0,false)}" -match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); +var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); -var part1404 = // "Pattern{Constant('''), Field(username,false), Constant('': '), Field(p0,false)}" -match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); +var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); -var part1405 = // "Pattern{Field(username,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); +var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); var select330 = linear_select([ - part1404, - part1405, + part1399, + part1400, ]); -var part1406 = // "Pattern{Field(result,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); +var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); -var all315 = all_match({ +var all310 = all_match({ processors: [ - part1403, + part1398, select330, - part1406, + part1401, ], on_success: processor_chain([ - dup208, + dup206, dup29, dup30, dup31, @@ -18701,11 +16971,10 @@ var all315 = all_match({ ]), }); -var msg874 = msg("00518:11", all315); +var msg874 = msg("00518:11", all310); -var part1407 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup242, +var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, dup2, dup4, dup9, @@ -18713,11 +16982,10 @@ match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator} dup3, ])); -var msg875 = msg("00518:12", part1407); +var msg875 = msg("00518:12", part1402); -var part1408 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' is rejected by the Radius server at '), Field(hostip,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. (%{fld1})", processor_chain([ - dup292, +var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. (%{fld1})", processor_chain([ + dup290, dup2, dup3, dup4, @@ -18725,18 +16993,17 @@ match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr dup5, ])); -var msg876 = msg("00518:13", part1408); +var msg876 = msg("00518:13", part1403); -var part1409 = // "Pattern{Field(fld2,false), Constant(': Admin user has been rejected via the Radius server at '), Field(hostip,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ - dup292, +var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ + dup290, dup2, dup4, dup5, dup9, ])); -var msg877 = msg("00518:14", part1409); +var msg877 = msg("00518:14", part1404); var select331 = linear_select([ msg862, @@ -18757,45 +17024,39 @@ var select331 = linear_select([ msg877, ]); -var part1410 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); +var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); -var part1411 = // "Pattern{Constant('of group '), Field(group,true), Constant(' at '), Field(saddr,true), Constant(' has '), Field(p0,false)}" -match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); +var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); -var part1412 = // "Pattern{Field(group,true), Constant(' at '), Field(saddr,true), Constant(' has '), Field(p0,false)}" -match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); +var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); var select332 = linear_select([ - dup196, - part1411, - part1412, + dup194, + part1406, + part1407, ]); -var part1413 = // "Pattern{Constant('been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server '), Field(p0,false)}" -match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); +var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); -var part1414 = // "Pattern{Constant('at '), Field(p0,false)}" -match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); +var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); var select333 = linear_select([ - part1414, + part1409, dup16, ]); -var part1415 = // "Pattern{Constant(''), Field(hostip,false)}" -match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); +var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); -var all316 = all_match({ +var all311 = all_match({ processors: [ - part1410, + part1405, select332, - part1413, + part1408, select333, - part1415, + part1410, ], on_success: processor_chain([ - dup205, + dup203, dup2, dup3, dup4, @@ -18803,27 +17064,25 @@ var all316 = all_match({ ]), }); -var msg878 = msg("00519", all316); +var msg878 = msg("00519", all311); -var part1416 = // "Pattern{Constant('Local authentication for '), Field(p0,false)}" -match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); +var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); var select334 = linear_select([ - dup309, dup307, + dup305, ]); -var part1417 = // "Pattern{Constant(''), Field(username,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); +var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); -var all317 = all_match({ +var all312 = all_match({ processors: [ - part1416, + part1411, select334, - part1417, + part1412, ], on_success: processor_chain([ - dup205, + dup203, dup2, dup3, dup4, @@ -18831,27 +17090,25 @@ var all317 = all_match({ ]), }); -var msg879 = msg("00519:01", all317); +var msg879 = msg("00519:01", all312); -var part1418 = // "Pattern{Constant('User '), Field(p0,false)}" -match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); +var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); var select335 = linear_select([ - dup309, - part1418, + dup307, + part1413, ]); -var part1419 = // "Pattern{Constant(''), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); +var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); -var all318 = all_match({ +var all313 = all_match({ processors: [ - dup162, + dup160, select335, - part1419, + part1414, ], on_success: processor_chain([ - dup205, + dup203, dup2, dup3, dup4, @@ -18859,40 +17116,37 @@ var all318 = all_match({ ]), }); -var msg880 = msg("00519:02", all318); +var msg880 = msg("00519:02", all313); -var part1420 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged in for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(fld4,false)}" -match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ - dup242, +var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg881 = msg("00519:03", part1420); +var msg881 = msg("00519:03", part1415); -var part1421 = // "Pattern{Constant('ADM: Local admin authentication successful for login name '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ - dup242, +var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ + dup240, dup2, dup4, dup5, dup9, ])); -var msg882 = msg("00519:04", part1421); +var msg882 = msg("00519:04", part1416); -var part1422 = // "Pattern{Field(fld2,false), Constant('Admin user '), Field(administrator,true), Constant(' has been accepted via the Radius server at '), Field(hostip,false), Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ - dup242, +var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ + dup240, dup2, dup4, dup5, dup9, ])); -var msg883 = msg("00519:05", part1422); +var msg883 = msg("00519:05", part1417); var select336 = linear_select([ msg878, @@ -18903,8 +17157,7 @@ var select336 = linear_select([ msg883, ]); -var part1423 = // "Pattern{Field(hostname,true), Constant(' user authentication attempt has timed out')}" -match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ +var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ dup35, dup31, dup39, @@ -18914,38 +17167,32 @@ match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authenticatio dup5, ])); -var msg884 = msg("00520", part1423); +var msg884 = msg("00520", part1418); -var part1424 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); +var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); -var part1425 = // "Pattern{Constant('RADIUS '), Field(p0,false)}" -match("MESSAGE#875:00520:01/1_0", "nwparser.p0", "RADIUS %{p0}"); +var part1420 = match("MESSAGE#875:00520:01/1_0", "nwparser.p0", "RADIUS %{p0}"); -var part1426 = // "Pattern{Constant('SecurID '), Field(p0,false)}" -match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); +var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); -var part1427 = // "Pattern{Constant('LDAP '), Field(p0,false)}" -match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); +var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); -var part1428 = // "Pattern{Constant('Local '), Field(p0,false)}" -match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); +var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); var select337 = linear_select([ - part1425, - part1426, - part1427, - part1428, + part1420, + part1421, + part1422, + part1423, ]); -var part1429 = // "Pattern{Constant('authentication attempt has timed out'), Field(,false)}" -match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); +var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); -var all319 = all_match({ +var all314 = all_match({ processors: [ - part1424, + part1419, select337, - part1429, + part1424, ], on_success: processor_chain([ dup35, @@ -18958,19 +17205,17 @@ var all319 = all_match({ ]), }); -var msg885 = msg("00520:01", all319); +var msg885 = msg("00520:01", all314); -var part1430 = // "Pattern{Constant('Trying '), Field(p0,false)}" -match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); +var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); -var part1431 = // "Pattern{Constant('server '), Field(fld2,false)}" -match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); +var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); -var all320 = all_match({ +var all315 = all_match({ processors: [ - part1430, - dup403, - part1431, + part1425, + dup400, + part1426, ], on_success: processor_chain([ dup44, @@ -18981,41 +17226,35 @@ var all320 = all_match({ ]), }); -var msg886 = msg("00520:02", all320); +var msg886 = msg("00520:02", all315); -var part1432 = // "Pattern{Constant('Primary '), Field(p0,false)}" -match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); +var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); -var part1433 = // "Pattern{Constant('Backup1 '), Field(p0,false)}" -match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); +var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); -var part1434 = // "Pattern{Constant('Backup2 '), Field(p0,false)}" -match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); +var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); var select338 = linear_select([ - part1432, - part1433, - part1434, + part1427, + part1428, + part1429, ]); -var part1435 = // "Pattern{Constant(''), Field(fld2,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); +var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); -var part1436 = // "Pattern{Constant(''), Field(fld3,false), Constant(', and '), Field(p0,false)}" -match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); +var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); -var part1437 = // "Pattern{Constant(''), Field(fld4,true), Constant(' servers failed')}" -match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); +var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); -var all321 = all_match({ +var all316 = all_match({ processors: [ - dup162, + dup160, select338, - part1435, - dup403, - part1436, - dup403, - part1437, + part1430, + dup400, + part1431, + dup400, + part1432, ], on_success: processor_chain([ dup19, @@ -19026,10 +17265,9 @@ var all321 = all_match({ ]), }); -var msg887 = msg("00520:03", all321); +var msg887 = msg("00520:03", all316); -var part1438 = // "Pattern{Constant('Trying '), Field(fld2,true), Constant(' Server '), Field(hostip,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ +var part1433 = match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -19037,10 +17275,9 @@ match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hos dup9, ])); -var msg888 = msg("00520:04", part1438); +var msg888 = msg("00520:04", part1433); -var part1439 = // "Pattern{Constant('Active Server Switchover: New requests for '), Field(fld31,true), Constant(' server will try '), Field(fld32,true), Constant(' from now on. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ +var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -19048,7 +17285,7 @@ match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: Ne dup9, ])); -var msg889 = msg("00520:05", part1439); +var msg889 = msg("00520:05", part1434); var select339 = linear_select([ msg884, @@ -19059,8 +17296,7 @@ var select339 = linear_select([ msg889, ]); -var part1440 = // "Pattern{Constant('Can't connect to E-mail server '), Field(hostip,false)}" -match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ +var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ dup27, dup2, dup3, @@ -19068,10 +17304,9 @@ match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server % dup5, ])); -var msg890 = msg("00521", part1440); +var msg890 = msg("00521", part1435); -var part1441 = // "Pattern{Constant('HA link state has '), Field(fld2,false)}" -match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ +var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ dup117, dup2, dup3, @@ -19079,32 +17314,29 @@ match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", proc dup5, ])); -var msg891 = msg("00522", part1441); +var msg891 = msg("00522", part1436); -var part1442 = // "Pattern{Constant('URL filtering received an error from '), Field(fld2,true), Constant(' (error '), Field(resultcode,false), Constant(').')}" -match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ - dup234, +var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ + dup232, dup2, dup3, dup4, dup5, ])); -var msg892 = msg("00523", part1442); +var msg892 = msg("00523", part1437); -var part1443 = // "Pattern{Constant('NetScreen device at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has responded successfully to SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ - dup211, +var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg893 = msg("00524", part1443); +var msg893 = msg("00524", part1438); -var part1444 = // "Pattern{Constant('SNMP request from an unknown SNMP community public at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has been received. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ +var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -19113,10 +17345,9 @@ match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown dup5, ])); -var msg894 = msg("00524:02", part1444); +var msg894 = msg("00524:02", part1439); -var part1445 = // "Pattern{Constant('SNMP: NetScreen device has responded successfully to the SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ +var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -19125,10 +17356,9 @@ match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has re dup5, ])); -var msg895 = msg("00524:03", part1445); +var msg895 = msg("00524:03", part1440); -var part1446 = // "Pattern{Constant('SNMP request from an unknown SNMP community admin at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has been received. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ +var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -19137,10 +17367,9 @@ match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown dup5, ])); -var msg896 = msg("00524:04", part1446); +var msg896 = msg("00524:04", part1441); -var part1447 = // "Pattern{Constant('SNMP request from an unknown SNMP community '), Field(fld2,true), Constant(' at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has been received. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ +var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ dup18, dup2, dup4, @@ -19148,10 +17377,9 @@ match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown dup9, ])); -var msg897 = msg("00524:05", part1447); +var msg897 = msg("00524:05", part1442); -var part1448 = // "Pattern{Constant('SNMP request has been received from an unknown host in SNMP community '), Field(fld2,true), Constant(' at '), Field(hostip,false), Constant(':'), Field(network_port,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ +var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ dup18, dup2, dup4, @@ -19159,20 +17387,18 @@ match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been receive dup9, ])); -var msg898 = msg("00524:06", part1448); +var msg898 = msg("00524:06", part1443); -var part1449 = // "Pattern{Constant('SNMP request from an unknown SNMP community '), Field(fld2,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' has been received')}" -match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ +var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg899 = msg("00524:12", part1449); +var msg899 = msg("00524:12", part1444); -var part1450 = // "Pattern{Constant('SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has been received, but the SNMP version type is incorrect. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. (%{fld1})", processor_chain([ +var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. (%{fld1})", processor_chain([ dup19, dup2, dup4, @@ -19181,19 +17407,17 @@ match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{ dup9, ])); -var msg900 = msg("00524:14", part1450); +var msg900 = msg("00524:14", part1445); -var part1451 = // "Pattern{Constant('SNMP request has been received'), Field(p0,false)}" -match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); +var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); -var part1452 = // "Pattern{Field(,false), Constant('but '), Field(result,false)}" -match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); +var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); -var all322 = all_match({ +var all317 = all_match({ processors: [ - part1451, - dup404, - part1452, + part1446, + dup401, + part1447, ], on_success: processor_chain([ dup18, @@ -19203,60 +17427,54 @@ var all322 = all_match({ ]), }); -var msg901 = msg("00524:13", all322); +var msg901 = msg("00524:13", all317); -var part1453 = // "Pattern{Constant('Response to SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' has '), Field(disposition,true), Constant(' due to '), Field(result,false)}" -match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ +var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg902 = msg("00524:07", part1453); +var msg902 = msg("00524:07", part1448); -var part1454 = // "Pattern{Constant('SNMP community '), Field(fld2,true), Constant(' cannot be added because '), Field(result,false)}" -match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ +var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg903 = msg("00524:08", part1454); +var msg903 = msg("00524:08", part1449); -var part1455 = // "Pattern{Constant('SNMP host '), Field(hostip,true), Constant(' cannot be added to community '), Field(fld2,true), Constant(' because of '), Field(result,false)}" -match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ +var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg904 = msg("00524:09", part1455); +var msg904 = msg("00524:09", part1450); -var part1456 = // "Pattern{Constant('SNMP host '), Field(hostip,true), Constant(' cannot be added because '), Field(result,false)}" -match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ +var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg905 = msg("00524:10", part1456); +var msg905 = msg("00524:10", part1451); -var part1457 = // "Pattern{Constant('SNMP host '), Field(hostip,true), Constant(' cannot be removed from community '), Field(fld2,true), Constant(' because '), Field(result,false)}" -match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ +var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg906 = msg("00524:11", part1457); +var msg906 = msg("00524:11", part1452); -var part1458 = // "Pattern{Constant('SNMP user/community '), Field(fld34,true), Constant(' doesn't exist. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. (%{fld1})", processor_chain([ +var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -19264,7 +17482,7 @@ match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34- dup9, ])); -var msg907 = msg("00524:16", part1458); +var msg907 = msg("00524:16", part1453); var select340 = linear_select([ msg893, @@ -19284,9 +17502,8 @@ var select340 = linear_select([ msg907, ]); -var part1459 = // "Pattern{Constant('The new PIN for user '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' has been '), Field(disposition,true), Constant(' by SecurID '), Field(fld2,false)}" -match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ - dup205, +var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ + dup203, setc("ec_subject","Password"), dup38, dup2, @@ -19295,40 +17512,37 @@ match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username- dup5, ])); -var msg908 = msg("00525", part1459); +var msg908 = msg("00525", part1454); -var part1460 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' has selected a system-generated PIN for authentication with SecurID '), Field(fld2,false)}" -match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ - dup205, +var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg909 = msg("00525:01", part1460); +var msg909 = msg("00525:01", part1455); -var part1461 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' must enter the "new PIN" for SecurID '), Field(fld2,false)}" -match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ - dup205, +var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg910 = msg("00525:02", part1461); +var msg910 = msg("00525:02", part1456); -var part1462 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' must make a "New PIN" choice for SecurID '), Field(fld2,false)}" -match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ - dup205, +var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg911 = msg("00525:03", part1462); +var msg911 = msg("00525:03", part1457); var select341 = linear_select([ msg908, @@ -19337,10 +17551,9 @@ var select341 = linear_select([ msg911, ]); -var part1463 = // "Pattern{Constant('The user limit has been exceeded and '), Field(hostip,true), Constant(' cannot be added')}" -match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ +var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ dup37, - dup221, + dup219, dup38, dup39, dup2, @@ -19349,39 +17562,34 @@ match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded dup5, ])); -var msg912 = msg("00526", part1463); +var msg912 = msg("00526", part1458); -var part1464 = // "Pattern{Constant('A DHCP-'), Field(p0,false)}" -match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); +var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); -var part1465 = // "Pattern{Constant(' assigned '), Field(p0,false)}" -match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); +var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); var select342 = linear_select([ - dup313, - part1465, + dup311, + part1460, ]); -var part1466 = // "Pattern{Constant('IP address '), Field(hostip,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); +var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); -var part1467 = // "Pattern{Constant('freed from '), Field(p0,false)}" -match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); +var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); -var part1468 = // "Pattern{Constant('freed '), Field(p0,false)}" -match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); +var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); var select343 = linear_select([ - dup314, - part1467, - part1468, + dup312, + part1462, + part1463, ]); -var all323 = all_match({ +var all318 = all_match({ processors: [ - part1464, + part1459, select342, - part1466, + part1461, select343, dup108, ], @@ -19394,10 +17602,9 @@ var all323 = all_match({ ]), }); -var msg913 = msg("00527", all323); +var msg913 = msg("00527", all318); -var part1469 = // "Pattern{Constant('A DHCP-assigned IP address has been manually released'), Field(,false)}" -match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ +var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ dup44, dup2, dup3, @@ -19405,31 +17612,27 @@ match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address ha dup5, ])); -var msg914 = msg("00527:01", part1469); +var msg914 = msg("00527:01", part1464); -var part1470 = // "Pattern{Constant('DHCP server has '), Field(p0,false)}" -match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); +var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); -var part1471 = // "Pattern{Constant('released '), Field(p0,false)}" -match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); +var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); -var part1472 = // "Pattern{Constant('assigned or released '), Field(p0,false)}" -match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); +var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); var select344 = linear_select([ - dup313, - part1471, - part1472, + dup311, + part1466, + part1467, ]); -var part1473 = // "Pattern{Constant('an IP address'), Field(,false)}" -match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); +var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); -var all324 = all_match({ +var all319 = all_match({ processors: [ - part1470, + part1465, select344, - part1473, + part1468, ], on_success: processor_chain([ dup44, @@ -19440,21 +17643,19 @@ var all324 = all_match({ ]), }); -var msg915 = msg("00527:02", all324); +var msg915 = msg("00527:02", all319); -var part1474 = // "Pattern{Constant('MAC address '), Field(macaddr,true), Constant(' has detected an IP conflict and has declined address '), Field(hostip,false)}" -match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ - dup274, +var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ + dup272, dup2, dup3, dup4, dup5, ])); -var msg916 = msg("00527:03", part1474); +var msg916 = msg("00527:03", part1469); -var part1475 = // "Pattern{Constant('One or more DHCP-assigned IP addresses have been manually released.'), Field(,false)}" -match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ +var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ dup44, dup2, dup3, @@ -19462,16 +17663,15 @@ match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP dup5, ])); -var msg917 = msg("00527:04", part1475); +var msg917 = msg("00527:04", part1470); -var part1476 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' is more than '), Field(fld2,true), Constant(' allocated.')}" -match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); +var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); -var all325 = all_match({ +var all320 = all_match({ processors: [ - dup212, - dup339, - part1476, + dup210, + dup337, + part1471, ], on_success: processor_chain([ dup44, @@ -19482,34 +17682,31 @@ var all325 = all_match({ ]), }); -var msg918 = msg("00527:05", all325); +var msg918 = msg("00527:05", all320); -var part1477 = // "Pattern{Constant('IP address '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); +var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); var select345 = linear_select([ dup106, dup127, ]); -var part1478 = // "Pattern{Constant('released from '), Field(p0,false)}" -match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); +var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); var select346 = linear_select([ - dup314, - part1478, + dup312, + part1473, ]); -var part1479 = // "Pattern{Constant(''), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); +var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); -var all326 = all_match({ +var all321 = all_match({ processors: [ - part1477, + part1472, select345, dup23, select346, - part1479, + part1474, ], on_success: processor_chain([ dup44, @@ -19521,10 +17718,9 @@ var all326 = all_match({ ]), }); -var msg919 = msg("00527:06", all326); +var msg919 = msg("00527:06", all321); -var part1480 = // "Pattern{Constant('One or more IP addresses have expired. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. (%{fld1})", processor_chain([ +var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -19533,10 +17729,9 @@ match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have dup5, ])); -var msg920 = msg("00527:07", part1480); +var msg920 = msg("00527:07", part1475); -var part1481 = // "Pattern{Constant('DHCP server on interface '), Field(interface,true), Constant(' received '), Field(protocol_detail,true), Constant(' from '), Field(smacaddr,true), Constant(' requesting out-of-scope IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ +var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -19545,30 +17740,27 @@ match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{in dup5, ])); -var msg921 = msg("00527:08", part1481); +var msg921 = msg("00527:08", part1476); -var part1482 = // "Pattern{Constant('MAC address '), Field(macaddr,true), Constant(' has '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); +var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); -var part1483 = // "Pattern{Constant('address '), Field(hostip,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); +var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); -var part1484 = // "Pattern{Field(hostip,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); +var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); var select347 = linear_select([ - part1483, - part1484, + part1478, + part1479, ]); -var all327 = all_match({ +var all322 = all_match({ processors: [ - part1482, + part1477, select347, dup41, ], on_success: processor_chain([ - dup274, + dup272, dup2, dup3, dup9, @@ -19577,10 +17769,9 @@ var all327 = all_match({ ]), }); -var msg922 = msg("00527:09", all327); +var msg922 = msg("00527:09", all322); -var part1485 = // "Pattern{Constant('One or more IP addresses are expired. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. (%{fld1})", processor_chain([ +var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -19589,7 +17780,7 @@ match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are dup5, ])); -var msg923 = msg("00527:10", part1485); +var msg923 = msg("00527:10", part1480); var select348 = linear_select([ msg913, @@ -19605,8 +17796,7 @@ var select348 = linear_select([ msg923, ]); -var part1486 = // "Pattern{Constant('SCS: User ''), Field(username,false), Constant('' authenticated using password :')}" -match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ +var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ setc("eventcategory","1302010000"), dup29, dup31, @@ -19617,66 +17807,60 @@ match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenti dup5, ])); -var msg924 = msg("00528", part1486); +var msg924 = msg("00528", part1481); -var part1487 = // "Pattern{Constant('SCS: Connection terminated for user '), Field(username,true), Constant(' from')}" -match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ - dup205, +var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg925 = msg("00528:01", part1487); +var msg925 = msg("00528:01", part1482); -var part1488 = // "Pattern{Constant('SCS: Disabled for all root/vsys on device. Client host attempting connection to interface ''), Field(interface,false), Constant('' with address '), Field(hostip,true), Constant(' from '), Field(saddr,false)}" -match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ - dup205, +var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg926 = msg("00528:02", part1488); +var msg926 = msg("00528:02", part1483); -var part1489 = // "Pattern{Constant('SSH: NetScreen device '), Field(disposition,true), Constant(' to identify itself to the SSH client at '), Field(hostip,false)}" -match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ - dup205, +var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg927 = msg("00528:03", part1489); +var msg927 = msg("00528:03", part1484); -var part1490 = // "Pattern{Constant('SSH: Incompatible SSH version string has been received from SSH client at '), Field(hostip,false)}" -match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ - dup205, +var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg928 = msg("00528:04", part1490); +var msg928 = msg("00528:04", part1485); -var part1491 = // "Pattern{Constant('SSH: '), Field(disposition,true), Constant(' to send identification string to client host at '), Field(hostip,false)}" -match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ - dup205, +var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg929 = msg("00528:05", part1491); +var msg929 = msg("00528:05", part1486); -var part1492 = // "Pattern{Constant('SSH: Client at '), Field(saddr,true), Constant(' attempted to connect with invalid version string.')}" -match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ - dup315, +var part1487 = match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ + dup313, dup2, dup3, dup4, @@ -19684,38 +17868,33 @@ match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} att setc("result","invalid version string"), ])); -var msg930 = msg("00528:06", part1492); +var msg930 = msg("00528:06", part1487); -var part1493 = // "Pattern{Constant('SSH: '), Field(disposition,true), Constant(' to negotiate '), Field(p0,false)}" -match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); +var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); -var part1494 = // "Pattern{Constant('MAC '), Field(p0,false)}" -match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); +var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); -var part1495 = // "Pattern{Constant('key exchange '), Field(p0,false)}" -match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); +var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); -var part1496 = // "Pattern{Constant('host key '), Field(p0,false)}" -match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); +var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); var select349 = linear_select([ dup88, - part1494, - part1495, - part1496, + part1489, + part1490, + part1491, ]); -var part1497 = // "Pattern{Constant('algorithm with host '), Field(hostip,false)}" -match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); +var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); -var all328 = all_match({ +var all323 = all_match({ processors: [ - part1493, + part1488, select349, - part1497, + part1492, ], on_success: processor_chain([ - dup316, + dup314, dup2, dup4, dup5, @@ -19723,55 +17902,50 @@ var all328 = all_match({ ]), }); -var msg931 = msg("00528:07", all328); +var msg931 = msg("00528:07", all323); -var part1498 = // "Pattern{Constant('SSH: Unsupported cipher type '), Field(fld2,true), Constant(' requested from '), Field(saddr,false)}" -match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ - dup316, +var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ + dup314, dup2, dup4, dup5, dup3, ])); -var msg932 = msg("00528:08", part1498); +var msg932 = msg("00528:08", part1493); -var part1499 = // "Pattern{Constant('SSH: Host client has requested NO cipher from '), Field(saddr,false)}" -match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ - dup316, +var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg933 = msg("00528:09", part1499); +var msg933 = msg("00528:09", part1494); -var part1500 = // "Pattern{Constant('SSH: Disabled for ''), Field(vsys,false), Constant(''. Attempted connection '), Field(disposition,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup283, +var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg934 = msg("00528:10", part1500); +var msg934 = msg("00528:10", part1495); -var part1501 = // "Pattern{Constant('SSH: Disabled for '), Field(fld2,true), Constant(' Attempted connection '), Field(disposition,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup283, +var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg935 = msg("00528:11", part1501); +var msg935 = msg("00528:11", part1496); -var part1502 = // "Pattern{Constant('SSH: SSH user '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' tried unsuccessfully to log in to '), Field(vsys,true), Constant(' using the shared untrusted interface. SSH disabled on that interface.')}" -match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ - dup283, +var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ + dup281, dup2, dup4, dup5, @@ -19779,51 +17953,44 @@ match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} a setc("disposition","disabled"), ])); -var msg936 = msg("00528:12", part1502); +var msg936 = msg("00528:12", part1497); -var part1503 = // "Pattern{Constant('SSH: SSH client at '), Field(saddr,true), Constant(' tried unsuccessfully to '), Field(p0,false)}" -match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); +var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); -var part1504 = // "Pattern{Constant('make '), Field(p0,false)}" -match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); +var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); -var part1505 = // "Pattern{Constant('establish '), Field(p0,false)}" -match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); +var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); var select350 = linear_select([ - part1504, - part1505, + part1499, + part1500, ]); -var part1506 = // "Pattern{Constant('an SSH connection to '), Field(p0,false)}" -match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); +var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); -var part1507 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' with IP '), Field(hostip,true), Constant(' SSH '), Field(p0,false)}" -match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); +var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); -var part1508 = // "Pattern{Constant('not enabled '), Field(p0,false)}" -match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); +var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); var select351 = linear_select([ - part1508, + part1503, dup157, ]); -var part1509 = // "Pattern{Constant('on that interface.'), Field(,false)}" -match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); +var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); -var all329 = all_match({ +var all324 = all_match({ processors: [ - part1503, + part1498, select350, - part1506, - dup339, - part1507, + part1501, + dup337, + part1502, select351, - part1509, + part1504, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19831,54 +17998,48 @@ var all329 = all_match({ ]), }); -var msg937 = msg("00528:13", all329); +var msg937 = msg("00528:13", all324); -var part1510 = // "Pattern{Constant('SSH: SSH client '), Field(saddr,true), Constant(' unsuccessfully attempted to make an SSH connection to '), Field(vsys,true), Constant(' SSH was not completely initialized for that system.')}" -match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ - dup283, +var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg938 = msg("00528:14", part1510); +var msg938 = msg("00528:14", part1505); -var part1511 = // "Pattern{Constant('SSH: Admin user '), Field(p0,false)}" -match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); +var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); -var part1512 = // "Pattern{Field(administrator,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); +var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); var select352 = linear_select([ - dup317, - part1512, + dup315, + part1507, ]); -var part1513 = // "Pattern{Constant('at host '), Field(saddr,true), Constant(' requested unsupported '), Field(p0,false)}" -match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); +var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); -var part1514 = // "Pattern{Constant('PKA algorithm '), Field(p0,false)}" -match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); +var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); -var part1515 = // "Pattern{Constant('authentication method '), Field(p0,false)}" -match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); +var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); var select353 = linear_select([ - part1514, - part1515, + part1509, + part1510, ]); -var all330 = all_match({ +var all325 = all_match({ processors: [ - part1511, + part1506, select352, - part1513, + part1508, select353, dup108, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19886,43 +18047,40 @@ var all330 = all_match({ ]), }); -var msg939 = msg("00528:15", all330); +var msg939 = msg("00528:15", all325); -var part1516 = // "Pattern{Constant('SCP: Admin ''), Field(administrator,false), Constant('' at host '), Field(saddr,true), Constant(' executed invalid scp command: ''), Field(fld2,false), Constant(''')}" -match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ - dup283, +var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg940 = msg("00528:16", part1516); +var msg940 = msg("00528:16", part1511); -var part1517 = // "Pattern{Constant('SCP: Disabled for ''), Field(username,false), Constant(''. Attempted file transfer failed from host '), Field(saddr,false)}" -match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. Attempted file transfer failed from host %{saddr}", processor_chain([ - dup283, +var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. Attempted file transfer failed from host %{saddr}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg941 = msg("00528:17", part1517); +var msg941 = msg("00528:17", part1512); -var part1518 = // "Pattern{Constant('authentication successful for admin user '), Field(p0,false)}" -match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); +var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); -var all331 = all_match({ +var all326 = all_match({ processors: [ - dup318, - dup405, - part1518, - dup406, - dup322, + dup316, + dup402, + part1513, + dup403, + dup320, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19932,46 +18090,44 @@ var all331 = all_match({ ]), }); -var msg942 = msg("00528:18", all331); +var msg942 = msg("00528:18", all326); -var part1519 = // "Pattern{Constant('authentication failed for admin user '), Field(p0,false)}" -match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); +var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); -var all332 = all_match({ +var all327 = all_match({ processors: [ - dup318, - dup405, - part1519, - dup406, - dup322, + dup316, + dup402, + part1514, + dup403, + dup320, ], on_success: processor_chain([ - dup208, + dup206, dup29, dup31, dup54, dup2, dup4, dup5, - dup304, + dup302, dup3, setc("event_description","authentication failed for admin user"), ]), }); -var msg943 = msg("00528:26", all332); +var msg943 = msg("00528:26", all327); -var part1520 = // "Pattern{Constant(': SSH user '), Field(username,true), Constant(' has been '), Field(disposition,true), Constant(' using password from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); +var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); -var all333 = all_match({ +var all328 = all_match({ processors: [ - dup323, - dup407, - part1520, + dup321, + dup404, + part1515, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19979,19 +18135,18 @@ var all333 = all_match({ ]), }); -var msg944 = msg("00528:19", all333); +var msg944 = msg("00528:19", all328); -var part1521 = // "Pattern{Constant(': Connection has been '), Field(disposition,true), Constant(' for admin user '), Field(administrator,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); +var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); -var all334 = all_match({ +var all329 = all_match({ processors: [ - dup323, - dup407, - part1521, + dup321, + dup404, + part1516, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19999,33 +18154,30 @@ var all334 = all_match({ ]), }); -var msg945 = msg("00528:20", all334); +var msg945 = msg("00528:20", all329); -var part1522 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has requested PKA RSA authentication, which is not supported for that client.')}" -match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that client.", processor_chain([ - dup283, +var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that client.", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg946 = msg("00528:21", part1522); +var msg946 = msg("00528:21", part1517); -var part1523 = // "Pattern{Constant('SCS: SSH client at '), Field(saddr,true), Constant(' has attempted to make an SCS connection to '), Field(p0,false)}" -match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); +var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); -var part1524 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' with IP '), Field(hostip,true), Constant(' but '), Field(disposition,true), Constant(' because SCS is not enabled for that interface.')}" -match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); +var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); -var all335 = all_match({ +var all330 = all_match({ processors: [ - part1523, - dup339, - part1524, + part1518, + dup337, + part1519, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -20034,11 +18186,10 @@ var all335 = all_match({ ]), }); -var msg947 = msg("00528:22", all335); +var msg947 = msg("00528:22", all330); -var part1525 = // "Pattern{Constant('SCS: SSH client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' to make an SCS connection to vsys '), Field(vsys,true), Constant(' because SCS cannot generate the host and server keys before timing out.')}" -match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ - dup283, +var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ + dup281, dup2, dup4, dup5, @@ -20046,33 +18197,30 @@ match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:% setc("result","SCS cannot generate the host and server keys before timing out"), ])); -var msg948 = msg("00528:23", part1525); +var msg948 = msg("00528:23", part1520); -var part1526 = // "Pattern{Constant('SSH: '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup283, +var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup281, dup2, dup3, dup4, dup5, ])); -var msg949 = msg("00528:24", part1526); +var msg949 = msg("00528:24", part1521); -var part1527 = // "Pattern{Constant('SSH: Admin '), Field(p0,false)}" -match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); +var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); -var part1528 = // "Pattern{Constant('at host '), Field(saddr,true), Constant(' attempted to be authenticated with no authentication methods enabled.')}" -match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); +var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); -var all336 = all_match({ +var all331 = all_match({ processors: [ - part1527, - dup406, - part1528, + part1522, + dup403, + part1523, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -20080,7 +18228,7 @@ var all336 = all_match({ ]), }); -var msg950 = msg("00528:25", all336); +var msg950 = msg("00528:25", all331); var select354 = linear_select([ msg924, @@ -20112,25 +18260,22 @@ var select354 = linear_select([ msg950, ]); -var part1529 = // "Pattern{Constant('manually '), Field(p0,false)}" -match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); +var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); -var part1530 = // "Pattern{Constant('automatically '), Field(p0,false)}" -match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); +var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); var select355 = linear_select([ - part1529, - part1530, + part1524, + part1525, ]); -var part1531 = // "Pattern{Constant('refreshed'), Field(,false)}" -match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); +var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); -var all337 = all_match({ +var all332 = all_match({ processors: [ dup63, select355, - part1531, + part1526, ], on_success: processor_chain([ dup44, @@ -20141,25 +18286,22 @@ var all337 = all_match({ ]), }); -var msg951 = msg("00529", all337); +var msg951 = msg("00529", all332); -var part1532 = // "Pattern{Constant('DNS entries have been refreshed by '), Field(p0,false)}" -match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); +var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); -var part1533 = // "Pattern{Constant('state change'), Field(,false)}" -match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); +var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); -var part1534 = // "Pattern{Constant('HA'), Field(,false)}" -match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); +var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); var select356 = linear_select([ - part1533, - part1534, + part1528, + part1529, ]); -var all338 = all_match({ +var all333 = all_match({ processors: [ - part1532, + part1527, select356, ], on_success: processor_chain([ @@ -20171,35 +18313,32 @@ var all338 = all_match({ ]), }); -var msg952 = msg("00529:01", all338); +var msg952 = msg("00529:01", all333); var select357 = linear_select([ msg951, msg952, ]); -var part1535 = // "Pattern{Constant('An IP conflict has been detected and the DHCP client has declined address '), Field(hostip,false)}" -match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ - dup274, +var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ + dup272, dup2, dup3, dup4, dup5, ])); -var msg953 = msg("00530", part1535); +var msg953 = msg("00530", part1530); -var part1536 = // "Pattern{Constant('DHCP client IP '), Field(hostip,true), Constant(' for the '), Field(p0,false)}" -match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); +var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); -var part1537 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' has been manually released')}" -match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); +var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); -var all339 = all_match({ +var all334 = all_match({ processors: [ - part1536, - dup339, - part1537, + part1531, + dup337, + part1532, ], on_success: processor_chain([ dup44, @@ -20210,10 +18349,9 @@ var all339 = all_match({ ]), }); -var msg954 = msg("00530:01", all339); +var msg954 = msg("00530:01", all334); -var part1538 = // "Pattern{Constant('DHCP client is unable to get an IP address for the '), Field(interface,true), Constant(' interface')}" -match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ +var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ dup18, dup2, dup3, @@ -20221,10 +18359,9 @@ match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get dup5, ])); -var msg955 = msg("00530:02", part1538); +var msg955 = msg("00530:02", part1533); -var part1539 = // "Pattern{Constant('DHCP client lease for '), Field(hostip,true), Constant(' has expired')}" -match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ +var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ dup44, dup2, dup3, @@ -20232,10 +18369,9 @@ match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hosti dup5, ])); -var msg956 = msg("00530:03", part1539); +var msg956 = msg("00530:03", part1534); -var part1540 = // "Pattern{Constant('DHCP server '), Field(hostip,true), Constant(' has assigned the untrust Interface '), Field(interface,true), Constant(' with lease '), Field(fld2,false), Constant('.')}" -match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ +var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ dup44, dup2, dup3, @@ -20243,10 +18379,9 @@ match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has a dup5, ])); -var msg957 = msg("00530:04", part1540); +var msg957 = msg("00530:04", part1535); -var part1541 = // "Pattern{Constant('DHCP server '), Field(hostip,true), Constant(' has assigned the '), Field(interface,true), Constant(' interface '), Field(fld2,true), Constant(' with lease '), Field(fld3,false)}" -match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ +var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ dup44, dup2, dup3, @@ -20254,10 +18389,9 @@ match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has a dup5, ])); -var msg958 = msg("00530:05", part1541); +var msg958 = msg("00530:05", part1536); -var part1542 = // "Pattern{Constant('DHCP client is unable to get IP address for the untrust interface.'), Field(,false)}" -match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ +var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ dup18, dup2, dup3, @@ -20265,7 +18399,7 @@ match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get dup5, ])); -var msg959 = msg("00530:06", part1542); +var msg959 = msg("00530:06", part1537); var select358 = linear_select([ msg953, @@ -20277,13 +18411,12 @@ var select358 = linear_select([ msg959, ]); -var part1543 = // "Pattern{Constant('System clock configurations have been changed by admin '), Field(p0,false)}" -match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); +var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); -var all340 = all_match({ +var all335 = all_match({ processors: [ - part1543, - dup400, + part1538, + dup397, ], on_success: processor_chain([ dup1, @@ -20295,10 +18428,9 @@ var all340 = all_match({ ]), }); -var msg960 = msg("00531", all340); +var msg960 = msg("00531", all335); -var part1544 = // "Pattern{Constant('failed to get clock through NTP'), Field(,false)}" -match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ +var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ dup86, dup2, dup3, @@ -20306,10 +18438,9 @@ match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through N dup5, ])); -var msg961 = msg("00531:01", part1544); +var msg961 = msg("00531:01", part1539); -var part1545 = // "Pattern{Constant('The system clock has been updated through NTP.'), Field(,false)}" -match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ +var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ dup1, dup2, dup3, @@ -20317,38 +18448,33 @@ match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been upd dup5, ])); -var msg962 = msg("00531:02", part1545); +var msg962 = msg("00531:02", part1540); -var part1546 = // "Pattern{Constant('The system clock was updated from '), Field(type,true), Constant(' NTP server type '), Field(hostname,true), Constant(' with a'), Field(p0,false)}" -match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); +var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); -var part1547 = // "Pattern{Constant(' ms '), Field(p0,false)}" -match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); +var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); var select359 = linear_select([ - part1547, + part1542, dup115, ]); -var part1548 = // "Pattern{Constant('adjustment of '), Field(fld3,false), Constant('. Authentication was '), Field(fld4,false), Constant('. Update mode was '), Field(p0,false)}" -match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); +var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); -var part1549 = // "Pattern{Field(fld5,false), Constant('('), Field(fld2,false), Constant(')')}" -match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); +var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); -var part1550 = // "Pattern{Field(fld5,false)}" -match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); +var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); var select360 = linear_select([ - part1549, - part1550, + part1544, + part1545, ]); -var all341 = all_match({ +var all336 = all_match({ processors: [ - part1546, + part1541, select359, - part1548, + part1543, select360, ], on_success: processor_chain([ @@ -20361,31 +18487,27 @@ var all341 = all_match({ ]), }); -var msg963 = msg("00531:03", all341); +var msg963 = msg("00531:03", all336); -var part1551 = // "Pattern{Constant('The NetScreen device is attempting to contact the '), Field(p0,false)}" -match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); +var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); -var part1552 = // "Pattern{Constant('primary backup '), Field(p0,false)}" -match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); +var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); -var part1553 = // "Pattern{Constant('secondary backup '), Field(p0,false)}" -match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); +var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); var select361 = linear_select([ - part1552, - part1553, - dup191, + part1547, + part1548, + dup189, ]); -var part1554 = // "Pattern{Constant('NTP server '), Field(hostname,false)}" -match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); +var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); -var all342 = all_match({ +var all337 = all_match({ processors: [ - part1551, + part1546, select361, - part1554, + part1549, ], on_success: processor_chain([ dup1, @@ -20396,10 +18518,9 @@ var all342 = all_match({ ]), }); -var msg964 = msg("00531:04", all342); +var msg964 = msg("00531:04", all337); -var part1555 = // "Pattern{Constant('No NTP server could be contacted. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. (%{fld1})", processor_chain([ +var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. (%{fld1})", processor_chain([ dup86, dup2, dup3, @@ -20408,10 +18529,9 @@ match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contac dup5, ])); -var msg965 = msg("00531:05", part1555); +var msg965 = msg("00531:05", part1550); -var part1556 = // "Pattern{Constant('Network Time Protocol adjustment of '), Field(fld2,true), Constant(' from NTP server '), Field(hostname,true), Constant(' exceeds the allowed adjustment of '), Field(fld3,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ +var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ dup86, dup2, dup3, @@ -20420,10 +18540,9 @@ match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustm dup5, ])); -var msg966 = msg("00531:06", part1556); +var msg966 = msg("00531:06", part1551); -var part1557 = // "Pattern{Constant('No acceptable time could be obtained from any NTP server. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ +var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ dup86, dup2, dup3, @@ -20432,10 +18551,9 @@ match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be o dup5, ])); -var msg967 = msg("00531:07", part1557); +var msg967 = msg("00531:07", part1552); -var part1558 = // "Pattern{Constant('Administrator '), Field(administrator,true), Constant(' changed the '), Field(change_attribute,true), Constant(' from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' (by '), Field(fld3,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ +var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -20444,10 +18562,9 @@ match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator dup5, ])); -var msg968 = msg("00531:08", part1558); +var msg968 = msg("00531:08", part1553); -var part1559 = // "Pattern{Constant('Network Time Protocol settings changed. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. (%{fld1})", processor_chain([ +var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -20456,10 +18573,9 @@ match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol setting dup5, ])); -var msg969 = msg("00531:09", part1559); +var msg969 = msg("00531:09", part1554); -var part1560 = // "Pattern{Constant('NTP server is '), Field(disposition,true), Constant(' on interface '), Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ +var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ dup86, dup2, dup3, @@ -20468,10 +18584,9 @@ match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition-> dup5, ])); -var msg970 = msg("00531:10", part1560); +var msg970 = msg("00531:10", part1555); -var part1561 = // "Pattern{Constant('The system clock will be changed from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' received from primary NTP server '), Field(hostip,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ +var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -20481,10 +18596,9 @@ match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be chan setc("event_description","system clock changed based on receive from primary NTP server"), ])); -var msg971 = msg("00531:11", part1561); +var msg971 = msg("00531:11", part1556); -var part1562 = // "Pattern{Field(fld35,true), Constant(' NTP server '), Field(saddr,true), Constant(' could not be contacted. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ +var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -20492,7 +18606,7 @@ match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{sadd dup9, ])); -var msg972 = msg("00531:12", part1562); +var msg972 = msg("00531:12", part1557); var select362 = linear_select([ msg960, @@ -20510,8 +18624,7 @@ var select362 = linear_select([ msg972, ]); -var part1563 = // "Pattern{Constant('VIP server '), Field(hostip,true), Constant(' is now responding')}" -match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ +var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ dup44, dup2, dup3, @@ -20519,10 +18632,9 @@ match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now re dup5, ])); -var msg973 = msg("00533", part1563); +var msg973 = msg("00533", part1558); -var part1564 = // "Pattern{Field(fld2,true), Constant(' has been cleared')}" -match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ +var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ dup44, dup2, dup3, @@ -20530,55 +18642,50 @@ match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", pro dup5, ])); -var msg974 = msg("00534", part1564); +var msg974 = msg("00534", part1559); -var part1565 = // "Pattern{Constant('Cannot find the CA certificate with distinguished name '), Field(fld2,false)}" -match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ - dup316, +var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg975 = msg("00535", part1565); +var msg975 = msg("00535", part1560); -var part1566 = // "Pattern{Constant('Distinguished name '), Field(dn,true), Constant(' in the X509 certificate request is '), Field(disposition,false)}" -match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 certificate request is %{disposition}", processor_chain([ - dup316, +var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 certificate request is %{disposition}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg976 = msg("00535:01", part1566); +var msg976 = msg("00535:01", part1561); -var part1567 = // "Pattern{Constant('Local certificate with distinguished name '), Field(dn,true), Constant(' is '), Field(disposition,false)}" -match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ - dup316, +var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg977 = msg("00535:02", part1567); +var msg977 = msg("00535:02", part1562); -var part1568 = // "Pattern{Constant('PKCS #7 data cannot be decapsulated'), Field(,false)}" -match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ - dup316, +var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg978 = msg("00535:03", part1568); +var msg978 = msg("00535:03", part1563); -var part1569 = // "Pattern{Constant('SCEP_FAILURE message has been received from the CA'), Field(,false)}" -match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ - dup316, +var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ + dup314, dup2, dup3, dup4, @@ -20586,22 +18693,20 @@ match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been setc("result","SCEP_FAILURE message"), ])); -var msg979 = msg("00535:04", part1569); +var msg979 = msg("00535:04", part1564); -var part1570 = // "Pattern{Constant('PKI error message has been received: '), Field(result,false)}" -match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ - dup316, +var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg980 = msg("00535:05", part1570); +var msg980 = msg("00535:05", part1565); -var part1571 = // "Pattern{Constant('PKI: Saved CA configuration (CA cert subject name '), Field(dn,false), Constant('). ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ - dup316, +var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ + dup314, dup2, dup3, dup4, @@ -20609,7 +18714,7 @@ match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration ( setc("event_description","Saved CA configuration - cert subject name"), ])); -var msg981 = msg("00535:06", part1571); +var msg981 = msg("00535:06", part1566); var select363 = linear_select([ msg975, @@ -20621,31 +18726,26 @@ var select363 = linear_select([ msg981, ]); -var part1572 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); +var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); -var part1573 = // "Pattern{Constant('Phase 2 msg ID '), Field(sessionid,false), Constant(': '), Field(disposition,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); +var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); -var part1574 = // "Pattern{Constant('Phase 1: '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); +var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); -var part1575 = // "Pattern{Constant('phase 2:'), Field(disposition,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. %{p0}"); +var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. %{p0}"); -var part1576 = // "Pattern{Constant('phase 1:'), Field(disposition,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); +var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); var select364 = linear_select([ - part1573, - part1574, - part1575, - part1576, + part1568, + part1569, + part1570, + part1571, ]); -var all343 = all_match({ +var all338 = all_match({ processors: [ - part1572, + part1567, select364, dup10, ], @@ -20659,10 +18759,9 @@ var all343 = all_match({ ]), }); -var msg982 = msg("00536:49", all343); +var msg982 = msg("00536:49", all338); -var part1577 = // "Pattern{Constant('UDP packets have been received from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' at interface '), Field(interface,true), Constant(' at '), Field(daddr,false), Constant('/'), Field(dport,false)}" -match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ +var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ dup44, dup2, dup4, @@ -20671,10 +18770,9 @@ match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received f dup61, ])); -var msg983 = msg("00536", part1577); +var msg983 = msg("00536", part1572); -var part1578 = // "Pattern{Constant('Attempt to set tunnel ('), Field(fld2,false), Constant(') without IP address at both end points! Check outgoing interface.')}" -match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ +var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ dup18, dup2, dup3, @@ -20682,10 +18780,9 @@ match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2 dup5, ])); -var msg984 = msg("00536:01", part1578); +var msg984 = msg("00536:01", part1573); -var part1579 = // "Pattern{Constant('Gateway '), Field(fld2,true), Constant(' at '), Field(hostip,true), Constant(' in '), Field(fld4,true), Constant(' mode with ID: '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ +var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -20693,10 +18790,9 @@ match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip dup5, ])); -var msg985 = msg("00536:02", part1579); +var msg985 = msg("00536:02", part1574); -var part1580 = // "Pattern{Constant('IKE gateway '), Field(fld2,true), Constant(' has been '), Field(disposition,false), Constant('. '), Field(info,false)}" -match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. %{info}", processor_chain([ +var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -20704,10 +18800,9 @@ match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has bee dup5, ])); -var msg986 = msg("00536:03", part1580); +var msg986 = msg("00536:03", part1575); -var part1581 = // "Pattern{Constant('VPN monitoring for VPN '), Field(group,true), Constant(' has deactivated the SA with ID '), Field(fld2,false), Constant('.')}" -match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ +var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ setc("eventcategory","1801010100"), dup2, dup3, @@ -20715,10 +18810,9 @@ match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{grou dup5, ])); -var msg987 = msg("00536:04", part1581); +var msg987 = msg("00536:04", part1576); -var part1582 = // "Pattern{Constant('VPN ID number cannot be assigned'), Field(,false)}" -match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ +var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ dup44, dup2, dup3, @@ -20726,10 +18820,9 @@ match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assig dup5, ])); -var msg988 = msg("00536:05", part1582); +var msg988 = msg("00536:05", part1577); -var part1583 = // "Pattern{Constant('Local gateway IP address has changed to '), Field(fld2,false), Constant('. VPNs cannot terminate at an interface with IP '), Field(hostip,false)}" -match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ +var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ dup1, dup2, dup3, @@ -20737,10 +18830,9 @@ match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has dup5, ])); -var msg989 = msg("00536:06", part1583); +var msg989 = msg("00536:06", part1578); -var part1584 = // "Pattern{Constant('Local gateway IP address has changed from '), Field(change_old,true), Constant(' to another setting')}" -match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ +var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ dup1, dup2, dup3, @@ -20748,10 +18840,9 @@ match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has dup5, ])); -var msg990 = msg("00536:07", part1584); +var msg990 = msg("00536:07", part1579); -var part1585 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Sent initial contact notification message')}" -match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ +var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ dup44, dup2, dup3, @@ -20759,10 +18850,9 @@ match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial c dup5, ])); -var msg991 = msg("00536:08", part1585); +var msg991 = msg("00536:08", part1580); -var part1586 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Sent initial contact notification')}" -match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ +var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ dup44, dup2, dup3, @@ -20770,10 +18860,9 @@ match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial c dup5, ])); -var msg992 = msg("00536:09", part1586); +var msg992 = msg("00536:09", part1581); -var part1587 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Responded to a packet with a bad SPI after rebooting')}" -match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ +var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ dup44, dup2, dup3, @@ -20781,10 +18870,9 @@ match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a dup5, ])); -var msg993 = msg("00536:10", part1587); +var msg993 = msg("00536:10", part1582); -var part1588 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Removed Phase 2 SAs after receiving a notification message')}" -match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after receiving a notification message", processor_chain([ +var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after receiving a notification message", processor_chain([ dup44, dup2, dup3, @@ -20792,10 +18880,9 @@ match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase dup5, ])); -var msg994 = msg("00536:11", part1588); +var msg994 = msg("00536:11", part1583); -var part1589 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Rejected first Phase 1 packet from an unrecognized source')}" -match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ +var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ dup44, dup2, dup3, @@ -20803,10 +18890,9 @@ match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first dup5, ])); -var msg995 = msg("00536:12", part1589); +var msg995 = msg("00536:12", part1584); -var part1590 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Rejected an initial Phase 1 packet from an unrecognized peer gateway')}" -match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ +var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ dup44, dup2, dup3, @@ -20814,19 +18900,17 @@ match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an in dup5, ])); -var msg996 = msg("00536:13", part1590); +var msg996 = msg("00536:13", part1585); -var part1591 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received initial contact notification and removed Phase '), Field(p0,false)}" -match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); +var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); -var part1592 = // "Pattern{Constant('SAs'), Field(,false)}" -match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); +var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); -var all344 = all_match({ +var all339 = all_match({ processors: [ - part1591, - dup386, - part1592, + part1586, + dup383, + part1587, ], on_success: processor_chain([ dup44, @@ -20837,10 +18921,9 @@ var all344 = all_match({ ]), }); -var msg997 = msg("00536:14", all344); +var msg997 = msg("00536:14", all339); -var part1593 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received a notification message for '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. (%{fld1})", processor_chain([ +var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. (%{fld1})", processor_chain([ dup44, dup2, dup9, @@ -20849,10 +18932,9 @@ match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a not dup5, ])); -var msg998 = msg("00536:50", part1593); +var msg998 = msg("00536:50", part1588); -var part1594 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received incorrect ID payload: IP address '), Field(fld2,true), Constant(' instead of IP address '), Field(fld3,false)}" -match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ +var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ dup44, dup2, dup3, @@ -20860,10 +18942,9 @@ match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incor dup5, ])); -var msg999 = msg("00536:15", part1594); +var msg999 = msg("00536:15", part1589); -var part1595 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Phase 2 negotiation request is already in the task list')}" -match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ +var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ dup44, dup2, dup3, @@ -20871,10 +18952,9 @@ match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negoti dup5, ])); -var msg1000 = msg("00536:16", part1595); +var msg1000 = msg("00536:16", part1590); -var part1596 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Heartbeats have been lost '), Field(fld2,true), Constant(' times')}" -match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ +var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ dup44, dup2, dup3, @@ -20882,10 +18962,9 @@ match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats hav dup5, ])); -var msg1001 = msg("00536:17", part1596); +var msg1001 = msg("00536:17", part1591); -var part1597 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Dropped peer packet because no policy uses the peer configuration')}" -match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ +var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ dup44, dup2, dup3, @@ -20893,10 +18972,9 @@ match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer p dup5, ])); -var msg1002 = msg("00536:18", part1597); +var msg1002 = msg("00536:18", part1592); -var part1598 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Dropped packet because remote gateway OK is not used in any VPN tunnel configurations')}" -match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ +var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ dup44, dup2, dup3, @@ -20904,10 +18982,9 @@ match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet dup5, ])); -var msg1003 = msg("00536:19", part1598); +var msg1003 = msg("00536:19", part1593); -var part1599 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Added the initial contact task to the task list')}" -match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ +var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ dup44, dup2, dup3, @@ -20915,10 +18992,9 @@ match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the init dup5, ])); -var msg1004 = msg("00536:20", part1599); +var msg1004 = msg("00536:20", part1594); -var part1600 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Added Phase 2 session tasks to the task list')}" -match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ +var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ dup44, dup2, dup3, @@ -20926,10 +19002,9 @@ match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 dup5, ])); -var msg1005 = msg("00536:21", part1600); +var msg1005 = msg("00536:21", part1595); -var part1601 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1 : '), Field(disposition,true), Constant(' proposals from peer. Negotiations failed')}" -match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ +var part1596 = match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ dup44, dup2, dup3, @@ -20938,10 +19013,9 @@ match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{d setc("result","Negotiations failed"), ])); -var msg1006 = msg("00536:22", part1601); +var msg1006 = msg("00536:22", part1596); -var part1602 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1 : Aborted negotiations because the time limit has elapsed')}" -match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ +var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ dup44, dup2, dup3, @@ -20951,10 +19025,9 @@ match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Abo setc("disposition","Aborted"), ])); -var msg1007 = msg("00536:23", part1602); +var msg1007 = msg("00536:23", part1597); -var part1603 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled')}" -match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ +var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ dup44, dup2, dup3, @@ -20962,10 +19035,9 @@ match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Rece dup5, ])); -var msg1008 = msg("00536:24", part1603); +var msg1008 = msg("00536:24", part1598); -var part1604 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: Received DH group '), Field(fld2,true), Constant(' instead of expected group '), Field(fld3,true), Constant(' for PFS')}" -match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ +var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ dup44, dup2, dup3, @@ -20973,10 +19045,9 @@ match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Rece dup5, ])); -var msg1009 = msg("00536:25", part1604); +var msg1009 = msg("00536:25", part1599); -var part1605 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: No policy exists for the proxy ID received: local ID '), Field(fld2,true), Constant(' remote ID '), Field(fld3,false)}" -match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ +var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ dup44, dup2, dup3, @@ -20984,10 +19055,9 @@ match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No p dup5, ])); -var msg1010 = msg("00536:26", part1605); +var msg1010 = msg("00536:26", part1600); -var part1606 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: RSA private key is needed to sign packets')}" -match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ +var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ dup44, dup2, dup3, @@ -20995,10 +19065,9 @@ match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA dup5, ])); -var msg1011 = msg("00536:27", part1606); +var msg1011 = msg("00536:27", part1601); -var part1607 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Aggressive mode negotiations have '), Field(disposition,false)}" -match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ +var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -21006,10 +19075,9 @@ match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggr dup5, ])); -var msg1012 = msg("00536:28", part1607); +var msg1012 = msg("00536:28", part1602); -var part1608 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Vendor ID payload indicates that the peer does not support NAT-T')}" -match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ +var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ dup44, dup2, dup3, @@ -21017,10 +19085,9 @@ match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Ven dup5, ])); -var msg1013 = msg("00536:29", part1608); +var msg1013 = msg("00536:29", part1603); -var part1609 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Retransmission limit has been reached')}" -match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ +var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ dup44, dup2, dup3, @@ -21028,10 +19095,9 @@ match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Ret dup5, ])); -var msg1014 = msg("00536:30", part1609); +var msg1014 = msg("00536:30", part1604); -var part1610 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Received an invalid RSA signature')}" -match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ +var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ dup44, dup2, dup3, @@ -21039,10 +19105,9 @@ match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Rec dup5, ])); -var msg1015 = msg("00536:31", part1610); +var msg1015 = msg("00536:31", part1605); -var part1611 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Received an incorrect public key authentication method')}" -match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ +var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ dup44, dup2, dup3, @@ -21050,10 +19115,9 @@ match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Rec dup5, ])); -var msg1016 = msg("00536:32", part1611); +var msg1016 = msg("00536:32", part1606); -var part1612 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: No private key exists to sign packets')}" -match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ +var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ dup44, dup2, dup3, @@ -21061,10 +19125,9 @@ match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No dup5, ])); -var msg1017 = msg("00536:33", part1612); +var msg1017 = msg("00536:33", part1607); -var part1613 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID')}" -match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ +var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ dup44, dup2, dup3, @@ -21072,10 +19135,9 @@ match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Mai dup5, ])); -var msg1018 = msg("00536:34", part1613); +var msg1018 = msg("00536:34", part1608); -var part1614 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: IKE initiator has detected NAT in front of the local device')}" -match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ +var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ dup44, dup2, dup3, @@ -21083,19 +19145,17 @@ match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE dup5, ])); -var msg1019 = msg("00536:35", part1614); +var msg1019 = msg("00536:35", part1609); -var part1615 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Discarded a second initial packet'), Field(p0,false)}" -match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); +var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); -var part1616 = // "Pattern{Field(,false), Constant('which arrived within '), Field(fld2,true), Constant(' after the first')}" -match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); +var part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); -var all345 = all_match({ +var all340 = all_match({ processors: [ - part1615, - dup404, - part1616, + part1610, + dup401, + part1611, ], on_success: processor_chain([ dup44, @@ -21106,10 +19166,19 @@ var all345 = all_match({ ]), }); -var msg1020 = msg("00536:36", all345); +var msg1020 = msg("00536:36", all340); + +var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1021 = msg("00536:37", part1612); -var part1617 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Completed Aggressive mode negotiations with a '), Field(fld2,true), Constant(' lifetime')}" -match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ +var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ dup44, dup2, dup3, @@ -21117,10 +19186,9 @@ match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Com dup5, ])); -var msg1021 = msg("00536:37", part1617); +var msg1022 = msg("00536:38", part1613); -var part1618 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Certificate received has a subject name that does not match the ID payload')}" -match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ +var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ dup44, dup2, dup3, @@ -21128,10 +19196,9 @@ match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Cer dup5, ])); -var msg1022 = msg("00536:38", part1618); +var msg1023 = msg("00536:39", part1614); -var part1619 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Certificate received has a different IP address '), Field(fld2,true), Constant(' than expected')}" -match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ +var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ dup44, dup2, dup3, @@ -21139,33 +19206,9 @@ match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Cer dup5, ])); -var msg1023 = msg("00536:39", part1619); - -var part1620 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Cannot use a preshared key because the peer'), Field(p0,false)}" -match("MESSAGE#1011:00536:40/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{p0}"); - -var part1621 = // "Pattern{Constant('s gateway has a dynamic IP address and negotiations are in Main mode'), Field(,false)}" -match("MESSAGE#1011:00536:40/2", "nwparser.p0", "s gateway has a dynamic IP address and negotiations are in Main mode%{}"); - -var all346 = all_match({ - processors: [ - part1620, - dup363, - part1621, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1024 = msg("00536:40", all346); +var msg1024 = msg("00536:40", part1615); -var part1622 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Initiated negotiations in Aggressive mode')}" -match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ +var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ dup44, dup2, dup3, @@ -21173,10 +19216,9 @@ match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Ini dup5, ])); -var msg1025 = msg("00536:47", part1622); +var msg1025 = msg("00536:47", part1616); -var part1623 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Cannot verify RSA signature')}" -match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ +var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ dup44, dup2, dup3, @@ -21184,10 +19226,9 @@ match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Can dup5, ])); -var msg1026 = msg("00536:41", part1623); +var msg1026 = msg("00536:41", part1617); -var part1624 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Initiated Main mode negotiations')}" -match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ +var part1618 = match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ dup44, dup2, dup3, @@ -21195,10 +19236,9 @@ match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Ini dup5, ])); -var msg1027 = msg("00536:42", part1624); +var msg1027 = msg("00536:42", part1618); -var part1625 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: Initiated negotiations')}" -match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ +var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ dup44, dup2, dup3, @@ -21206,10 +19246,9 @@ match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Ini dup5, ])); -var msg1028 = msg("00536:43", part1625); +var msg1028 = msg("00536:43", part1619); -var part1626 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Changed heartbeat interval to '), Field(fld2,false)}" -match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ +var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ dup44, dup2, dup3, @@ -21217,10 +19256,9 @@ match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heart dup5, ])); -var msg1029 = msg("00536:44", part1626); +var msg1029 = msg("00536:44", part1620); -var part1627 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Heartbeats have been '), Field(disposition,true), Constant(' because '), Field(result,false)}" -match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ +var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ dup44, dup2, dup3, @@ -21228,10 +19266,9 @@ match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats ha dup5, ])); -var msg1030 = msg("00536:45", part1627); +var msg1030 = msg("00536:45", part1621); -var part1628 = // "Pattern{Constant('Received an IKE packet on '), Field(interface,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('/'), Field(fld1,false), Constant('. Cookies: '), Field(ike_cookie1,false), Constant(', '), Field(ike_cookie2,false), Constant('. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. (%{event_time_string})", processor_chain([ +var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. (%{event_time_string})", processor_chain([ dup44, dup2, dup3, @@ -21240,10 +19277,9 @@ match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{ setc("event_description","Received an IKE packet on interface"), ])); -var msg1031 = msg("00536:48", part1628); +var msg1031 = msg("00536:48", part1622); -var part1629 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received a bad SPI')}" -match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ +var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ dup44, dup2, dup3, @@ -21251,7 +19287,7 @@ match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a ba dup5, ])); -var msg1032 = msg("00536:46", part1629); +var msg1032 = msg("00536:46", part1623); var select365 = linear_select([ msg982, @@ -21307,8 +19343,7 @@ var select365 = linear_select([ msg1032, ]); -var part1630 = // "Pattern{Constant('PPPoE '), Field(disposition,true), Constant(' to establish a session: '), Field(info,false)}" -match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ +var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ dup18, dup2, dup4, @@ -21316,10 +19351,9 @@ match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to estab dup3, ])); -var msg1033 = msg("00537", part1630); +var msg1033 = msg("00537", part1624); -var part1631 = // "Pattern{Constant('PPPoE session shuts down: '), Field(result,false)}" -match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ +var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ dup18, dup2, dup3, @@ -21327,10 +19361,9 @@ match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{ dup5, ])); -var msg1034 = msg("00537:01", part1631); +var msg1034 = msg("00537:01", part1625); -var part1632 = // "Pattern{Constant('The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: '), Field(result,false)}" -match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ +var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ dup18, dup2, dup3, @@ -21338,10 +19371,9 @@ match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethe dup5, ])); -var msg1035 = msg("00537:02", part1632); +var msg1035 = msg("00537:02", part1626); -var part1633 = // "Pattern{Constant('PPPoE session has successfully established'), Field(,false)}" -match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ +var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ dup44, dup2, dup3, @@ -21349,7 +19381,7 @@ match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successful dup5, ])); -var msg1036 = msg("00537:03", part1633); +var msg1036 = msg("00537:03", part1627); var select366 = linear_select([ msg1033, @@ -21358,22 +19390,20 @@ var select366 = linear_select([ msg1036, ]); -var part1634 = // "Pattern{Constant('NACN failed to register to Policy Manager '), Field(fld2,true), Constant(' because '), Field(p0,false)}" -match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); +var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); var select367 = linear_select([ dup111, dup119, ]); -var part1635 = // "Pattern{Constant(''), Field(result,false)}" -match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); +var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); -var all347 = all_match({ +var all341 = all_match({ processors: [ - part1634, + part1628, select367, - part1635, + part1629, ], on_success: processor_chain([ dup44, @@ -21384,10 +19414,9 @@ var all347 = all_match({ ]), }); -var msg1037 = msg("00538", all347); +var msg1037 = msg("00538", all341); -var part1636 = // "Pattern{Constant('NACN successfully registered to Policy Manager '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ +var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ dup44, dup2, dup3, @@ -21395,10 +19424,9 @@ match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered dup5, ])); -var msg1038 = msg("00538:01", part1636); +var msg1038 = msg("00538:01", part1630); -var part1637 = // "Pattern{Constant('The NACN protocol has started for Policy Manager '), Field(fld2,true), Constant(' on hostname '), Field(hostname,true), Constant(' IP address '), Field(hostip,true), Constant(' port '), Field(network_port,false), Constant('.')}" -match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ +var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ dup44, dup2, dup3, @@ -21406,10 +19434,9 @@ match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has starte dup5, ])); -var msg1039 = msg("00538:02", part1637); +var msg1039 = msg("00538:02", part1631); -var part1638 = // "Pattern{Constant('Cannot connect to NSM Server at '), Field(hostip,true), Constant(' ('), Field(fld2,true), Constant(' connect attempt(s)) '), Field(fld3,false)}" -match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ +var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ dup19, dup2, dup4, @@ -21417,10 +19444,9 @@ match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server dup3, ])); -var msg1040 = msg("00538:03", part1638); +var msg1040 = msg("00538:03", part1632); -var part1639 = // "Pattern{Constant('Device is not known to Global PRO data collector at '), Field(hostip,false)}" -match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ +var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ dup27, dup2, dup3, @@ -21428,30 +19454,26 @@ match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Globa dup5, ])); -var msg1041 = msg("00538:04", part1639); +var msg1041 = msg("00538:04", part1633); -var part1640 = // "Pattern{Constant('Lost '), Field(p0,false)}" -match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); +var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); -var part1641 = // "Pattern{Constant('socket connection'), Field(p0,false)}" -match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); +var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); -var part1642 = // "Pattern{Constant('connection'), Field(p0,false)}" -match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); +var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); var select368 = linear_select([ - part1641, - part1642, + part1635, + part1636, ]); -var part1643 = // "Pattern{Field(,false), Constant('to Global PRO data collector at '), Field(hostip,false)}" -match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); +var part1637 = match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); -var all348 = all_match({ +var all342 = all_match({ processors: [ - part1640, + part1634, select368, - part1643, + part1637, ], on_success: processor_chain([ dup27, @@ -21462,30 +19484,26 @@ var all348 = all_match({ ]), }); -var msg1042 = msg("00538:05", all348); +var msg1042 = msg("00538:05", all342); -var part1644 = // "Pattern{Constant('Device has connected to the Global PRO'), Field(p0,false)}" -match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); +var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); -var part1645 = // "Pattern{Constant(' '), Field(fld2,true), Constant(' primary data collector at '), Field(p0,false)}" -match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); +var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); -var part1646 = // "Pattern{Constant(' primary data collector at '), Field(p0,false)}" -match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); +var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); var select369 = linear_select([ - part1645, - part1646, + part1639, + part1640, ]); -var part1647 = // "Pattern{Field(hostip,false)}" -match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); +var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); -var all349 = all_match({ +var all343 = all_match({ processors: [ - part1644, + part1638, select369, - part1647, + part1641, ], on_success: processor_chain([ dup27, @@ -21496,22 +19514,20 @@ var all349 = all_match({ ]), }); -var msg1043 = msg("00538:06", all349); +var msg1043 = msg("00538:06", all343); -var part1648 = // "Pattern{Constant('Connection to Global PRO data collector at '), Field(hostip,true), Constant(' has'), Field(p0,false)}" -match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); +var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); -var part1649 = // "Pattern{Constant(' been'), Field(p0,false)}" -match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); +var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); var select370 = linear_select([ - part1649, + part1643, dup16, ]); -var all350 = all_match({ +var all344 = all_match({ processors: [ - part1648, + part1642, select370, dup136, ], @@ -21524,10 +19540,9 @@ var all350 = all_match({ ]), }); -var msg1044 = msg("00538:07", all350); +var msg1044 = msg("00538:07", all344); -var part1650 = // "Pattern{Constant('Cannot connect to Global PRO data collector at '), Field(hostip,false)}" -match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ +var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ dup27, dup2, dup3, @@ -21535,11 +19550,10 @@ match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO dup5, ])); -var msg1045 = msg("00538:08", part1650); +var msg1045 = msg("00538:08", part1644); -var part1651 = // "Pattern{Constant('NSM: Connected to NSM server at '), Field(hostip,true), Constant(' ('), Field(info,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ - dup303, +var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ + dup301, dup2, dup3, dup9, @@ -21548,26 +19562,24 @@ match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server setc("event_description","Connected to NSM server"), ])); -var msg1046 = msg("00538:09", part1651); +var msg1046 = msg("00538:09", part1645); -var part1652 = // "Pattern{Constant('NSM: Connection to NSM server at '), Field(hostip,true), Constant(' is down. Reason: '), Field(resultcode,false), Constant(', '), Field(result,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); +var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); -var part1653 = // "Pattern{Field(info,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); +var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); var select371 = linear_select([ - part1653, + part1647, dup41, ]); -var all351 = all_match({ +var all345 = all_match({ processors: [ - part1652, + part1646, select371, ], on_success: processor_chain([ - dup200, + dup198, dup2, dup3, dup9, @@ -21577,36 +19589,33 @@ var all351 = all_match({ ]), }); -var msg1047 = msg("00538:10", all351); +var msg1047 = msg("00538:10", all345); -var part1654 = // "Pattern{Constant('NSM: Cannot connect to NSM server at '), Field(hostip,false), Constant('. Reason: '), Field(resultcode,false), Constant(', '), Field(result,true), Constant(' ('), Field(info,false), Constant(') ('), Field(fld2,true), Constant(' connect attempt(s)) ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ - dup200, +var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ + dup198, dup2, dup3, dup9, dup4, dup5, - dup325, + dup323, ])); -var msg1048 = msg("00538:11", part1654); +var msg1048 = msg("00538:11", part1648); -var part1655 = // "Pattern{Constant('NSM: Cannot connect to NSM server at '), Field(hostip,false), Constant('. Reason: '), Field(resultcode,false), Constant(', '), Field(result,true), Constant(' ('), Field(info,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ - dup200, +var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ + dup198, dup2, dup3, dup9, dup4, dup5, - dup325, + dup323, ])); -var msg1049 = msg("00538:12", part1655); +var msg1049 = msg("00538:12", part1649); -var part1656 = // "Pattern{Constant('NSM: Sent 2B message ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ +var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -21616,7 +19625,7 @@ match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1 setc("event_description","Sent 2B message"), ])); -var msg1050 = msg("00538:13", part1656); +var msg1050 = msg("00538:13", part1650); var select372 = linear_select([ msg1037, @@ -21635,8 +19644,7 @@ var select372 = linear_select([ msg1050, ]); -var part1657 = // "Pattern{Constant('No IP address in L2TP IP pool for user '), Field(username,false)}" -match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ +var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ dup117, dup2, dup3, @@ -21644,10 +19652,9 @@ match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool f dup5, ])); -var msg1051 = msg("00539", part1657); +var msg1051 = msg("00539", part1651); -var part1658 = // "Pattern{Constant('No L2TP IP pool for user '), Field(username,false)}" -match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ +var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ dup117, dup2, dup3, @@ -21655,10 +19662,9 @@ match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{u dup5, ])); -var msg1052 = msg("00539:01", part1658); +var msg1052 = msg("00539:01", part1652); -var part1659 = // "Pattern{Constant('Cannot allocate IP addr from Pool '), Field(group_object,true), Constant(' for user '), Field(username,false)}" -match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ +var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ dup117, dup2, dup3, @@ -21666,10 +19672,9 @@ match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from dup5, ])); -var msg1053 = msg("00539:02", part1659); +var msg1053 = msg("00539:02", part1653); -var part1660 = // "Pattern{Constant('Dialup HDLC PPP failed to establish a session: '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ +var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ dup19, dup2, dup3, @@ -21677,10 +19682,9 @@ match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to es dup5, ])); -var msg1054 = msg("00539:03", part1660); +var msg1054 = msg("00539:03", part1654); -var part1661 = // "Pattern{Constant('Dialup HDLC PPP session has successfully established.'), Field(,false)}" -match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ +var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ dup44, dup2, dup3, @@ -21688,10 +19692,9 @@ match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has dup5, ])); -var msg1055 = msg("00539:04", part1661); +var msg1055 = msg("00539:04", part1655); -var part1662 = // "Pattern{Constant('No IP Pool has been assigned. You cannot allocate an IP address'), Field(,false)}" -match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. You cannot allocate an IP address%{}", processor_chain([ +var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. You cannot allocate an IP address%{}", processor_chain([ dup18, dup2, dup3, @@ -21699,10 +19702,9 @@ match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned dup5, ])); -var msg1056 = msg("00539:05", part1662); +var msg1056 = msg("00539:05", part1656); -var part1663 = // "Pattern{Constant('PPP settings changed.'), Field(,false)}" -match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ +var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ dup1, dup2, dup3, @@ -21710,7 +19712,7 @@ match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", p dup5, ])); -var msg1057 = msg("00539:06", part1663); +var msg1057 = msg("00539:06", part1657); var select373 = linear_select([ msg1051, @@ -21722,20 +19724,18 @@ var select373 = linear_select([ msg1057, ]); -var part1664 = // "Pattern{Constant('ScreenOS '), Field(fld2,true), Constant(' serial # '), Field(serial_number,false), Constant(': Asset recovery has been '), Field(disposition,false)}" -match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ - dup326, +var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ + dup324, dup2, dup3, dup4, dup5, ])); -var msg1058 = msg("00541", part1664); +var msg1058 = msg("00541", part1658); -var part1665 = // "Pattern{Constant('Neighbor router ID - '), Field(fld2,true), Constant(' IP address - '), Field(hostip,true), Constant(' changed its state to '), Field(change_new,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ - dup275, +var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ + dup273, dup9, dup2, dup3, @@ -21743,11 +19743,10 @@ match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2- dup5, ])); -var msg1059 = msg("00541:01", part1665); +var msg1059 = msg("00541:01", part1659); -var part1666 = // "Pattern{Constant('The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' state, (neighbor router-id 1'), Field(fld2,false), Constant(', ip-address '), Field(hostip,false), Constant('). ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ - dup275, +var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ + dup273, dup9, dup2, dup3, @@ -21755,22 +19754,20 @@ match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neigh dup5, ])); -var msg1060 = msg("00541:02", part1666); +var msg1060 = msg("00541:02", part1660); -var part1667 = // "Pattern{Constant('LSA in following area aged out: LSA area ID '), Field(fld3,false), Constant(', LSA ID '), Field(fld4,false), Constant(', router ID '), Field(fld2,false), Constant(', type '), Field(fld7,true), Constant(' in OSPF. ('), Field(fld1,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. (%{fld1})%{p0}"); +var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. (%{fld1})%{p0}"); -var part1668 = // "Pattern{Constant('<<'), Field(fld16,false), Constant('>')}" -match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); +var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); var select374 = linear_select([ - part1668, + part1662, dup21, ]); -var all352 = all_match({ +var all346 = all_match({ processors: [ - part1667, + part1661, select374, ], on_success: processor_chain([ @@ -21783,7 +19780,7 @@ var all352 = all_match({ ]), }); -var msg1061 = msg("00541:03", all352); +var msg1061 = msg("00541:03", all346); var select375 = linear_select([ msg1058, @@ -21792,8 +19789,7 @@ var select375 = linear_select([ msg1061, ]); -var part1669 = // "Pattern{Constant('BGP of vr: '), Field(node,false), Constant(', prefix adding: '), Field(fld2,false), Constant(', ribin overflow '), Field(fld3,true), Constant(' times (max rib-in '), Field(fld4,false), Constant(')')}" -match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ +var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ dup1, dup2, dup3, @@ -21801,46 +19797,40 @@ match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix addi dup5, ])); -var msg1062 = msg("00542", part1669); +var msg1062 = msg("00542", part1663); -var part1670 = // "Pattern{Constant('Access for '), Field(p0,false)}" -match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); +var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); -var part1671 = // "Pattern{Constant('WebAuth firewall '), Field(p0,false)}" -match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); +var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); -var part1672 = // "Pattern{Constant('firewall '), Field(p0,false)}" -match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); +var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); var select376 = linear_select([ - part1671, - part1672, + part1665, + part1666, ]); -var part1673 = // "Pattern{Constant('user '), Field(username,true), Constant(' '), Field(space,false), Constant('at '), Field(hostip,true), Constant(' (accepted at '), Field(fld2,true), Constant(' for duration '), Field(duration,true), Constant(' via the '), Field(logon_type,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); +var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); -var part1674 = // "Pattern{Constant('by policy id '), Field(policy_id,true), Constant(' is '), Field(p0,false)}" -match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); +var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); var select377 = linear_select([ - part1674, + part1668, dup106, ]); -var part1675 = // "Pattern{Constant('now over ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); +var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); -var all353 = all_match({ +var all347 = all_match({ processors: [ - part1670, + part1664, select376, - part1673, + part1667, select377, - part1675, + part1669, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -21849,11 +19839,10 @@ var all353 = all_match({ ]), }); -var msg1063 = msg("00543", all353); +var msg1063 = msg("00543", all347); -var part1676 = // "Pattern{Constant('User '), Field(username,true), Constant(' [ of group '), Field(group,true), Constant(' ] at '), Field(hostip,true), Constant(' has been challenged by the RADIUS server at '), Field(daddr,false)}" -match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ - dup283, +var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ + dup281, dup2, dup4, dup5, @@ -21862,21 +19851,19 @@ match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group % setc("action","RADIUS server challenge"), ])); -var msg1064 = msg("00544", part1676); +var msg1064 = msg("00544", part1670); -var part1677 = // "Pattern{Constant('delete-route-> trust-vr: '), Field(fld2,false)}" -match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ - dup283, +var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ + dup281, dup2, dup3, dup4, dup5, ])); -var msg1065 = msg("00546", part1677); +var msg1065 = msg("00546", part1671); -var part1678 = // "Pattern{Constant('AV: Content from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' was not scanned because max content size was exceeded.')}" -match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ +var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ dup44, dup2, dup4, @@ -21885,10 +19872,9 @@ match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{spo dup61, ])); -var msg1066 = msg("00547", part1678); +var msg1066 = msg("00547", part1672); -var part1679 = // "Pattern{Constant('AV: Content from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' was not scanned due to a scan engine error or constraint.')}" -match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ +var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ dup44, dup2, dup4, @@ -21897,10 +19883,9 @@ match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{ dup61, ])); -var msg1067 = msg("00547:01", part1679); +var msg1067 = msg("00547:01", part1673); -var part1680 = // "Pattern{Constant('AV object scan-mgr data has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ +var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -21908,30 +19893,26 @@ match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has dup5, ])); -var msg1068 = msg("00547:02", part1680); +var msg1068 = msg("00547:02", part1674); -var part1681 = // "Pattern{Constant('AV: Content from '), Field(location_desc,false), Constant(', http url: '), Field(url,false), Constant(', is passed '), Field(p0,false)}" -match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); +var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); -var part1682 = // "Pattern{Constant('due to '), Field(p0,false)}" -match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); +var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); -var part1683 = // "Pattern{Constant('because '), Field(p0,false)}" -match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); +var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); var select378 = linear_select([ - part1682, - part1683, + part1676, + part1677, ]); -var part1684 = // "Pattern{Constant(''), Field(result,false), Constant('. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. (%{event_time_string})"); +var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. (%{event_time_string})"); -var all354 = all_match({ +var all348 = all_match({ processors: [ - part1681, + part1675, select378, - part1684, + part1678, ], on_success: processor_chain([ dup1, @@ -21943,7 +19924,7 @@ var all354 = all_match({ ]), }); -var msg1069 = msg("00547:03", all354); +var msg1069 = msg("00547:03", all348); var select379 = linear_select([ msg1066, @@ -21952,19 +19933,17 @@ var select379 = linear_select([ msg1069, ]); -var part1685 = // "Pattern{Constant('add-route-> untrust-vr: '), Field(fld2,false)}" -match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ - dup283, +var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ + dup281, dup2, dup3, dup4, dup5, ])); -var msg1070 = msg("00549", part1685); +var msg1070 = msg("00549", part1679); -var part1686 = // "Pattern{Constant('Error '), Field(resultcode,true), Constant(' occurred during configlet file processing.')}" -match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ +var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ dup18, dup2, dup3, @@ -21972,10 +19951,9 @@ match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred dup5, ])); -var msg1071 = msg("00551", part1686); +var msg1071 = msg("00551", part1680); -var part1687 = // "Pattern{Constant('Error '), Field(resultcode,true), Constant(' occurred, causing failure to establish secure management with Management System.')}" -match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ +var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ dup86, dup2, dup3, @@ -21983,22 +19961,20 @@ match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurr dup5, ])); -var msg1072 = msg("00551:01", part1687); +var msg1072 = msg("00551:01", part1681); -var part1688 = // "Pattern{Constant('Configlet file '), Field(p0,false)}" -match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); +var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); -var part1689 = // "Pattern{Constant('decryption '), Field(p0,false)}" -match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); +var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); var select380 = linear_select([ - part1689, + part1683, dup89, ]); -var all355 = all_match({ +var all349 = all_match({ processors: [ - part1688, + part1682, select380, dup128, ], @@ -22011,10 +19987,9 @@ var all355 = all_match({ ]), }); -var msg1073 = msg("00551:02", all355); +var msg1073 = msg("00551:02", all349); -var part1690 = // "Pattern{Constant('Rapid Deployment cannot start because gateway has undergone configuration changes. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. (%{fld1})", processor_chain([ +var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. (%{fld1})", processor_chain([ dup18, dup2, dup3, @@ -22023,10 +19998,9 @@ match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot star dup5, ])); -var msg1074 = msg("00551:03", part1690); +var msg1074 = msg("00551:03", part1684); -var part1691 = // "Pattern{Constant('Secure management established successfully with remote server. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ +var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -22035,7 +20009,7 @@ match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management establishe dup5, ])); -var msg1075 = msg("00551:04", part1691); +var msg1075 = msg("00551:04", part1685); var select381 = linear_select([ msg1071, @@ -22045,29 +20019,25 @@ var select381 = linear_select([ msg1075, ]); -var part1692 = // "Pattern{Constant('SCAN-MGR: Failed to get '), Field(p0,false)}" -match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); +var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); -var part1693 = // "Pattern{Constant('AltServer '), Field(p0,false)}" -match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); +var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); -var part1694 = // "Pattern{Constant('Version '), Field(p0,false)}" -match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); +var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); -var part1695 = // "Pattern{Constant('Path_GateLockCE '), Field(p0,false)}" -match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); +var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); var select382 = linear_select([ - part1693, - part1694, - part1695, + part1687, + part1688, + part1689, ]); -var all356 = all_match({ +var all350 = all_match({ processors: [ - part1692, + part1686, select382, - dup327, + dup325, ], on_success: processor_chain([ dup18, @@ -22078,10 +20048,9 @@ var all356 = all_match({ ]), }); -var msg1076 = msg("00553", all356); +var msg1076 = msg("00553", all350); -var part1696 = // "Pattern{Constant('SCAN-MGR: Zero pattern size from server.ini.'), Field(,false)}" -match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ +var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ dup18, dup2, dup3, @@ -22089,10 +20058,9 @@ match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size dup5, ])); -var msg1077 = msg("00553:01", part1696); +var msg1077 = msg("00553:01", part1690); -var part1697 = // "Pattern{Constant('SCAN-MGR: Pattern size from server.ini is too large: '), Field(bytes,true), Constant(' (bytes).')}" -match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ +var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ dup18, dup2, dup3, @@ -22100,10 +20068,9 @@ match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from dup5, ])); -var msg1078 = msg("00553:02", part1697); +var msg1078 = msg("00553:02", part1691); -var part1698 = // "Pattern{Constant('SCAN-MGR: Pattern URL from server.ini is too long: '), Field(fld2,false), Constant('; max is '), Field(fld3,false), Constant('.')}" -match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ +var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ dup18, dup2, dup3, @@ -22111,24 +20078,22 @@ match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from s dup5, ])); -var msg1079 = msg("00553:03", part1698); +var msg1079 = msg("00553:03", part1692); -var part1699 = // "Pattern{Constant('SCAN-MGR: Failed to retrieve '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve %{p0}"); +var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve %{p0}"); var select383 = linear_select([ - dup328, - dup329, + dup326, + dup327, ]); -var part1700 = // "Pattern{Constant('file: '), Field(fld2,false), Constant('; http status code: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); +var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); -var all357 = all_match({ +var all351 = all_match({ processors: [ - part1699, + part1693, select383, - part1700, + part1694, ], on_success: processor_chain([ dup18, @@ -22139,10 +20104,9 @@ var all357 = all_match({ ]), }); -var msg1080 = msg("00553:04", all357); +var msg1080 = msg("00553:04", all351); -var part1701 = // "Pattern{Constant('SCAN-MGR: Failed to write pattern into a RAM file.'), Field(,false)}" -match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ +var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ dup18, dup2, dup3, @@ -22150,10 +20114,9 @@ match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pa dup5, ])); -var msg1081 = msg("00553:05", part1701); +var msg1081 = msg("00553:05", part1695); -var part1702 = // "Pattern{Constant('SCAN-MGR: Check Pattern File failed: code from VSAPI: '), Field(resultcode,false)}" -match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ +var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ dup18, dup2, dup3, @@ -22161,10 +20124,9 @@ match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File dup5, ])); -var msg1082 = msg("00553:06", part1702); +var msg1082 = msg("00553:06", part1696); -var part1703 = // "Pattern{Constant('SCAN-MGR: Failed to write pattern into flash.'), Field(,false)}" -match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ +var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ dup18, dup2, dup3, @@ -22172,21 +20134,20 @@ match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pa dup5, ])); -var msg1083 = msg("00553:07", part1703); +var msg1083 = msg("00553:07", part1697); -var part1704 = // "Pattern{Constant('SCAN-MGR: Internal error while setting up for retrieving '), Field(p0,false)}" -match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); +var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); var select384 = linear_select([ - dup329, - dup328, + dup327, + dup326, ]); -var all358 = all_match({ +var all352 = all_match({ processors: [ - part1704, + part1698, select384, - dup330, + dup328, ], on_success: processor_chain([ dup19, @@ -22197,10 +20158,9 @@ var all358 = all_match({ ]), }); -var msg1084 = msg("00553:08", all358); +var msg1084 = msg("00553:08", all352); -var part1705 = // "Pattern{Constant('SCAN-MGR: '), Field(fld2,true), Constant(' '), Field(disposition,false), Constant(': Err: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ +var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ dup19, dup2, dup3, @@ -22208,10 +20168,9 @@ match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{dispos dup5, ])); -var msg1085 = msg("00553:09", part1705); +var msg1085 = msg("00553:09", part1699); -var part1706 = // "Pattern{Constant('SCAN-MGR: TMIntCPVSInit '), Field(disposition,true), Constant(' due to '), Field(result,false)}" -match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ +var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ dup19, dup2, dup3, @@ -22219,10 +20178,9 @@ match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{di dup5, ])); -var msg1086 = msg("00553:10", part1706); +var msg1086 = msg("00553:10", part1700); -var part1707 = // "Pattern{Constant('SCAN-MGR: Attempted Pattern Creation Date('), Field(fld2,false), Constant(') is after AV Key Expiration date('), Field(fld3,false), Constant(').')}" -match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ +var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ dup18, dup2, dup3, @@ -22230,10 +20188,9 @@ match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern dup5, ])); -var msg1087 = msg("00553:11", part1707); +var msg1087 = msg("00553:11", part1701); -var part1708 = // "Pattern{Constant('SCAN-MGR: TMIntSetDecompressLayer '), Field(disposition,false), Constant(': Layer: '), Field(fld2,false), Constant(', Err: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ +var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ dup19, dup2, dup3, @@ -22241,10 +20198,9 @@ match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompress dup5, ])); -var msg1088 = msg("00553:12", part1708); +var msg1088 = msg("00553:12", part1702); -var part1709 = // "Pattern{Constant('SCAN-MGR: TMIntSetExtractFileSizeLimit '), Field(disposition,false), Constant(': Limit: '), Field(fld2,false), Constant(', Err: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ +var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ dup19, dup2, dup3, @@ -22252,10 +20208,9 @@ match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFil dup5, ])); -var msg1089 = msg("00553:13", part1709); +var msg1089 = msg("00553:13", part1703); -var part1710 = // "Pattern{Constant('SCAN-MGR: TMIntScanFile '), Field(disposition,false), Constant(': ret: '), Field(fld2,false), Constant('; cpapiErrCode: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ +var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ dup19, dup2, dup3, @@ -22263,10 +20218,9 @@ match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{di dup5, ])); -var msg1090 = msg("00553:14", part1710); +var msg1090 = msg("00553:14", part1704); -var part1711 = // "Pattern{Constant('SCAN-MGR: VSAPI resource usage error. Left usage: '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. Left usage: %{fld2}.", processor_chain([ +var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. Left usage: %{fld2}.", processor_chain([ dup19, dup2, dup3, @@ -22274,10 +20228,9 @@ match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usa dup5, ])); -var msg1091 = msg("00553:15", part1711); +var msg1091 = msg("00553:15", part1705); -var part1712 = // "Pattern{Constant('SCAN-MGR: Set decompress layer to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ +var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22285,10 +20238,9 @@ match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress lay dup5, ])); -var msg1092 = msg("00553:16", part1712); +var msg1092 = msg("00553:16", part1706); -var part1713 = // "Pattern{Constant('SCAN-MGR: Set maximum content size to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ +var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22296,10 +20248,9 @@ match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum conten dup5, ])); -var msg1093 = msg("00553:17", part1713); +var msg1093 = msg("00553:17", part1707); -var part1714 = // "Pattern{Constant('SCAN-MGR: Set maximum number of concurrent messages to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ +var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22307,10 +20258,9 @@ match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number dup5, ])); -var msg1094 = msg("00553:18", part1714); +var msg1094 = msg("00553:18", part1708); -var part1715 = // "Pattern{Constant('SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ +var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22318,10 +20268,9 @@ match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximu dup5, ])); -var msg1095 = msg("00553:19", part1715); +var msg1095 = msg("00553:19", part1709); -var part1716 = // "Pattern{Constant('SCAN-MGR: Set Pattern URL to '), Field(fld2,false), Constant('; update interval is '), Field(fld3,false), Constant('.')}" -match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ +var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ dup1, dup2, dup3, @@ -22329,10 +20278,9 @@ match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to dup5, ])); -var msg1096 = msg("00553:20", part1716); +var msg1096 = msg("00553:20", part1710); -var part1717 = // "Pattern{Constant('SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.'), Field(,false)}" -match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ +var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ dup1, dup2, dup3, @@ -22340,10 +20288,9 @@ match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; dup5, ])); -var msg1097 = msg("00553:21", part1717); +var msg1097 = msg("00553:21", part1711); -var part1718 = // "Pattern{Constant('SCAN-MGR: New pattern updated: version: '), Field(version,false), Constant(', size: '), Field(bytes,true), Constant(' (bytes).')}" -match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ +var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ dup1, dup2, dup3, @@ -22351,7 +20298,7 @@ match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern update dup5, ])); -var msg1098 = msg("00553:22", part1718); +var msg1098 = msg("00553:22", part1712); var select385 = linear_select([ msg1076, @@ -22379,29 +20326,25 @@ var select385 = linear_select([ msg1098, ]); -var part1719 = // "Pattern{Constant('SCAN-MGR: Cannot get '), Field(p0,false)}" -match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); +var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); -var part1720 = // "Pattern{Constant('AltServer info '), Field(p0,false)}" -match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); +var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); -var part1721 = // "Pattern{Constant('Version number '), Field(p0,false)}" -match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); +var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); -var part1722 = // "Pattern{Constant('Path_GateLockCE info '), Field(p0,false)}" -match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); +var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); var select386 = linear_select([ - part1720, - part1721, - part1722, + part1714, + part1715, + part1716, ]); -var all359 = all_match({ +var all353 = all_match({ processors: [ - part1719, + part1713, select386, - dup327, + dup325, ], on_success: processor_chain([ dup144, @@ -22412,10 +20355,9 @@ var all359 = all_match({ ]), }); -var msg1099 = msg("00554", all359); +var msg1099 = msg("00554", all353); -var part1723 = // "Pattern{Constant('SCAN-MGR: Per server.ini file, the AV pattern file size is zero.'), Field(,false)}" -match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ +var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ dup19, dup2, dup3, @@ -22423,10 +20365,9 @@ match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini fil dup5, ])); -var msg1100 = msg("00554:01", part1723); +var msg1100 = msg("00554:01", part1717); -var part1724 = // "Pattern{Constant('SCAN-MGR: AV pattern file size is too large ('), Field(bytes,true), Constant(' bytes).')}" -match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ +var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ dup19, dup2, dup3, @@ -22434,10 +20375,9 @@ match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file si dup5, ])); -var msg1101 = msg("00554:02", part1724); +var msg1101 = msg("00554:02", part1718); -var part1725 = // "Pattern{Constant('SCAN-MGR: Alternate AV pattern file server URL is too long: '), Field(bytes,true), Constant(' bytes. Max: '), Field(fld2,true), Constant(' bytes.')}" -match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ +var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ dup19, dup2, dup3, @@ -22445,19 +20385,17 @@ match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV patte dup5, ])); -var msg1102 = msg("00554:03", part1725); +var msg1102 = msg("00554:03", part1719); -var part1726 = // "Pattern{Constant('SCAN-MGR: Cannot retrieve '), Field(p0,false)}" -match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); +var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); -var part1727 = // "Pattern{Constant('file from '), Field(hostip,false), Constant(':'), Field(network_port,false), Constant('. HTTP status code: '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. HTTP status code: %{fld2}."); +var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. HTTP status code: %{fld2}."); -var all360 = all_match({ +var all354 = all_match({ processors: [ - part1726, - dup408, - part1727, + part1720, + dup405, + part1721, ], on_success: processor_chain([ dup144, @@ -22468,25 +20406,22 @@ var all360 = all_match({ ]), }); -var msg1103 = msg("00554:04", all360); +var msg1103 = msg("00554:04", all354); -var part1728 = // "Pattern{Constant('SCAN-MGR: Cannot write AV pattern file to '), Field(p0,false)}" -match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); +var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); -var part1729 = // "Pattern{Constant('RAM '), Field(p0,false)}" -match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); +var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); -var part1730 = // "Pattern{Constant('flash '), Field(p0,false)}" -match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); +var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); var select387 = linear_select([ - part1729, - part1730, + part1723, + part1724, ]); -var all361 = all_match({ +var all355 = all_match({ processors: [ - part1728, + part1722, select387, dup116, ], @@ -22499,10 +20434,9 @@ var all361 = all_match({ ]), }); -var msg1104 = msg("00554:05", all361); +var msg1104 = msg("00554:05", all355); -var part1731 = // "Pattern{Constant('SCAN-MGR: Cannot check AV pattern file. VSAPI code: '), Field(fld2,false)}" -match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ +var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ dup144, dup2, dup3, @@ -22510,16 +20444,15 @@ match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pa dup5, ])); -var msg1105 = msg("00554:06", part1731); +var msg1105 = msg("00554:06", part1725); -var part1732 = // "Pattern{Constant('SCAN-MGR: Internal error occurred while retrieving '), Field(p0,false)}" -match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); +var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); -var all362 = all_match({ +var all356 = all_match({ processors: [ - part1732, - dup408, - dup330, + part1726, + dup405, + dup328, ], on_success: processor_chain([ dup19, @@ -22530,29 +20463,25 @@ var all362 = all_match({ ]), }); -var msg1106 = msg("00554:07", all362); +var msg1106 = msg("00554:07", all356); -var part1733 = // "Pattern{Constant('SCAN-MGR: Internal error occurred when calling this function: '), Field(fld2,false), Constant('. '), Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. %{fld3->} %{p0}"); +var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. %{fld3->} %{p0}"); -var part1734 = // "Pattern{Constant('Error: '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); +var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); -var part1735 = // "Pattern{Constant('Returned a NULL VSC handler '), Field(p0,false)}" -match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); +var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); -var part1736 = // "Pattern{Constant('cpapiErrCode: '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); +var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); var select388 = linear_select([ - part1734, - part1735, - part1736, + part1728, + part1729, + part1730, ]); -var all363 = all_match({ +var all357 = all_match({ processors: [ - part1733, + part1727, select388, dup116, ], @@ -22565,10 +20494,9 @@ var all363 = all_match({ ]), }); -var msg1107 = msg("00554:08", all363); +var msg1107 = msg("00554:08", all357); -var part1737 = // "Pattern{Constant('SCAN-MGR: Number of decompression layers has been set to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ +var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22576,10 +20504,9 @@ match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompre dup5, ])); -var msg1108 = msg("00554:09", part1737); +var msg1108 = msg("00554:09", part1731); -var part1738 = // "Pattern{Constant('SCAN-MGR: Maximum content size has been set to '), Field(fld2,true), Constant(' KB.')}" -match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ +var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ dup1, dup2, dup3, @@ -22587,10 +20514,9 @@ match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content si dup5, ])); -var msg1109 = msg("00554:10", part1738); +var msg1109 = msg("00554:10", part1732); -var part1739 = // "Pattern{Constant('SCAN-MGR: Maximum number of concurrent messages has been set to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ +var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22598,46 +20524,39 @@ match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of dup5, ])); -var msg1110 = msg("00554:11", part1739); +var msg1110 = msg("00554:11", part1733); -var part1740 = // "Pattern{Constant('SCAN-MGR: Fail mode has been set to '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); +var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); -var part1741 = // "Pattern{Constant('drop '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); +var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); -var part1742 = // "Pattern{Constant('pass '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); +var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); var select389 = linear_select([ - part1741, - part1742, + part1735, + part1736, ]); -var part1743 = // "Pattern{Constant('unexamined traffic if '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); +var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); -var part1744 = // "Pattern{Constant('content size '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); +var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); -var part1745 = // "Pattern{Constant('number of concurrent messages '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of concurrent messages %{p0}"); +var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of concurrent messages %{p0}"); var select390 = linear_select([ - part1744, - part1745, + part1738, + part1739, ]); -var part1746 = // "Pattern{Constant('exceeds max.'), Field(,false)}" -match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); +var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); -var all364 = all_match({ +var all358 = all_match({ processors: [ - part1740, + part1734, select389, - part1743, + part1737, select390, - part1746, + part1740, ], on_success: processor_chain([ dup1, @@ -22648,10 +20567,9 @@ var all364 = all_match({ ]), }); -var msg1111 = msg("00554:12", all364); +var msg1111 = msg("00554:12", all358); -var part1747 = // "Pattern{Constant('SCAN-MGR: URL for AV pattern update server has been set to '), Field(fld2,false), Constant(', and the update interval to '), Field(fld3,true), Constant(' minutes.')}" -match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ +var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ dup1, dup2, dup3, @@ -22659,10 +20577,9 @@ match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern dup5, ])); -var msg1112 = msg("00554:13", part1747); +var msg1112 = msg("00554:13", part1741); -var part1748 = // "Pattern{Constant('SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.'), Field(,false)}" -match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ +var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ dup1, dup2, dup3, @@ -22670,10 +20587,9 @@ match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern dup5, ])); -var msg1113 = msg("00554:14", part1748); +var msg1113 = msg("00554:14", part1742); -var part1749 = // "Pattern{Constant('SCAN-MGR: New AV pattern file has been updated. Version: '), Field(version,false), Constant('; size: '), Field(bytes,true), Constant(' bytes.')}" -match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ +var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ dup1, dup2, dup3, @@ -22681,10 +20597,9 @@ match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern fil dup5, ])); -var msg1114 = msg("00554:15", part1749); +var msg1114 = msg("00554:15", part1743); -var part1750 = // "Pattern{Constant('SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ +var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ dup19, dup2, dup3, @@ -22692,10 +20607,9 @@ match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exce dup5, ])); -var msg1115 = msg("00554:16", part1750); +var msg1115 = msg("00554:16", part1744); -var part1751 = // "Pattern{Constant('SCAN-MGR: Attempted to load AV pattern file created '), Field(fld2,true), Constant(' after the AV subscription expired. (Exp: '), Field(fld3,false), Constant(')')}" -match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. (Exp: %{fld3})", processor_chain([ +var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. (Exp: %{fld3})", processor_chain([ dup1, dup2, dup3, @@ -22703,7 +20617,7 @@ match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load dup5, ])); -var msg1116 = msg("00554:17", part1751); +var msg1116 = msg("00554:17", part1745); var select391 = linear_select([ msg1099, @@ -22726,8 +20640,7 @@ var select391 = linear_select([ msg1116, ]); -var part1752 = // "Pattern{Constant('Vrouter '), Field(node,true), Constant(' PIMSM cannot process non-multicast address '), Field(hostip,false)}" -match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ +var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ dup19, dup2, dup3, @@ -22735,10 +20648,9 @@ match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot dup5, ])); -var msg1117 = msg("00555", part1752); +var msg1117 = msg("00555", part1746); -var part1753 = // "Pattern{Constant('UF-MGR: Failed to process a request. Reason: '), Field(result,false)}" -match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ +var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ dup19, dup2, dup3, @@ -22746,10 +20658,9 @@ match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a req dup5, ])); -var msg1118 = msg("00556", part1753); +var msg1118 = msg("00556", part1747); -var part1754 = // "Pattern{Constant('UF-MGR: Failed to abort a transaction. Reason: '), Field(result,false)}" -match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ +var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ dup19, dup2, dup3, @@ -22757,49 +20668,42 @@ match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a tr dup5, ])); -var msg1119 = msg("00556:01", part1754); +var msg1119 = msg("00556:01", part1748); -var part1755 = // "Pattern{Constant('UF-MGR: UF '), Field(p0,false)}" -match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); +var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); -var part1756 = // "Pattern{Constant('K'), Field(p0,false)}" -match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); +var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); -var part1757 = // "Pattern{Constant('k'), Field(p0,false)}" -match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); +var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); var select392 = linear_select([ - part1756, - part1757, + part1750, + part1751, ]); -var part1758 = // "Pattern{Constant('ey '), Field(p0,false)}" -match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); +var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); -var part1759 = // "Pattern{Constant('Expired'), Field(p0,false)}" -match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); +var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); -var part1760 = // "Pattern{Constant('expired'), Field(p0,false)}" -match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); +var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); var select393 = linear_select([ - part1759, - part1760, + part1753, + part1754, ]); -var part1761 = // "Pattern{Field(,false), Constant('(expiration date: '), Field(fld2,false), Constant('; current date: '), Field(fld3,false), Constant(').')}" -match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); +var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); -var all365 = all_match({ +var all359 = all_match({ processors: [ - part1755, + part1749, select392, - part1758, + part1752, select393, - part1761, + part1755, ], on_success: processor_chain([ - dup256, + dup254, dup2, dup3, dup4, @@ -22807,30 +20711,26 @@ var all365 = all_match({ ]), }); -var msg1120 = msg("00556:02", all365); +var msg1120 = msg("00556:02", all359); -var part1762 = // "Pattern{Constant('UF-MGR: Failed to '), Field(p0,false)}" -match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); +var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); -var part1763 = // "Pattern{Constant('enable '), Field(p0,false)}" -match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); +var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); -var part1764 = // "Pattern{Constant('disable '), Field(p0,false)}" -match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); +var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); var select394 = linear_select([ - part1763, - part1764, + part1757, + part1758, ]); -var part1765 = // "Pattern{Constant('cache.'), Field(,false)}" -match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); +var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); -var all366 = all_match({ +var all360 = all_match({ processors: [ - part1762, + part1756, select394, - part1765, + part1759, ], on_success: processor_chain([ dup19, @@ -22841,10 +20741,9 @@ var all366 = all_match({ ]), }); -var msg1121 = msg("00556:03", all366); +var msg1121 = msg("00556:03", all360); -var part1766 = // "Pattern{Constant('UF-MGR: Internal Error: '), Field(resultcode,false)}" -match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ +var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ dup19, dup2, dup3, @@ -22852,10 +20751,9 @@ match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{re dup5, ])); -var msg1122 = msg("00556:04", part1766); +var msg1122 = msg("00556:04", part1760); -var part1767 = // "Pattern{Constant('UF-MGR: Cache size changed to '), Field(fld2,false), Constant('(K).')}" -match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ +var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ dup19, dup2, dup3, @@ -22863,10 +20761,9 @@ match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed t dup5, ])); -var msg1123 = msg("00556:05", part1767); +var msg1123 = msg("00556:05", part1761); -var part1768 = // "Pattern{Constant('UF-MGR: Cache timeout changes to '), Field(fld2,true), Constant(' (hours).')}" -match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ +var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ dup19, dup2, dup3, @@ -22874,10 +20771,9 @@ match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout change dup5, ])); -var msg1124 = msg("00556:06", part1768); +var msg1124 = msg("00556:06", part1762); -var part1769 = // "Pattern{Constant('UF-MGR: Category update interval changed to '), Field(fld2,true), Constant(' (weeks).')}" -match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ +var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ dup19, dup2, dup3, @@ -22885,15 +20781,14 @@ match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update inte dup5, ])); -var msg1125 = msg("00556:07", part1769); +var msg1125 = msg("00556:07", part1763); -var part1770 = // "Pattern{Constant('UF-MGR: Cache '), Field(p0,false)}" -match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); +var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); -var all367 = all_match({ +var all361 = all_match({ processors: [ - part1770, - dup360, + part1764, + dup358, dup116, ], on_success: processor_chain([ @@ -22905,33 +20800,30 @@ var all367 = all_match({ ]), }); -var msg1126 = msg("00556:08", all367); +var msg1126 = msg("00556:08", all361); -var part1771 = // "Pattern{Constant('UF-MGR: URL BLOCKED: ip_addr ('), Field(fld2,false), Constant(') -> ip_addr ('), Field(fld3,false), Constant('), '), Field(fld4,true), Constant(' action: '), Field(disposition,false), Constant(', category: '), Field(fld5,false), Constant(', reason '), Field(result,false)}" -match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ - dup234, +var part1765 = match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ + dup232, dup2, dup3, dup4, dup5, - dup284, + dup282, ])); -var msg1127 = msg("00556:09", part1771); +var msg1127 = msg("00556:09", part1765); -var part1772 = // "Pattern{Constant('UF-MGR: URL FILTER ERR: ip_addr ('), Field(fld2,false), Constant(') -> ip_addr ('), Field(fld3,false), Constant('), host: '), Field(fld5,true), Constant(' page: '), Field(fld4,true), Constant(' code: '), Field(resultcode,true), Constant(' reason: '), Field(result,false), Constant('.')}" -match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ - dup234, +var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ + dup232, dup2, dup3, dup4, dup5, ])); -var msg1128 = msg("00556:10", part1772); +var msg1128 = msg("00556:10", part1766); -var part1773 = // "Pattern{Constant('UF-MGR: Primary CPA server changed to '), Field(fld2,false)}" -match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ +var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ dup19, dup2, dup3, @@ -22939,24 +20831,22 @@ match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server c dup5, ])); -var msg1129 = msg("00556:11", part1773); +var msg1129 = msg("00556:11", part1767); -var part1774 = // "Pattern{Constant('UF-MGR: '), Field(fld2,true), Constant(' CPA server '), Field(p0,false)}" -match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); +var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); var select395 = linear_select([ dup140, - dup171, + dup169, ]); -var part1775 = // "Pattern{Constant('changed to '), Field(fld3,false), Constant('.')}" -match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); +var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); -var all368 = all_match({ +var all362 = all_match({ processors: [ - part1774, + part1768, select395, - part1775, + part1769, ], on_success: processor_chain([ dup19, @@ -22967,10 +20857,9 @@ var all368 = all_match({ ]), }); -var msg1130 = msg("00556:12", all368); +var msg1130 = msg("00556:12", all362); -var part1776 = // "Pattern{Constant('UF-MGR: SurfControl URL filtering '), Field(disposition,false), Constant('.')}" -match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ +var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ dup19, dup2, dup3, @@ -22978,19 +20867,17 @@ match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filt dup5, ])); -var msg1131 = msg("00556:13", part1776); +var msg1131 = msg("00556:13", part1770); -var part1777 = // "Pattern{Constant('UF-MGR: The url '), Field(url,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); +var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); -var part1778 = // "Pattern{Constant('category '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); +var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); -var all369 = all_match({ +var all363 = all_match({ processors: [ - part1777, - dup409, - part1778, + part1771, + dup406, + part1772, ], on_success: processor_chain([ dup19, @@ -23001,19 +20888,17 @@ var all369 = all_match({ ]), }); -var msg1132 = msg("00556:14", all369); +var msg1132 = msg("00556:14", all363); -var part1779 = // "Pattern{Constant('UF-MGR: The category '), Field(fld2,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); +var part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); -var part1780 = // "Pattern{Constant('profile '), Field(fld3,true), Constant(' with action '), Field(disposition,false), Constant('.')}" -match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); +var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); -var all370 = all_match({ +var all364 = all_match({ processors: [ - part1779, - dup409, - part1780, + part1773, + dup406, + part1774, ], on_success: processor_chain([ dup19, @@ -23021,39 +20906,35 @@ var all370 = all_match({ dup3, dup4, dup5, - dup284, + dup282, ]), }); -var msg1133 = msg("00556:15", all370); +var msg1133 = msg("00556:15", all364); -var part1781 = // "Pattern{Constant('UF-MGR: The '), Field(p0,false)}" -match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); +var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); -var part1782 = // "Pattern{Constant('profile '), Field(p0,false)}" -match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); +var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); -var part1783 = // "Pattern{Constant('category '), Field(p0,false)}" -match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); +var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); var select396 = linear_select([ - part1782, - part1783, + part1776, + part1777, ]); -var part1784 = // "Pattern{Constant(''), Field(fld2,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); +var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); var select397 = linear_select([ dup104, dup120, ]); -var all371 = all_match({ +var all365 = all_match({ processors: [ - part1781, + part1775, select396, - part1784, + part1778, select397, dup116, ], @@ -23066,30 +20947,26 @@ var all371 = all_match({ ]), }); -var msg1134 = msg("00556:16", all371); +var msg1134 = msg("00556:16", all365); -var part1785 = // "Pattern{Constant('UF-MGR: The category '), Field(fld2,true), Constant(' was set in profile '), Field(profile,true), Constant(' as the '), Field(p0,false)}" -match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); +var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); -var part1786 = // "Pattern{Constant('black '), Field(p0,false)}" -match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); +var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); -var part1787 = // "Pattern{Constant('white '), Field(p0,false)}" -match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); +var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); var select398 = linear_select([ - part1786, - part1787, + part1780, + part1781, ]); -var part1788 = // "Pattern{Constant('list.'), Field(,false)}" -match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); +var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); -var all372 = all_match({ +var all366 = all_match({ processors: [ - part1785, + part1779, select398, - part1788, + part1782, ], on_success: processor_chain([ dup19, @@ -23100,27 +20977,24 @@ var all372 = all_match({ ]), }); -var msg1135 = msg("00556:17", all372); +var msg1135 = msg("00556:17", all366); -var part1789 = // "Pattern{Constant('UF-MGR: The action for '), Field(fld2,true), Constant(' in profile '), Field(profile,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); +var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); -var part1790 = // "Pattern{Constant('changed '), Field(p0,false)}" -match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); +var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); var select399 = linear_select([ dup101, - part1790, + part1784, ]); -var part1791 = // "Pattern{Constant('to '), Field(fld3,false), Constant('.')}" -match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); +var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); -var all373 = all_match({ +var all367 = all_match({ processors: [ - part1789, + part1783, select399, - part1791, + part1785, ], on_success: processor_chain([ dup19, @@ -23131,29 +21005,26 @@ var all373 = all_match({ ]), }); -var msg1136 = msg("00556:18", all373); +var msg1136 = msg("00556:18", all367); -var part1792 = // "Pattern{Constant('UF-MGR: The category list from the CPA server '), Field(p0,false)}" -match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); +var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); -var part1793 = // "Pattern{Constant('updated on'), Field(p0,false)}" -match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); +var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); var select400 = linear_select([ dup103, dup96, ]); -var part1794 = // "Pattern{Constant('the device.'), Field(,false)}" -match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); +var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); -var all374 = all_match({ +var all368 = all_match({ processors: [ - part1792, - dup357, - part1793, + part1786, + dup355, + part1787, select400, - part1794, + part1788, ], on_success: processor_chain([ dup19, @@ -23164,24 +21035,22 @@ var all374 = all_match({ ]), }); -var msg1137 = msg("00556:20", all374); +var msg1137 = msg("00556:20", all368); -var part1795 = // "Pattern{Constant('UF-MGR: URL BLOCKED: '), Field(saddr,false), Constant('('), Field(sport,false), Constant(')->'), Field(daddr,false), Constant('('), Field(dport,false), Constant('), '), Field(fld2,true), Constant(' action: '), Field(disposition,false), Constant(', category: '), Field(category,false), Constant(', reason: '), Field(result,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ - dup234, +var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ + dup232, dup2, dup3, dup9, dup4, dup5, - dup284, + dup282, ])); -var msg1138 = msg("00556:21", part1795); +var msg1138 = msg("00556:21", part1789); -var part1796 = // "Pattern{Constant('UF-MGR: URL BLOCKED: '), Field(saddr,false), Constant('('), Field(sport,false), Constant(')->'), Field(daddr,false), Constant('('), Field(dport,false), Constant('), '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ - dup234, +var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ + dup232, dup2, dup3, dup9, @@ -23189,7 +21058,7 @@ match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr dup5, ])); -var msg1139 = msg("00556:22", part1796); +var msg1139 = msg("00556:22", part1790); var select401 = linear_select([ msg1118, @@ -23216,8 +21085,7 @@ var select401 = linear_select([ msg1139, ]); -var part1797 = // "Pattern{Constant('PPP LCP on interface '), Field(interface,true), Constant(' is '), Field(fld2,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ +var part1791 = match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -23226,10 +21094,9 @@ match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interfac dup5, ])); -var msg1140 = msg("00572", part1797); +var msg1140 = msg("00572", part1791); -var part1798 = // "Pattern{Constant('PPP authentication state on interface '), Field(interface,false), Constant(': '), Field(result,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ +var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -23238,10 +21105,9 @@ match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on dup5, ])); -var msg1141 = msg("00572:01", part1798); +var msg1141 = msg("00572:01", part1792); -var part1799 = // "Pattern{Constant('PPP on interface '), Field(interface,true), Constant(' is '), Field(disposition,true), Constant(' by receiving Terminate-Request. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ +var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -23250,7 +21116,7 @@ match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface dup5, ])); -var msg1142 = msg("00572:03", part1799); +var msg1142 = msg("00572:03", part1793); var select402 = linear_select([ msg1140, @@ -23258,8 +21124,7 @@ var select402 = linear_select([ msg1142, ]); -var part1800 = // "Pattern{Constant('PBR policy "'), Field(policyname,false), Constant('" rebuilding lookup tree for virtual router "'), Field(node,false), Constant('". ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ +var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -23267,10 +21132,9 @@ match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" re dup9, ])); -var msg1143 = msg("00615", part1800); +var msg1143 = msg("00615", part1794); -var part1801 = // "Pattern{Constant('PBR policy "'), Field(policyname,false), Constant('" lookup tree rebuilt successfully in virtual router "'), Field(node,false), Constant('". ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ +var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -23278,15 +21142,14 @@ match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" dup9, ])); -var msg1144 = msg("00615:01", part1801); +var msg1144 = msg("00615:01", part1795); var select403 = linear_select([ msg1143, msg1144, ]); -var part1802 = // "Pattern{Field(signame,true), Constant(' attack! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,false), Constant(', through policy '), Field(policyname,false), Constant('. Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -23297,10 +21160,9 @@ match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{sad dup61, ])); -var msg1145 = msg("00601", part1802); +var msg1145 = msg("00601", part1796); -var part1803 = // "Pattern{Field(signame,true), Constant(' has been detected from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' through policy '), Field(policyname,true), Constant(' '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -23311,10 +21173,9 @@ match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detect dup61, ])); -var msg1146 = msg("00601:01", part1803); +var msg1146 = msg("00601:01", part1797); -var part1804 = // "Pattern{Constant('Error in initializing multicast.'), Field(,false)}" -match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ +var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ dup19, dup2, dup3, @@ -23322,7 +21183,7 @@ match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multic dup5, ])); -var msg1147 = msg("00601:18", part1804); +var msg1147 = msg("00601:18", part1798); var select404 = linear_select([ msg1145, @@ -23330,8 +21191,7 @@ var select404 = linear_select([ msg1147, ]); -var part1805 = // "Pattern{Constant('PIMSM Error in initializing interface state change'), Field(,false)}" -match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ +var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ dup19, dup2, dup3, @@ -23339,48 +21199,41 @@ match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing int dup5, ])); -var msg1148 = msg("00602", part1805); +var msg1148 = msg("00602", part1799); -var part1806 = // "Pattern{Constant('Switch event: the status of ethernet port '), Field(fld2,true), Constant(' changed to link '), Field(p0,false)}" -match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); +var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); -var part1807 = // "Pattern{Constant(', duplex '), Field(p0,false)}" -match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); +var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); -var part1808 = // "Pattern{Constant('full '), Field(p0,false)}" -match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); +var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); -var part1809 = // "Pattern{Constant('half '), Field(p0,false)}" -match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); +var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); var select405 = linear_select([ - part1808, - part1809, + part1802, + part1803, ]); -var part1810 = // "Pattern{Constant(', speed 10'), Field(p0,false)}" -match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); +var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); -var part1811 = // "Pattern{Constant('0 '), Field(p0,false)}" -match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); +var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); var select406 = linear_select([ - part1811, + part1805, dup96, ]); -var part1812 = // "Pattern{Constant('M. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1133:00612/6", "nwparser.p0", "M. (%{fld1})"); +var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. (%{fld1})"); -var all375 = all_match({ +var all369 = all_match({ processors: [ - part1806, - dup355, - part1807, + part1800, + dup353, + part1801, select405, - part1810, + part1804, select406, - part1812, + part1806, ], on_success: processor_chain([ dup1, @@ -23392,11 +21245,10 @@ var all375 = all_match({ ]), }); -var msg1149 = msg("00612", all375); +var msg1149 = msg("00612", all369); -var part1813 = // "Pattern{Constant('RTSYNC: Event posted to send all the DRP routes to backup device. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ - dup274, +var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -23404,33 +21256,29 @@ match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send al dup5, ])); -var msg1150 = msg("00620", part1813); +var msg1150 = msg("00620", part1807); -var part1814 = // "Pattern{Constant('RTSYNC: '), Field(p0,false)}" -match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); +var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); -var part1815 = // "Pattern{Constant('Serviced'), Field(p0,false)}" -match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); +var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); -var part1816 = // "Pattern{Constant('Recieved'), Field(p0,false)}" -match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); +var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); var select407 = linear_select([ - part1815, - part1816, + part1809, + part1810, ]); -var part1817 = // "Pattern{Field(,false), Constant('coldstart request for route synchronization from NSRP peer. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); +var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); -var all376 = all_match({ +var all370 = all_match({ processors: [ - part1814, + part1808, select407, - part1817, + part1811, ], on_success: processor_chain([ - dup274, + dup272, dup2, dup3, dup9, @@ -23439,11 +21287,10 @@ var all376 = all_match({ ]), }); -var msg1151 = msg("00620:01", all376); +var msg1151 = msg("00620:01", all370); -var part1818 = // "Pattern{Constant('RTSYNC: Started timer to purge all the DRP backup routes - '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ - dup274, +var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -23451,11 +21298,10 @@ match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to pur dup5, ])); -var msg1152 = msg("00620:02", part1818); +var msg1152 = msg("00620:02", part1812); -var part1819 = // "Pattern{Constant('RTSYNC: Event posted to purge backup routes in all vrouters. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ - dup274, +var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -23463,11 +21309,10 @@ match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purg dup5, ])); -var msg1153 = msg("00620:03", part1819); +var msg1153 = msg("00620:03", part1813); -var part1820 = // "Pattern{Constant('RTSYNC: Timer to purge the DRP backup routes is stopped. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. (%{fld1})", processor_chain([ - dup274, +var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -23475,7 +21320,7 @@ match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the D dup5, ])); -var msg1154 = msg("00620:04", part1820); +var msg1154 = msg("00620:04", part1814); var select408 = linear_select([ msg1150, @@ -23485,9 +21330,8 @@ var select408 = linear_select([ msg1154, ]); -var part1821 = // "Pattern{Constant('NHRP : NHRP instance in virtual router '), Field(node,true), Constant(' is created. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ - dup275, +var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ + dup273, dup2, dup3, dup9, @@ -23495,30 +21339,27 @@ match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual dup5, ])); -var msg1155 = msg("00622", part1821); +var msg1155 = msg("00622", part1815); -var part1822 = // "Pattern{Constant('Session (id '), Field(sessionid,true), Constant(' src-ip '), Field(saddr,true), Constant(' dst-ip '), Field(daddr,true), Constant(' dst port '), Field(dport,false), Constant(') route is '), Field(p0,false)}" -match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); +var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); -var part1823 = // "Pattern{Constant('invalid'), Field(p0,false)}" -match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); +var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); -var part1824 = // "Pattern{Constant('valid'), Field(p0,false)}" -match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); +var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); var select409 = linear_select([ - part1823, - part1824, + part1817, + part1818, ]); -var all377 = all_match({ +var all371 = all_match({ processors: [ - part1822, + part1816, select409, dup49, ], on_success: processor_chain([ - dup275, + dup273, dup2, dup4, dup5, @@ -23526,37 +21367,32 @@ var all377 = all_match({ ]), }); -var msg1156 = msg("00625", all377); +var msg1156 = msg("00625", all371); -var part1825 = // "Pattern{Constant('audit log queue '), Field(p0,false)}" -match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); +var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); -var part1826 = // "Pattern{Constant('Traffic Log '), Field(p0,false)}" -match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); +var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); -var part1827 = // "Pattern{Constant('Event Alarm Log '), Field(p0,false)}" -match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); +var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); -var part1828 = // "Pattern{Constant('Event Log '), Field(p0,false)}" -match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); +var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); var select410 = linear_select([ - part1826, - part1827, - part1828, + part1820, + part1821, + part1822, ]); -var part1829 = // "Pattern{Constant('is overwritten ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); +var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); -var all378 = all_match({ +var all372 = all_match({ processors: [ - part1825, + part1819, select410, - part1829, + part1823, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup4, dup5, @@ -23564,22 +21400,20 @@ var all378 = all_match({ ]), }); -var msg1157 = msg("00628", all378); +var msg1157 = msg("00628", all372); -var part1830 = // "Pattern{Constant('Log setting was modified to '), Field(disposition,true), Constant(' '), Field(fld2,true), Constant(' level by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin %{administrator->} (%{fld1})", processor_chain([ +var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin %{administrator->} (%{fld1})", processor_chain([ dup1, dup2, dup4, dup5, dup9, - dup284, + dup282, ])); -var msg1158 = msg("00767:50", part1830); +var msg1158 = msg("00767:50", part1824); -var part1831 = // "Pattern{Constant('Attack CS:Man in Middle is created by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ dup58, dup2, dup4, @@ -23587,10 +21421,9 @@ match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is c dup9, ])); -var msg1159 = msg("00767:51", part1831); +var msg1159 = msg("00767:51", part1825); -var part1832 = // "Pattern{Constant('Attack group '), Field(group,true), Constant(' is created by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ dup58, dup2, dup4, @@ -23598,10 +21431,9 @@ match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is c dup9, ])); -var msg1160 = msg("00767:52", part1832); +var msg1160 = msg("00767:52", part1826); -var part1833 = // "Pattern{Constant('Attack CS:Man in Middle is added to attack group '), Field(group,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ dup58, dup2, dup4, @@ -23609,10 +21441,9 @@ match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is a dup9, ])); -var msg1161 = msg("00767:53", part1833); +var msg1161 = msg("00767:53", part1827); -var part1834 = // "Pattern{Constant('Cannot contact the SecurID server'), Field(,false)}" -match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ +var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ dup27, setc("ec_theme","Communication"), dup39, @@ -23622,25 +21453,22 @@ match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID serv dup5, ])); -var msg1162 = msg("00767", part1834); +var msg1162 = msg("00767", part1828); -var part1835 = // "Pattern{Constant('System auto-config of file '), Field(fld2,true), Constant(' from TFTP server '), Field(hostip,true), Constant(' has '), Field(p0,false)}" -match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); +var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); -var part1836 = // "Pattern{Constant('been loaded successfully'), Field(,false)}" -match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); +var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); -var part1837 = // "Pattern{Constant('failed'), Field(,false)}" -match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); +var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); var select411 = linear_select([ - part1836, - part1837, + part1830, + part1831, ]); -var all379 = all_match({ +var all373 = all_match({ processors: [ - part1835, + part1829, select411, ], on_success: processor_chain([ @@ -23652,10 +21480,9 @@ var all379 = all_match({ ]), }); -var msg1163 = msg("00767:01", all379); +var msg1163 = msg("00767:01", all373); -var part1838 = // "Pattern{Constant('netscreen: System Config saved from host '), Field(saddr,false)}" -match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ +var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ setc("eventcategory","1702000000"), dup2, dup3, @@ -23663,10 +21490,9 @@ match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config sav dup5, ])); -var msg1164 = msg("00767:02", part1838); +var msg1164 = msg("00767:02", part1832); -var part1839 = // "Pattern{Constant('System Config saved to filename '), Field(filename,false)}" -match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %{filename}", processor_chain([ +var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %{filename}", processor_chain([ dup1, dup2, dup3, @@ -23674,10 +21500,9 @@ match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filen dup5, ])); -var msg1165 = msg("00767:03", part1839); +var msg1165 = msg("00767:03", part1833); -var part1840 = // "Pattern{Constant('System is operational.'), Field(,false)}" -match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ +var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ dup44, dup2, dup3, @@ -23685,10 +21510,9 @@ match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", dup5, ])); -var msg1166 = msg("00767:04", part1840); +var msg1166 = msg("00767:04", part1834); -var part1841 = // "Pattern{Constant('The device cannot contact the SecurID server'), Field(,false)}" -match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ +var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ dup27, dup2, dup3, @@ -23696,10 +21520,9 @@ match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact th dup5, ])); -var msg1167 = msg("00767:05", part1841); +var msg1167 = msg("00767:05", part1835); -var part1842 = // "Pattern{Constant('The device cannot send data to the SecurID server'), Field(,false)}" -match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ +var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ dup27, dup2, dup3, @@ -23707,10 +21530,9 @@ match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data dup5, ])); -var msg1168 = msg("00767:06", part1842); +var msg1168 = msg("00767:06", part1836); -var part1843 = // "Pattern{Constant('The system configuration was saved from peer unit by admin'), Field(,false)}" -match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ +var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ dup1, dup2, dup3, @@ -23718,15 +21540,14 @@ match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was dup5, ])); -var msg1169 = msg("00767:07", part1843); +var msg1169 = msg("00767:07", part1837); -var part1844 = // "Pattern{Constant('The system configuration was saved by admin '), Field(p0,false)}" -match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); +var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); -var all380 = all_match({ +var all374 = all_match({ processors: [ - part1844, - dup400, + part1838, + dup397, ], on_success: processor_chain([ dup1, @@ -23738,25 +21559,22 @@ var all380 = all_match({ ]), }); -var msg1170 = msg("00767:08", all380); +var msg1170 = msg("00767:08", all374); -var part1845 = // "Pattern{Constant('traffic shaping is turned O'), Field(p0,false)}" -match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); +var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); -var part1846 = // "Pattern{Constant('N'), Field(,false)}" -match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); +var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); -var part1847 = // "Pattern{Constant('FF'), Field(,false)}" -match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); +var part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); var select412 = linear_select([ - part1846, - part1847, + part1840, + part1841, ]); -var all381 = all_match({ +var all375 = all_match({ processors: [ - part1845, + part1839, select412, ], on_success: processor_chain([ @@ -23768,15 +21586,14 @@ var all381 = all_match({ ]), }); -var msg1171 = msg("00767:09", all381); +var msg1171 = msg("00767:09", all375); -var part1848 = // "Pattern{Constant('The system configuration was saved from host '), Field(saddr,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); +var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); -var all382 = all_match({ +var all376 = all_match({ processors: [ - part1848, - dup400, + part1842, + dup397, ], on_success: processor_chain([ dup1, @@ -23788,40 +21605,35 @@ var all382 = all_match({ ]), }); -var msg1172 = msg("00767:10", all382); +var msg1172 = msg("00767:10", all376); -var part1849 = // "Pattern{Constant('Fatal error. The NetScreen device was unable to upgrade the '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); +var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); -var part1850 = // "Pattern{Constant('file system '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); +var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); var select413 = linear_select([ - dup333, - part1850, + dup331, + part1844, ]); -var part1851 = // "Pattern{Constant(', and the '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); +var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); -var part1852 = // "Pattern{Constant('old file system '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); +var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); var select414 = linear_select([ - dup333, - part1852, + dup331, + part1846, ]); -var part1853 = // "Pattern{Constant('is damaged.'), Field(,false)}" -match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); +var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); -var all383 = all_match({ +var all377 = all_match({ processors: [ - part1849, + part1843, select413, - part1851, + part1845, select414, - part1853, + part1847, ], on_success: processor_chain([ dup18, @@ -23832,10 +21644,9 @@ var all383 = all_match({ ]), }); -var msg1173 = msg("00767:11", all383); +var msg1173 = msg("00767:11", all377); -var part1854 = // "Pattern{Constant('System configuration saved by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ +var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -23844,15 +21655,14 @@ match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved b dup5, ])); -var msg1174 = msg("00767:12", part1854); +var msg1174 = msg("00767:12", part1848); -var part1855 = // "Pattern{Field(fld2,false), Constant('Environment variable '), Field(fld3,true), Constant(' is changed to '), Field(fld4,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is changed to %{fld4->} by admin %{p0}"); +var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is changed to %{fld4->} by admin %{p0}"); -var all384 = all_match({ +var all378 = all_match({ processors: [ - part1855, - dup400, + part1849, + dup397, ], on_success: processor_chain([ dup1, @@ -23864,38 +21674,33 @@ var all384 = all_match({ ]), }); -var msg1175 = msg("00767:13", all384); +var msg1175 = msg("00767:13", all378); -var part1856 = // "Pattern{Constant('System was '), Field(p0,false)}" -match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); +var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); -var part1857 = // "Pattern{Constant('reset '), Field(p0,false)}" -match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); +var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); var select415 = linear_select([ - part1857, - dup264, + part1851, + dup262, ]); -var part1858 = // "Pattern{Constant('at '), Field(fld2,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); +var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); -var part1859 = // "Pattern{Constant('admin '), Field(administrator,false)}" -match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); +var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); -var part1860 = // "Pattern{Field(username,false)}" -match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); +var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); var select416 = linear_select([ - part1859, - part1860, + part1853, + part1854, ]); -var all385 = all_match({ +var all379 = all_match({ processors: [ - part1856, + part1850, select415, - part1858, + part1852, select416, ], on_success: processor_chain([ @@ -23907,39 +21712,34 @@ var all385 = all_match({ ]), }); -var msg1176 = msg("00767:14", all385); +var msg1176 = msg("00767:14", all379); -var part1861 = // "Pattern{Constant('System '), Field(p0,false)}" -match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); +var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); -var part1862 = // "Pattern{Constant('Event '), Field(p0,false)}" -match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); +var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); -var part1863 = // "Pattern{Constant('Traffic '), Field(p0,false)}" -match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); +var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); var select417 = linear_select([ - part1861, - part1862, - part1863, + part1855, + part1856, + part1857, ]); -var part1864 = // "Pattern{Constant('log was reviewed by '), Field(p0,false)}" -match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); +var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); -var part1865 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('.')}" -match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); +var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); -var all386 = all_match({ +var all380 = all_match({ processors: [ - dup185, + dup183, select417, - part1864, - dup338, - part1865, + part1858, + dup336, + part1859, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup3, dup4, @@ -23947,10 +21747,9 @@ var all386 = all_match({ ]), }); -var msg1177 = msg("00767:15", all386); +var msg1177 = msg("00767:15", all380); -var part1866 = // "Pattern{Field(fld2,true), Constant(' Admin '), Field(administrator,true), Constant(' issued command '), Field(info,true), Constant(' to redirect output.')}" -match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ +var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ dup1, dup2, dup3, @@ -23958,15 +21757,14 @@ match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administra dup5, ])); -var msg1178 = msg("00767:16", part1866); +var msg1178 = msg("00767:16", part1860); -var part1867 = // "Pattern{Field(fld2,true), Constant(' Save new software from '), Field(fld3,true), Constant(' to flash by admin '), Field(p0,false)}" -match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); +var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); -var all387 = all_match({ +var all381 = all_match({ processors: [ - part1867, - dup400, + part1861, + dup397, ], on_success: processor_chain([ dup1, @@ -23978,10 +21776,9 @@ var all387 = all_match({ ]), }); -var msg1179 = msg("00767:17", all387); +var msg1179 = msg("00767:17", all381); -var part1868 = // "Pattern{Constant('Attack database version '), Field(version,true), Constant(' has been '), Field(fld2,true), Constant(' saved to flash.')}" -match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ +var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ dup1, dup2, dup3, @@ -23989,10 +21786,9 @@ match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{ve dup5, ])); -var msg1180 = msg("00767:18", part1868); +var msg1180 = msg("00767:18", part1862); -var part1869 = // "Pattern{Constant('Attack database version '), Field(version,true), Constant(' was rejected because the authentication check failed.')}" -match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ +var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ dup1, dup2, dup3, @@ -24000,10 +21796,9 @@ match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{ve dup5, ])); -var msg1181 = msg("00767:19", part1869); +var msg1181 = msg("00767:19", part1863); -var part1870 = // "Pattern{Constant('The dictionary file version of the RADIUS server '), Field(hostname,true), Constant(' does not match '), Field(fld2,false)}" -match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ +var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -24011,10 +21806,9 @@ match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version dup5, ])); -var msg1182 = msg("00767:20", part1870); +var msg1182 = msg("00767:20", part1864); -var part1871 = // "Pattern{Constant('Session ('), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(', '), Field(fld4,false), Constant(') cleared '), Field(fld5,false)}" -match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ +var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ dup1, dup2, dup3, @@ -24022,47 +21816,40 @@ match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, dup5, ])); -var msg1183 = msg("00767:21", part1871); +var msg1183 = msg("00767:21", part1865); -var part1872 = // "Pattern{Constant('The system configuration was not saved '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); +var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); -var part1873 = // "Pattern{Field(fld2,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); +var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); -var part1874 = // "Pattern{Constant(''), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); +var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); var select418 = linear_select([ - part1873, - part1874, + part1867, + part1868, ]); -var part1875 = // "Pattern{Constant('by administrator '), Field(fld3,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. %{p0}"); +var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. %{p0}"); -var part1876 = // "Pattern{Constant('It was locked '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); +var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); -var part1877 = // "Pattern{Constant('Locked '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); +var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); var select419 = linear_select([ - part1876, - part1877, + part1870, + part1871, ]); -var part1878 = // "Pattern{Constant('by administrator '), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); +var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); -var all388 = all_match({ +var all382 = all_match({ processors: [ - part1872, + part1866, select418, - part1875, + part1869, select419, - part1878, - dup356, + part1872, + dup354, ], on_success: processor_chain([ dup50, @@ -24076,10 +21863,9 @@ var all388 = all_match({ ]), }); -var msg1184 = msg("00767:22", all388); +var msg1184 = msg("00767:22", all382); -var part1879 = // "Pattern{Constant('Save new software from slot filename '), Field(filename,true), Constant(' to flash memory by administrator '), Field(administrator,false)}" -match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ +var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ dup1, dup2, dup3, @@ -24087,30 +21873,27 @@ match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot dup5, ])); -var msg1185 = msg("00767:23", part1879); +var msg1185 = msg("00767:23", part1873); -var part1880 = // "Pattern{Constant('System configuration saved by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from '), Field(p0,false)}" -match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); +var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); var select420 = linear_select([ - dup171, + dup169, dup16, ]); -var part1881 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); +var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); -var part1882 = // "Pattern{Field(saddr,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); +var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); var select421 = linear_select([ - part1881, - part1882, + part1875, + part1876, ]); -var all389 = all_match({ +var all383 = all_match({ processors: [ - part1880, + part1874, select420, dup23, select421, @@ -24125,41 +21908,35 @@ var all389 = all_match({ ]), }); -var msg1186 = msg("00767:25", all389); +var msg1186 = msg("00767:25", all383); -var part1883 = // "Pattern{Constant('Lock configuration '), Field(p0,false)}" -match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); +var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); -var part1884 = // "Pattern{Constant('started'), Field(p0,false)}" -match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); +var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); -var part1885 = // "Pattern{Constant('ended'), Field(p0,false)}" -match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); +var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); var select422 = linear_select([ - part1884, - part1885, + part1878, + part1879, ]); -var part1886 = // "Pattern{Field(,false), Constant('by task '), Field(p0,false)}" -match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); +var part1880 = match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); -var part1887 = // "Pattern{Constant(''), Field(fld3,false), Constant(', with a timeout value of '), Field(fld2,false)}" -match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); +var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); -var part1888 = // "Pattern{Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); +var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); var select423 = linear_select([ - part1887, - part1888, + part1881, + part1882, ]); -var all390 = all_match({ +var all384 = all_match({ processors: [ - part1883, + part1877, select422, - part1886, + part1880, select423, ], on_success: processor_chain([ @@ -24174,29 +21951,26 @@ var all390 = all_match({ ]), }); -var msg1187 = msg("00767:26", all390); +var msg1187 = msg("00767:26", all384); -var part1889 = // "Pattern{Constant('Environment variable '), Field(fld2,true), Constant(' changed to '), Field(p0,false)}" -match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); +var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); -var part1890 = // "Pattern{Field(fld3,true), Constant(' by '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); +var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); -var part1891 = // "Pattern{Field(fld3,false)}" -match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); +var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); var select424 = linear_select([ - part1890, - part1891, + part1884, + part1885, ]); -var all391 = all_match({ +var all385 = all_match({ processors: [ - part1889, + part1883, select424, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup3, dup9, @@ -24205,10 +21979,9 @@ var all391 = all_match({ ]), }); -var msg1188 = msg("00767:27", all391); +var msg1188 = msg("00767:27", all385); -var part1892 = // "Pattern{Constant('The system configuration was loaded from IP address '), Field(hostip,true), Constant(' under filename '), Field(filename,true), Constant(' by administrator by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ +var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24217,10 +21990,9 @@ match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was dup5, ])); -var msg1189 = msg("00767:28", part1892); +var msg1189 = msg("00767:28", part1886); -var part1893 = // "Pattern{Constant('Save configuration to IP address '), Field(hostip,true), Constant(' under filename '), Field(filename,true), Constant(' by administrator by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ +var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24229,10 +22001,9 @@ match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP add dup5, ])); -var msg1190 = msg("00767:29", part1893); +var msg1190 = msg("00767:29", part1887); -var part1894 = // "Pattern{Field(fld2,false), Constant(': The system configuration was saved from host '), Field(saddr,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24241,28 +22012,25 @@ match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configur dup5, ])); -var msg1191 = msg("00767:30", part1894); +var msg1191 = msg("00767:30", part1888); -var part1895 = // "Pattern{Constant('logged events or alarms '), Field(p0,false)}" -match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); +var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); -var part1896 = // "Pattern{Constant('traffic logs '), Field(p0,false)}" -match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); +var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); var select425 = linear_select([ - part1895, - part1896, + part1889, + part1890, ]); -var part1897 = // "Pattern{Constant('were cleared by admin '), Field(p0,false)}" -match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); +var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); -var all392 = all_match({ +var all386 = all_match({ processors: [ - dup188, + dup186, select425, - part1897, - dup400, + part1891, + dup397, ], on_success: processor_chain([ dup1, @@ -24274,30 +22042,26 @@ var all392 = all_match({ ]), }); -var msg1192 = msg("00767:31", all392); +var msg1192 = msg("00767:31", all386); -var part1898 = // "Pattern{Constant('SIP parser error '), Field(p0,false)}" -match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); +var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); -var part1899 = // "Pattern{Constant('SIP-field'), Field(p0,false)}" -match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); +var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); -var part1900 = // "Pattern{Constant('Message'), Field(p0,false)}" -match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); +var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); var select426 = linear_select([ - part1899, - part1900, + part1893, + part1894, ]); -var part1901 = // "Pattern{Constant(': '), Field(result,false), Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); +var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); -var all393 = all_match({ +var all387 = all_match({ processors: [ - part1898, + part1892, select426, - part1901, + part1895, ], on_success: processor_chain([ dup27, @@ -24309,10 +22073,9 @@ var all393 = all_match({ ]), }); -var msg1193 = msg("00767:32", all393); +var msg1193 = msg("00767:32", all387); -var part1902 = // "Pattern{Constant('Daylight Saving Time has started. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. (%{fld1})", processor_chain([ +var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -24321,11 +22084,10 @@ match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has sta dup5, ])); -var msg1194 = msg("00767:33", part1902); +var msg1194 = msg("00767:33", part1896); -var part1903 = // "Pattern{Constant('NetScreen devices do not support multiple IP addresses '), Field(hostip,true), Constant(' or ports '), Field(network_port,true), Constant(' in SIP headers RESPONSE ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ - dup315, +var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ + dup313, dup2, dup3, dup9, @@ -24333,10 +22095,9 @@ match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not sup dup5, ])); -var msg1195 = msg("00767:34", part1903); +var msg1195 = msg("00767:34", part1897); -var part1904 = // "Pattern{Constant('Environment variable '), Field(fld2,true), Constant(' set to '), Field(fld3,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ +var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24345,10 +22106,9 @@ match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2- dup5, ])); -var msg1196 = msg("00767:35", part1904); +var msg1196 = msg("00767:35", part1898); -var part1905 = // "Pattern{Constant('System configuration saved from '), Field(fld2,true), Constant(' by '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ +var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24357,11 +22117,10 @@ match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved f dup5, ])); -var msg1197 = msg("00767:36", part1905); +var msg1197 = msg("00767:36", part1899); -var part1906 = // "Pattern{Constant('Trial keys are available to download to enable advanced features. '), Field(space,true), Constant(' To find out, please visit '), Field(url,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ - dup256, +var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ + dup254, dup2, dup3, dup9, @@ -24369,10 +22128,9 @@ match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to dup5, ])); -var msg1198 = msg("00767:37", part1906); +var msg1198 = msg("00767:37", part1900); -var part1907 = // "Pattern{Constant('Log buffer was full and remaining messages were sent to external destination. '), Field(fld2,true), Constant(' packets were dropped. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. (%{fld1})", processor_chain([ +var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. (%{fld1})", processor_chain([ setc("eventcategory","1602000000"), dup2, dup3, @@ -24381,46 +22139,40 @@ match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and rema dup5, ])); -var msg1199 = msg("00767:38", part1907); +var msg1199 = msg("00767:38", part1901); -var part1908 = // "Pattern{Constant('Cannot '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); +var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); -var part1909 = // "Pattern{Constant('download '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); +var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); -var part1910 = // "Pattern{Constant('parse '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); +var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); var select427 = linear_select([ - part1909, - part1910, + part1903, + part1904, ]); -var part1911 = // "Pattern{Constant('attack database '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); +var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); -var part1912 = // "Pattern{Constant('from '), Field(url,true), Constant(' ('), Field(result,false), Constant('). '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); +var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); -var part1913 = // "Pattern{Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); +var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); var select428 = linear_select([ - part1912, - part1913, + part1906, + part1907, ]); -var all394 = all_match({ +var all388 = all_match({ processors: [ - part1908, + part1902, select427, - part1911, + part1905, select428, dup10, ], on_success: processor_chain([ - dup326, + dup324, dup2, dup3, dup9, @@ -24429,10 +22181,9 @@ var all394 = all_match({ ]), }); -var msg1200 = msg("00767:39", all394); +var msg1200 = msg("00767:39", all388); -var part1914 = // "Pattern{Constant('Deep Inspection update key is '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ +var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ dup62, dup2, dup3, @@ -24441,10 +22192,9 @@ match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key i dup5, ])); -var msg1201 = msg("00767:40", part1914); +var msg1201 = msg("00767:40", part1908); -var part1915 = // "Pattern{Constant('System configuration saved by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ +var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24453,10 +22203,9 @@ match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved b dup5, ])); -var msg1202 = msg("00767:42", part1915); +var msg1202 = msg("00767:42", part1909); -var part1916 = // "Pattern{Constant('Daylight Saving Time ended. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. (%{fld1})", processor_chain([ +var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -24465,10 +22214,9 @@ match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. dup5, ])); -var msg1203 = msg("00767:43", part1916); +var msg1203 = msg("00767:43", part1910); -var part1917 = // "Pattern{Constant('New GMT zone ahead or behind by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ +var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -24477,10 +22225,9 @@ match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind dup5, ])); -var msg1204 = msg("00767:44", part1917); +var msg1204 = msg("00767:44", part1911); -var part1918 = // "Pattern{Constant('Attack database version '), Field(version,true), Constant(' is saved to flash. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ +var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24489,10 +22236,9 @@ match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{ve dup5, ])); -var msg1205 = msg("00767:45", part1918); +var msg1205 = msg("00767:45", part1912); -var part1919 = // "Pattern{Constant('System configuration saved by netscreen via '), Field(logon_type,true), Constant(' by netscreen. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ +var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24501,10 +22247,9 @@ match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved b dup5, ])); -var msg1206 = msg("00767:46", part1919); +var msg1206 = msg("00767:46", part1913); -var part1920 = // "Pattern{Constant('User '), Field(username,true), Constant(' belongs to a different group in the RADIUS server than that allowed in the device. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ +var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24513,19 +22258,17 @@ match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs t dup9, ])); -var msg1207 = msg("00767:47", part1920); +var msg1207 = msg("00767:47", part1914); -var part1921 = // "Pattern{Constant('System configuration saved by '), Field(p0,false)}" -match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); +var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); -var part1922 = // "Pattern{Field(logon_type,true), Constant(' by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); +var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); -var all395 = all_match({ +var all389 = all_match({ processors: [ - part1921, - dup367, - part1922, + part1915, + dup364, + part1916, ], on_success: processor_chain([ dup1, @@ -24537,11 +22280,10 @@ var all395 = all_match({ ]), }); -var msg1208 = msg("00767:24", all395); +var msg1208 = msg("00767:24", all389); -var part1923 = // "Pattern{Constant('HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. (%{fld1})", processor_chain([ - dup274, +var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -24549,30 +22291,26 @@ match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) dup5, ])); -var msg1209 = msg("00767:48", part1923); +var msg1209 = msg("00767:48", part1917); -var part1924 = // "Pattern{Field(fld2,true), Constant(' turn o'), Field(p0,false)}" -match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); +var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); -var part1925 = // "Pattern{Constant('n'), Field(p0,false)}" -match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); +var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); -var part1926 = // "Pattern{Constant('ff'), Field(p0,false)}" -match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); +var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); var select429 = linear_select([ - part1925, - part1926, + part1919, + part1920, ]); -var part1927 = // "Pattern{Field(,false), Constant('debug switch for '), Field(fld3,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); +var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); -var all396 = all_match({ +var all390 = all_match({ processors: [ - part1924, + part1918, select429, - part1927, + part1921, ], on_success: processor_chain([ dup1, @@ -24583,7 +22321,7 @@ var all396 = all_match({ ]), }); -var msg1210 = msg("00767:49", all396); +var msg1210 = msg("00767:49", all390); var select430 = linear_select([ msg1158, @@ -24641,26 +22379,25 @@ var select430 = linear_select([ msg1210, ]); -var part1928 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup187, +var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, - dup279, - dup3, + dup274, dup277, + dup3, + dup275, dup60, ])); -var msg1211 = msg("01269", part1928); +var msg1211 = msg("01269", part1922); -var msg1212 = msg("01269:01", dup410); +var msg1212 = msg("01269:01", dup407); -var msg1213 = msg("01269:02", dup411); +var msg1213 = msg("01269:02", dup408); -var msg1214 = msg("01269:03", dup412); +var msg1214 = msg("01269:03", dup409); var select431 = linear_select([ msg1211, @@ -24669,67 +22406,63 @@ var select431 = linear_select([ msg1214, ]); -var part1929 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup278, - dup279, + dup276, dup277, - dup334, + dup275, + dup332, ])); -var msg1215 = msg("17852", part1929); +var msg1215 = msg("17852", part1923); -var part1930 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, - dup334, - dup284, + dup275, + dup332, + dup282, ])); -var msg1216 = msg("17852:01", part1930); +var msg1216 = msg("17852:01", part1924); -var part1931 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup61, ])); -var msg1217 = msg("17852:02", part1931); +var msg1217 = msg("17852:02", part1925); -var part1932 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, - dup334, - dup284, + dup275, + dup332, + dup282, ])); -var msg1218 = msg("17852:03", part1932); +var msg1218 = msg("17852:03", part1926); var select432 = linear_select([ msg1215, @@ -24738,53 +22471,50 @@ var select432 = linear_select([ msg1218, ]); -var msg1219 = msg("23184", dup413); +var msg1219 = msg("23184", dup410); -var part1933 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup61, - dup284, + dup282, ])); -var msg1220 = msg("23184:01", part1933); +var msg1220 = msg("23184:01", part1927); -var part1934 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup278, - dup279, + dup276, dup277, + dup275, dup61, ])); -var msg1221 = msg("23184:02", part1934); +var msg1221 = msg("23184:02", part1928); -var part1935 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, - dup334, - dup284, + dup275, + dup332, + dup282, ])); -var msg1222 = msg("23184:03", part1935); +var msg1222 = msg("23184:03", part1929); var select433 = linear_select([ msg1219, @@ -24793,49 +22523,47 @@ var select433 = linear_select([ msg1222, ]); -var msg1223 = msg("27052", dup413); +var msg1223 = msg("27052", dup410); -var part1936 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,false), Constant('direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup61, - dup284, + dup282, ])); -var msg1224 = msg("27052:01", part1936); +var msg1224 = msg("27052:01", part1930); var select434 = linear_select([ msg1223, msg1224, ]); -var part1937 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup187, +var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, dup2, dup4, - dup279, + dup277, dup5, - dup276, + dup274, dup3, - dup277, - dup278, + dup275, + dup276, dup60, ])); -var msg1225 = msg("39568", part1937); +var msg1225 = msg("39568", part1931); -var msg1226 = msg("39568:01", dup410); +var msg1226 = msg("39568:01", dup407); -var msg1227 = msg("39568:02", dup411); +var msg1227 = msg("39568:02", dup408); -var msg1228 = msg("39568:03", dup412); +var msg1228 = msg("39568:03", dup409); var select435 = linear_select([ msg1225, @@ -25010,751 +22738,500 @@ var chain1 = processor_chain([ }), ]); -var part1938 = // "Pattern{Constant('Address '), Field(group_object,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); - -var part1939 = // "Pattern{Constant('domain address '), Field(domain,true), Constant(' in zone '), Field(p0,false)}" -match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); +var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); -var part1940 = // "Pattern{Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); +var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); -var part1941 = // "Pattern{Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); +var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); -var part1942 = // "Pattern{Field(fld1,false)}" -match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); +var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); -var part1943 = // "Pattern{Constant('Address '), Field(p0,false)}" -match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); +var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); -var part1944 = // "Pattern{Constant('MIP('), Field(interface,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); +var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); -var part1945 = // "Pattern{Field(group_object,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); +var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); -var part1946 = // "Pattern{Constant('admin '), Field(p0,false)}" -match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); +var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); -var part1947 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); +var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); -var part1948 = // "Pattern{Constant('from host '), Field(saddr,true), Constant(' ')}" -match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); +var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); -var part1949 = // "Pattern{}" -match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); +var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); -var part1950 = // "Pattern{Constant(''), Field(p0,false)}" -match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); +var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); -var part1951 = // "Pattern{Constant('password '), Field(p0,false)}" -match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); +var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); -var part1952 = // "Pattern{Constant('name '), Field(p0,false)}" -match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); +var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); -var part1953 = // "Pattern{Field(administrator,false)}" -match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); +var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); -var part1954 = // "Pattern{Field(disposition,false)}" -match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); +var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); -var part1955 = // "Pattern{Constant('via '), Field(p0,false)}" -match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); +var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); -var part1956 = // "Pattern{Field(fld1,false), Constant(')')}" -match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); +var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); -var part1957 = // "Pattern{Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); +var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); -var part1958 = // "Pattern{Constant('admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); +var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); -var part1959 = // "Pattern{Field(username,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); +var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); -var part1960 = // "Pattern{Constant('NSRP Peer . ('), Field(p0,false)}" -match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); +var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); -var part1961 = // "Pattern{Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); +var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); -var part1962 = // "Pattern{Constant('changed'), Field(p0,false)}" -match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); +var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); -var part1963 = // "Pattern{Constant('The '), Field(p0,false)}" -match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); +var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); -var part1964 = // "Pattern{Constant('interface'), Field(p0,false)}" -match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); +var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); -var part1965 = // "Pattern{Constant('Interface'), Field(p0,false)}" -match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); +var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); -var part1966 = // "Pattern{Constant('DNS entries have been '), Field(p0,false)}" -match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); +var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); -var part1967 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); +var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); -var part1968 = // "Pattern{Field(zone,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); +var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); -var part1969 = // "Pattern{Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); +var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); -var part1970 = // "Pattern{Constant('int '), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); +var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); -var part1971 = // "Pattern{Field(dport,false), Constant(','), Field(p0,false)}" -match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); +var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); -var part1972 = // "Pattern{Field(dport,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); +var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); -var part1973 = // "Pattern{Field(space,false), Constant('using protocol '), Field(p0,false)}" -match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); +var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); -var part1974 = // "Pattern{Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); +var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); -var part1975 = // "Pattern{Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); +var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); -var part1976 = // "Pattern{Constant('. '), Field(p0,false)}" -match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); +var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); -var part1977 = // "Pattern{Field(fld2,false), Constant(': SYN '), Field(p0,false)}" -match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); +var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); -var part1978 = // "Pattern{Constant('SYN '), Field(p0,false)}" -match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); +var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); -var part1979 = // "Pattern{Constant('timeout value '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); +var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); -var part1980 = // "Pattern{Constant('destination '), Field(p0,false)}" -match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); +var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); -var part1981 = // "Pattern{Constant('source '), Field(p0,false)}" -match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); +var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); -var part1982 = // "Pattern{Constant('A '), Field(p0,false)}" -match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); +var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); -var part1983 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); -var part1984 = // "Pattern{Constant(', int '), Field(p0,false)}" -match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); +var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part1985 = // "Pattern{Constant('int '), Field(p0,false)}" -match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); +var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); -var part1986 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); +var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); -var part1987 = // "Pattern{Constant('HA '), Field(p0,false)}" -match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); +var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); -var part1988 = // "Pattern{Constant('encryption '), Field(p0,false)}" -match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); +var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); -var part1989 = // "Pattern{Constant('authentication '), Field(p0,false)}" -match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); +var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); -var part1990 = // "Pattern{Constant('key '), Field(p0,false)}" -match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); +var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); -var part1991 = // "Pattern{Constant('disabled'), Field(,false)}" -match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); +var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); -var part1992 = // "Pattern{Constant('set to '), Field(trigger_val,false)}" -match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); +var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); -var part1993 = // "Pattern{Constant('up'), Field(,false)}" -match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); +var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); -var part1994 = // "Pattern{Constant('down'), Field(,false)}" -match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); +var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); -var part1995 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); +var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); -var part1996 = // "Pattern{Constant('set'), Field(,false)}" -match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); +var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); -var part1997 = // "Pattern{Constant('unset'), Field(,false)}" -match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); +var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); -var part1998 = // "Pattern{Constant('undefined '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); +var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); -var part1999 = // "Pattern{Constant('set '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); +var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); -var part2000 = // "Pattern{Constant('active '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); +var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); -var part2001 = // "Pattern{Constant('to '), Field(p0,false)}" -match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); +var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); -var part2002 = // "Pattern{Constant('created '), Field(p0,false)}" -match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); +var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); -var part2003 = // "Pattern{Constant(', '), Field(p0,false)}" -match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); +var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); -var part2004 = // "Pattern{Constant('is '), Field(p0,false)}" -match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); +var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); -var part2005 = // "Pattern{Constant('was '), Field(p0,false)}" -match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); +var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); -var part2006 = // "Pattern{Constant(''), Field(fld2,false)}" -match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); +var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); -var part2007 = // "Pattern{Constant('threshold '), Field(p0,false)}" -match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); +var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); -var part2008 = // "Pattern{Constant('interval '), Field(p0,false)}" -match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); +var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); -var part2009 = // "Pattern{Constant('of '), Field(p0,false)}" -match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); +var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); -var part2010 = // "Pattern{Constant('that '), Field(p0,false)}" -match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); +var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); -var part2011 = // "Pattern{Constant('Zone '), Field(p0,false)}" -match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); +var part2004 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); -var part2012 = // "Pattern{Constant('Interface '), Field(p0,false)}" -match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); +var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); -var part2013 = // "Pattern{Constant('n '), Field(p0,false)}" -match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); +var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); -var part2014 = // "Pattern{Constant('.'), Field(,false)}" -match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); +var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); -var part2015 = // "Pattern{Constant('for '), Field(p0,false)}" -match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); +var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); -var part2016 = // "Pattern{Constant('the '), Field(p0,false)}" -match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); +var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); -var part2017 = // "Pattern{Constant('removed '), Field(p0,false)}" -match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); +var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); -var part2018 = // "Pattern{Constant('interface '), Field(p0,false)}" -match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); +var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); -var part2019 = // "Pattern{Constant('the interface '), Field(p0,false)}" -match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); +var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); -var part2020 = // "Pattern{Field(interface,false)}" -match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); +var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); -var part2021 = // "Pattern{Constant('s '), Field(p0,false)}" -match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); +var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); -var part2022 = // "Pattern{Constant('on interface '), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); +var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); -var part2023 = // "Pattern{Constant('has been '), Field(p0,false)}" -match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); +var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); -var part2024 = // "Pattern{Constant(''), Field(disposition,false), Constant('.')}" -match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); +var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); -var part2025 = // "Pattern{Constant('removed from '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); +var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); -var part2026 = // "Pattern{Constant('added to '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); +var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); -var part2027 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); +var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); -var part2028 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); -var part2029 = // "Pattern{Constant('Interface '), Field(p0,false)}" -match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); +var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part2030 = // "Pattern{Constant('set to '), Field(fld2,false)}" -match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); +var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); -var part2031 = // "Pattern{Constant('gateway '), Field(p0,false)}" -match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); +var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); -var part2032 = // "Pattern{Field(,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); +var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); -var part2033 = // "Pattern{Constant('port number '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); +var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); -var part2034 = // "Pattern{Constant('has been '), Field(disposition,false)}" -match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); +var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); -var part2035 = // "Pattern{Constant('IP '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); +var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); -var part2036 = // "Pattern{Constant('port '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); +var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); -var part2037 = // "Pattern{Constant('up '), Field(p0,false)}" -match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); +var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); -var part2038 = // "Pattern{Constant('down '), Field(p0,false)}" -match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); +var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); -var part2039 = // "Pattern{Constant('('), Field(fld1,false), Constant(') ')}" -match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); +var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); -var part2040 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); +var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); -var part2041 = // "Pattern{Constant('IP '), Field(p0,false)}" -match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); +var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); -var part2042 = // "Pattern{Constant('address pool '), Field(p0,false)}" -match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); +var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); -var part2043 = // "Pattern{Constant('pool '), Field(p0,false)}" -match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); +var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); -var part2044 = // "Pattern{Constant('enabled '), Field(p0,false)}" -match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); +var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); -var part2045 = // "Pattern{Constant('disabled '), Field(p0,false)}" -match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); +var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); -var part2046 = // "Pattern{Constant('AH '), Field(p0,false)}" -match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); +var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); -var part2047 = // "Pattern{Constant('ESP '), Field(p0,false)}" -match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); +var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); -var part2048 = // "Pattern{Constant('’'), Field(p0,false)}" -match("MESSAGE#347:00018:02/1_0", "nwparser.p0", "’%{p0}"); +var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); -var part2049 = // "Pattern{Constant('&'), Field(p0,false)}" -match("MESSAGE#347:00018:02/1_1", "nwparser.p0", "\u0026%{p0}"); +var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); -var part2050 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); +var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); -var part2051 = // "Pattern{Constant('Source'), Field(p0,false)}" -match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); +var part2044 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); -var part2052 = // "Pattern{Constant('Destination'), Field(p0,false)}" -match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); +var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); -var part2053 = // "Pattern{Constant('from '), Field(p0,false)}" -match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); +var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); -var part2054 = // "Pattern{Constant('policy ID '), Field(policy_id,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer . ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); +var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); -var part2055 = // "Pattern{Constant('Attempt to enable '), Field(p0,false)}" -match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); +var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); -var part2056 = // "Pattern{Constant('traffic logging via syslog '), Field(p0,false)}" -match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); +var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); -var part2057 = // "Pattern{Constant('syslog '), Field(p0,false)}" -match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); +var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); -var part2058 = // "Pattern{Constant('Syslog '), Field(p0,false)}" -match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); +var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); -var part2059 = // "Pattern{Constant('host '), Field(p0,false)}" -match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); +var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); -var part2060 = // "Pattern{Constant('domain name '), Field(p0,false)}" -match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); +var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); -var part2061 = // "Pattern{Constant('has been changed to '), Field(fld2,false)}" -match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); +var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); -var part2062 = // "Pattern{Constant('security facility '), Field(p0,false)}" -match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); +var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); -var part2063 = // "Pattern{Constant('facility '), Field(p0,false)}" -match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); +var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); -var part2064 = // "Pattern{Constant('local0'), Field(,false)}" -match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); +var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); -var part2065 = // "Pattern{Constant('local1'), Field(,false)}" -match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); +var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); -var part2066 = // "Pattern{Constant('local2'), Field(,false)}" -match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); +var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); -var part2067 = // "Pattern{Constant('local3'), Field(,false)}" -match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); +var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); -var part2068 = // "Pattern{Constant('local4'), Field(,false)}" -match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); +var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); -var part2069 = // "Pattern{Constant('local5'), Field(,false)}" -match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); +var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); -var part2070 = // "Pattern{Constant('local6'), Field(,false)}" -match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); +var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); -var part2071 = // "Pattern{Constant('local7'), Field(,false)}" -match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); +var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); -var part2072 = // "Pattern{Constant('auth/sec'), Field(,false)}" -match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); +var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); -var part2073 = // "Pattern{Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); +var part2066 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); -var part2074 = // "Pattern{Constant('All '), Field(p0,false)}" -match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); +var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); -var part2075 = // "Pattern{Constant('primary '), Field(p0,false)}" -match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); +var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); -var part2076 = // "Pattern{Constant('secondary '), Field(p0,false)}" -match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); +var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); -var part2077 = // "Pattern{Constant('t '), Field(p0,false)}" -match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); +var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); -var part2078 = // "Pattern{Constant('w '), Field(p0,false)}" -match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); +var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); -var part2079 = // "Pattern{Constant('server '), Field(p0,false)}" -match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); +var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); -var part2080 = // "Pattern{Constant('has '), Field(p0,false)}" -match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); +var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); -var part2081 = // "Pattern{Constant('SCS'), Field(p0,false)}" -match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); +var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); -var part2082 = // "Pattern{Constant('bound to '), Field(p0,false)}" -match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); +var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); -var part2083 = // "Pattern{Constant('unbound from '), Field(p0,false)}" -match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); +var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); -var part2084 = // "Pattern{Constant('PKA RSA '), Field(p0,false)}" -match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); +var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); -var part2085 = // "Pattern{Constant('unbind '), Field(p0,false)}" -match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); +var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); -var part2086 = // "Pattern{Constant('PKA key '), Field(p0,false)}" -match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); +var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); -var part2087 = // "Pattern{Constant('Multiple login failures '), Field(p0,false)}" -match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); +var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); -var part2088 = // "Pattern{Constant('occurred for '), Field(p0,false)}" -match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); +var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); -var part2089 = // "Pattern{Constant('aborted'), Field(,false)}" -match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); +var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); -var part2090 = // "Pattern{Constant('performed'), Field(,false)}" -match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); +var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); -var part2091 = // "Pattern{Constant('IP pool of DHCP server on '), Field(p0,false)}" -match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); +var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); -var part2092 = // "Pattern{Constant('certificate '), Field(p0,false)}" -match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); +var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); -var part2093 = // "Pattern{Constant('CRL '), Field(p0,false)}" -match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); +var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); -var part2094 = // "Pattern{Constant('auto '), Field(p0,false)}" -match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); +var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); -var part2095 = // "Pattern{Constant('RSA '), Field(p0,false)}" -match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); +var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); -var part2096 = // "Pattern{Constant('DSA '), Field(p0,false)}" -match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); +var part2089 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); -var part2097 = // "Pattern{Constant('key pair.'), Field(,false)}" -match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); +var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); -var part2098 = // "Pattern{Constant('FIPS test for '), Field(p0,false)}" -match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); +var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); -var part2099 = // "Pattern{Constant('ECDSA '), Field(p0,false)}" -match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); +var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); -var part2100 = // "Pattern{Constant('yes '), Field(p0,false)}" -match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); +var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); -var part2101 = // "Pattern{Constant('no '), Field(p0,false)}" -match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); +var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); -var part2102 = // "Pattern{Constant('location '), Field(p0,false)}" -match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); +var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); -var part2103 = // "Pattern{Field(,true), Constant(' '), Field(interface,false)}" -match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); +var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); -var part2104 = // "Pattern{Constant('arp re'), Field(p0,false)}" -match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); +var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); -var part2105 = // "Pattern{Constant('q '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); +var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); -var part2106 = // "Pattern{Constant('ply '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); +var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); -var part2107 = // "Pattern{Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); +var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); -var part2108 = // "Pattern{Constant('Global PRO '), Field(p0,false)}" -match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); +var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); -var part2109 = // "Pattern{Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); +var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); -var part2110 = // "Pattern{Constant('NACN Policy Manager '), Field(p0,false)}" -match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); +var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); -var part2111 = // "Pattern{Constant('1 '), Field(p0,false)}" -match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); +var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); -var part2112 = // "Pattern{Constant('2 '), Field(p0,false)}" -match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); +var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); -var part2113 = // "Pattern{Constant('unset '), Field(p0,false)}" -match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); +var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part2114 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); -var part2115 = // "Pattern{Constant('SSH '), Field(p0,false)}" -match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); +var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); -var part2116 = // "Pattern{Constant('SCS: NetScreen '), Field(p0,false)}" -match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); +var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); -var part2117 = // "Pattern{Constant('NetScreen '), Field(p0,false)}" -match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); +var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); -var part2118 = // "Pattern{Constant('S'), Field(p0,false)}" -match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); +var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); -var part2119 = // "Pattern{Constant('CS: SSH'), Field(p0,false)}" -match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); +var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); -var part2120 = // "Pattern{Constant('SH'), Field(p0,false)}" -match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); +var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); -var part2121 = // "Pattern{Constant('the root system '), Field(p0,false)}" -match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); +var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); -var part2122 = // "Pattern{Constant('vsys '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); +var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); -var part2123 = // "Pattern{Constant('CS: SSH '), Field(p0,false)}" -match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); +var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); -var part2124 = // "Pattern{Constant('SH '), Field(p0,false)}" -match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); +var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); -var part2125 = // "Pattern{Constant('a '), Field(p0,false)}" -match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); +var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); -var part2126 = // "Pattern{Constant('ert '), Field(p0,false)}" -match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); +var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); -var part2127 = // "Pattern{Constant('SSL '), Field(p0,false)}" -match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); +var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); -var part2128 = // "Pattern{Constant('id: '), Field(p0,false)}" -match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); +var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); -var part2129 = // "Pattern{Constant('ID '), Field(p0,false)}" -match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); +var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); -var part2130 = // "Pattern{Constant('permit '), Field(p0,false)}" -match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); +var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); -var part2131 = // "Pattern{Constant('IGMP '), Field(p0,false)}" -match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); +var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); -var part2132 = // "Pattern{Constant('IGMP will '), Field(p0,false)}" -match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); +var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); -var part2133 = // "Pattern{Constant('not do '), Field(p0,false)}" -match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); +var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); -var part2134 = // "Pattern{Constant('do '), Field(p0,false)}" -match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); +var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); -var part2135 = // "Pattern{Constant('shut down '), Field(p0,false)}" -match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); +var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); -var part2136 = // "Pattern{Constant('NSRP: '), Field(p0,false)}" -match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); +var part2129 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); -var part2137 = // "Pattern{Constant('Unit '), Field(p0,false)}" -match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); +var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); -var part2138 = // "Pattern{Constant('local unit= '), Field(p0,false)}" -match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); +var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); -var part2139 = // "Pattern{Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); +var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); -var part2140 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Sec'), Field(p0,false)}" -match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); +var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); -var part2141 = // "Pattern{Constant('ruity'), Field(p0,false)}" -match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); +var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); -var part2142 = // "Pattern{Constant('urity'), Field(p0,false)}" -match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); +var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); -var part2143 = // "Pattern{Field(,false), Constant('Device group '), Field(group,true), Constant(' changed state')}" -match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); +var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); -var part2144 = // "Pattern{Constant(''), Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); +var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); -var part2145 = // "Pattern{Constant('start_time='), Field(p0,false)}" -match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); +var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); -var part2146 = // "Pattern{Constant('\"'), Field(fld2,false), Constant('\"'), Field(p0,false)}" -match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); +var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); -var part2147 = // "Pattern{Constant(' "'), Field(fld2,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); +var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); -var part2148 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); +var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); -var part2149 = // "Pattern{Constant('Admin '), Field(p0,false)}" -match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); +var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); -var part2150 = // "Pattern{Constant('Vsys admin '), Field(p0,false)}" -match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); +var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); -var part2151 = // "Pattern{Constant('Telnet '), Field(p0,false)}" -match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); +var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); -var part2152 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); +var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); -var part2153 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); +var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); -var part2154 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.'), Field(p0,false)}" -match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); +var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part2155 = // "Pattern{Field(obj_type,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part2156 = // "Pattern{Field(signame,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); -var part2157 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); +var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); -var part2158 = // "Pattern{Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); +var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); -var part2159 = // "Pattern{Constant('ut '), Field(p0,false)}" -match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); +var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); -var part2160 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); +var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); -var part2161 = // "Pattern{Constant('user '), Field(p0,false)}" -match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); +var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); -var part2162 = // "Pattern{Constant('the '), Field(logon_type,false)}" -match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); +var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); -var part2163 = // "Pattern{Constant('WebAuth user '), Field(p0,false)}" -match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); +var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); -var part2164 = // "Pattern{Constant('backup1 '), Field(p0,false)}" -match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); +var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); -var part2165 = // "Pattern{Constant('backup2 '), Field(p0,false)}" -match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); +var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); -var part2166 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); +var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); -var part2167 = // "Pattern{Constant('assigned '), Field(p0,false)}" -match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); +var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); -var part2168 = // "Pattern{Constant('assigned to '), Field(p0,false)}" -match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); +var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); -var part2169 = // "Pattern{Constant('''), Field(administrator,false), Constant('' '), Field(p0,false)}" -match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); +var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); -var part2170 = // "Pattern{Constant('SSH: P'), Field(p0,false)}" -match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); +var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); -var part2171 = // "Pattern{Constant('KA '), Field(p0,false)}" -match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); +var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); -var part2172 = // "Pattern{Constant('assword '), Field(p0,false)}" -match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); +var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); -var part2173 = // "Pattern{Constant('\''), Field(administrator,false), Constant('\' '), Field(p0,false)}" -match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); +var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); -var part2174 = // "Pattern{Constant('at host '), Field(saddr,false)}" -match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); +var part2167 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); -var part2175 = // "Pattern{Field(,false), Constant('S'), Field(p0,false)}" -match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); +var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); -var part2176 = // "Pattern{Constant('CS '), Field(p0,false)}" -match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); +var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); -var part2177 = // "Pattern{Constant('from server.ini file.'), Field(,false)}" -match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); +var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); -var part2178 = // "Pattern{Constant('pattern '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); +var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); -var part2179 = // "Pattern{Constant('server.ini '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); +var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); -var part2180 = // "Pattern{Constant('file.'), Field(,false)}" -match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); +var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); -var part2181 = // "Pattern{Constant('AV pattern '), Field(p0,false)}" -match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); +var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); -var part2182 = // "Pattern{Constant('added into '), Field(p0,false)}" -match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - -var part2183 = // "Pattern{Constant('loader '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); +var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); var select436 = linear_select([ dup10, dup11, ]); -var part2184 = // "Pattern{Constant('Policy ID='), Field(policy_id,true), Constant(' Rate='), Field(fld2,true), Constant(' exceeds threshold')}" -match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ +var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ dup1, dup2, dup3, @@ -25792,8 +23269,7 @@ var select442 = linear_select([ dup72, ]); -var part2185 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(interface,false), Constant(')')}" -match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ +var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ dup58, dup2, dup3, @@ -25899,41 +23375,38 @@ var select461 = linear_select([ ]); var select462 = linear_select([ - dup160, dup161, + dup162, ]); var select463 = linear_select([ dup163, - dup164, + dup103, ]); var select464 = linear_select([ - dup165, - dup103, + dup162, + dup161, ]); var select465 = linear_select([ - dup164, - dup163, + dup46, + dup47, ]); var select466 = linear_select([ - dup46, - dup47, + dup166, + dup167, ]); var select467 = linear_select([ - dup168, - dup169, + dup172, + dup173, ]); var select468 = linear_select([ dup174, dup175, -]); - -var select469 = linear_select([ dup176, dup177, dup178, @@ -25941,47 +23414,44 @@ var select469 = linear_select([ dup180, dup181, dup182, - dup183, - dup184, ]); -var select470 = linear_select([ +var select469 = linear_select([ dup49, dup21, ]); -var select471 = linear_select([ - dup191, - dup192, +var select470 = linear_select([ + dup189, + dup190, ]); -var select472 = linear_select([ +var select471 = linear_select([ dup96, dup152, ]); -var select473 = linear_select([ - dup198, - dup199, +var select472 = linear_select([ + dup196, + dup197, ]); -var select474 = linear_select([ +var select473 = linear_select([ dup24, - dup202, + dup200, ]); -var select475 = linear_select([ +var select474 = linear_select([ dup103, - dup165, + dup163, ]); -var select476 = linear_select([ - dup207, +var select475 = linear_select([ + dup205, dup118, ]); -var part2186 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -25989,49 +23459,54 @@ match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); +var select476 = linear_select([ + dup212, + dup213, +]); + var select477 = linear_select([ - dup214, dup215, + dup216, ]); var select478 = linear_select([ - dup217, - dup218, + dup222, + dup215, ]); var select479 = linear_select([ dup224, - dup217, + dup225, ]); var select480 = linear_select([ - dup226, - dup227, + dup231, + dup124, ]); var select481 = linear_select([ - dup233, - dup124, + dup229, + dup230, ]); var select482 = linear_select([ - dup231, - dup232, + dup233, + dup234, ]); var select483 = linear_select([ - dup235, dup236, + dup237, ]); var select484 = linear_select([ - dup238, - dup239, + dup242, + dup243, ]); var select485 = linear_select([ - dup244, dup245, + dup246, ]); var select486 = linear_select([ @@ -26050,27 +23525,21 @@ var select488 = linear_select([ ]); var select489 = linear_select([ - dup253, - dup254, + dup260, + dup261, ]); var select490 = linear_select([ - dup262, - dup263, + dup264, + dup265, ]); var select491 = linear_select([ - dup266, - dup267, -]); - -var select492 = linear_select([ - dup270, - dup271, + dup268, + dup269, ]); -var part2187 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ +var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ dup1, dup2, dup3, @@ -26078,18 +23547,17 @@ match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in th dup5, ])); -var select493 = linear_select([ - dup286, - dup287, +var select492 = linear_select([ + dup284, + dup285, ]); -var select494 = linear_select([ - dup289, - dup290, +var select493 = linear_select([ + dup287, + dup288, ]); -var part2188 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup59, @@ -26099,8 +23567,7 @@ match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to dup60, ])); -var part2189 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to zone '), Field(zone,false), Constant(', proto '), Field(protocol,true), Constant(' (int '), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup4, dup59, @@ -26111,116 +23578,112 @@ match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to dup60, ])); -var select495 = linear_select([ - dup302, +var select494 = linear_select([ + dup300, dup26, ]); -var select496 = linear_select([ +var select495 = linear_select([ dup115, - dup305, + dup303, ]); -var select497 = linear_select([ +var select496 = linear_select([ dup125, dup96, ]); +var select497 = linear_select([ + dup189, + dup308, + dup309, +]); + var select498 = linear_select([ - dup191, dup310, - dup311, + dup16, ]); var select499 = linear_select([ - dup312, - dup16, + dup317, + dup318, ]); var select500 = linear_select([ dup319, - dup320, + dup315, ]); var select501 = linear_select([ - dup321, - dup317, + dup322, + dup250, ]); var select502 = linear_select([ - dup324, - dup252, -]); - -var select503 = linear_select([ + dup327, dup329, - dup331, ]); -var select504 = linear_select([ - dup332, +var select503 = linear_select([ + dup330, dup129, ]); -var part2190 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup283, +var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup60, - dup284, + dup282, ])); -var part2191 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup187, +var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup60, ])); -var part2192 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup283, +var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup60, - dup284, + dup282, ])); -var part2193 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup61, ])); -var all397 = all_match({ +var all391 = all_match({ processors: [ - dup265, - dup393, - dup268, + dup263, + dup390, + dup266, ], on_success: processor_chain([ dup1, @@ -26231,11 +23694,11 @@ var all397 = all_match({ ]), }); -var all398 = all_match({ +var all392 = all_match({ processors: [ - dup269, - dup394, - dup272, + dup267, + dup391, + dup270, ], on_success: processor_chain([ dup1, @@ -26246,11 +23709,11 @@ var all398 = all_match({ ]), }); -var all399 = all_match({ +var all393 = all_match({ processors: [ dup80, - dup345, - dup295, + dup343, + dup293, ], on_success: processor_chain([ dup58, @@ -26263,14 +23726,14 @@ var all399 = all_match({ ]), }); -var all400 = all_match({ +var all394 = all_match({ processors: [ - dup298, - dup345, + dup296, + dup343, dup131, ], on_success: processor_chain([ - dup299, + dup297, dup2, dup3, dup9, @@ -26281,14 +23744,14 @@ var all400 = all_match({ ]), }); -var all401 = all_match({ +var all395 = all_match({ processors: [ - dup300, - dup345, + dup298, + dup343, dup131, ], on_success: processor_chain([ - dup299, + dup297, dup2, dup3, dup9, diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json index a33eb424fdd..da17c3a5f76 100644 --- a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json +++ b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json @@ -1353,8 +1353,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.142.21.251", - "10.154.16.147" + "10.154.16.147", + "10.142.21.251" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "ute", @@ -1387,8 +1387,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.105.212.51", - "10.119.53.68" + "10.119.53.68", + "10.105.212.51" ], "rsa.db.index": "giatqu", "rsa.internal.messageid": "00042", @@ -1852,8 +1852,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.51.161.245", - "10.193.80.21" + "10.193.80.21", + "10.51.161.245" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "modi", @@ -2318,8 +2318,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.185.50.112", - "10.126.150.15" + "10.126.150.15", + "10.185.50.112" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "tot", @@ -2399,8 +2399,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.119.181.171", - "10.166.144.66" + "10.166.144.66", + "10.119.181.171" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "dol", @@ -2479,8 +2479,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.96.165.147", - "10.96.218.99" + "10.96.218.99", + "10.96.165.147" ], "related.user": [ "utla" diff --git a/x-pack/filebeat/module/juniper/srx/_meta/fields.yml b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml new file mode 100644 index 00000000000..55ded3a11e6 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml @@ -0,0 +1,488 @@ +- name: juniper.srx + type: group + release: beta + default_field: false + overwrite: true + description: > + Module for parsing junipersrx syslog. + fields: + - name: reason + type: keyword + description: > + reason + + - name: connection_tag + type: keyword + description: > + connection tag + + - name: service_name + type: keyword + description: > + service name + + - name: nat_connection_tag + type: keyword + description: > + nat connection tag + + - name: src_nat_rule_type + type: keyword + description: > + src nat rule type + + - name: src_nat_rule_name + type: keyword + description: > + src nat rule name + + - name: dst_nat_rule_type + type: keyword + description: > + dst nat rule type + + - name: dst_nat_rule_name + type: keyword + description: > + dst nat rule name + + - name: protocol_id + type: keyword + description: > + protocol id + + - name: policy_name + type: keyword + description: > + policy name + + - name: session_id_32 + type: keyword + description: > + session id 32 + + - name: session_id + type: keyword + description: > + session id + + - name: outbound_packets + type: integer + description: > + packets from client + + - name: outbound_bytes + type: integer + description: > + bytes from client + + - name: inbound_packets + type: integer + description: > + packets from server + + - name: inbound_bytes + type: integer + description: > + bytes from server + + - name: elapsed_time + type: date + description: > + elapsed time + + - name: application + type: keyword + description: > + application + + - name: nested_application + type: keyword + description: > + nested application + + - name: username + type: keyword + description: > + username + + - name: roles + type: keyword + description: > + roles + + - name: encrypted + type: keyword + description: > + encrypted + + - name: application_category + type: keyword + description: > + application category + + - name: application_sub_category + type: keyword + description: > + application sub category + + - name: application_characteristics + type: keyword + description: > + application characteristics + + - name: secure_web_proxy_session_type + type: keyword + description: > + secure web proxy session type + + - name: peer_session_id + type: keyword + description: > + peer session id + + - name: peer_source_address + type: ip + description: > + peer source address + + - name: peer_source_port + type: integer + description: > + peer source port + + - name: peer_destination_address + type: ip + description: > + peer destination address + + - name: peer_destination_port + type: integer + description: > + peer destination port + + - name: hostname + type: keyword + description: > + hostname + + - name: src_vrf_grp + type: keyword + description: > + src_vrf_grp + + - name: dst_vrf_grp + type: keyword + description: > + dst_vrf_grp + + - name: icmp_type + type: integer + description: > + icmp type + + - name: process + type: keyword + description: > + process that generated the message + + - name: apbr_rule_type + type: keyword + description: > + apbr rule type + + - name: dscp_value + type: integer + description: > + apbr rule type + + - name: logical_system_name + type: keyword + description: > + logical system name + + - name: profile_name + type: keyword + description: > + profile name + + - name: routing_instance + type: keyword + description: > + routing instance + + - name: rule_name + type: keyword + description: > + rule name + + - name: uplink_tx_bytes + type: integer + description: > + uplink tx bytes + + - name: uplink_rx_bytes + type: integer + description: > + uplink rx bytes + + - name: obj + type: keyword + description: > + url path + + - name: url + type: keyword + description: > + url domain + + - name: profile + type: keyword + description: > + filter profile + + - name: category + type: keyword + description: > + filter category + + - name: filename + type: keyword + description: > + filename + + - name: temporary_filename + type: keyword + description: > + temporary_filename + + - name: name + type: keyword + description: > + name + + - name: error_message + type: keyword + description: > + error_message + + - name: error_code + type: keyword + description: > + error_code + + - name: action + type: keyword + description: > + action + + - name: protocol + type: keyword + description: > + protocol + + - name: protocol_name + type: keyword + description: > + protocol name + + - name: type + type: keyword + description: > + type + + - name: repeat_count + type: integer + description: > + repeat count + + - name: alert + type: keyword + description: > + repeat alert + + - name: message_type + type: keyword + description: > + message type + + - name: threat_severity + type: keyword + description: > + threat severity + + - name: application_name + type: keyword + description: > + application name + + - name: attack_name + type: keyword + description: > + attack name + + - name: index + type: keyword + description: > + index + + - name: message + type: keyword + description: > + mesagge + + - name: epoch_time + type: date + description: > + epoch time + + - name: packet_log_id + type: integer + description: > + packet log id + + - name: export_id + type: integer + description: > + packet log id + + - name: ddos_application_name + type: keyword + description: > + ddos application name + + - name: connection_hit_rate + type: integer + description: > + connection hit rate + + - name: time_scope + type: keyword + description: > + time scope + + - name: context_hit_rate + type: integer + description: > + context hit rate + + - name: context_value_hit_rate + type: integer + description: > + context value hit rate + + - name: time_count + type: integer + description: > + time count + + - name: time_period + type: integer + description: > + time period + + - name: context_value + type: keyword + description: > + context value + + - name: context_name + type: keyword + description: > + context name + + - name: ruleebase_name + type: keyword + description: > + ruleebase name + + - name: verdict_source + type: keyword + description: > + verdict source + + - name: verdict_number + type: integer + description: > + verdict number + + - name: file_category + type: keyword + description: > + file category + + - name: sample_sha256 + type: keyword + description: > + sample sha256 + + - name: malware_info + type: keyword + description: > + malware info + + - name: client_ip + type: ip + description: > + client ip + + - name: tenant_id + type: keyword + description: > + tenant id + + - name: timestamp + type: date + description: > + timestamp + + - name: th + type: keyword + description: > + th + + - name: status + type: keyword + description: > + status + + - name: state + type: keyword + description: > + state + + - name: file_hash_lookup + type: keyword + description: > + file hash lookup + + - name: file_name + type: keyword + description: > + file name + + - name: action_detail + type: keyword + description: > + action detail + + - name: sub_category + type: keyword + description: > + sub category + + - name: feed_name + type: keyword + description: > + feed name + + - name: occur_count + type: integer + description: > + occur count + + - name: tag + type: keyword + description: > + system log message tag, which uniquely identifies the message. + diff --git a/x-pack/filebeat/module/juniper/srx/config/srx.yml b/x-pack/filebeat/module/juniper/srx/config/srx.yml new file mode 100644 index 00000000000..6af16945317 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/config/srx.yml @@ -0,0 +1,31 @@ +{{ if eq .input "tcp" }} + +type: tcp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "udp" }} + +type: udp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} + +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/juniper/srx/ingest/atp.yml b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml new file mode 100644 index 00000000000..b93e8da9f98 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml @@ -0,0 +1,363 @@ +description: Pipeline for parsing junipersrx firewall logs (atp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.category + value: malware + if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" +- append: + field: event.type + value: + - allowed + - connection + if: "ctx.juniper?.srx?.action != 'BLOCK' && ctx.juniper?.srx?.tag != 'AAMW_MALWARE_EVENT_LOG'" +- set: + field: event.action + value: malware_detected + if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server != null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" +- rename: + field: juniper.srx.hostname + target_field: source.domain + ignore_missing: true + if: "ctx.juniper?.srx?.hostname != null" +- rename: + field: juniper.srx.client_ip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.client_ip != null" + +###################### +## ECS URL Mapping ## +###################### +- rename: + field: juniper.srx.http_host + target_field: url.domain + ignore_missing: true + if: "ctx.juniper?.srx?.http_host != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +############### +## Timestamp ## +############### +- date: + if: 'ctx.juniper.srx?.timestamp != null' + field: juniper.srx.timestamp + target_field: juniper.srx.timestamp + formats: + - 'EEE MMM dd HH:mm:ss yyyy' + - 'EEE MMM d HH:mm:ss yyyy' + on_failure: + - remove: + field: + - juniper.srx.timestamp + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml new file mode 100644 index 00000000000..1a488a57bd8 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml @@ -0,0 +1,360 @@ +description: Pipeline for parsing junipersrx firewall logs (flow pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- rename: + field: juniper.srx.application_risk + target_field: event.risk_score + ignore_missing: true + if: "ctx.juniper?.srx?.application_risk != null" +- append: + field: event.type + value: + - start + - allowed + - connection + if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" +- append: + field: event.type + value: + - end + - allowed + - connection + if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" +- set: + field: event.action + value: flow_started + if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" +- set: + field: event.action + value: flow_close + if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" +- set: + field: event.action + value: flow_deny + if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx?.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server != null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: juniper.srx.policy_name + target_field: rule.name + ignore_missing: true + if: "ctx.juniper?.srx?.policy_name != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.client.packets + ctx.server.packets" + if: "ctx?.client?.packets != null && ctx?.server?.packets != null" + ignore_failure: true + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/idp.yml b/x-pack/filebeat/module/juniper/srx/ingest/idp.yml new file mode 100644 index 00000000000..808185410d7 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/idp.yml @@ -0,0 +1,287 @@ +description: Pipeline for parsing junipersrx firewall logs (idp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.category + value: intrusion_detection + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: application_ddos + if: '["IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: security_threat + if: '["IDP_ATTACK_LOG_EVENT", "IDP_ATTACK_LOG_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx['nat_destination_port'] != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.inbound_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.inbound_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.inbound_packets + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.inbound_packets !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.outbound_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.outbound_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.outbound_packets + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.outbound_packets != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: juniper.srx.rulebase_name + target_field: rule.name + ignore_missing: true + if: "ctx.juniper?.srx?.rulebase_name != null" +- rename: + field: juniper.srx.rule_name + target_field: rule.id + ignore_missing: true + if: "ctx.juniper?.srx?.rule_name != null" + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: juniper.srx.protocol_name + target_field: network.protocol + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_name != null" + +######################### +## ECS message Mapping ## +######################### +- rename: + field: juniper.srx.message + target_field: message + ignore_missing: true + if: "ctx.juniper?.srx?.message != null" + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.outbound_bytes + - juniper.srx.outbound_packets + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.inbound_bytes + - juniper.srx.inbound_packets + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/ids.yml b/x-pack/filebeat/module/juniper/srx/ingest/ids.yml new file mode 100644 index 00000000000..039fdd64ccb --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/ids.yml @@ -0,0 +1,363 @@ +description: Pipeline for parsing junipersrx firewall logs (ids pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.category + value: intrusion_detection + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: flood_detected + if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: scan_detected + if: "ctx.juniper?.srx?.attack_name == 'TCP port scan!'" +- set: + field: event.action + value: sweep_detected + if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: fragment_detected + if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: spoofing_detected + if: "ctx.juniper?.srx?.attack_name == 'IP spoofing!'" +- set: + field: event.action + value: session_limit_detected + if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: attack_detected + if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: illegal_tcp_flag_detected + if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: tunneling_screen + if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml new file mode 100644 index 00000000000..5bc4d45e82e --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml @@ -0,0 +1,275 @@ +# This module only supports syslog messages in the format "structured-data + brief" +# https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html +description: Pipeline for parsing junipersrx firewall logs +processors: +- grok: + field: message + patterns: + - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:log.original}\]$' + +# split Juniper-SRX fields +- kv: + field: log.original + field_split: " (?=[a-z0-9\\_\\-]+=)" + value_split: "=" + prefix: "juniper.srx." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +# Converts all kebab-case key names to snake_case +- script: + lang: painless + source: >- + ctx.juniper.srx = ctx?.juniper?.srx.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('-', '_'), e -> e.getValue())); + +# +# Parse the date +# +- date: + if: "ctx.event.timezone == null" + field: _temp_.raw_date + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - yyyy-MM-dd HH:mm:ss Z + - ISO8601 +- date: + if: "ctx.event.timezone != null" + timezone: "{{ event.timezone }}" + field: _temp_.raw_date + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - yyyy-MM-dd HH:mm:ss Z + - ISO8601 + +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' + +# Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time. +# -> juniper.srx.elapsed_time +- rename: + field: juniper.srx.elapsed_time + target_field: juniper.srx.duration + if: "ctx.juniper?.srx?.elapsed_time != null" + +# Sets starts, end and duration when start and duration is known +- script: + lang: painless + if: ctx?.juniper?.srx?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.juniper.srx.duration) * 1000000000L; + ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields +- script: + lang: painless + params: + values: + - "None" + - "UNKNOWN" + - "N/A" + - "-" + source: >- + ctx?.juniper?.srx.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.module + value: juniper +- set: + field: event.dataset + value: juniper.srx +- set: + field: event.severity + value: '{{syslog_pri}}' +- rename: + field: log.original + target_field: event.original + ignore_missing: true + +##################### +## ECS Log Mapping ## +##################### +# https://www.juniper.net/documentation/en_US/junos/topics/reference/general/syslog-interpreting-msg-generated-structured-data-format.html#fac_sev_codes +- set: + field: "log.level" + if: '["0", "8", "16", "24", "32", "40", "48", "56", "64", "72", "80", "88", "96", "104", "112", "128", "136", "144", "152", "160", "168", "176", "184"].contains(ctx.syslog_pri)' + value: emergency +- set: + field: "log.level" + if: '["1", "9", "17", "25", "33", "41", "49", "57", "65", "73", "81", "89", "97", "105", "113", "129", "137", "145", "153", "161", "169", "177", "185"].contains(ctx.syslog_pri)' + value: alert +- set: + field: "log.level" + if: '["2", "10", "18", "26", "34", "42", "50", "58", "66", "74", "82", "90", "98", "106", "114", "130", "138", "146", "154", "162", "170", "178", "186"].contains(ctx.syslog_pri)' + value: critical +- set: + field: "log.level" + if: '["3", "11", "19", "27", "35", "43", "51", "59", "67", "75", "83", "91", "99", "107", "115", "131", "139", "147", "155", "163", "171", "179", "187"].contains(ctx.syslog_pri)' + value: error +- set: + field: "log.level" + if: '["4", "12", "20", "28", "36", "44", "52", "60", "68", "76", "84", "92", "100", "108", "116", "132", "140", "148", "156", "164", "172", "180", "188"].contains(ctx.syslog_pri)' + value: warning +- set: + field: "log.level" + if: '["5", "13", "21", "29", "37", "45", "53", "61", "69", "77", "85", "93", "101", "109", "117", "133", "141", "149", "157", "165", "173", "181", "189"].contains(ctx.syslog_pri)' + value: notification +- set: + field: "log.level" + if: '["6", "14", "22", "30", "38", "46", "54", "62", "70", "78", "86", "94", "102", "110", "118", "134", "142", "150", "158", "166", "174", "182", "190"].contains(ctx.syslog_pri)' + value: informational +- set: + field: "log.level" + if: '["7", "15", "23", "31", "39", "47", "55", "63", "71", "79", "87", "95", "103", "111", "119", "135", "143", "151", "159", "167", "175", "183", "191"].contains(ctx.syslog_pri)' + value: debug + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.vendor + value: Juniper +- set: + field: observer.product + value: SRX +- set: + field: observer.type + value: firewall +- rename: + field: syslog_hostname + target_field: observer.name + ignore_missing: true +- rename: + field: juniper.srx.packet_incoming_interface + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: juniper.srx.destination_interface_name + target_field: observer.egress.interface.name + ignore_missing: true +- rename: + field: juniper.srx.source_interface_name + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: juniper.srx.interface_name + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: juniper.srx.source_zone_name + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: juniper.srx.source_zone + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: juniper.srx.destination_zone_name + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: juniper.srx.destination_zone + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: syslog_program + target_field: juniper.srx.process + ignore_missing: true +- rename: + field: log_type + target_field: juniper.srx.tag + ignore_missing: true + + +############# +## Cleanup ## +############# +- remove: + field: + - message + - _temp_ + - _temp + - juniper.srx.duration + - juniper.srx.dir_disp + - juniper.srx.srczone + - juniper.srx.dstzone + - juniper.srx.duration + - syslog_pri + ignore_missing: true + +################################ +## Product Specific Pipelines ## +################################ +- pipeline: + name: '{< IngestPipeline "flow" >}' + if: "ctx.juniper?.srx?.process == 'RT_FLOW'" +- pipeline: + name: '{< IngestPipeline "utm" >}' + if: "ctx.juniper?.srx?.process == 'RT_UTM'" +- pipeline: + name: '{< IngestPipeline "idp" >}' + if: "ctx.juniper?.srx?.process == 'RT_IDP'" +- pipeline: + name: '{< IngestPipeline "ids" >}' + if: "ctx.juniper?.srx?.process == 'RT_IDS'" +- pipeline: + name: '{< IngestPipeline "atp" >}' + if: "ctx.juniper?.srx?.process == 'RT_AAMW'" +- pipeline: + name: '{< IngestPipeline "secintel" >}' + if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'" + +######################### +## ECS Related Mapping ## +######################### +- append: + if: 'ctx.source?.ip != null' + field: related.ip + value: '{{source.ip}}' + ignore_failure: true +- append: + if: 'ctx.destination?.ip != null' + field: related.ip + value: '{{destination.ip}}' + ignore_failure: true +- append: + if: 'ctx.source?.nat?.ip != null' + field: related.ip + value: '{{source.nat.ip}}' + ignore_failure: true +- append: + if: 'ctx?.destination?.nat?.ip != null' + field: related.ip + value: '{{destination.nat.ip}}' + ignore_failure: true + +- append: + if: 'ctx.url?.domain != null' + field: related.hosts + value: '{{url.domain}}' + ignore_failure: true +- append: + if: 'ctx.source?.domain != null' + field: related.hosts + value: '{{source.domain}}' + ignore_failure: true +- append: + if: 'ctx.destination?.domain != null' + field: related.hosts + value: '{{destination.domain}}' + ignore_failure: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml b/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml new file mode 100644 index 00000000000..f2abb2bcf9c --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml @@ -0,0 +1,349 @@ +description: Pipeline for parsing junipersrx firewall logs (secintel pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.category + value: malware + if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.juniper?.srx?.action == 'BLOCK'" +- append: + field: event.type + value: + - allowed + - connection + if: "ctx.juniper?.srx?.action != 'BLOCK'" +- set: + field: event.action + value: malware_detected + if: "ctx.juniper?.srx?.action == 'BLOCK'" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" +- rename: + field: juniper.srx.hostname + target_field: source.address + ignore_missing: true + if: "ctx.juniper?.srx?.hostname != null" +- rename: + field: juniper.srx.client_ip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.client_ip != null" + +###################### +## ECS URL Mapping ## +###################### +- rename: + field: juniper.srx.http_host + target_field: url.domain + ignore_missing: true + if: "ctx.juniper?.srx?.http_host != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/utm.yml b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml new file mode 100644 index 00000000000..a80e5a94d97 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml @@ -0,0 +1,388 @@ +description: Pipeline for parsing junipersrx firewall logs (utm pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- rename: + field: juniper.srx.urlcategory_risk + target_field: event.risk_score + ignore_missing: true + if: "ctx.juniper?.srx?.urlcategory_risk != null" +- set: + field: event.kind + value: alert + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.category + value: malware + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: web_filter + if: '["WEBFILTER_URL_BLOCKED", "WEBFILTER_URL_BLOCKED_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: content_filter + if: '["CONTENT_FILTERING_BLOCKED_MT", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: antispam_filter + if: '["ANTISPAM_SPAM_DETECTED_MT", "ANTISPAM_SPAM_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: virus_detected + if: '["AV_VIRUS_DETECTED_MT", "AV_VIRUS_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: juniper.srx.policy_name + target_field: rule.name + ignore_missing: true + if: "ctx.juniper?.srx?.policy_name != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: juniper.srx.url + target_field: url.domain + ignore_missing: true + if: "ctx.juniper?.srx?.url != null" +- rename: + field: juniper.srx.obj + target_field: url.path + ignore_missing: true + if: "ctx.juniper?.srx?.obj != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: juniper.srx.filename + target_field: file.name + ignore_missing: true + if: "ctx.juniper?.srx?.filename != null" + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: juniper.srx.protocol + target_field: network.protocol + ignore_missing: true + if: "ctx.juniper?.srx?.protocol != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/manifest.yml b/x-pack/filebeat/module/juniper/srx/manifest.yml new file mode 100644 index 00000000000..879be66b99d --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/manifest.yml @@ -0,0 +1,26 @@ +module_version: 1.0 + +var: + - name: syslog_host + default: localhost + - name: tags + default: ["juniper.srx", "forwarded"] + - name: syslog_port + default: 9006 + - name: input + default: udp + +ingest_pipeline: + - ingest/pipeline.yml + - ingest/flow.yml + - ingest/utm.yml + - ingest/idp.yml + - ingest/ids.yml + - ingest/atp.yml + - ingest/secintel.yml + +input: config/srx.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log b/x-pack/filebeat/module/juniper/srx/test/atp.log new file mode 100644 index 00000000000..95c8210f038 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log @@ -0,0 +1,4 @@ +<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="187.19.188.200" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"] +<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.0.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"] +<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.0.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"] +<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"] diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json new file mode 100644 index 00000000000..4187866594e --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json @@ -0,0 +1,240 @@ +[ + { + "@timestamp": "2013-12-14T14:06:59.134-02:00", + "client.ip": "10.10.10.1", + "client.port": 57116, + "destination.as.number": 28126, + "destination.as.organization.name": "BRISANET SERVICOS DE TELECOMUNICACOES LTDA", + "destination.geo.city_name": "Juazeiro do Norte", + "destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "BR", + "destination.geo.country_name": "Brazil", + "destination.geo.location.lat": -7.1467, + "destination.geo.location.lon": -39.247, + "destination.geo.region_iso_code": "BR-CE", + "destination.geo.region_name": "Ceara", + "destination.ip": "187.19.188.200", + "destination.port": 80, + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=\u201dcloud/blacklist/whitelist\u201d source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "BLOCK", + "juniper.srx.file_category": "executable", + "juniper.srx.policy_name": "argon_policy", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.session_id_32": "50000002", + "juniper.srx.tag": "SRX_AAMW_ACTION_LOG", + "juniper.srx.verdict_number": "8", + "juniper.srx.verdict_source": "\u201dcloud/blacklist/whitelist\u201d", + "log.level": "informational", + "log.offset": 0, + "network.iana_number": "6", + "observer.egress.zone": "trust", + "observer.ingress.zone": "untrust", + "observer.name": "pinarello", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "www.mytest.com" + ], + "related.ip": [ + "10.10.10.1", + "187.19.188.200" + ], + "server.ip": "187.19.188.200", + "server.port": 80, + "service.type": "juniper", + "source.ip": "10.10.10.1", + "source.port": 57116, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "www.mytest.com" + }, + { + "@timestamp": "2016-09-20T15:43:30.330-02:00", + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.malware_info": "Eicar:TestVirus", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.sample_sha256": "ABC123", + "juniper.srx.tag": "AAMW_MALWARE_EVENT_LOG", + "juniper.srx.tenant_id": "ABC123456", + "juniper.srx.timestamp": "2016-06-23T09:55:38.000Z", + "juniper.srx.verdict_number": "9", + "log.level": "informational", + "log.offset": 529, + "observer.name": "host-example", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "host.example.com" + ], + "related.ip": [ + "192.0.2.0" + ], + "service.type": "juniper", + "source.domain": "host.example.com", + "source.ip": "192.0.2.0", + "source.user.name": "admin", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-20T15:40:30.050-02:00", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123", + "juniper.srx.policy_name": "default", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.reason": "malware", + "juniper.srx.state": "added", + "juniper.srx.status": "in_progress", + "juniper.srx.tag": "AAMW_HOST_INFECTED_EVENT_LOG", + "juniper.srx.tenant_id": "ABC123456", + "juniper.srx.th": "7", + "juniper.srx.timestamp": "2016-06-23T09:55:38.000Z", + "log.level": "error", + "log.offset": 835, + "observer.name": "host-example", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "host.example.com" + ], + "related.ip": [ + "192.0.2.0" + ], + "service.type": "juniper", + "source.domain": "host.example.com", + "source.ip": "192.0.2.0", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2007-02-15T07:17:15.719-02:00", + "client.ip": "1.1.1.1", + "client.port": 60148, + "destination.ip": "10.0.0.1", + "destination.port": 80, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "PERMIT", + "juniper.srx.application": "HTTP", + "juniper.srx.file_category": "executable", + "juniper.srx.file_hash_lookup": "FALSE", + "juniper.srx.file_name": "dummy_file", + "juniper.srx.malware_info": "Testfile", + "juniper.srx.policy_name": "test-policy", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.sample_sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494", + "juniper.srx.session_id_32": "502156", + "juniper.srx.tag": "AAMW_ACTION_LOG", + "juniper.srx.url": "dummy_url", + "juniper.srx.verdict_number": "10", + "log.level": "notification", + "log.offset": 1235, + "network.iana_number": "6", + "observer.egress.zone": "Outside", + "observer.ingress.zone": "Inside", + "observer.name": "aamw1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "dummy_host" + ], + "related.ip": [ + "1.1.1.1", + "10.0.0.1" + ], + "server.ip": "10.0.0.1", + "server.port": 80, + "service.type": "juniper", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.domain": "dummy_host", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": "1.1.1.1", + "source.port": 60148, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log b/x-pack/filebeat/module/juniper/srx/test/flow.log new file mode 100644 index 00000000000..400bceceeee --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/flow.log @@ -0,0 +1,25 @@ +<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="1.2.3.4" source-port="56639" destination-address="5.6.7.8" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "] +<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="unset" source-address="1.2.3.4" source-port="63456" destination-address="5.6.7.8" destination-port="902" service-name="None" nat-source-address="1.2.3.4" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "] +<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] +<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] +<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason="response received" source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] +<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.3.255.203" source-port="47776" destination-address="8.23.224.110" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="10.3.136.49" nat-source-port="19162" nat-destination-address="8.23.224.110" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"] +<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"] +<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason="idle Timeout" source-address="100.73.10.92" source-port="52890" destination-address="58.68.126.198" destination-port="53" service-name="junos-dns-udp" nat-source-address="58.78.140.131" nat-source-port="11152" nat-destination-address="58.68.126.198" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"] +<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="idle Timeout" source-address="192.168.255.2" source-port="62047" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" nat-source-address="192.168.0.47" nat-source-port="20215" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9621" packets-from-client="1" bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"] +<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="application failure or action" source-address="10.164.110.223" source-port="9057" destination-address="10.104.12.161" destination-port="21" service-name="junos-ftp" nat-source-address="10.9.1.150" nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="application failure or action" source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] +<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="58943" destination-address="46.165.154.241" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="6018" nat-destination-address="46.165.154.241" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.1.1.100" source-port="64720" destination-address="91.228.167.172" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="172.19.34.100" nat-source-port="24519" nat-destination-address="91.228.167.172" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="49583" destination-address="8.8.8.8" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="172.19.34.100" nat-source-port="30838" nat-destination-address="8.8.8.8" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="Closed by junos-alg" source-address="10.1.1.100" source-port="63381" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="26764" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json new file mode 100644 index 00000000000..b597ed2afc5 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json @@ -0,0 +1,2013 @@ +[ + { + "@timestamp": "2019-11-14T06:37:51.184-02:00", + "client.ip": "10.0.0.1", + "client.nat.port": 594, + "client.port": 594, + "destination.ip": "10.128.0.1", + "destination.nat.ip": "10.128.0.1", + "destination.nat.port": 10400, + "destination.port": 10400, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "6093", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 0, + "network.iana_number": "1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "st0.0", + "observer.ingress.zone": "vpn", + "observer.name": "SRX-GW1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.0.0.1", + "10.128.0.1", + "10.0.0.1", + "10.128.0.1" + ], + "rule.name": "vpn_trust_permit-all", + "server.ip": "10.128.0.1", + "server.nat.port": 10400, + "server.port": 10400, + "service.type": "juniper", + "source.ip": "10.0.0.1", + "source.nat.ip": "10.0.0.1", + "source.nat.port": 594, + "source.port": 594, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-14T08:12:46.573-02:00", + "client.ip": "10.0.0.26", + "client.port": 37233, + "destination.ip": "10.128.0.1", + "destination.port": 161, + "event.action": "flow_deny", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.encrypted": "No", + "juniper.srx.icmp_type": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "Denied by policy", + "juniper.srx.session_id_32": "7087", + "juniper.srx.tag": "RT_FLOW_SESSION_DENY", + "log.level": "informational", + "log.offset": 850, + "network.iana_number": "17", + "observer.egress.zone": "junos-host", + "observer.ingress.interface.name": ".local..0", + "observer.ingress.zone": "trust", + "observer.name": "SRX-GW1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.0.0.26", + "10.128.0.1" + ], + "rule.name": "MgmtAccess-trust-cleanup", + "server.ip": "10.128.0.1", + "server.port": 161, + "service.type": "juniper", + "source.ip": "10.0.0.26", + "source.port": 37233, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2014-05-01T06:26:51.179-02:00", + "client.ip": "1.2.3.4", + "client.port": 56639, + "destination.as.number": 6805, + "destination.as.organization.name": "Telefonica Germany", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "5.6.7.8", + "destination.port": 2003, + "event.action": "flow_deny", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.encrypted": "No ", + "juniper.srx.icmp_type": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.tag": "RT_FLOW_SESSION_DENY", + "log.level": "informational", + "log.offset": 1513, + "network.iana_number": "6", + "observer.egress.zone": "mngmt", + "observer.ingress.interface.name": "reth6.0", + "observer.ingress.zone": "campus", + "observer.name": "fw01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "rule.name": "log-all-else", + "server.ip": "5.6.7.8", + "server.port": 2003, + "service.type": "juniper", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.port": 56639, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2014-05-01T06:28:10.933-02:00", + "client.bytes": 94, + "client.ip": "1.2.3.4", + "client.nat.port": 63456, + "client.packets": 1, + "client.port": 63456, + "destination.as.number": 6805, + "destination.as.organization.name": "Telefonica Germany", + "destination.bytes": 0, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "5.6.7.8", + "destination.nat.ip": "5.6.7.8", + "destination.nat.port": 902, + "destination.packets": 0, + "destination.port": 902, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 60000000000, + "event.end": "2014-05-01T06:29:10.933-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2014-05-01T06:28:10.933-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.encrypted": "No ", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "unset", + "juniper.srx.session_id_32": "15353", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 1966, + "network.bytes": 94, + "network.iana_number": "17", + "network.packets": 1, + "observer.egress.zone": "intra", + "observer.ingress.interface.name": "reth3.5", + "observer.ingress.zone": "mngmt", + "observer.name": "fw01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1.2.3.4", + "5.6.7.8", + "1.2.3.4", + "5.6.7.8" + ], + "rule.name": "mngmt-to-vcenter", + "server.bytes": 0, + "server.ip": "5.6.7.8", + "server.nat.port": 902, + "server.packets": 0, + "server.port": 902, + "service.type": "juniper", + "source.bytes": 94, + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.nat.ip": "1.2.3.4", + "source.nat.port": 63456, + "source.packets": 1, + "source.port": 63456, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-11-04T14:23:09.264-02:00", + "client.ip": "50.0.0.100", + "client.nat.port": 24065, + "client.port": 24065, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "30.0.0.100", + "destination.nat.ip": "30.0.0.100", + "destination.nat.port": 768, + "destination.port": 768, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "100000165", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 2721, + "network.iana_number": "1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "reth2.0", + "observer.ingress.zone": "untrust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "50.0.0.100", + "30.0.0.100", + "50.0.0.100", + "30.0.0.100" + ], + "rule.name": "alg-policy", + "server.ip": "30.0.0.100", + "server.nat.port": 768, + "server.port": 768, + "service.type": "juniper", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "50.0.0.100", + "source.nat.ip": "50.0.0.100", + "source.nat.port": 24065, + "source.port": 24065, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2010-09-30T04:55:04.323-02:00", + "client.ip": "192.0.2.1", + "client.nat.port": 1, + "client.port": 1, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "198.51.100.12", + "destination.nat.ip": "18.51.100.12", + "destination.nat.port": 46384, + "destination.port": 46384, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "41", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 3366, + "network.iana_number": "1", + "observer.egress.zone": "untrustZone", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "mrpp-srx550-dut01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.0.2.1", + "198.51.100.12", + "192.0.2.1", + "18.51.100.12" + ], + "rule.name": "policy1", + "server.ip": "198.51.100.12", + "server.nat.port": 46384, + "server.port": 46384, + "service.type": "juniper", + "source.ip": "192.0.2.1", + "source.nat.ip": "192.0.2.1", + "source.nat.port": 1, + "source.port": 1, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2010-09-30T04:55:07.188-02:00", + "client.bytes": 84, + "client.ip": "192.0.2.1", + "client.nat.port": 1, + "client.packets": 1, + "client.port": 1, + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "198.51.100.12", + "destination.nat.ip": "18.51.100.12", + "destination.nat.port": 46384, + "destination.packets": 1, + "destination.port": 46384, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2010-09-30T04:55:07.188-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2010-09-30T04:55:07.188-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "response received", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "41", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 3933, + "network.bytes": 168, + "network.iana_number": "1", + "network.packets": 2, + "observer.egress.zone": "untrustZone", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "mrpp-srx550-dut01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.0.2.1", + "198.51.100.12", + "192.0.2.1", + "18.51.100.12" + ], + "rule.name": "policy1", + "server.bytes": 84, + "server.ip": "198.51.100.12", + "server.nat.port": 46384, + "server.packets": 1, + "server.port": 46384, + "service.type": "juniper", + "source.bytes": 84, + "source.ip": "192.0.2.1", + "source.nat.ip": "192.0.2.1", + "source.nat.port": 1, + "source.packets": 1, + "source.port": 1, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-12T12:29:06.576-02:00", + "client.bytes": 337, + "client.ip": "10.3.255.203", + "client.nat.port": 19162, + "client.packets": 6, + "client.port": 47776, + "destination.as.number": 14627, + "destination.as.organization.name": "Vitalwerks Internet Solutions, LLC", + "destination.bytes": 535, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.23.224.110", + "destination.nat.ip": "8.23.224.110", + "destination.nat.port": 80, + "destination.packets": 4, + "destination.port": 80, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 1000000000, + "event.end": "2019-04-12T12:29:07.576-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"8.23.224.110\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"", + "event.outcome": "success", + "event.risk_score": "4", + "event.severity": "14", + "event.start": "2019-04-12T12:29:06.576-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.application": "HTTP", + "juniper.srx.application_category": "Web", + "juniper.srx.application_characteristics": "Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;", + "juniper.srx.connection_tag": "0", + "juniper.srx.encrypted": "No", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "TCP FIN", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "5", + "juniper.srx.src_nat_rule_name": "nat1", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 4637, + "network.bytes": 872, + "network.iana_number": "6", + "network.packets": 10, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ge-0/0/0.0", + "observer.ingress.zone": "trust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.3.255.203", + "8.23.224.110", + "10.3.136.49", + "8.23.224.110" + ], + "rule.name": "permit_all", + "server.bytes": 535, + "server.ip": "8.23.224.110", + "server.nat.port": 80, + "server.packets": 4, + "server.port": 80, + "service.type": "juniper", + "source.bytes": 337, + "source.ip": "10.3.255.203", + "source.nat.ip": "10.3.136.49", + "source.nat.port": 19162, + "source.packets": 6, + "source.port": 47776, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-13T12:33:06.576-02:00", + "client.bytes": 4274, + "client.ip": "192.168.2.164", + "client.nat.port": 53232, + "client.packets": 13, + "client.port": 53232, + "destination.bytes": 1575, + "destination.ip": "172.16.1.19", + "destination.nat.ip": "172.16.1.19", + "destination.nat.port": 445, + "destination.packets": 9, + "destination.port": 445, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 16000000000, + "event.end": "2019-04-13T12:33:22.576-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2019-04-13T12:33:06.576-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "TCP RST", + "juniper.srx.service_name": "junos-smb", + "juniper.srx.session_id_32": "206", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 5739, + "network.bytes": 5849, + "network.iana_number": "6", + "network.packets": 22, + "observer.egress.zone": "Trust", + "observer.ingress.interface.name": "ge-0/0/2.0", + "observer.ingress.zone": "Trust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.2.164", + "172.16.1.19", + "192.168.2.164", + "172.16.1.19" + ], + "rule.name": "35", + "server.bytes": 1575, + "server.ip": "172.16.1.19", + "server.nat.port": 445, + "server.packets": 9, + "server.port": 445, + "service.type": "juniper", + "source.bytes": 4274, + "source.ip": "192.168.2.164", + "source.nat.ip": "192.168.2.164", + "source.nat.port": 53232, + "source.packets": 13, + "source.port": 53232, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-06T23:32:20.898-02:00", + "client.bytes": 72, + "client.ip": "100.73.10.92", + "client.nat.port": 11152, + "client.packets": 1, + "client.port": 52890, + "destination.as.number": 10201, + "destination.as.organization.name": "Dishnet Wireless Limited. Broadband Wireless", + "destination.bytes": 136, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "IN", + "destination.geo.country_name": "India", + "destination.geo.location.lat": 20.0, + "destination.geo.location.lon": 77.0, + "destination.ip": "58.68.126.198", + "destination.nat.ip": "58.68.126.198", + "destination.nat.port": 53, + "destination.packets": 1, + "destination.port": 53, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 8000000000, + "event.end": "2018-10-06T23:32:28.898-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2018-10-06T23:32:20.898-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "idle Timeout", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "220368889", + "juniper.srx.src_nat_rule_name": "NAT_S", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 6497, + "network.bytes": 208, + "network.iana_number": "17", + "network.packets": 2, + "observer.egress.zone": "Internet", + "observer.ingress.interface.name": "reth0.108", + "observer.ingress.zone": "Gi_nat", + "observer.name": "TestFW2", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "100.73.10.92", + "58.68.126.198", + "58.78.140.131", + "58.68.126.198" + ], + "rule.name": "NAT", + "server.bytes": 136, + "server.ip": "58.68.126.198", + "server.nat.port": 53, + "server.packets": 1, + "server.port": 53, + "service.type": "juniper", + "source.as.number": 3786, + "source.as.organization.name": "LG DACOM Corporation", + "source.bytes": 72, + "source.geo.city_name": "Seogwipo", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "KR", + "source.geo.country_name": "South Korea", + "source.geo.location.lat": 33.2486, + "source.geo.location.lon": 126.5628, + "source.geo.region_iso_code": "KR-49", + "source.geo.region_name": "Jeju-do", + "source.ip": "100.73.10.92", + "source.nat.ip": "58.78.140.131", + "source.nat.port": 11152, + "source.packets": 1, + "source.port": 52890, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-30T00:17:22.753-02:00", + "client.bytes": 67, + "client.ip": "192.168.255.2", + "client.nat.port": 20215, + "client.packets": 1, + "client.port": 62047, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 116, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.ip": "8.8.8.8", + "destination.nat.port": 53, + "destination.packets": 1, + "destination.port": 53, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 3000000000, + "event.end": "2018-06-30T00:17:25.753-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2018-06-30T00:17:22.753-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "idle Timeout", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "9621", + "juniper.srx.src_nat_rule_name": "rule001", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 7350, + "network.bytes": 183, + "network.iana_number": "17", + "network.packets": 2, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "fe-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "fw0001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.255.2", + "8.8.8.8", + "192.168.0.47", + "8.8.8.8" + ], + "rule.name": "trust-to-untrust-001", + "server.bytes": 116, + "server.ip": "8.8.8.8", + "server.nat.port": 53, + "server.packets": 1, + "server.port": 53, + "service.type": "juniper", + "source.bytes": 67, + "source.ip": "192.168.255.2", + "source.nat.ip": "192.168.0.47", + "source.nat.port": 20215, + "source.packets": 1, + "source.port": 62047, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2015-09-25T12:19:53.846-02:00", + "client.bytes": 0, + "client.ip": "10.164.110.223", + "client.nat.port": 58020, + "client.packets": 0, + "client.port": 9057, + "destination.bytes": 0, + "destination.ip": "10.104.12.161", + "destination.nat.ip": "10.12.70.1", + "destination.nat.port": 21, + "destination.packets": 0, + "destination.port": 21, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 1000000000, + "event.end": "2015-09-25T12:19:54.846-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2015-09-25T12:19:53.846-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.dst_nat_rule_name": "NAT-Policy10", + "juniper.srx.encrypted": "No ", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "application failure or action", + "juniper.srx.service_name": "junos-ftp", + "juniper.srx.session_id_32": "24311", + "juniper.srx.src_nat_rule_name": "SNAT-Policy5", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 8203, + "network.bytes": 0, + "network.iana_number": "6", + "network.packets": 0, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "reth0.0", + "observer.ingress.zone": "trust", + "observer.name": "VPNBox-A", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.164.110.223", + "10.104.12.161", + "10.9.1.150", + "10.12.70.1" + ], + "rule.name": "FW-FTP", + "server.bytes": 0, + "server.ip": "10.104.12.161", + "server.nat.port": 21, + "server.packets": 0, + "server.port": 21, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "10.164.110.223", + "source.nat.ip": "10.9.1.150", + "source.nat.port": 58020, + "source.packets": 0, + "source.port": 9057, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:17.040-02:00", + "client.ip": "192.168.224.30", + "client.nat.port": 14406, + "client.port": 3129, + "destination.as.number": 701, + "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "207.17.137.56", + "destination.nat.ip": "207.17.137.56", + "destination.nat.port": 21, + "destination.port": 21, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "junos-ftp", + "juniper.srx.session_id_32": "5058", + "juniper.srx.src_nat_rule_name": "1", + "juniper.srx.tag": "APPTRACK_SESSION_CREATE", + "log.level": "informational", + "log.offset": 9012, + "network.iana_number": "6", + "observer.egress.zone": "Danger", + "observer.ingress.zone": "LAN", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ], + "rule.name": "General-Outbound", + "server.ip": "207.17.137.56", + "server.nat.port": 21, + "server.port": 21, + "service.type": "juniper", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "Plymouth", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 42.3695, + "source.geo.location.lon": -83.4769, + "source.geo.region_iso_code": "US-MI", + "source.geo.region_name": "Michigan", + "source.ip": "192.168.224.30", + "source.nat.ip": "173.167.224.7", + "source.nat.port": 14406, + "source.port": 3129, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:17.040-02:00", + "client.bytes": 48, + "client.ip": "192.168.224.30", + "client.nat.port": 14406, + "client.packets": 1, + "client.port": 3129, + "destination.as.number": 701, + "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "207.17.137.56", + "destination.nat.ip": "207.17.137.56", + "destination.nat.port": 21, + "destination.packets": 0, + "destination.port": 21, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2013-01-19T15:18:17.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:17.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "junos-ftp", + "juniper.srx.session_id_32": "5058", + "juniper.srx.src_nat_rule_name": "1", + "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE", + "log.level": "informational", + "log.offset": 9631, + "network.bytes": 48, + "network.iana_number": "6", + "network.packets": 1, + "observer.egress.zone": "Danger", + "observer.ingress.zone": "LAN", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ], + "rule.name": "General-Outbound", + "server.bytes": 0, + "server.ip": "207.17.137.56", + "server.nat.port": 21, + "server.packets": 0, + "server.port": 21, + "service.type": "juniper", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.bytes": 48, + "source.geo.city_name": "Plymouth", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 42.3695, + "source.geo.location.lon": -83.4769, + "source.geo.region_iso_code": "US-MI", + "source.geo.region_name": "Michigan", + "source.ip": "192.168.224.30", + "source.nat.ip": "173.167.224.7", + "source.nat.port": 14406, + "source.packets": 1, + "source.port": 3129, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:17.040-02:00", + "client.bytes": 144, + "client.ip": "192.168.224.30", + "client.nat.port": 14406, + "client.packets": 3, + "client.port": 3129, + "destination.as.number": 701, + "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", + "destination.bytes": 104, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "207.17.137.56", + "destination.nat.ip": "207.17.137.56", + "destination.nat.port": 21, + "destination.packets": 2, + "destination.port": 21, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 1000000000, + "event.end": "2013-01-19T15:18:18.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:17.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.application": "FTP", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "application failure or action", + "juniper.srx.service_name": "junos-ftp", + "juniper.srx.session_id_32": "5058", + "juniper.srx.src_nat_rule_name": "1", + "juniper.srx.tag": "APPTRACK_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 10364, + "network.bytes": 248, + "network.iana_number": "6", + "network.packets": 5, + "observer.egress.zone": "Danger", + "observer.ingress.zone": "LAN", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ], + "rule.name": "General-Outbound", + "server.bytes": 104, + "server.ip": "207.17.137.56", + "server.nat.port": 21, + "server.packets": 2, + "server.port": 21, + "service.type": "juniper", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.bytes": 144, + "source.geo.city_name": "Plymouth", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 42.3695, + "source.geo.location.lon": -83.4769, + "source.geo.region_iso_code": "US-MI", + "source.geo.region_name": "Michigan", + "source.ip": "192.168.224.30", + "source.nat.ip": "173.167.224.7", + "source.nat.port": 14406, + "source.packets": 3, + "source.port": 3129, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:18.040-02:00", + "client.bytes": 19592, + "client.ip": "4.0.0.1", + "client.nat.port": 33040, + "client.packets": 371, + "client.port": 33040, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.bytes": 686432, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.packets": 584, + "destination.port": 80, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 60000000000, + "event.end": "2013-01-19T15:19:18.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:18.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.apbr_rule_type": "\u201ddefault\u201d", + "juniper.srx.application": "HTTP", + "juniper.srx.encrypted": "No", + "juniper.srx.nested_application": "FACEBOOK-SOCIALRSS", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.roles": "DEPT1", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "28", + "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE", + "log.level": "informational", + "log.offset": 11130, + "network.bytes": 706024, + "network.iana_number": "6", + "network.packets": 955, + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.bytes": 686432, + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.packets": 584, + "server.port": 80, + "service.type": "juniper", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 19592, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 33040, + "source.packets": 371, + "source.port": 33040, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:19.040-02:00", + "client.ip": "4.0.0.1", + "client.nat.port": 33040, + "client.port": 33040, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.port": 80, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=\u201dpf1\u201d rule-name=\u201dfacebook1\u201d routing-instance=\u201dinstance1\u201d destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.apbr_rule_type": "\u201ddefault\u201d", + "juniper.srx.application": "HTTP", + "juniper.srx.encrypted": "No", + "juniper.srx.nested_application": "FACEBOOK-SOCIALRSS", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.profile_name": "\u201dpf1\u201d", + "juniper.srx.roles": "DEPT1", + "juniper.srx.routing_instance": "\u201dinstance1\u201d", + "juniper.srx.rule_name": "\u201dfacebook1\u201d", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "28", + "juniper.srx.tag": "APPTRACK_SESSION_ROUTE_UPDATE", + "log.level": "informational", + "log.offset": 11929, + "network.iana_number": "6", + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.port": 80, + "service.type": "juniper", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 33040, + "source.port": 33040, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:20.040-02:00", + "client.bytes": 392, + "client.ip": "4.0.0.1", + "client.nat.port": 48873, + "client.packets": 5, + "client.port": 48873, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.bytes": 646, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.packets": 3, + "destination.port": 80, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 3000000000, + "event.end": "2013-01-19T15:18:23.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:20.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.apbr_rule_type": "\u201ddefault\u201d", + "juniper.srx.encrypted": "No", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "TCP CLIENT RST", + "juniper.srx.roles": "DEPT1", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "32", + "juniper.srx.tag": "APPTRACK_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 12689, + "network.bytes": 1038, + "network.iana_number": "6", + "network.packets": 8, + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.bytes": 646, + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.packets": 3, + "server.port": 80, + "service.type": "juniper", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 392, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 48873, + "source.packets": 5, + "source.port": 48873, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-04T14:23:09.264-02:00", + "client.ip": "50.0.0.100", + "client.nat.port": 24065, + "client.port": 24065, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "30.0.0.100", + "destination.nat.ip": "30.0.0.100", + "destination.nat.port": 768, + "destination.port": 768, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "100000165", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE_LS", + "log.level": "informational", + "log.offset": 13489, + "network.iana_number": "1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "reth2.0", + "observer.ingress.zone": "untrust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "50.0.0.100", + "30.0.0.100", + "50.0.0.100", + "30.0.0.100" + ], + "rule.name": "alg-policy", + "server.ip": "30.0.0.100", + "server.nat.port": 768, + "server.port": 768, + "service.type": "juniper", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "50.0.0.100", + "source.nat.ip": "50.0.0.100", + "source.nat.port": 24065, + "source.port": 24065, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-14T08:12:46.573-02:00", + "client.ip": "10.0.0.26", + "client.port": 37233, + "destination.ip": "10.128.0.1", + "destination.port": 161, + "event.action": "flow_deny", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.encrypted": "No", + "juniper.srx.icmp_type": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "Denied by policy", + "juniper.srx.session_id_32": "7087", + "juniper.srx.tag": "RT_FLOW_SESSION_DENY_LS", + "log.level": "informational", + "log.offset": 14137, + "network.iana_number": "17", + "observer.egress.zone": "junos-host", + "observer.ingress.interface.name": ".local..0", + "observer.ingress.zone": "trust", + "observer.name": "SRX-GW1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.0.0.26", + "10.128.0.1" + ], + "rule.name": "MgmtAccess-trust-cleanup", + "server.ip": "10.128.0.1", + "server.port": 161, + "service.type": "juniper", + "source.ip": "10.0.0.26", + "source.port": 37233, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-19T15:18:20.040-02:00", + "client.bytes": 392, + "client.ip": "4.0.0.1", + "client.nat.port": 48873, + "client.packets": 5, + "client.port": 48873, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.bytes": 646, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.packets": 3, + "destination.port": 80, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 3000000000, + "event.end": "2020-01-19T15:18:23.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2020-01-19T15:18:20.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.apbr_rule_type": "\u201ddefault\u201d", + "juniper.srx.encrypted": "No", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "TCP CLIENT RST", + "juniper.srx.roles": "DEPT1", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "32", + "juniper.srx.tag": "APPTRACK_SESSION_CLOSE_LS", + "log.level": "informational", + "log.offset": 14803, + "network.bytes": 1038, + "network.iana_number": "6", + "network.packets": 8, + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.bytes": 646, + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.packets": 3, + "server.port": 80, + "service.type": "juniper", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 392, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 48873, + "source.packets": 5, + "source.port": 48873, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-14T12:17:11.928-02:00", + "client.bytes": 2322, + "client.ip": "10.1.1.100", + "client.nat.port": 6018, + "client.packets": 42, + "client.port": 58943, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 2132, + "destination.geo.city_name": "Philippsburg", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", + "destination.geo.location.lat": 49.2317, + "destination.geo.location.lon": 8.4607, + "destination.geo.region_iso_code": "DE-BW", + "destination.geo.region_name": "Baden-W\u00fcrttemberg", + "destination.ip": "46.165.154.241", + "destination.nat.ip": "46.165.154.241", + "destination.nat.port": 80, + "destination.packets": 34, + "destination.port": 80, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 60000000000, + "event.end": "2020-07-14T12:18:11.928-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"46.165.154.241\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"46.165.154.241\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2020-07-14T12:17:11.928-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.encrypted": "No", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "16118", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE", + "log.level": "informational", + "log.offset": 15606, + "network.bytes": 4454, + "network.iana_number": "6", + "network.packets": 76, + "observer.egress.interface.name": "ge-0/0/0.0", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "46.165.154.241", + "172.19.34.100", + "46.165.154.241" + ], + "rule.name": "default-permit", + "server.bytes": 2132, + "server.ip": "46.165.154.241", + "server.nat.port": 80, + "server.packets": 34, + "server.port": 80, + "service.type": "juniper", + "source.bytes": 2322, + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 6018, + "source.packets": 42, + "source.port": 58943, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-13T14:43:05.041-02:00", + "client.bytes": 9530, + "client.ip": "10.1.1.100", + "client.nat.port": 24519, + "client.packets": 161, + "client.port": 64720, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.bytes": 9670, + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.172", + "destination.nat.ip": "91.228.167.172", + "destination.nat.port": 8883, + "destination.packets": 96, + "destination.port": 8883, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 23755000000000, + "event.end": "2020-07-13T21:19:00.041-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"91.228.167.172\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"91.228.167.172\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.start": "2020-07-13T14:43:05.041-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.hostname": "NA NA", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.peer_destination_address": "0.0.0.0", + "juniper.srx.peer_destination_port": "0", + "juniper.srx.peer_session_id": "0", + "juniper.srx.peer_source_address": "0.0.0.0", + "juniper.srx.peer_source_port": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "idle Timeout", + "juniper.srx.secure_web_proxy_session_type": "NA", + "juniper.srx.session_id_32": "3851", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 16469, + "network.bytes": 19200, + "network.iana_number": "6", + "network.packets": 257, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "91.228.167.172", + "172.19.34.100", + "91.228.167.172" + ], + "rule.name": "default-permit", + "server.bytes": 9670, + "server.ip": "91.228.167.172", + "server.nat.port": 8883, + "server.packets": 96, + "server.port": 8883, + "service.type": "juniper", + "source.bytes": 9530, + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 24519, + "source.packets": 161, + "source.port": 64720, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-13T14:12:05.530-02:00", + "client.ip": "10.1.1.100", + "client.nat.port": 30838, + "client.port": 49583, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.ip": "8.8.8.8", + "destination.nat.port": 53, + "destination.port": 53, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "15399", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 17715, + "network.iana_number": "17", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "8.8.8.8", + "172.19.34.100", + "8.8.8.8" + ], + "rule.name": "default-permit", + "server.ip": "8.8.8.8", + "server.nat.port": 53, + "server.port": 53, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 30838, + "source.port": 49583, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-13T14:12:05.530-02:00", + "client.bytes": 66, + "client.ip": "10.1.1.100", + "client.nat.port": 26764, + "client.packets": 1, + "client.port": 63381, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.ip": "8.8.8.8", + "destination.nat.port": 53, + "destination.packets": 1, + "destination.port": 53, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 3000000000, + "event.end": "2020-07-13T14:12:08.530-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2020-07-13T14:12:05.530-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.encrypted": "No", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "Closed by junos-alg", + "juniper.srx.routing_instance": "default", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "15361", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.tag": "APPTRACK_SESSION_CLOSE", + "juniper.srx.uplink_rx_bytes": "0", + "juniper.srx.uplink_tx_bytes": "0", + "log.level": "informational", + "log.offset": 18627, + "network.bytes": 148, + "network.iana_number": "17", + "network.packets": 2, + "observer.egress.interface.name": "ge-0/0/0.0", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "8.8.8.8", + "172.19.34.100", + "8.8.8.8" + ], + "rule.name": "default-permit", + "server.bytes": 82, + "server.ip": "8.8.8.8", + "server.nat.port": 53, + "server.packets": 1, + "server.port": 53, + "service.type": "juniper", + "source.bytes": 66, + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 26764, + "source.packets": 1, + "source.port": 63381, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log b/x-pack/filebeat/module/juniper/srx/test/idp.log new file mode 100644 index 00000000000..c05d9732fb5 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log @@ -0,0 +1,7 @@ +<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] +<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] +<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.111.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] +<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.30.11" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] +<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"] +<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] +<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="193.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json new file mode 100644 index 00000000000..7704c88fac0 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json @@ -0,0 +1,537 @@ +[ + { + "@timestamp": "2020-03-02T21:13:03.193-02:00", + "client.bytes": 0, + "client.ip": "10.11.11.1", + "client.nat.port": 13312, + "client.packets": 0, + "client.port": 12345, + "destination.bytes": 0, + "destination.ip": "187.188.188.10", + "destination.nat.ip": "3.3.10.11", + "destination.nat.port": 9757, + "destination.packets": 0, + "destination.port": 123, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2020-03-02T21:13:03.193-02:00", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2020-03-02T21:13:03.193-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "HTTP:MISC:GENERIC-DIR-TRAVERSAL", + "juniper.srx.epoch_time": "1583190783", + "juniper.srx.export_id": "20175", + "juniper.srx.index": "cnm", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "HIGH", + "juniper.srx.type": "idp", + "log.level": "notification", + "log.offset": 0, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth2.21", + "observer.egress.zone": "DMZ", + "observer.ingress.interface.name": "reth1.24", + "observer.ingress.zone": "UNTRUST", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.11.11.1", + "187.188.188.10", + "0.0.0.0", + "3.3.10.11" + ], + "rule.id": "3", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "187.188.188.10", + "server.nat.port": 9757, + "server.packets": 0, + "server.port": 123, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "10.11.11.1", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 13312, + "source.packets": 0, + "source.port": 12345, + "source.user.name": "unknown-user", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-02T21:13:03.197-02:00", + "client.bytes": 0, + "client.ip": "10.11.11.1", + "client.nat.port": 13312, + "client.packets": 0, + "client.port": 12345, + "destination.bytes": 0, + "destination.ip": "187.188.188.10", + "destination.nat.ip": "3.3.10.11", + "destination.nat.port": 9757, + "destination.packets": 0, + "destination.port": 123, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2020-03-02T21:13:03.197-02:00", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2020-03-02T21:13:03.197-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "TCP:C2S:AMBIG:C2S-SYN-DATA", + "juniper.srx.epoch_time": "1583190783", + "juniper.srx.export_id": "20175", + "juniper.srx.index": "cnm", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "CRITICAL", + "juniper.srx.type": "idp", + "log.level": "notification", + "log.offset": 929, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth2.21", + "observer.egress.zone": "DMZ", + "observer.ingress.interface.name": "reth1.24", + "observer.ingress.zone": "UNTRUST", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.11.11.1", + "187.188.188.10", + "0.0.0.0", + "3.3.10.11" + ], + "rule.id": "3", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "187.188.188.10", + "server.nat.port": 9757, + "server.packets": 0, + "server.port": 123, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "10.11.11.1", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 13312, + "source.packets": 0, + "source.port": 12345, + "source.user.name": "unknown-user", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2007-02-15T07:17:15.719-02:00", + "client.bytes": 0, + "client.ip": "183.78.180.27", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 45610, + "destination.bytes": 0, + "destination.ip": "118.127.111.1", + "destination.nat.ip": "172.19.13.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2007-02-15T07:17:15.719-02:00", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2007-02-15T07:17:15.719-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "TROJAN:ZMEU-BOT-SCAN", + "juniper.srx.epoch_time": "1507845354", + "juniper.srx.export_id": "15229", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "HIGH", + "log.level": "notification", + "log.offset": 1857, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth1.1", + "observer.egress.zone": "dst-sec-zone1-outside", + "observer.ingress.interface.name": "reth0.11", + "observer.ingress.zone": "sec-zone-name-internet", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "183.78.180.27", + "118.127.111.1", + "0.0.0.0", + "172.19.13.11" + ], + "rule.id": "9", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "118.127.111.1", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "183.78.180.27", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 45610, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-12T19:55:55.792-02:00", + "client.bytes": 0, + "client.ip": "183.78.180.27", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 45610, + "destination.bytes": 0, + "destination.ip": "118.127.30.11", + "destination.nat.ip": "172.16.1.10", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2017-10-12T19:55:55.792-02:00", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2017-10-12T19:55:55.792-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "TROJAN:ZMEU-BOT-SCAN", + "juniper.srx.epoch_time": "1507845354", + "juniper.srx.export_id": "15229", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "HIGH", + "log.level": "notification", + "log.offset": 2773, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth1.1", + "observer.egress.zone": "dst-sec-zone1-outside", + "observer.ingress.interface.name": "reth0.11", + "observer.ingress.zone": "sec-zone-name-internet", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "183.78.180.27", + "118.127.30.11", + "0.0.0.0", + "172.16.1.10" + ], + "rule.id": "9", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "118.127.30.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "183.78.180.27", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 45610, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2011-10-23T02:06:26.544-02:00", + "destination.ip": "172.27.14.203", + "destination.port": 80, + "event.action": "application_ddos", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.ddos_application_name": "Webserver", + "juniper.srx.epoch_time": "1319367986", + "juniper.srx.policy_name": "A DoS-Webserver", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "HTTP", + "juniper.srx.tag": "IDP_APPDDOS_APP_STATE_EVENT", + "log.level": "notification", + "log.offset": 3693, + "message": "Connection rate exceeded limit 60", + "network.protocol": "TCP", + "observer.egress.interface.name": "reth0.0", + "observer.egress.zone": "untrust", + "observer.name": "SRX34001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "172.27.14.203" + ], + "rule.id": "1", + "rule.name": "DDOS", + "server.ip": "172.27.14.203", + "server.port": 80, + "service.type": "juniper", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2011-10-23T16:28:31.696-02:00", + "client.ip": "192.168.14.214", + "client.port": 50825, + "destination.ip": "172.27.14.203", + "destination.port": 80, + "event.action": "application_ddos", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "NONE", + "juniper.srx.connection_hit_rate": "30", + "juniper.srx.context_hit_rate": "123", + "juniper.srx.context_name": "http-get-url", + "juniper.srx.context_value_hit_rate": "0", + "juniper.srx.ddos_application_name": "Webserver", + "juniper.srx.epoch_time": "1319419711", + "juniper.srx.policy_name": "AppDoS-Webserver", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.ruleebase_name": "DDOS", + "juniper.srx.service_name": "HTTP", + "juniper.srx.tag": "IDP_APPDDOS_APP_ATTACK_EVENT", + "juniper.srx.threat_severity": "INFO", + "juniper.srx.time_count": "3", + "juniper.srx.time_period": "60", + "juniper.srx.time_scope": "PEER", + "log.level": "notification", + "log.offset": 4165, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth0.0", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "reth1.O", + "observer.ingress.zone": "trust", + "observer.name": "SRX34001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.14.214", + "172.27.14.203" + ], + "rule.id": "1", + "server.ip": "172.27.14.203", + "server.port": 80, + "service.type": "juniper", + "source.ip": "192.168.14.214", + "source.port": 50825, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2012-10-23T17:28:31.696-02:00", + "client.ip": "193.168.14.214", + "client.port": 50825, + "destination.ip": "172.30.20.201", + "destination.port": 80, + "event.action": "application_ddos", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "NONE", + "juniper.srx.connection_hit_rate": "30", + "juniper.srx.context_hit_rate": "123", + "juniper.srx.context_name": "http-get-url", + "juniper.srx.context_value_hit_rate": "0", + "juniper.srx.ddos_application_name": "Webserver", + "juniper.srx.epoch_time": "1419419711", + "juniper.srx.policy_name": "AppDoS-Webserver", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.ruleebase_name": "DDOS02", + "juniper.srx.service_name": "HTTP", + "juniper.srx.tag": "IDP_APPDDOS_APP_ATTACK_EVENT_LS", + "juniper.srx.threat_severity": "INFO", + "juniper.srx.time_count": "3", + "juniper.srx.time_period": "60", + "juniper.srx.time_scope": "PEER", + "log.level": "notification", + "log.offset": 4895, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth0.1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "reth3.0", + "observer.ingress.zone": "trust", + "observer.name": "SRX34001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "193.168.14.214", + "172.30.20.201" + ], + "rule.id": "1", + "server.ip": "172.30.20.201", + "server.port": 80, + "service.type": "juniper", + "source.ip": "193.168.14.214", + "source.port": 50825, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log b/x-pack/filebeat/module/juniper/srx/test/ids.log new file mode 100644 index 00000000000..5b87817da86 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/ids.log @@ -0,0 +1,12 @@ +<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name="TCP sweep!" source-address="113.113.17.17" source-port="6000" destination-address="40.177.177.1" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"] +<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name="WinNuke attack!" source-address="2000:0000:0000:0000:0000:0000:0000:0002" source-port="3240" destination-address="2001:0000:0000:0000:0000:0000:0000:0002" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"] +<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="1.1.1.2" source-port="40001" destination-address="2.2.2.2" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name="UDP flood!" source-address="111.1.1.3" source-port="40001" destination-address="3.4.2.2" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name="ICMP fragment!" source-address="111.1.1.3" destination-address="3.4.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Record Route IP option!" source-address="111.1.1.3" destination-address="3.4.2.2" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 6in6!" source-address="1212::12" destination-address="1111::11" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 4in4!" source-address="12.12.12.1" destination-address="11.11.11.1" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" destination-address="2.2.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"] +<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="111.1.1.3" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"] +<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="TCP port scan!" source-address="10.1.1.100" source-port="50630" destination-address="10.1.1.1" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"] diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json new file mode 100644 index 00000000000..10abae2fa6d --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json @@ -0,0 +1,699 @@ +[ + { + "@timestamp": "2018-07-19T21:17:02.309-02:00", + "client.ip": "113.113.17.17", + "client.port": 6000, + "destination.as.number": 4249, + "destination.as.organization.name": "Eli Lilly and Company", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "40.177.177.1", + "destination.port": 1433, + "event.action": "sweep_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "TCP sweep!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 0, + "observer.ingress.interface.name": "fe-0/0/2.0", + "observer.ingress.zone": "untrust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "113.113.17.17", + "40.177.177.1" + ], + "server.ip": "40.177.177.1", + "server.port": 1433, + "service.type": "juniper", + "source.as.number": 4134, + "source.as.organization.name": "No.31,Jin-rong Street", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "113.113.17.17", + "source.port": 6000, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:18:02.309-02:00", + "client.ip": "2000:0000:0000:0000:0000:0000:0000:0002", + "client.port": 3240, + "destination.ip": "2001:0000:0000:0000:0000:0000:0000:0002", + "destination.port": 139, + "event.action": "attack_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "WinNuke attack!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 294, + "observer.ingress.interface.name": "fe-0/0/2.0", + "observer.ingress.zone": "untrust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "2000:0000:0000:0000:0000:0000:0000:0002", + "2001:0000:0000:0000:0000:0000:0000:0002" + ], + "server.ip": "2001:0000:0000:0000:0000:0000:0000:0002", + "server.port": 139, + "service.type": "juniper", + "source.ip": "2000:0000:0000:0000:0000:0000:0000:0002", + "source.port": 3240, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:19:02.309-02:00", + "client.ip": "1.1.1.2", + "client.port": 40001, + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387, + "destination.ip": "2.2.2.2", + "destination.port": 50010, + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "SYN flood!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 644, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1.1.1.2", + "2.2.2.2" + ], + "server.ip": "2.2.2.2", + "server.port": 50010, + "service.type": "juniper", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": "1.1.1.2", + "source.port": 40001, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:22:02.309-02:00", + "client.ip": "111.1.1.3", + "client.port": 40001, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "3.4.2.2", + "destination.port": 53, + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "UDP flood!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_UDP", + "log.level": "error", + "log.offset": 930, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3", + "3.4.2.2" + ], + "server.ip": "3.4.2.2", + "server.port": 53, + "service.type": "juniper", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "source.port": 40001, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:25:02.309-02:00", + "client.ip": "111.1.1.3", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "3.4.2.2", + "event.action": "fragment_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "ICMP fragment!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_ICMP", + "log.level": "error", + "log.offset": 1215, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3", + "3.4.2.2" + ], + "server.ip": "3.4.2.2", + "service.type": "juniper", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:26:02.309-02:00", + "client.ip": "111.1.1.3", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "3.4.2.2", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "Record Route IP option!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_IP", + "log.level": "error", + "log.offset": 1463, + "network.iana_number": "1", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3", + "3.4.2.2" + ], + "server.ip": "3.4.2.2", + "service.type": "juniper", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:27:02.309-02:00", + "client.ip": "1212::12", + "destination.ip": "1111::11", + "event.action": "tunneling_screen", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "Tunnel GRE 6in6!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_IP", + "log.level": "error", + "log.offset": 1734, + "network.iana_number": "1", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1212::12", + "1111::11" + ], + "server.ip": "1111::11", + "service.type": "juniper", + "source.ip": "1212::12", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:28:02.309-02:00", + "client.ip": "12.12.12.1", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "11.11.11.1", + "event.action": "tunneling_screen", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "Tunnel GRE 4in4!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_IP", + "log.level": "error", + "log.offset": 1998, + "network.iana_number": "1", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "12.12.12.1", + "11.11.11.1" + ], + "server.ip": "11.11.11.1", + "service.type": "juniper", + "source.as.number": 32328, + "source.as.organization.name": "Alascom, Inc.", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "12.12.12.1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T22:19:02.309-02:00", + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387, + "destination.ip": "2.2.2.2", + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "alarm-without-drop", + "juniper.srx.attack_name": "SYN flood!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP_DST_IP", + "log.level": "error", + "log.offset": 2266, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "2.2.2.2" + ], + "server.ip": "2.2.2.2", + "service.type": "juniper", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T22:19:02.309-02:00", + "client.ip": "111.1.1.3", + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "alarm-without-drop", + "juniper.srx.attack_name": "SYN flood!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP_SRC_IP", + "log.level": "error", + "log.offset": 2503, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3" + ], + "service.type": "juniper", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-17T05:54:43.912-02:00", + "client.ip": "10.1.1.100", + "client.port": 50630, + "destination.ip": "10.1.1.1", + "destination.port": 10778, + "event.action": "scan_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "TCP port scan!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 2737, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "10.1.1.1" + ], + "server.ip": "10.1.1.1", + "server.port": 10778, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.port": 50630, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-17T06:01:43.006-02:00", + "client.ip": "10.1.1.100", + "client.port": 42799, + "destination.ip": "10.1.1.1", + "destination.port": 7, + "event.action": "illegal_tcp_flag_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "FIN but no ACK bit!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 3028, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "10.1.1.1" + ], + "server.ip": "10.1.1.1", + "server.port": 7, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.port": 42799, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log b/x-pack/filebeat/module/juniper/srx/test/secintel.log new file mode 100644 index 00000000000..12f8f137c7f --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log @@ -0,0 +1,2 @@ +<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="5.196.121.161" source-port="1" destination-address="10.10.0.10" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"] +<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="1.1.1.1" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"] diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json new file mode 100644 index 00000000000..49667e85897 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json @@ -0,0 +1,140 @@ +[ + { + "@timestamp": "2016-10-17T13:18:11.618-02:00", + "client.ip": "5.196.121.161", + "client.port": 1, + "destination.ip": "10.10.0.10", + "destination.port": 24039, + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "BLOCK", + "juniper.srx.action_detail": "DROP", + "juniper.srx.category": "secintel", + "juniper.srx.feed_name": "Tor_Exit_Nodes", + "juniper.srx.policy_name": "cc_policy", + "juniper.srx.process": "RT_SECINTEL", + "juniper.srx.profile_name": "Blacklist", + "juniper.srx.session_id_32": "572564", + "juniper.srx.sub_category": "Blacklist", + "juniper.srx.tag": "SECINTEL_ACTION_LOG", + "juniper.srx.threat_severity": "0", + "log.level": "informational", + "log.offset": 0, + "network.iana_number": "1", + "observer.egress.zone": "DMZ", + "observer.ingress.zone": "Outside", + "observer.name": "SRX-1500", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "5.196.121.161", + "10.10.0.10" + ], + "server.ip": "10.10.0.10", + "server.port": 24039, + "service.type": "juniper", + "source.as.number": 16276, + "source.as.organization.name": "OVH SAS", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": "5.196.121.161", + "source.port": 1, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-17T13:18:11.618-02:00", + "client.ip": "1.1.1.1", + "client.port": 36612, + "destination.ip": "10.0.0.1", + "destination.port": 80, + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "BLOCK", + "juniper.srx.action_detail": "CLOSE REDIRECT MSG", + "juniper.srx.application": "HTTP", + "juniper.srx.category": "secintel", + "juniper.srx.feed_name": "cc_url_data", + "juniper.srx.occur_count": "0", + "juniper.srx.policy_name": "test", + "juniper.srx.process": "RT_SECINTEL", + "juniper.srx.profile_name": "test-profile", + "juniper.srx.session_id_32": "502362", + "juniper.srx.sub_category": "CC", + "juniper.srx.tag": "SECINTEL_ACTION_LOG", + "juniper.srx.threat_severity": "10", + "log.level": "informational", + "log.offset": 561, + "network.iana_number": "6", + "observer.egress.zone": "Outside", + "observer.ingress.zone": "Inside", + "observer.name": "SRX-1500", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "dummy_host" + ], + "related.ip": [ + "1.1.1.1", + "10.0.0.1" + ], + "server.ip": "10.0.0.1", + "server.port": 80, + "service.type": "juniper", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": "1.1.1.1", + "source.port": 36612, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "dummy_host" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log b/x-pack/filebeat/module/juniper/srx/test/utm.log new file mode 100644 index 00000000000..61c320ae885 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log @@ -0,0 +1,12 @@ +<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"] +<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address="10.10.10.50" source-port="1402" destination-address="216.200.241.66" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"] +<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"] +<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address="74.125.155.147" source-port="80" destination-address="10.1.1.103" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"] +<12>1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address="10.2.1.101" source-port="80" destination-address="10.1.1.103" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"] +<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="10.10.10.1" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"] +<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone="untrust" destination-zone="trust" protocol="http" source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"] +<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"] +<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"] +<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="104.26.15.142" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"] +<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="85.114.159.93" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"] +<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="23.209.86.45" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"] diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json new file mode 100644 index 00000000000..f9890a6ca0f --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json @@ -0,0 +1,698 @@ +[ + { + "@timestamp": "2016-02-17T23:32:50.391-02:00", + "client.ip": "192.168.1.100", + "client.port": 58071, + "destination.as.number": 55967, + "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "HK", + "destination.geo.country_name": "Hong Kong", + "destination.geo.location.lat": 22.25, + "destination.geo.location.lon": 114.1667, + "destination.ip": "103.235.46.39", + "destination.port": 80, + "event.action": "web_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.category": "cat1", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "uf1", + "juniper.srx.reason": "BY_BLACK_LIST", + "juniper.srx.tag": "WEBFILTER_URL_BLOCKED", + "log.level": "warning", + "log.offset": 0, + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "www.baidu.com" + ], + "related.ip": [ + "192.168.1.100", + "103.235.46.39" + ], + "server.ip": "103.235.46.39", + "server.port": 80, + "service.type": "juniper", + "source.ip": "192.168.1.100", + "source.port": 58071, + "source.user.name": "user01", + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "www.baidu.com", + "url.path": "/" + }, + { + "@timestamp": "2016-02-17T23:32:50.391-02:00", + "client.ip": "10.10.10.50", + "client.port": 1402, + "destination.as.number": 6461, + "destination.as.organization.name": "Zayo Bandwidth", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "216.200.241.66", + "destination.port": 80, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "wf-profile", + "juniper.srx.reason": "BY_OTHER", + "juniper.srx.tag": "WEBFILTER_URL_PERMITTED", + "log.level": "warning", + "log.offset": 319, + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "www.checkpoint.com" + ], + "related.ip": [ + "10.10.10.50", + "216.200.241.66" + ], + "server.ip": "216.200.241.66", + "server.port": 80, + "service.type": "juniper", + "source.ip": "10.10.10.50", + "source.port": 1402, + "source.user.name": "user02", + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "www.checkpoint.com", + "url.path": "/css/homepage2012.css" + }, + { + "@timestamp": "2010-02-08T06:29:28.565-02:00", + "client.ip": "188.40.238.250", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 47095, + "event.action": "virus_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.name": "www.eicar.org/download/eicar.com", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.name": "EICAR-Test-File", + "juniper.srx.process": "RT_UTM", + "juniper.srx.tag": "AV_VIRUS_DETECTED_MT", + "juniper.srx.temporary_filename": "www.eicar.org/download/eicar.com", + "log.level": "warning", + "log.offset": 664, + "observer.ingress.zone": "untrust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "EICAR-Test-File" + ], + "related.ip": [ + "188.40.238.250", + "10.1.1.103" + ], + "server.ip": "10.1.1.103", + "server.port": 47095, + "service.type": "juniper", + "source.as.number": 24940, + "source.as.organization.name": "Hetzner Online GmbH", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "188.40.238.250", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "EICAR-Test-File" + }, + { + "@timestamp": "2010-02-08T06:29:28.565-02:00", + "client.ip": "74.125.155.147", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 33578, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.name": "www.google.com/", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.error_code": "14", + "juniper.srx.error_message": "scan engine is not ready", + "juniper.srx.process": "RT_UTM", + "juniper.srx.tag": "AV_SCANNER_DROP_FILE_MT", + "log.level": "warning", + "log.offset": 1035, + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "74.125.155.147", + "10.1.1.103" + ], + "server.ip": "10.1.1.103", + "server.port": 33578, + "service.type": "juniper", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.155.147", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2010-01-29T08:59:59.660-02:00", + "client.ip": "10.2.1.101", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 51727, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.name": "10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_UTM", + "juniper.srx.tag": "AV_HUGE_FILE_DROPPED_MT", + "log.level": "warning", + "log.offset": 1323, + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.2.1.101", + "10.1.1.103" + ], + "server.ip": "10.1.1.103", + "server.port": 51727, + "service.type": "juniper", + "source.ip": "10.2.1.101", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-17T23:33:50.391-02:00", + "client.ip": "10.10.10.1", + "event.action": "antispam_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile_name": "antispam01", + "juniper.srx.reason": "Match local blacklist", + "juniper.srx.tag": "ANTISPAM_SPAM_DETECTED_MT", + "log.level": "informational", + "log.offset": 1595, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.10.10.1" + ], + "service.type": "juniper", + "source.ip": "10.10.10.1", + "source.user.name": "user01", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-17T23:34:50.391-02:00", + "client.ip": "192.0.2.3", + "client.port": 58071, + "destination.ip": "198.51.100.2", + "destination.port": 80, + "event.action": "content_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.name": "test.cmd", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile_name": "content02", + "juniper.srx.reason": "blocked due to file extension block list", + "juniper.srx.tag": "CONTENT_FILTERING_BLOCKED_MT", + "log.level": "informational", + "log.offset": 1892, + "network.protocol": "http", + "observer.egress.zone": "trust", + "observer.ingress.zone": "untrust", + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.0.2.3", + "198.51.100.2" + ], + "server.ip": "198.51.100.2", + "server.port": 80, + "service.type": "juniper", + "source.ip": "192.0.2.3", + "source.port": 58071, + "source.user.name": "user01@testuser.com", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-18T23:32:50.391-02:00", + "client.ip": "192.168.1.100", + "client.port": 58071, + "destination.as.number": 55967, + "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "HK", + "destination.geo.country_name": "Hong Kong", + "destination.geo.location.lat": 22.25, + "destination.geo.location.lon": 114.1667, + "destination.ip": "103.235.46.39", + "destination.port": 80, + "event.action": "web_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.category": "cat1", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "uf1", + "juniper.srx.reason": "BY_BLACK_LIST", + "juniper.srx.tag": "WEBFILTER_URL_BLOCKED_LS", + "log.level": "warning", + "log.offset": 2317, + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "www.baidu.com" + ], + "related.ip": [ + "192.168.1.100", + "103.235.46.39" + ], + "server.ip": "103.235.46.39", + "server.port": 80, + "service.type": "juniper", + "source.ip": "192.168.1.100", + "source.port": 58071, + "source.user.name": "user01", + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "www.baidu.com", + "url.path": "/" + }, + { + "@timestamp": "2011-02-08T06:29:28.565-02:00", + "client.ip": "188.40.238.250", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 47095, + "event.action": "virus_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.name": "www.eicar.org/download/eicar.com", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.name": "EICAR-Test-File", + "juniper.srx.process": "RT_UTM", + "juniper.srx.tag": "AV_VIRUS_DETECTED_MT_LS", + "juniper.srx.temporary_filename": "www.eicar.org/download/eicar.com", + "log.level": "warning", + "log.offset": 2639, + "observer.ingress.zone": "untrust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "EICAR-Test-File" + ], + "related.ip": [ + "188.40.238.250", + "10.1.1.103" + ], + "server.ip": "10.1.1.103", + "server.port": 47095, + "service.type": "juniper", + "source.as.number": 24940, + "source.as.organization.name": "Hetzner Online GmbH", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "188.40.238.250", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "EICAR-Test-File" + }, + { + "@timestamp": "2020-07-14T12:16:18.345-02:00", + "client.ip": "10.1.1.100", + "client.port": 58974, + "destination.as.number": 13335, + "destination.as.organization.name": "Cloudflare, Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "104.26.15.142", + "destination.port": 443, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"", + "event.outcome": "success", + "event.risk_score": "0", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.category": "Enhanced_Information_Technology", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "WCF1", + "juniper.srx.reason": "BY_SITE_REPUTATION_MODERATELY_SAFE", + "juniper.srx.session_id": "16297", + "juniper.srx.tag": "WEBFILTER_URL_PERMITTED", + "log.level": "informational", + "log.offset": 3013, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "datawrapper.dwcdn.net" + ], + "related.ip": [ + "10.1.1.100", + "104.26.15.142" + ], + "server.ip": "104.26.15.142", + "server.port": 443, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.port": 58974, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "datawrapper.dwcdn.net", + "url.path": "/" + }, + { + "@timestamp": "2020-07-14T12:16:29.541-02:00", + "client.ip": "10.1.1.100", + "client.port": 59075, + "destination.as.number": 24961, + "destination.as.organization.name": "myLoc managed IT AG", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "85.114.159.93", + "destination.port": 443, + "event.action": "web_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"", + "event.outcome": "success", + "event.risk_score": "3", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.category": "Enhanced_Advertisements", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "WCF1", + "juniper.srx.reason": "BY_SITE_REPUTATION_SUSPICIOUS", + "juniper.srx.session_id": "16490", + "juniper.srx.tag": "WEBFILTER_URL_BLOCKED", + "log.level": "warning", + "log.offset": 3552, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "dsp.adfarm1.adition.com" + ], + "related.ip": [ + "10.1.1.100", + "85.114.159.93" + ], + "server.ip": "85.114.159.93", + "server.port": 443, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.port": 59075, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "dsp.adfarm1.adition.com", + "url.path": "/" + }, + { + "@timestamp": "2020-07-14T12:17:04.733-02:00", + "client.ip": "23.209.86.45", + "client.port": 80, + "destination.ip": "10.1.1.100", + "destination.port": 58954, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.name": "download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "BLOCKED", + "juniper.srx.error_code": "7", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile_name": "Custom-Sophos-Profile", + "juniper.srx.reason": "exceeding maximum content size", + "juniper.srx.tag": "AV_FILE_NOT_SCANNED_DROPPED_MT", + "log.level": "warning", + "log.offset": 4078, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "23.209.86.45", + "10.1.1.100" + ], + "server.ip": "10.1.1.100", + "server.port": 58954, + "service.type": "juniper", + "source.as.number": 16625, + "source.as.organization.name": "Akamai Technologies, Inc.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.country_name": "Netherlands", + "source.geo.location.lat": 52.3824, + "source.geo.location.lon": 4.8995, + "source.ip": "23.209.86.45", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml index 8e793bd2f9c..ee06eea9228 100644 --- a/x-pack/filebeat/module/microsoft/_meta/config.yml +++ b/x-pack/filebeat/module/microsoft/_meta/config.yml @@ -10,7 +10,20 @@ # Oauth Client Secret #var.oauth2.client.secret: "" - + + # Oauth Token URL, should include the tenant ID + #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" + m365_defender: + enabled: true + # How often the API should be polled + #var.interval: 5m + + # Oauth Client ID + #var.oauth2.client.id: "" + + # Oauth Client Secret + #var.oauth2.client.secret: "" + # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" dhcp: diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc index 8a3facdc259..7e646e1b4fe 100644 --- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc @@ -7,7 +7,8 @@ This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets: -- `defender_atp` fileset: Supports Microsoft Defender ATP +- `defender_atp` fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP) +- `m365_defender` fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection) - `dhcp` fileset: Supports Microsoft DHCP logs include::../include/what-happens.asciidoc[] @@ -20,6 +21,84 @@ include::../include/configuring-intro.asciidoc[] include::../include/config-option-intro.asciidoc[] +[float] +==== `m365_defender` fileset settings + +beta[] + +To configure access for Filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return Oauth tokens with access to the Microsoft 365 Defender API + +The procedure to create an application is found on the below link: + +https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-create-app-web?view=o365-worldwide#create-an-app[Create a new Azure Application] + +When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain. + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. + +These values are: + +- Client ID +- Client Secret +- Tenant ID + +Example config: + +[source,yaml] +---- +- module: microsoft + m365_defender: + enabled: true + var.oauth2.client.id: "123abc-879546asd-349587-ad64508" + var.oauth2.client.secret: "980453~-Sg99gedf" + var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" +---- + +*`var.oauth2.client.id`*:: + +This is the client ID related to creating a new application on Azure. + +*`var.oauth2.client.secret`*:: + +The secret related to the client ID. + +*`var.oauth2.token_url`*:: + +A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL. + +[float] +==== 365 Defender ECS fields + +This is a list of 365 Defender fields that are mapped to ECS. + +[options="header"] +|====================================================================== +| 365 Defender Fields | ECS Fields | +| lastUpdateTime | @timestamp | +| severity | event.severity | +| createdTime | event.created | +| alerts.category | threat.technique.name | +| alerts.description | rule.description | +| alerts.serviceSource | event.provider | +| alerts.alertId | event.id | +| alerts.firstActivity | event.start | +| alerts.lastActivity | event.end | +| alerts.title | message | +| entities.processId | process.pid | +| entities.processCommandLine | process.command_line | +| entities.processCreationTime | process.start | +| entities.parentProcessId | process.parent.pid | +| entities.parentProcessCreationTime | process.parent.start | +| entities.sha1 | file.hash.sha1 | +| entities.sha256 | file.hash.sha256 | +| entities.url | url.full | +| entities.filePath | file.path | +| entities.fileName | file.name | +| entities.userPrincipalName | host.user.name | +| entities.domainName | host.user.domain | +| entities.aadUserId | host.user.id | +|====================================================================== + [float] ==== `defender_atp` fileset settings @@ -109,7 +188,7 @@ This module comes with a sample dashboard for Defender ATP. [role="screenshot"] image::./images/filebeat-defender-atp-overview.png[] -The best way to view Defender ATP events and alert data is in the SIEM. +The best way to view Defender ATP events and alert data is in the SIEM. [role="screenshot"] image::./images/siem-alerts-cs.jpg[] diff --git a/x-pack/filebeat/module/microsoft/fields.go b/x-pack/filebeat/module/microsoft/fields.go index 2576fcb8ac7..d76c98c273d 100644 --- a/x-pack/filebeat/module/microsoft/fields.go +++ b/x-pack/filebeat/module/microsoft/fields.go @@ -19,5 +19,5 @@ func init() { // AssetMicrosoft returns asset data. // This is the base64 encoded gzipped contents of module/microsoft. func AssetMicrosoft() string { - return "eJzsfV1zGzmS4Pv8Clw/nO0JNz3t/tgb3+xeaCX3tm5tt9ayuzcuJqICRCVJjFBAGUCRYv/6CyRQxSILRUoUQMl754duWyITmQkgkd/5LbmB9RtScaaVUTP7J0IstwLekPe9H5VgmOa15Uq+If/yJ0LI5tfkvSobAX8iZMZBlOYN/tr9+ZZIWkEP+KSEGcgSdEFt3X2MELuu4Q2Za9X0f6pBADXwhkzB0t7PS5jRRtgCl3tDZlQY2Pr1ANf2j8eUzJQmXM7BWC7nPUIuAnbk7NPVpPfFXbr6tAlq7Oe6pBY+8Qq2PtLS5X6584s9OLo/nxaA3yJUlsTyCshzLsnnT+cviF0AoQK0JStqcHXS4PLlBuMoohqMEksos6LJJVktOFsgmsZS2xiiZjtIswWVcyiJVeTZx4DVswPYc8l4CdJellHcb2C9Unr3d3dA/zLAJZcXLaJnDtGD6Czd6ZlTBzs9Tj3gDjENwm2wY9hRCF7b4dY+EEfWaO3Y5vYYWs5tIX4AQWoMn0soP6l0iP26kqC3ztsBJPwJTYfAdQ2MzzgYxKDPo517MCFXyhg+FUCWVDRgCNXwhjz7LG+kWslnL8mzD7By/7uUV1rNNRjzDK/ZnW8ME47FM85wN5LT6MHel6ifnay+UoZbvgT3g0+62fz7AEUlWNAVl3kICpu2tcidyPug7NmSckGnAkk6q63733sqVlTjT66BNZrb9RVoo6QE0f/hJ/8MuR99lisqLZTXambb7/5qF6APccYuNFD7M624WH+gI/L9yLvuIJMZgj70wkwp+zf3hqdF4bMB7XWDXUGI27IfJ1g68c5gUqqKcpkWswuEiSs9BDVen5Wlu+FRzHh9P6Qurwj14NwjgKLCPcv3RYrS0jE+5du2eWIbt6UPwo4x1Uib/qDhXqbCEqR1F3xdJ3583dcdku1Cd0TH0XOlnSZVU5GWdR1Yck8GtkhKsCulbyZcWtAzymAitxFUS9Arza2TdrqBgfEwRPt4M+FDj4aAGOkQI6sFaMDfWU1nM87IghoyBZBETQ3oZV8V72SjofcgZtcSOkDK0D7ZqIHWnWmxRd746mPr7zeBKjPfORD7VrjHOfu04MZ9jnDjzhIKV0Zr2wT+a7oiFRhD5+7f1BKmKnBizwvhwSl9p+bkApgqQccJ8bD4LlLHkrO5gSBt4UhLDDggnJn7geVBqVXSgrSoznJpLJW2RcPEdZOhvXkXBA9Zo4gd9zih6UltMD0pMWCM094W3BpCyQewv3Mr3YsYdn8SEauBWLNQjSiJhCVoMoXu3NVUGyDvwVKHGiUzrareUs/fqbl5dUXZDVjzYqgpcA3MivVLYgPelHwELyz8CZc9NCdxTwMsQRzBSaHk7v3c4uQF1BoYKi8OkxJmXEJJlBSIlnV6LaloHceqMvMi2YXZs8fvwz2/vPjOq9/+xqPxvtHe4ZYyS4Sa+/3Sg41A6jjq9v604OfcdtRUW84aQTV+P2zsZPRkDEAfdVJiJ2MAefykjG7J8rR78vr/78n+PXGr5tmQh11fNf1HgYTsbsuTwW5JjxF62VHTYFSjWaa39+Fsy3X/H4YZugsrkPYpIkebktsC/WZPET2QVq+fImILp1M9RcS4PA6xvBpTKzme7kkrgR4jPfKybQZQprShRvSamJ3Z+2DrFnDYDPSQgZLwMCtiRw8ZQD9gRYxzUQ59PyfgYt8zFGWfZ9eAzETsIxEO3pt97BRqdSP5lwY2arTu6A8/Wm8btedKMvc4UKueumU7Im6WPK847HP3fCsu1h7Id2pO3i5BWnKNwpk0mAhASa0hCKoB6TN+CyUxYB2QrS9vr2HGDZZ2EwawH2ywdJswAH2vTRl6AtP7l447mAO67sGT+/FgoUwmfbV/Ln9RxvZFpNg9kQZkyeW8/aWJHZueD+nr4e8gwnUX7u4Pi/UZe3m1/KELiY1d913mDqi36mtl7vKn3Oz96f9d9tphcC+DbNiVC96R1veWlYSSOV+C7JxkX68i4Fh0nP8irwVSPkXl7+uIaIw6NFS9LjR8ybDX/eAhbjDSPV0jl9/6pckVXqSXwZttKfm0roEwOpQgUyDA7QI0+Xwp7Xc/EaXJz0JR+/1rMqUGT1EbIJvxeaOHWUpDuo9Rd79iujEMms/4TOBfcN+eq1xutn3WcbvyV+9gUHpFdZlNqetJtB7ZfU5eXv22pe9RzM3a3VJCzNpYqMIjGtB20BbgT6rxzHP/VprPuaSi/c62tnKAD7n0rz2JEZdXv/0UYUFAf8CJh7Ogw2jI5RSvz+agDhXHY1+fBdAS9Eli17/gUuTy4iFRUo9vP1iKYI6LlT5pJ5tgRXY/G20VrcuNooUXxZku50oIYFbpr1EAO+49Qs6NO3PcEOZZ59P9thTVd2pXbSF7GP0ELb6KTZ+Kqlopg8lulZJkuh5sGiEavjRgrANoeFWLddgn92EsfwLKFsTwEsjzvxC70A15/eOPL7A8xwDIbpU9nHgSyusdOGFqJQ3kYwX7ak4F5kx3PoWmmoZqGV6FR2gXAnlOp2oJPWb4JN7hKx/Em7EaaDV6f9hXc2wemVVQ8mZXT0vBqG9immPnWOAzwu3fm9d/+e6vxov0VzUK0Bbpvw+o+buzB9/RNWjymryVjNamET6y4kzKe8n1GPQHBj8iuZWxVb5/Tf7ZkfuSfP89+WfClMZyDtwmv+hL8t+F/Z/ug9yQbaZ8E91CqUp4srauXEHBqBBTym7yasAeOaksXhtqvV3hmAiyrBWXtq2ciSKKh6MArVWm/LSNPmhqYJwKxBgxNVZpp1nLtdc63C+WVPDSH4wYUoTMVCNL98IIQOS5nAfl6GDy4vaNGEBOEQsM12FP2GhkF9ZC0fKpvHMBHWL4H0AqsJqziNURTOH+h9EW9s99K4Tds0/tRqNVs3bbJuQXtXJbM7Q5uSRKO2PMKnIDUB9g2pN48b4SpmnFwJhiycuizBV1fdtKnjlI0NTiJS8dB3t24ZJr21DhjPYt37uMuDh4xZ3Z7WsUHTM8FeGqYwF3rcGgQwWZRvUcbPexg5wwOlPS06NzwmfC7eeEzhIKGgr+TXniR6iUBXIdzjvTgA/tdD0mKN2fNhDzFQRewkqFqQXPmdnwpM15wwdq/5PQzZzMzXje8da5NyCc9fbUtVZLeEL+a0QYvXiZcfEIMXq3qjOOrs7ProLuy6h07OFVrfSuxkvwifzq0iCap+H++OyfKjTE0XSPuVK3Tflm85WNwe71HLTMJ+T1jz+RFfK9AioJFSLuKwjdINSMbPxHZAUaPFhqiQBqLFFyp1xkm4mPriZ+3UyM3NUcYdvAu9+VLpFxmNUEbCGVUPP1biBuxvVAiyXkR8IWVFNmPRPdpV4j/ug0l6SRIadHbPnMRytqUxd0+0B9ziDCntglWhSVUzKVbMMImq5GZRpK1h21kjLUWH2MQgafg2Ks0S1EY6ksqS6JVLqigv8Ry+9VuorypwxZDkezSDXTwZN0LyZtsO6QeSX4DEITrojTkSlZjijYm+0ujM3pZ9lDEJdMVbUAGz0Ao05Uigq81XxHDPbqzbR9pIN87daOHuexo7x9MkePX6WkXSTapk19aqqcl02WU/lIjH/bdqNLy3YH8g8lc3db2CMW3eqtiunTawfN/AYiKtuNPiMWbm24fGQJ2vTKKcp9eWCR/X3oYVsDTUXmpkyPKV1Cme8dDEk24Zky3YqtjtFm2nQf7MfXh6+VVtUEoTZYlG8YSKq58mp91QjLv7UcNKF1Ldrql00vm4pKOo+V5hIiMLzT2oseKY+rIdw+M0StpI+MWVrVu57BgLFbzaE4vH3WELbgzrpRJZgJed8Yi2ZSH6i7ldSO5OVSC0du0l4BNps5vJdwCk0IN7ld0PNOwww0SOYPBHWqdcmXvHSaDZ6HuCC7bgXZpx3mxYm8rbk+GYWb/fSxoFt3ErkVa0+scULP6WsOqZ0mkiTiG0246aMunJdOGnfybDJYsksnU01qCVQNFLmHQuz4n/qqoAb5pYHmZEfJnW5/ijbycUUNQSTKkXODyH2XmqkJlYIthmaQafPKZnh951UOXOsiA6p1kUN7rlOKom2gr5NDzaAr9V6RxzEhd8zH6BszeC7v9eYcKzYPybVjggWbB2KnG0JqRxBlkVa7D1esTSNyh51GrCjVWKYqeOVx6IwXzMpWs8EJoTKwYMuAHDkgsATNbc7SkT2EtauHIsBeZGefyydv8eKgd6B/pbtKF2xjSo0PwM74xvCJa7c+mDPWUyXoyvmzmSIb0LkYebkpmGhdVGUIskTxDmbzqTbht20rvW8JKk1+vQ6psdy0CQG7fjVcv92hsSpJU2ND79ORhfqgw0qWm4b03d0d7cLTCFvka110T1Ekmwo0Z/eVRVHaTlDFtoewfiVbdzO8WPL3e0DaEmSJIzkOyi01/ccjdK9pQ7tq+g9gcTvaIZa/FnzA7tAIeg9iXtLn7FX3zfBChqr/IGaCl2tBu9xiqSyhZBE6XsQTaIWaF22iyqMI9fYg3luon6Jnypbsw6b7vms1io+44q8EZ+vct2ePXLhCBEJzbdmfJtBHUzciZ950nIEfGwFk0BG9E6dKWrjNrbF2CF1K76/b9EOlZWncf/BRpaJFKNYA5sDj7EfvFBJWuWXBWOASVr1QPyoh1mo+bSz0JMQwRz9MDXLaev/5i4sOU9Nkwm4zToVna1u5j2loCO7mF3lk+vpbxLjFCjDHsLbhoNnkfOkl6Am5Buj69E/oHLCVd8h0nynd4jCA3YIJk2B8n3///V7fCqXJVKsVzgAIPw26pje7RvtJX5ZXVNvUbroOcGqPSrhTalAdeqo7pUTZqY25rpSqIQQUc73FZzKMCGuzi/Rm0fAzH94K4qPXBACTkCIKc0mkkt9qqAEtmX3ZDyYyIitvH/3YAC2vx73iPsLWhn8GlK24XQRl2ct6coELTrHaRBIlv50r9/c9LwEqKUVEccxIN+0FA18hAg5JNSM4KIWDmXTTpXwQM4r5kU1d74DxuS/na4wzYnzJqE+2KYP4DYynhInG2PZAhn8Mtgm/wo3byVATHfwbTvHF346rQCfXfvwNi1v0vi1TPqXs2SHDy2F5gVgQaoxiHP2lbjei9iRu2Dt+A28IJfVibTijgpTc3LwktcaZKC8JWPYsrihTTY+pvbznQ+/rbDStwII2pKYGu3gZbOTgexEwVVVOiqmtoP2wtAYs26vu+ffgsTS+3h5meJi8+GaqqpvhHcywbZSsuCzVKuTTMiUZ1PZll0kxyowBmbNGiDX50lDhnZ9lb5oY0t0uJNTI09X3eqZSl/aQ7lTCd1zeQBlqgdpEdGrQOxUMFPebbzrUJrzct3Fi0BUiq6jrT3byboldBFr0fr1+LLx+rYPnlVwP2/V0QWc/pDDTaIQRF2tYE7H153+/pv19Yk17xkX+O96R/DOu1l1jDWXDgLSRI4i72wxoTkUReU2zPSLXuGSrNu++j70H0L0wo34BYDfmqJYDKTzGYXX30C2oWXQ3FOfnDd+Hhi185m9bY9OVGZ63kHZahDlCumUmRjP3re7fw0pT4uS5JBxz7hrJBFDtfoSN8DaohQLC4O3UbWHn4eiDF37NsM/Tk36xmKqmvcmo/QcrlI3qe7xeS64bc2pPX18bQQTGPX6nCZBGrsS5X933ZBz3lHoLLrtrvGOf9zJfXpAPXtI83xl56ot+HW4v4nq1d0A/hi+/536+vECWhpK3TkwMvQfbETmfBuhJmPhD5GTBipu4kbo065y97LejuqFA26sLe/3Y0hvfJzw1jvXn3cLk8uKgJpvKP3dAk3WIvZblRqOdkHNfnxn6nQr/i/3aLCKotz/x3TfBHTdtbFe5qWz3GDVSgPGcUf5BWSmypJrTqRhUAfqmDFySWtARQWBAmqz9UbY2tK+q+pUnTlI5DaOtL+Run69fXV7t6tAktIz1HoWxuuwjBwreuRZyE2nxSJJLack1n0uKwmLkiNZK52xe+2wgv9whvWp1N4VdHfGvDpHeXcZTVqrIwfnw6yfCJRNNCU6chUG27usT8vztLa1qAW9wdK/TcxEsSu9J3C+CkbmTxzbRObV5WuKYcXPjVO4j8LpHKV7PjfkhPA0fubnZE3K1ms/noPONsIuz7Ld+LCDggNrpQoNZKFG60+Nt9ZFJo1uh9xN4Foax9yCVn3/0OsaLrhnH5UW8jOTO0Xmmqro4cd4V7krIvcIxrt6/Z5rptw4dJbE+dYbjZlTZsDErLailj5Q11se8k5ZKY+cBJ9db/EamxFFdrqh+nAy9YVd9J11peIgcESOtkZ87IUrJe8rafspx5daJoJPaMUp+2yqoer8U8rZm8qHWGqhJnhtsLLVNKsW580dRLh7N7HCLT9Ut4eWr8ffLvazNKTB0GH0eND72d8FhEb+67TuWefre4JBfDOfuHfOccamaVDHOXh2JmSe/U06SpnQ6DDyyPyQGnLsz49aROBPCyT1iGsbAmFkjyFu3PmGqBOOORNvsN25ZcFnCbWIGCG7scZrnA2ULLoymmG6RmILG+GZFNReYwRPx4Pn4u5wTikz81n03SpnMcA7V1DcXeiSNOKxOnnf5nDVoU4eiWy9hBiwLKsImIb7t8PRipMjQu7mG73HuhBKvfHVJXsFX5T/tfkm5NKQES7mIOBmmqrG9742QpsTJczNbjy3t8tgQj/GH1EJVi2zZPGekhBkNIaDQ+bKN4YdsTacVL0ELusZCLqvC40qeR26k+wVa3eHbMGurwL2v3lhuG2zMSKKEbWyDYcOmh17XpFGsnn+H0dSYZpBVTFWVu095jtG5h054L9m31mrJS+8/a7vIVWBGE6FKxY4PNN7fW/YzFxutkfXz8uKqwW2NSU+PI+vb1fPK+n+o6ZF+p6PJ+99qGgIw8dtV83yNcy8wodjv/PXVJbkcKFR9NLJ1rQ3VJfsxSFjY1VXDzpMa0vfxh4Xc6rhy70VEMVVl7oqvQcXdrtIRcCEOlxH1aJG+W4IPGZyg8rznAg6lwz6BtouH8Dkvu1DOiBOvSm01DsrAE7z86ZS8ju66yflMtdO9rz777jltIAqTNW6BNX0vgk/9mkKsvLXtwrQvceMEjpCoV7zcdoh01ZV0Sbmgw0AG6VzhBOsrZ6D1yKQFf4eO8fWni7sFY6UKDaB8AHZAUkg3MHw+GZGIvCqmTVmuk/tneFUkrQPqwW0MHNfofK+XKj1EzVXCLgc7JXaFaU5RkMBNP3vV91ylTcltV1m36YsWMIoNtttUbHhRsgkv7CfSZ4ml5uDyZFb5+W9vyfNQK/FbI5yuPOUCCzgwD+ztba2M++QL8u3Q0SB3ozA3Uq3kliFkgDXYzGK5DX1k0iajJ3DB7aaFnrdV7h9CadI7mFO2Jp9HzTXBp5o+RlF+WHiLxVySinI507SCvekYNdU4tTd/n4Qt5fIKlyUfVOmTozdtAXtZZxGkyAHtC1MFHCNyWUjbfeM+wIr80kg0Jd+rEgR5zuVy8ueXhCv2kkzdf8D9h0oq1oabyZ/j8UXL6mIm6GByfmodalvDP78iuCj6ulBOrtvhV2q2t1GDVVkx9T+dBjzbNggGtDvIUYSWVVq5u4PZb+9/pxrIJ58A/Oc///b+97OPb//8Z59zu6Sa8tEzuVL6JmXJ8sEL9nu7YD/CNuoEozK1EhFqdtJ2KemeA8rcc7HOYMLMlAZpOEspQHqupAwYV+m9IJH4QCqgxYry4XDiB3sHsPd5aqDu+qQuUTfNNNOlsNPSWJ268h3rtbM5xPpvabJ3tK35yOckPbbYZTMYbKDShGKTTd1LqHdxIGZ81NHUkprNEXssqdFuRBEyd8t74kL56H6C93dcOOSD/v9xuOpGZfaT/x7liJU9H31AZC+Sj3I42jjuPvyUOkHS1tbO9uzS57bLaG+z7LBP5gt0uw1O7uHIdNuymp8iHoZFXzPKheN128zlKsiMy4t+bRt24nLmoIV5pIXBeFZhm3NdOBXxCHqOSbzGdOtQfXSuqqqRu56oAXbyuMZND8XuA9zaf4O4Tt3hZo7TrB+K2zWV5b+qeNRsg5ullh8jGR6M3XDhLeRMY2rOuEqWJXoqCx6xX1Eth0GHp466kVVdqFzC+PrD+yvyq/ejbpJS44h8OWkqwfV/vCNfGtAjvVsbIQsNu5068yY39Byia/KxLTqLpnV1WjpL+JD2garUYwQc0Poox9EhqDYSHHsw3DL9gAYqqK4y7JYDm8G9QOuEBcgd0KZMNpV2C2babldboEtqd7XCh8KdgmSLiupUZSUd3HVNB+OLHxx9omyQTpUEZrFIfhYYzNIWUHWAZ3NstZQBrJr+IwPUmiafhOE7TiU/Xhh0L3jqByd0bqvAqZ7JkZYFZTgYJX35iYNtZELjvQd4Oq+XP8hbu0j+vjNZMKuL0iTtu96D7iAfF3m6A+CloMklhixAzrlMWBQ5BJ0jN1oWs8KsuGXJ5YcsZkKtDK3S5670YUu7zAc9Q9SFyYLLnOKEyxp0NV0nS3gfwK7ZTR7gSypynBVeF7VWVhXpQ1IIfflDgR7H9LBFtrsp1LwoczDbAU6f/8ZkUdHbwtpUboNtwO5EC8jwKFRcZkKay3xI18IUYiqK1GHRLdh/yQg8eWfwHuzUvRD7sFNX9fZh/5gR9k8ZYf9TRtj/IyPsv+aBbVUt6BRyiJQOenrzTBZVI1D5nq4zvJMt8Pomg15SNYLPqzqP9u20TCrmqZOQAmSeQykx8IWl943IwviExAw7aDTLY006wHmsSbM2TZ1hFimTXVl1FlPVKutMD7jNIEKsss4wywUbzZoswBvJbyWVygDLcAiXPzmuZHoUlj+p2i6AlhncaqqqCyYy+LAd4AxBEoSrp2ub3i3qIJsskOumyBDTYJpbzqjIUEBkCjoHydYJs676sCUV6z+gnObAe1lgG9AskH07mDxY+8TaLNCn83r5Ux4ftCmm3P41S6MxZoq0s+J2AGuVXFSbLNccoQLT6avcjPfxJ5u11QMMduH9/OmdIx44qn1ZgPtu8uk6yPVgz7iAHDaMKWY5NpHPUhZnbwPOoRuYgteYpFhkEXW8Xv5QGlsPmvkngm00ywJb8BnkMGMMOporKHmygtFt2FzmOSWVKhsBhqkc3A7A+TyDbFK1WVGbdOZ/D3osgzwJYA1zbqym6T0hG9gZND4NdS5W62y8NtiJXGeSrz4z3x/xDNCtBlplUCR9KVAutPMp16uF4qbwE2bTQ19TTbMc8HKkEDYF5KWfb58aLjeWyuRzjktjp41ONSywhQp+VlAOqE1yXNPr0W1NcmqwOLlhln7Y9bGdBvbBnNOyTH0HeJk6rNq2DsrwFvGqYFqpKktXIgc4g5nGqyJPcmToeJSDzfVN8vZMtUnfspTXptY8MVBBLbdN8uwzwSWka7GzgWqSTtTp4GLxbXq3llC+62kxEyr5c94Bz5Dy72ze5FLHAc0gcZwNnQHV5LkJQs2zHF05z3KBa6VTC7Bq2sxzXLOKG5ZDLFQmy4HNMQdCgsXmSsnhJpfhvgF06ow/DzV1Op5crVJbIFkqypQfAJ3cElXpNSOl+byIzON6MNyVBJ3+zaoLP5Q3Odikk6k3YP2I1yyHLEPhZpiJk1oYBLCppUFdeEdScnSpMe6XBVukqvMfgIbbmicPBNSgq7mm0g567qaAvMoCOP3T6zuRff68MwU0AWCt5gU1dcKBAX3QmqaGqoGKHPqdBoZ88F1HMwFPz2QHOW0L1x5kpcsMGKd3ZJoMvmHjfcMZ8gEMpE4E8AOPMxgnBr6kPwCxBq3JoGYwpQyfZxC8pk7tZTOa5bgHmpXJFWmjWawrbgLANt2IrT7MxiTvqrlkMnWhRHRa7EOB+iadqcm3c5v+WHmg6SN63UzP1HDXdfJurU05zZKH3miR4S1sDOii5Kmr3rOMrWgjQznYYJmxtErtDV4WXBpLZxk0gyXXNocavqxlhtZNVulGpnSzxtqiRTqKnjVWkY+NJIOlu+yRjMPyfqOCl+RcQ8ktOae6DN0MDbZ/j6PjJ2dl5NLYhFAEg0P0CfY3YEqQWKlOlw/BZT7Ova1qodYwGCx4kH8z1SRr6n3HM+Z46H1GOO9MwxxuSUV3Gy1sYrFy3uwOA8mOpOAGhzO0q4etxwZKxDR1rbQlw8ajhKwW1BJuSa1hNnYUHpCWe58hFDHGB6ujQ4FwGTq7j/SFFlzmnsjfQ9Wt1sfTEKvmYBegJ5vPm4VqBi8aIRKWoLtxRFaRmmoD5D1YihPB/V2lHQuev1Nz8+rKl72+IBdhxNdLYheRKUXYDPgjhNHHiLYkH8D+zq0EE9/n4aHOwrwZjuzubhEu7ok1QDVbTLjkUfxw5u4J+mvviE+chYHJEK8EbSTO+p03OMe1beIeb+C+0699D03523F3NHVNuMP84hFj321EkbCm6W6dV3FZ8gluLd6KMXfBKaZRjwikzeC6DzihWoqRiZfYPTfjOHDsn2vAEg1fGjB2T9Pu47OV798r36sMOJbHr+ol9q5Hqss73Xan7MPJY4Sxsa2fY4d28yZKecrZ/4fnG7rFLi9aoYBrx88GWg3pknjveYTd4zKlBohP1+6wIYNb1e1S+Mbj4Cu7UfAd5kr79vVRNhJCDTEAOO6M7p9Xpak0lJ1gvO+gw7RfWqLauzk0rNE4AW0f0jXoint141RIb5b0gzn4kguYAxGwBEGoMXwu/cZt5vXHjz62ZH5E+Y3r7znp00eZ9OwwayT/0sDumEQav3w9fI/rmHjcFJRWo+Glv5BMSQmYW0FW3C7GBAUhkcqQTmPXcFR50b1NC8dOlCfdEyXUnDMqiMNgxPRBLB4XO1xqZEzj4/GuXqxNHL1eOttK7WS1pn7gqeDUFAuV3SbwRlxnruEslc1QIycV+yN44v0AiL80Dlt808IgFiaA6smZMMoZ4lv37QKD5eSX8I0JOZPr7l8D6BZteSMtoeWEqapuLOi4GM7ixneE5TPPvtndC5yxuLUh3P69ef2X7/7qbN+L3na0HPsminY4p0XaiNldHTd0DZr8U+eTM68CGohc/Nanrv/Jf+blBuetU793P45MXj4k257tDkxx60zIh18/vXW0gwbvPEF/ackN01BTydZOqwzqmdjNBSHIoZfk0/s35FLa71+/JJcfLt7+5xvy+VLan34gz1eLNZHA7QI0YQtlwqg0pTUwi5/67qf/9d9ePItyBOwio4zb5QfK1ElF4+N4TObTd89rfu3P4mWLVPyKl08L6b5sOoD5kQ3j7vzAx/DdUUw31slvXNuGCvLu7EMU2T+UhHy+rONOxv9REiZx3jp0vxoRioQcFp64BU/xDd6zD3NqYUUfYUQ6nu4rclaWGv20/pTH0OmeXlbVx8Y5HxoLuTx/f+VfpdHwWEXNCaMfW04lr6mGt5tcXjlURrxfjodHToJIwkO39jgPW02s8NO1TisgeujSsuTuw1RsAra9Wf7xd+6EB8CZhHjBVbjhF9tHYIDKJtc6i1531yeNkg8BwyulbSeSB0K3xAAbbgC368OS15yY954eLuftY9KS9X6M8RJiduOpvLgBO7R8qTGKcadyer/RQMchTi5rKucw6UwnpuSMzxsNJZmuESbIErOG4nKmPrL1wKBodERbji46y9DvQCTU/fslXMkdABoqZaEImd3p84zSs7aUpqCFT8XPALq2Og/wWYYjMctQLSxyXIdc/U/qDEylZdF64vKp5bsWvKNjsrta35nwCBrsW7sALcGST+saXpLP7TP2Dh1g35Or1gE2eAl+HdPU2lE9J1AmRkzjFungF39JqBBRZaLefBAT3KjGxLwlaPcGcmkVMRYfcy7J58tRgcIwQTabvEoush1QVWcY++YAazCpM3od2AwlLv5FTJ2Kjv72DNj60QqFADlPPikScXbKR0YtdEQD9SoPFb0AjCQM0wlmhJKflV5RXQ7ndBNyNsdkL02ou/G3mEs3BbsCkHHVM3HXxPvGuJWloh+q88gQbBmPmREDCrkMea6YllBx68RSGLERJ3EpqDxFHP8ODso2QaTnohwQuO2y3ERSls6CnaMBu/3ypI5UAsMuBMt0/eDuFrGn2nLWCKoJ9osmLRLP396+eafmajaLT38HVtgFZN/eLWQ/uQX9bezh/dbh7dA9a+wCpA3J4qNomyZl54S7JfT4JcdR/2xAjyKsGsvUaTkdlhxH+LphDIwZwRk7jx/XHO24xBPEizgVd670mkQKEwa4nUI4beEIOzg6qYQBPlMr6d4VJ7diymH3RTJQlLapWqbrRzfyblLiu5ZizYDgUHb0BD/Mjj7MJTHcNhH5SbC4AIKIDlAX1BBaqtq9LnYBXBO1kpst84yz9FZJVY3k1eJMDsN9i/rTKhFOueeydPJHadMxgJKfuQByFhCbDNhwF2ev7Ajzd3I0Ybyj/1HSFUZZcB2yFtJyIUZjhBEp690fwAifr3cd6jVSc2I8IXSqclYPRIifwoIuuWpQu2SqqrWq+EiGIpwaubeSTgUWkc3I+X7cuFx2YicjkrsYbmmdJIrAFoZJh8scgWBk/Q6/3Lvbe2U392302G3KLBtpd8vZUmv0JZaBF+wYs/5OWhC+x3OQoDlrSUKGYKLfbmoBtwt8amOz3UhAdsK+mxirx4OfLU3HtN16NJpe76cpqBd+rYx0RU3Tzgi3vALj5LrX9jTUMBpECruQrCnEwY3AxoMP3AZ9x6N1TO/uRzta39+Npu8Kk2zI6Z1JCw7jQxQOaEOKNwLhDsLg66Xu9UHq9En3zl+0JLTpwzuXrJfqaQTIATneCZCv9zh+f3jLUo02OM2W3U0+6pNKkJR37A7y46THMSVtg8PYKfVYgrbjp05eudPYRVGBXahHiJLQLU8y8WiEj41uOPZS0iqr12lPVOejEsFf6xDZcy4zeUL+c/LjX/5Cnr+7OLt6QS64sVzOG24WUGIpfBQXoeYqe1+gfZEwzJadeTzCNuMHRzLGtMrsVdxX/+l2NYZBd2PQI59s6PN9rgvDtP+u7rfn+EOcYjFTKmNt0jeZYlSk6k63Q8hHWvLG+BWI0sTwiguqvXhyYtPdIYbvery8Cu+54eUpO430M+U/u4PQehF3+mJuLnm+Ooszue+uY1gjVBr2/L/BSYS/GZyF4LiBXllGGXdlKp0zMWAQskFWKz2nkv+xJ6ta5jsKd2X2EZzun6kRds+4jtaSZur687NbDl8L3+LL9y7aymr+BaiwC0Y1kFpDqSouabTgrieerqjlIK05mB4v6CmpfUcflVjf+hHqTAfXXZ1nTnDVVFtshrQhdb9YPWGzoyBs7iJRZ1CCphbKIllS2Z7z4YTPz+2KXfDsSqslL7vmYeFztK5F0FQHByM0/3HP2rZOG1dwNkTy8kRUdkuGXn92PUJmdHgoZk4uuY+eL3YV95EWcJ3SmXIo+H01T7hFnan3pV4l9DxCqNdRUWOlhhirtJf4DloFluJqz/BTE/epZ3HqK16WAk4n5d7jeneVc5Ht7cm9o+RcOx7jNORehdV6HYbkuo3OviS1oG7L3PusNAHJ9Loe8/JjKuQJ7Mk7ZNDpzrb8RRlL3lO24HLEpCtpJsnxzS6vP0vM9K81OPHh9CPf5MxMyLuS1uQ3/IfXj0olfd3p34ePJ1nQJTjNSQDV5EsDek2wB6GplTTQalTx4lRHb4HfOY28DD3wmIOsedsFUnryfV++cTxbkk6A6uYAfQzNUe+KKU55yusw2z3jbWvprSZGzjYMDy83RDdSRu1Y87J7eXzk2beRGqmxCxCLYGHm3whKVlyWamWIqYHxGWfuNy9jdYIhT3Z4QRx5Ht9Nzg15jh1hQbLNM4Shyxc9bpFG4jv+DuaUrclns934tovAVruFtMmza90KJzDYR177vqmFqGCtGh4y9yIOON71AYhU/29VmmI5z5B922TnV6jHuvN69TpCMVIYPWjhO0cQe5q83jFSQ4ZvcL23su4tkj7eBXRIzWkcdl3AYHtvNgmZfhsGOxRvSHG4+BnLBlKOBBytcEOSS5hxGXz1KJywq19F65Gmg4jdUYVimXDbOGB21L/UgrHz2eamPfRSGulN2fmwraVsUZ24Bf5mVWQ4GVhH/e3IMuRlymW6CWJJ74YjGYsK8z6eESHVL9vBbfFttDfl/ZGpnQOs8759B7CuqW7PlPvxyw0pqwUftFIn7nY4W9Ynv9+JPJt8Zolva6H0Ot+G/83UVP7LwY4xLSLbXdRb9Tz2NDm2/O0VQj9A26OpRAOq2n7r+6kaPQUFSKtVfYzoKFUzHTgX7nTGw5rO2oYD5QiIo6/uOO09PFdVTeW6u4947XCcvrdXlqDdM1RwOVNxpYCam9w1Qgfkx44V2WK2grxd0WdfcuUI/NwIsSb/0VDBZxxKcoF1z945GEVlBdOCKXXDHyno/jtMiV9/Yz9TMabNJ+82uwmH141FlfvIEaaH7/rHbokwZSe4o71PfkI+rWtP+sZz4Jjjd3B88zTMiqTNZHfQdjh4R4R+ZmJta3eROYWrrlMut7HznsVa6dbbjyHmj+9GtrzXKyfxcWp5UeedQ7SHFW7lg577Fk2tVCZNZBspt47bD1JTG3dNMllQkzLa3wOsQzl9YsiNFgm3uQc14a50xmjR6FTekB5MA7qg83Q25QZ08udpG3TS9Mdt0OHUZxAscGtBomqV3jhx8JOd5k7RW2jYSZVJrVH5JU5RS7glcz/hsqhevQp/Pw8ovAp/CXlNMbc/FaDj2XmBnEeMnnti+sFz9Lj2Rq0NyCnDQDRnUnE5A61H4q5Duk9CV1/xP8j6qHv2BEi2fYlnvW2IXCkMa6usVyqyxMmO31sft3fH7hNmEOv+j/4dhgla4wM/eb0AfRp/hNPZQ8bT83Mc/fiCnOP6cdRA2xM1Sxnh8znoMPwTtrIw9zTnhayh4x4jexvuFn1mep2i9+40/+NYr+T9W6PEd5tc8z/i3hp+k0mmXP77WyJhriz3G1gvqBmZAGXYqdsK9bbSLz4+XNBtdbYJUIMEl50z1jZOb+tv4gkphs9PUVGx3d+om3r4aXTQspMm3JgmudKJkDFZKp+37mExFMQQtM7qAx1sSl96vnWLk2sMTu+TTifJkOg6g4co8vNrTO3c/xj1pOdxSN5feu7BcVyEGiOKZc4XfTekGhzZUWTKwh092iRv02hyAeY3ECzqTM0NvtmMK+k/SChbfyAG43VKk8vrs39/f0Wu3DtFfpUj01c22GaqpD4G208rFccWxRBbALsxRzmR7yaE8/Ygiw2d6/p1di3CMA00jCDcSME9Wi5oPmgK+QhKrsej6woyajQgzpba5mQTPvtYLqngpT+IESR2BeHJulrvE4TIsRtYm12xnejktwmkiWEvrK1NwXEGbRbQuJU5GMLoE7hNfC7byheluV0fuFFMVVXWPnF3xNvjERxC8RL8Fdcgdi3N1C6WlaCyMOaxBt66lb0M/z1Q29ZoRbH1pcZFrfgp0qpjCHsMCGKASMWtAWQrW1ApB40zcrebCqsiIiMx2xO1be4eljDz8Pd3Zx/Cu/dqZ/nuQbFK7/r+k/ds4+amWCrR5GLAWTvHWYY5N91k7HacbyO5NeS5R8K8wG4dWNjbTtTdAU8Q6Sg1oskkzd4FXD9LbkO6wGS76GAJGjMFZo0gTEkGtXWG8rXfw5H2CqtVTunrGe8M9naEtkO0VtoS5fj7y7+exVJwo2xPfe6Unp8+wXK3wGDLxTqlvtlJtFHMv7399eryiryntxWXZTfWO76tjraTp2FuDVEcISuQMaBuH1md+hQvWUyenu2rHIvZ6Qo2H7sIvyU5u9qx5SwLUvnyInTpDVjsxVCcblMeuVdAS3H1X75uuCvMkeVQk0x9u9Ff4kzoR8puDOOq0YrvgrqVL+59SUwTSVGnhvzNWK3k/F+mgrIbwY2F8m+vws9edr/lcgYs/qsZ17CiIqrI0KnofYdQWRKjyMix1DDnxuq1s+xPKSxqahehWX+HA9nFYYAkOqVOhaYvhPb1WkzpXhfyTp/sMAdp9fpP/zcAAP//faH2Mw==" + return "eJzsvd92I7mRJ3zvp8DXF1NVPmqVu9rd87k+j78jS2q31iWVpiR1z+7xOXnAzCAJCwlkAUhS7Ot9kn20fZI9CCD/kIkkJQqgqma2L+ySRAZ+CACBiED8+Zbcw+o9KVmupJZT8ztCDDMc3pPL3q8K0LlilWFSvCd/+R0hpPszuZRFzeF3hEwZ8EK/xz/b/74lgpbQI35cwBREASqjpmo/RohZVfCezJSs+79VwIFqeE8mYGjv9wVMac1NhsO9J1PKNaz9eYC1+c8hJVOpCBMz0IaJWW8iZx4dObm9Pu59cXNe/blxqs1dVVADt6yEtY8087J/3PjDFoz2v9s54LcIFQUxrATymglyd3v6hpg5EMpBGbKkGkcnNQ5fdIiDQBVoyRdQJIXJBFnOWT5HmNpQU2sipxug8zkVMyiIkeTVJ4/q1Q70TOSsAGEuiiD2e1gtpdr82yPgX3i65OKsAXpige6Es7C7Z0Yt7fiYesQtMAXcLrBl2F4Ab8xwaZ+JMa+VsmyzawwN59aA7wBItWYzAcWtjAfs41KAWttvO0C4HRoPwE0FOZsy0Iigz6ONc3BMrqXWbMKBLCivQROq4D15dSfuhVyKV0fk1RUs7f9diGslZwq0foXH7NEnJueWxVOW42pEn6Mj+9RJ/WRl9bXUzLAF2F/cqrr7eceMCjCgSibSTMgv2togj5relTQnC8o4nXCc0kll7P9dUr6kCn9zA3mtmFldg9JSCOD9X966a8j+6k4sqTBQ3Mipab770cxB7eKMmSug5idaMr66oiPyfc+zbimTKZLedcNMaP43e4fHhXCnQTndYFMQ4rJsxwQLK95zOC5kSZmIi+wMaeJIz4HGqpOisCc8iIxVTwN1cU2oI2cvARQV9lp+KihKC8v4mHdbd8XWdkmfhS7PZS1M/I2GaxkLJQhjD/iqinz52q9bkM1Aj4Rj53OtrCZVUR6XdS1Z8kQGNiAFmKVU98dMGFBTmsOxWAcoF6CWihkr7VQNA+NhCHt/M+GqNwcPjLTAyHIOCvBvRtHplOVkTjWZAAgiJxrUoq+Kt7JR0ydMZtMS2jGVoX3SqYHG7mm+Nr3x0cfG324ClXq2sSG2jfCEfXY7Z9p+jjBt9xIK15xWpvb8V3RJStCazuzP1JBclmDFnhPCg136Qc7IGeSyABWeiKPFNkHtO53uBIIwmZ1aZMIecGLue5Z7pVYKA8KgOsuENlSYBoYO6yZDe/MxAHdZo4iOOUxoelLjTU9KNGhttbc5M5pQcgXmV2aEvRH96h8HxKqfrJ7LmhdEwAIUmUC77yqqNJBLMNRCo2SqZNkb6vUHOdNvr2l+D0a/GWoKTEFu+OqIGI+bkk/ghIXb4aIH8zjsaYAF8D04yaXYPJ9rnDyDSkGOyotFUsCUCSiIFBxhGavXkpJWYVSlnmXRDsyWNb705/zi7DunfrsTj8Z7p73DA80N4XLm1ksNFgJnx1C3d7sFP2eXo6LKsLzmVOH3/cIej+6MAem9dkpoZwwoj++U0SVZHHZN3v3fNdm+JnbUNAvyvOMrJ//McCKby/LFoFvQfYRecmgKtKxVnujufT7bUp3/5yFDd2EJwnyJ4GhdMJOh3+xLhAfCqNWXCGxudaovERgT+wFLqzE1kuPL3WkF0H2kR1q2TQGKmDbUiF4TsjN7H2zcAhbNQA8ZKAnPsyI29JAB9R1WxDgXxdD3cwAu9j1DQfY5dg2mGYl9JMDBJ7MvP4RaXQv2uYZOjVbt/P2vVutG7akUub0cqJFfumU7Im4WLK047HP3dO1drNmQH+SMnC9AGHKDwpnUGAhASaXAC6rB1KfsAQqiwVgia19eH0OPGyzNIgxoP9tgaRdhQPpJizL0BMb3L+23MQfzegJPnsaDudSJ9NX+vvxZatMXkXxzR2oQBROz5o86tG16PqSvh7+DF67HcHf7s1ifsRfXiz+2T2Jjx32TuYPZG/m1MnfxY2r2/vhfl71m+LiXQDZsygXnSOt7ywpCyYwtQLROsq9XEbAs2s9/kdYCKb5E5e/reNEYdWjIapUp+JxgrfuPh7jAOO/JCrl87oYm13iQjrw321Byu6qA5HQoQSZAgJk5KHJ3Icx3PxKpyE9cUvP9OzKhGndR80A2ZbNaDaOUhvPeR939iueNz6DpjM8I/gX77ZlM5WbbZh03I3/1DgapllQVyZS6nkTrTbvPyYvrX9b0PYqxWZtLSoheaQOlv0Q9bEttDm6nasc8+7NUbMYE5c131rWVHXxIpX9tCYy4uP7lxwALPPwBJ57PghbRkMsxbp9uow4Vx31vnznQAtRB3q5/xqHIxdlzXkkd3v5jKZLZ7630i3ay8TxL7mejjaJ10SlaeFCs6XIqOYfcSPU1CmDLvReIubF7jmmSO9a5cL81RfWD3FRbyBZGf4EWX5lPvhRVtZQag91KKchkNVg0QhR8rkEbS1CzsuIrv072w5j+BDSfE80KIK//QMxc1eTdDz+8wfQcDSDaUbZw4otQXh/BCV1JoSEdK/KvZldgzHTrU6jLic+WYaW/hDYpkNd0IhfQY4YL4h3e8l68aaOAlqPnJ/9qts0LswoKVm/qaTEY9U1Ic2wdC2xKmPlH/e4P3/1JO5H+tkIB2oD+x2A2/7D24Ae6AkXekXOR00rX3L2sWJPySXI9RP2Zjx+B2MrQKN+/I/9mp3tEvv+e/BvJpcJ0DlwmN+gR+Rdu/j/7QabJOlO+CS6hkAV8sbauWEKWU84nNL9PqwE7cEIaPDbUOLvCMhFEUUkmTJM5EwSKmyMDpWSi+LROH9QV5IxyRIxItZHKatZi5bQO+4cF5axwGyMEipCprEVhbxgOCJ6JmVeOdgYvrp+IAeUYb4H+OGx5NhpZhRWXtPhS7jkPh2j2G5ASjGJ5wOrwpnD/w2gLu+u+EcL22qem02jltFm2Y/KzXNqlGdqcTBCprDFmJLkHqHYw7Yu48b4SpimZg9bZghVZkerV9byRPDMQoKjBQ15YDvbswgVTpqbcGu1rvncRcHGwklmz2+UoWma4WfijjgnclQKNDhVkGlUzMO3HdnJCq0RBTy/OCRcJt50TKslT0FDwd+mJn6CUBsiN3++5ArxoJ6sxQWn/ax5ivoKHFz9SpivOUkY2fNHmvGYDtf+L0M2szE243/HU2TvA7/Vm1zVWi79C/nO8MDrxMmX8Bd7o7ajWOLo+Pbn2um9OhWUPKyupNjVeglfkVxcGUX8Z7o87d1WhIY6me8iVum7K191XOoPd6TlomR+Tdz/8SJbI9xKoIJTzsK/AV4OQU9L5j8gSFDiy1BAOVBsixUa6yDoTX1xN/LqZGDirKZ5tPe9+lapAxmFUE+RzIbmcrTYf4qZMDbRYQn4g+ZwqmhvHRHuoV4gfneaC1MLH9PA1n/loRm3shG73UJ/yEWHL2yVaFKVVMqVonhEUXY7KNJSsG2olzVFjdW8UwvscZJ7XqqGoDRUFVQURUpWUs99C8b1SlUH+FD7KYW8WyXoyuJKexKQOdQvmLWdT8EW4Ak7HXIpiRMHuljvTJqWfZcuEmMhlWXEwwQ0w6kSlqMAbxTbEYC/fTJkX2sg3duzgdh7byus7c3T7lVKYeaRl6vJTY8W8dFFOxQsx/rypRheX7Zbkb1KkrrawRSza0RsV04XXDor5DURUshN9Qgw8GH/4yAKU7qVTFNviwALr+9zNtgIaa5pdml4uVQFFunvQB9n4a0q3IzY6RhNp036w/74+vK2ULI+Rao1J+ToHQRWTTq0va27Yt4aBIrSqeJP90tWyKamgs1BqLiEcn3cae9GBclg1YeaVJnIp3MuYoWW16Rn0iO1oFuLw9BlN8jmz1o0sQB+Ty1obNJP6RO2ppGYkLpca2HORtgqw6dTiXsAhNCFc5GZAxzsFU1AgcrchqFWtC7ZghdVscD+EBdlNI8huN5gXnuRDxdTBZtitp3sLerA7kRm+cpPVVuhZfc2C2igiSQK+0YiLPurCObLSuJVnx4Mh23AyWceWQOVAkXsuxZb/sY8KapCfa6gPtpXs7na7qJOPS6oJgihG9g2C+y42UyMqBWsMTSDTZqVJcPvOyhRYqywB1CpLoT1XMUXROtF30akm0JV6t8jLmJAb5mPwjhlcl0+6c/YVm7vk2j6PBd0FsVENIbYjiOaBUrvPV6x1zVM/O41YUbI2uSzhrcPQGi8YlS2ngx1ChWfBmgE5skFgAYqZlKkjWybWjO6TAHsvO9tcPmmTFwe1A90t3Wa6YBlTqt0D7JR1hk9Yu3WPOWM1VbyunD6aKbAArYuRFV3CROOiKvwjSxC3N5sPtQi/rFvpfUtQKvLxxofGMt0EBGz61XD8ZoXGsiR1hQW9Dzct1ActKlF0BenbsztahafmJktXuuiJokjUJSiWP1UWBed2gCy2LRPrZ7K1J8OJJXe+B1NbgCiwJcdOuSUn/3yB6jXN066c/BPysB1tgaXPBR+w2xeC3gLMSfqUteq+GR5In/XvxYz3cs1pG1sspCGUzH3Fi3AALZezrAlUeRGh3mzEJwv1Q9RMWZN9WHTfVa1G8RFW/CVn+Sr16dkiF64RgC+uLfrdBPowVc1Txk2HGfip5kAGFdFbcSqFgYfUGmsL6EI4f11XD5UWhbb/g5cq5Q2gUAGYHZeza72TCVimlgVjD5ew7D31oxJijGKT2kBPQgxj9H3XIKut96+/sOjQFY0m7Lp2KixZ2cptTENDcDO+yIHp628B4xYzwCzDmoKDuov5UgtQx+QGoK3Tf0xngKW8faT7VKoGw4B2Q8Z3gnF1/t33e3UrpCITJZfYA8D/1uuazuwarSd9UVxTZWK76VrCsT0q/kzJQXbooc6U5EWrNqY6UrIC/6CY6i4+Eb5FWBNdpLpB/e/c85YXH70iABiEFFCYCyKk+FZBBWjJbIt+0IEWWWnr6IcaaDk97i1zL2zN889gZktm5l5ZdrKenOGAE8w2EUSKb2fS/nvLTYBKShZQHBPOm/YeA98iAAtSTgk2SmGgj9vuUu4RM4h8z6Kuj0B86tL5am2NGJcy6oJtCi9+PeMpyXmtTbMh/Q+DZcKvMG1X0udEe/+GVXzxr+Mq0MG1H3fCwha9K8uUTil7tcvwsijPEAWhWsucob/UrkbQnsQF+8Du4T2hpJqvNMspJwXT90ekUtgT5YiAyV+FFWWq6D65l0+86F2ejaIlGFCaVFRjFS+NhRxcLYJclqWVYnLt0X6YWgMm36ruufvgpTS+3homuJic+M5lWdXDM5hg2ShZMlHIpY+nzaXIoTJHbSTFKDMG05zWnK/I55py5/wset3EcN7NQFyOXF19r2csdWnL1K1K+IGJeyh8LlATiE41eqe8gWL/8k0L7ZgV2xaOD6pCJBV1/c5Ozi2xCaCB9/HmpXB9rLznldwMy/W0j86uSWGi1ggjLlY/JqJ1+3+7pv19ZE17ynj6M95O+SccrT3GCoo6B9K8HEHY3aZBMcqzwG2a7BK5wSEbtXnzfuxdgPaGGfULQH6v9yo5EMNj7Ee3F92c6nl7QrF/3vB+qPO5i/xtcmzaNMPThtJGiTA7kXaYY61y+63252GmKbHyXBCGMXe1yDlQZX+FhfA6aD6B0Hs7VZPYufv1wQm/eljn6Yu+sXJZTnqdUfsXlk8bVU+4vRZM1frQnr6+NoIAxj1+h3kgDRyJUze6q8k47il1Flxy13jLPudlvjgjV07SvN5oeeqSfi22N2G92jmgX8KX33M/X5whS33KWysmht6D9Rc5FwbopnDsNpGVBUumw0bqQq9S1rJff9X1CdpOXdjqxxbO+D7grrGsP20HJhdnOzXZWP65HZqsBfZOFJ1Ge0xOXX6mr3fK3R+2a7MIUK1/4rtvvDtuUps2c1Oa9jKqBQftOCPdhbKUZEEVoxM+yAJ0RRmYIBWnI4JAg9BJ66OsLWhfVXUjH1tJZTWMJr+Q2XW+eXtxvalDE18y1nkUxvKy92wo+OhcyO6lxYEkF8KQGzYTFIXFyBatpEpZvPbVQH7ZTXrd6G4SqzriPy2Q3lnGXVbIwMa5+nhLmMh5XYAVZ76Rrf36MXl9/kDLisN7bN1r9Vwki9L7OOwXwZe5g79tonOqu1rCyJi+tyr3HriekIrXc2Ne+avhE9P3W55cjWKzGah0LezCLPul/xbgMaB2Oleg55IXdvc4W32k0+ja0/sBPAvDt3cvlV9/cjrGm7YYx8VZOI3k0a/zuSyr7MBxV7gqPvYK27g6/56uJ99aOFJgfuoU283Ios7HrDSvlr5Q1FgfeSstpcLKA1auN/hGusRRVSypepkIvWFVfStdqb+I7CRGSiO/tkKUkkuaN/WUw8qtFUEHtWOk+LZRUNV2KeRszehNrRVQHT02WBtq6liKc+uPooy/mNlhB5/IB8KKt+P3l71Z60MgtIjuBoWP3VmwKMJHt7nHEnffG2zys2HfvX2uMyZkHeuNs5dHomfRz5SVpDGdDgOP7B8jE05dmXFtS5xwbuUe0XWeg9bTmpNzOz7JZQHabomm2G/YsmCigIfIDOBMm/00z2fKFhwYTTHVgJiAwvfNkirGMYIn4MFz7+9iRigy8Vv73eDMRIJ9KCeuuNALacR+dPK6jeesQOnKJ906CTNgmVcRuoD4psLTm5EkQ+fmGt7HqQNKnPLVBnl5X5X7tP0jZUKTAgxlPOBkmMja9L43MjXJDx6b2XhsaRvHhjjGL1IDZcWTRfOckAKm1D8B+cqXzRu+j9a0WvECFKcrTOQy0l+u5HXgRNo/oNXtvw3TJgvc+eq1YabGwowkOLHONhgWbHrucY36itXz7+Q0NtIEsiqXZWnPU5ptdOqoE9YL9q2UXLDC+c+aKnIl6NFAqELm+z80Pt1b9hPjndaY9+PywqrBQ4VBTy8j65vR08r6f8rJnn6nvaf33+TEP8CET1fF0hXOPcOAYrfyN9cX5GKgUPVhJKta67NLtiOImNjVZsPOohrST/GH+djqsHLvREQ2kUXqjK9Bxt2m0uGxEItlRD2ax6+W4J4MDpB53nMB+9RhF0DbvoewGSvap5wRJ14Z22ocpIFHuPnjKXntvKs65TXVdPe+vnPVc5qHKAzWeIC87nsRXOjXBELprU0Vpm2BGwdwhAS94sW6Q6TNrqQLyjgdPmSQ1hVOML9yCkqNdFpwZ2gfX3+8dzdvrJS+AJR7gB1MyYcbaDY7HpGIrMwmdVGsovtnWJlFzQPq0a017FfofKuXKj5FxWTEKgcbKXaZrg+RkMB0P3rV1VyldcFMm1nX1UXziEKN7bqMDSdKuueF7ZN0UWKxObg4mFV++ss5ee1zJX6pudWVJ4xjAgfGgZ0/VFLbT74h3w4dDWLzFeZeyKVYM4Q05DUWs1isUx/ptJnTA7jgNsNCT5ss9yufmvQBZjRfkbtRc42ziaIvkZTvB15jMROkpExMFS1hazhGRRV27U1fJ2FNubzGYcmVLFxwdFcWsBd1FgBFdmhfGCpgGZHKQlqvG3cFS/JzLdCUvJQFcPKaicXx748Ik/kRmdj/Afs/VFC+0kwf/z78vmjyKptyOuicH1uHWtfwT68JDoq+LpSTq6b5lZxuLdRgZFKk7rcTj7Mpg6BB2Y0cBLQo48rdDWS/XP5KFZBbFwD8+9//cvnryafz3//exdwuqKJsdE8upbqPmbK884D92gzYf2EbdYJREVuJ8Dk7cauUtNcBze11sUpgwkylAqFZHlOA9FxJCRCX8b0ggfeBWESzJWXD5sTP9g5g7fPYRO3xiZ2irutJokNhJoU2KnbmO+ZrJ3OI9e/SaPdok/ORzkm6b7JL1xhsoNL4ZJMu78Xnu1gSUzbqaGqmmswRu+9Ug9WIAtPcTO8JC+W96wk+3XFhwXv9/9Nw1E5ldp3/XmSLFT0fvQeyFeSLbI7mHXcbPikPELS1trI9u/S1aSPamyg7rJP5Bt1ug527+2W6KVnNDvEehklfU8q45XVTzOXay4yLs35uG1bisuaggVmghMF4VGETc51ZFXGP+ewTeI3h1j776FSWZS02PVEDdGK/wk3PRXcFD+ZvENapW2x6P836udhuqCj+KsOvZh02Qw3bRzI8G91w4DVwutYVy5mMFiV6KAse0S+pEsNHhy8duhZllclUwvjm6vKafHR+1C4oNQzk80FDCW7+/QP5XIMaqd1ac5Ep2KzUmTa4oecQXZFPTdJZMKyr1dLziBdpn6iM3UbAEq32chztomoCj2PPplvEb9BAOVVlgtWyZBO4F2gVMQG5JVoX0brSrtGMW+1qjXRBzaZW+Fy6ExD5vKQqVlpJS3dV0UH74me/PtF8EE4VhWY2j74XcpjGTaBqCU9nWGopAVk5+WcCqhWN3gnDVZyKvr3w0T1jsS8cX7mtBKt6RgctMppjY5T46SeWthYRjfce4cmsWvxRPJh59Ps9F1luVFboqHXXe9Qt5f1enh5BeMFpdIkhMhAzJiImRQ5Jp4iNFtk000tm8ujyQ2RTLpealvFjV/q0hVmko57g1SUXGRMpxQkTFahysooW8D6gXeX3aYgvKE+xV1iVVUoamcV/kkLqiz9m6HGMT5snO5tczrIiBbMt4fjxb7nISvqQGRPLbbBO2O5oDgkuhZKJRKCZSAe64jrjE57FfhZdo/2HhMSjVwbv0Y5dC7FPO3ZWb5/2Dwlp/5iQ9r8mpP3/JqT9pzS0jaw4nUAKkdJSj2+eiaysOSrfk1WCe7IhXt0n0EvKmrNZWaXRvq2WSfksdhCSp8xSKCUaPufxfSMi0y4gMcEKapWnsSYt4TTWpF7pukrQizQXbVp1ElPVSGNND3hIIEKMNNYwS0UbzZokxGvBHgQVUkOeYBMufrRcSXQpLH6UlZkDLRK41WRZZTlP4MO2hBM8kiBdNVmZ+G5RS1knoVzVWYI3jVwxw3LKEyQQ6YzOQOSriFFXfdqC8tVvUExS4F5kWAY0CWVXDiYNahdYm4T6ZFYtfkzjg9bZhJk/JSk0lussbq+4DcJKRhfVOskxR6qQq/hZbtr5+KP12uoRBjN3fv74zhFHHNW+JMRdNfl4FeR6tKeMQwobRmfTFIvIpjGTs9cJp9ANdMYqDFLMkog6Vi3+WGhTDYr5R6KtVZ6ENmdTSGHGaHQ0l1CwaAmj67SZSLNLSlnUHHQuU3DbE2ezBLJJVnpJTdSe/z3qoQjyKIQVzJg2isb3hHS0E2h8CqpUrFbJeK2xErlKJF9dZL7b4gmoGwW0TKBIulSgVLDTKdfLuWQ6cx1m41NfUUWTbPBiJBE2BuWF628fmy7ThorofY4LbSa1itUssKEKrldQCqp1dKzx9egmJzk2WezcMI3f7HrfSgPbaM5oUcQ+A6yI/azalA5KcBexMsuVlGWSqkSWcAIzjZVZmuBIX/EoBZur++jlmSodv2Qpq3SlWGSinBpm6ujRZ5wJiFdip6Oqo3bUaeli8m18txaXruppNuUy+nXeEk8Q8m9t3uhSxxJNIHGsDZ0AavTYBC5nSbaumCU5wJVUsQVYOalnKY5ZyXSeQiyUOsmGTdEHQoDB4krR6UaX4a4AdOyIP0c1djieWC5jWyBJMsqkawAd3RKV8TUjqdgsC/TjejbdpQAV/86qMteUNzrZqJ2pO7KuxWuSTZYgcdP3xIktDDzZ2NKgypwjKTpcqrX9Y5bPY+X5D0jDQ8WiPwRUoMqZosIMau7GoLxMQjj+1esqkd3dbXQBjUBYyVlGdRWxYUCftKKxqSqgPIV+pyBHPriqo4mIx2eypRy3hGuPslRFAsTxHZk6gW9YO99wgngADbEDAVzD4wTGiYbP8TdAqEBrNKoJTCnNZgkEr65ie9m0ylOcA5UX0RVprfJQVdwIhE28Flt9mrWOXlVzkYvYiRLBbrHPJeqKdMaevpmZ+NvKEY3/otf29IxNd1VFr9ZaF5Mkcei14gnuwlqDygoWO+s9SduK5mUoBRtMrg0tY3uDFxkT2tBpAs1gwZRJoYYvKpGgdJORqhYx3ayhsmiBiqIntZHkUy3IYOg2eiRhs7xfKGcFOVVQMENOqSp8NUON5d/DcFznrIRcGusQimSwiT7B+ga55CSUqtPGQzCRjnPnZcXlCgaNBXfybyrraEW9H7nHLA+dzwj7nSmYwQMp6Wahhe4tVszqzWYgyUFyprE5QzO6X3osoER0XVVSGTIsPErIck4NYYZUCqZjW+EZYblPaUIRYry3OloIhAlf2X2kLjRnInVH/h5UO1ofpyZGzsDMQR13n9dzWQ9uNEIELEC17YiMJBVVGsglGIodwd1ZpS0LXn+QM/322qW9viFnvsXXETHzQJciLAb8CXzrY4QtyBWYX5kRoMPrPNzUSZg3xZbd7SnCwd1kNVCVz4+ZYEF82HP3APW1N8Qn9sLAYIi3nNYCe/3Oauzj2hRxDxdw36jXvmVO6ctxt3Nqi3D7/sUjxr5diCxiTtPjKq/isOQWHgyeijF3wSG6UY8IpK5x3RV2qBZ8pOMlVs9N2A4c6+dqMETB5xq02VK0e/9o5afXyncqA7blcaM6ib3pkWrjTtfdKdswOUT4Nrb2e6zQrt8HZx6z9//u/oZ2sIuzRijg2OG9gVZDvCDeJ25he7lMqAbiwrVbNGRwqtpV8t94GbyibQXfIpfKla8PspEQqokGwHZndHu/KkWFpvkB2vsOKky7oQWqvd2myWuFHdC2ga5AlcypG4cC3Q3pGnOwBeMwA8JhAZxQrdlMuIXr+vWHtz6WZH5B+Y3jb9npkxfp9GyR1YJ9rmGzTSINH74e3v0qJu7XBaXRaFjhDmQuhQCMrSBLZuZjgoKQQGZIq7Er2Cu96MmmhWUnypP2iuJyxnLKiUUwYvogipdFh0ONtGl8Od5V85UOw+uFsy3lRlRr7AueckZ1NpfJbQJnxLXmGvZS6ZoaWanYb8ETrgdA3KGxaPFO841Ycg5UHZ9wLa0hvnbezvCxnPzsv3FMTsSq/WlA3aAtr4UhtDjOZVnVBlRYDCdx49uJpTPPvtlcC+yxuLYgzPyjfveH7/5kbd+z3nI0HPsmCNvv0yzui9ljHTd0BYr8a+uT0289DAQXPvWx83/S73nRYV7b9VvXY8/g5V2y7dVmwxQ7zjG5+nh7bucOCpzzBP2lBdO5goqKfGW1Sq+e8c1YEIIcOiK3l+/JhTDfvzsiF1dn5//xntxdCPPjH8nr5XxFBDAzB0XyudS+VZpUCnKDn/rux////3nzKsgRMPOEMm6THyhTj0sabsejE+++Jx7zG7cXLxpQ4SNefFmg+7JpB/I9C8Y9+oIP4d1QTDvr5BemTE05+XByFQT7mxSQzpe13874H1LAcZi3Fu5XI0JxIruFJy7Bl3gHb1mHGTWwpC/QIh139zU5KQqFflq3y0Nw2qs3L6t93zmf+xZycXp57W6l0eexkuoDvn6sOZWcpurvbnJxbaGMeL8sD/fsBBGFh3bscR42mljmumsdVkD04NKiYPbDlHcPtr1e/uF77oAbwJqEeMClP+Fn61tgAKWLtU6i1z32SqPkyiO8lsq0InkgdAt8YMMFYGa1W/LqA/PezYeJWXOZNNO6HGO8gJDdeCgvrkeHli/VWubMqpzObzTQcYiVy4qKGRy3plMuxZTNagUFmayQJogCo4bCcqbas/TAIGl0RFsODjpNUO+AR9T9+ylc0R0ACkppIPOR3fHjjOKzthA6o5kLxU9AujIqDfFpgi0xTZAtzFMch1T1T6oETKVF1nji0qnlmxa8ncfx5mh9Z8ILaLDnZg5KgCG3qwqOyF1zjX1AB9j35LpxgA1ugo9jmlrTqucAysSIadyA9n7xI0I5DyoTVfdBDHCjCgPzFqDsHciEkUQbvMyZIHcXowIlxwDZZPIqusi2RGWVoO2bJaxAx47otWQTpLi4GzF2KDr62xOgda0VMg5iFr1TJGK2ykdCLXREA3UqD+W9BxhBcgwnmBJKfpJqSVUx7NNNyMkMg70UofbEP2As3QTMEkCEVc/IVROf+sYtDeX9pzoHhmDJeIyMGMyQCR/nimEJJTNWLPkWG+EpLjgVh3jHf4SDsgkQ6bkoBxNcd1l2LykLa8HO0IBdv3liv1RCjlUIFvHqwT3uxZ4qw/KaU0WwXjRpQLw+f3j/Qc7kdBru/g55ZuaQfHnXwN7aAd1p7OE+t7gt3JPazEEYHyw+ClvXMSsnPC6gxw05Dv1OgxoFLGuTy8Ny2g85DvimznPQegQzVh7frzjafoEniItYFXcm1YoEEhMG2A4hnNYwwgZGK5XwgU9XUth7xcqtkHLYfpEMFKX1WS3i1aMbuTcpcVVLMWeAMyja+Xg/zIY+zATRzNQB+UkwuQC8iPZU51QTWsjK3i5mDkwRuRTdkjnGGfoghSxH4mqxJ4dmrkT9YZUIq9wzUVj5I5VuGUDJT4wDOfHAjgdseIyzV7QTc2dyNGC8nf+LhCuMsuDGRy3E5UJojgFGxMx3fwYjXLzejc/XiM2J8YDQiUyZPRCY/ATmdMFkjdplLstKyZKNRCjCocGdCzrhmEQ2JafbsTGxaMVOQpCbCNe0ThIEsIYwanOZPQAGxm/xpV7d3i3bnbfRbdelWdbCbKazxdboC0wDz/J9zPpHaUF4H89AgGJ5MyVkCAb6bYYWMDPHqzbU2414sMf5d8faqPHHz2ZO+5TderE5vds+J69euLESzitomrZGuGElaCvXnbanoILRRyS/CtGKQuxcCCw8+MxlUI/cWvvU7n6xrfX94+b0XaajNTl99NS8w3jXDAdzwxl3AuERwuDrnd27nbNTB107d9CizE3tXrlotVQPI0B2yPFWgHy92/H73UsWq7XBYZbscfJRHVSCxDxjj5AfB92OMec22IytUo8paBt+6uiZO7WZZyWYuXyBVxK65kkmDob/2OiCYy0lJZN6nba86nyS3PtrLZAt+zKRJ+Q/jn/4wx/I6w9nJ9dvyBnTholZzfQcCkyFD2LhciaT1wXa9hKG0bJTh8MvM35wJGJMycRexW35n3ZVQwjaE4Me+WhNn59yXHIM+2/zfnuOP8QUejOlIlQmvYsUozxWdbqNiXyiBau1G4FIRTQrGafKiScrNu0ZyvFeD6dX4TnXrDhkpZF+pPyd3QiNF3GjLmZ3yNPlWZyIbWcdnzV8pmHP/+udRPiXwV7wjhvopWUUYVemVCkDAwZPNshqqWZUsN+2RFWLdFvhsczeg9P9PTXC7ilTwVzSRFV/frLD4W3hSny52kVrUc0/A+VmnlMFpFJQyJIJGky464mna2oYCKN3hsdzesjZfqAvOllX+hGqRBvXHp1XVnBVVBkshtRNdbtYPWCxIy9sHiNRp1CAogaKLFpQ2Zb9YYXPT82I7ePZtZILVrTFw/znaFVxr6kONoYv/mOvtXWdNqzgdJNkxYFm2Q7pa/2Z1cg0g81DMXJywdzr+XxTcR8pAdcqnTGbgj9V84QH1Jl6X+plQs8CE3U6KmqsVBNtpHIS31IrwVAc7RV+6th+6lV49iUrCg6Hk3KXON5j5VxgeXtyby8517THOMx0r/1ovQpDYtW8zh6RilO7ZPZ+loqAyNWqGvPyYyjkAezJR0TQqda2/FlqQy5pPmdixKQraCLJ8c0mr+8ERvpXCqz4sPqRK3Kmj8mHglbkF/zB6UeFFC7v9B/Dy5PM6QKs5sSBKvK5BrUiWINQV1JoaDSqcHKqnW+G3zmMvPQ18HJLWbGmCqRw03d1+cZxNlM6ANRuA33yxVEfixS7PKV1mG3u8aa09FoRI2sb+ouXaaJqIYJ2rD5qbx738uzKSI3k2HmKmbcw0y8EJUsmCrnURFeQsynL7V+OQnmCPk52eEDs9BzeLuaGvMaKsCDy7hrCp8s3PW6RWuA9/gFmNF+RO71e+LZ9gS03E2mjR9faEQ5gsI/c9n1TC6FgrhpuMnsjDjje1gEIZP+vZZpiOs+QfevTTq9Qj1Xndep1YMY4w+BG89/ZY7KHiesdm6qP8PWu90bWnePUx6uADmdzGIdd+2CwvjZdQKZbhsEKhQtS7E5+xrSBmC0BRzPccMoFTJnwvnoUTljVr6TVSNFBRLdXolgibJ0DZkP9iy0YW59t6rn7WkojtSlbH7YxNJ+XBy6B342KDCcD66i/HEmavEyYiNdBLOrZsFPGpMK0l2dASPXTdnBZXBntLr0/0LVzgDrt3bcDdUVVs6fsr4+6qSznbFBKndjTYW1ZF/z+qOmZ6D1LXFkLqVbpFvzPuqLiLzsrxjRA1quoN+p56GqybPnzW6S+Y24vphINZtXUW98+q9FdkIEwSlb7iI5C1pOBc+FRe9yPaa1t2JGOgBhddsdhz+GpLCsqVu15xGOH7fSdvbIAZa+hjImpDCsFVN+nzhHaIT82rMgG2RLSVkWffk4VI/BTzfmK/HtNOZsyKMgZ5j0752AQyhImWS7lPXuhR/dfYULc+J39TPmYNh+92mz3HF7VBlXuPVuY7j7rn9ohfJcd7452Pvljcruq3NQ7z4FljlvB8cVTMM2iFpPdgG0xOEeEeqVDZWs3wRzCVdcql+vonGexkqrx9uMT86cPI0veq5UTeTs1vKjS9iHawgo78k7PfQNTSZlIE1kHZcex60EqasKuyVxkVMd87e8RVj6dPjLlWvGIy9yjGnFVWmM0q1Usb0iPpgaV0Vk8m7IjHf16WicdNfxxnbTf9QkECzwYEKhaxTdOLP1ou7lV9OYKNkJlYmtUbohD5BKuydxbHBbVq7f+36cewlv/Dx/XFHL7Uw4qHJ3np/OCr+duMv3Hc/S49lqtDaZT+IZo1qRiYgpKjby7Dud9kHn1Ff+drA+6Zw8AsqlLPO0tQ+BI4bO2THqkAkMcbPudu3d7u+1uMYJY9X/1dxgGaI03/GTVHNRh/BFWZ/cRT69PsfXjG3KK44ehgTIHKpYywudTUL75J6xFYW4pzgtJn457jOwtuB30le5Vit660uy3fb2STy+NEl5tcsN+C3tr2H0imXLx93MiYCYNcwtYzake6QCl80OXFeotpRt8vLmgXepkHaAGAS4be6wpnN7k34QDUjSbHSKjYr2+Udv18Ha00bKVJkzrOrrSiZQxWCqdt+55byiIEJRK6gMdLEpfep7bwckNPk5vk04HiZBoK4P7V+TXNxjauf0y6knP/UA+XXpuwTguQrXm2SLljb75pOod2UEwRWa3Hq2jl2nUqQize/AWdaLiBt907Ur6FxLK1j8Sje91UpGLm5O/X16Ta3tPkY9ipPtKhzZRJvU+aG+XMowWxVA+h/xe7+VEfpwQTluDLNR0rq3X2ZYIwzBQ34Kwk4JbtFxQbFAU8gWUXIejrQoyajQgZkNNfbAOn32UC8pZ4TZiAMSmIDxYVettghA5dg8rvSm2I+38JoA0Mu25MZXOGPagTUIalzIFQ3L6BZwmNhNN5otUzKx2nKhclmXSOnGPxO1weIdQOAV/yRTwTUsztotlyanItH6phrd2ZCfDf/WzbXK0gmhdqnFWSXaIsOoQYIeAIAIEFbYGkK35nAoxKJyRutyUHxWBjLzZHqhsc3ux+J6Hv344ufL33tuN4dsLxUi16fuPXrON6ftsIXmdigEnTR9n4fvctJ2xm3a+tWBGk9cOhH6D1TowsbfpqLtBniDo4Gx4nUiaffBY7wQzPlzgeD3pYAEKIwWmNSe5FDlUxhrKN24NR8orLJcppa9jvDXYmxbaFmgllSHS8vfnv56EQnCDbI+976SaHT7AcjPBYM3FOqGu2EmwUMzfzj9eX1yTS/pQMlG0bb3Dy2rndvAwzLUmiiPT8tMYzG7btFr1KZyyGD0822U5ZtPDJWy+dBJ+M+Xkaseas8xL5YszX6XXo9iKkB9uUV64VkAz4/I/fd5wm5gjiqEmGft0o7/EmtAvFN3o21WjFd8+6pYuufeI6DoQok41+bM2SorZXyac5vecaQPFn9/63x21f2ViCnn4T1OmYEl5UJGhE977DqGiIFqSkW2pYMa0UStr2R9SWFTUzH2x/hYD2cQwAIlOqUPBdInQLl8rl6pXhbzVJ1vkIEwvJqUrFJArqeXUHJff//hDVsAURLHmnQ9veWuqUQ3vyQRM3wlQwJTW3GR4IN6TKeVrechr81kP37+URc0BTzwTM1/O4rKBR848MnJye92/qredPCZy1AIvNtn6aJb/ZbB779wV0mqXym4RBZUC9NPazdIMO9IVCFyMykUCcB8FX5FKVjVvAuCxsxHWm3CjWSExActaXFGUFjNA48z34JT4Q/P5IysLKqpMIzhaQj6XwZJCo2akza//+KA43LPmedWLornYyu0CDKjS677xANy4KHEvKdYG2WTUMbl16eYVKLNqjixV8J5cSXOyoIxbcXhETipzRC4pX1IFR+QG8loxs7oGpaU157tf3brDcUTuxJIKA8WNnBr3rY928cZWolfO/SZwHT2DHbdj18xFf9CRcHpvHd9uhvk85xwsBai1MKuRlFA62/StP2PUE6UoZvzktTayROqBJre9s2WFHTzQsuJgxciU0xmh7mRaOs0Htf9q4zPM51TR3IBi2owdvODDQbQd31/sWq9zmlxLrdmEw9pef3Un7oVcildH5NUVLO3/XYhrJWcKtH6FKsCrT6AlX0AxUtQGK5Y692mKw5yvHd/HzuUne8NdS80MW4D9xa2qu5/HMkhAGX38wteT07QRC3pz1jfqVuTKL9QtG5HqxVC87BIhrARXEcEhWlJNmmG2Yom90duQWb8HNHlNNbmC5RE5ye2iHll9q9mqb7ZjgwWoYa+3Z0rahmqzVRW4636LoPN4cgW4yROvGxYUJDjYjsXjVJu7yo6aei/ZkUjthtpxKntXVsyjeevqx8jS62b97iqsIEax2QzavubN0dyKtdagbgYulGdivOmiEZqdZcfZhsMqQJjHfBOKWH72dnelaFy5UcEMwwQ1N6bPonYxytv3fqLbAyGu3SBNxMIjNEB/kRyRtWvkiPQvEStuRM3543dtZO3uovOhND7VteFe6Q19YCvS/4oaebOE2/iSXA/u1E6PhrApEdJV4vIaACLYunw0N1LFteZufRmEhb3TUPk9stCoWPmiWxsq9COFo5MJP9GS8VVswJiYMkXS+8IrmVFwC/kcNbaICsxtU+vknpiWPNrxlLt3yLatw+XF7adzcnJ7+y+nf//f//N/kamiJSylut+KHOOSGfh/rAbBwM9Cf+6JO3GPNfsmWGOx0WjRvzmBxilx5Ir4uXvKyCNrP7FFc/WvHXXWecyc8NWgjshFdUTuFD/C/o1H5Nq5Ney5Z/yv8sH94xK0pjNwP5zyWhv71U/et/Y4bvnianG34omv2NbPK+rf2o+DVlLGJ/LhjOmK0+iHBUjhCAdR+rGfBDSUgfFskOv1y54BMnf7468R1f4TwplGH1wJhhbUUCshsRpfewatCO9tz8dh1Zvu3giMdDRbNajhoStCVrqT9Dh0CnJWDV7ong2wJRsDYzh36rks9IXmIuArgLMFqNXJsNDQ88+1p934gWKw06tUf7N6QGzzq9HXCFJv3oHbvhvdNeKO1jPRx5ejG/jRDR55Bs170c9sERH8p6aKqEWGZbGIHYAw0T1Qdd2zmV670dnU/b4Rcs03jsm5852+Jz///fy/Zx8+np58yC5PTn++uDp/2myH2ZyxJts/Dv1XxHaJFqNvF2NgseJxXK0LSSKB7ubrsL51kfYVZcMd9nj4BVgzPvaR7kI6PHA3zDNwsiqJetEAurhulYxHY3NzCgOacmoMCHgipEaAI+FNbrHws83v/k8AAAD//7KHlgw=" } diff --git a/x-pack/filebeat/module/microsoft/m365_defender/_meta/fields.yml b/x-pack/filebeat/module/microsoft/m365_defender/_meta/fields.yml new file mode 100644 index 00000000000..3656cd7c1de --- /dev/null +++ b/x-pack/filebeat/module/microsoft/m365_defender/_meta/fields.yml @@ -0,0 +1,176 @@ +- name: microsoft.m365_defender + type: group + release: beta + default_field: false + description: > + Module for ingesting Microsoft Defender ATP. + fields: + - name: incidentId + type: keyword + description: > + Unique identifier to represent the incident. + - name: redirectIncidentId + type: keyword + description: > + Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic. + - name: incidentName + type: keyword + description: > + Name of the Incident. + - name: determination + type: keyword + description: > + Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other. + - name: investigationState + type: keyword + description: > + The current state of the Investigation. + - name: assignedTo + type: keyword + description: > + Owner of the alert. + - name: tags + type: keyword + description: > + Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. + - name: status + type: keyword + description: > + Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. + - name: classification + type: keyword + description: > + Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. + - name: alerts.incidentId + type: keyword + description: > + Unique identifier to represent the incident this alert is associated with. + - name: alerts.resolvedTime + type: date + description: > + Time when alert was resolved. + - name: alerts.status + type: keyword + description: > + Categorize alerts (as New, Active, or Resolved). + - name: alerts.severity + type: keyword + description: > + The severity of the related alert. + - name: alerts.creationTime + type: date + description: > + Time when alert was first created. + - name: alerts.lastUpdatedTime + type: date + description: > + Time when alert was last updated. + - name: alerts.investigationId + type: keyword + description: > + The automated investigation id triggered by this alert. + - name: alerts.userSid + type: keyword + description: > + The SID of the related user + - name: alerts.detectionSource + type: keyword + description: > + The service that initially detected the threat. + - name: alerts.classification + type: keyword + description: > + The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null. + - name: alerts.investigationState + type: keyword + description: > + Information on the investigation's current status. + - name: alerts.determination + type: keyword + description: > + Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null + - name: alerts.assignedTo + type: keyword + description: > + Owner of the incident, or null if no owner is assigned. + - name: alerts.actorName + type: keyword + description: > + The activity group, if any, the associated with this alert. + - name: alerts.threatFamilyName + type: keyword + description: > + Threat family associated with this alert. + - name: alerts.mitreTechniques + type: keyword + description: > + The attack techniques, as aligned with the MITRE ATT&CK™ framework. + - name: alerts.entities.entityType + type: keyword + description: > + Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry. + - name: alerts.entities.accountName + type: keyword + description: > + Account name of the related user. + - name: alerts.entities.mailboxDisplayName + type: keyword + description: > + The display name of the related mailbox. + - name: alerts.entities.mailboxAddress + type: keyword + description: > + The mail address of the related mailbox. + - name: alerts.entities.clusterBy + type: keyword + description: > + A list of metadata if the entityType is MailCluster. + - name: alerts.entities.sender + type: keyword + description: > + The sender for the related email message. + - name: alerts.entities.recipient + type: keyword + description: > + The recipient for the related email message. + - name: alerts.entities.subject + type: keyword + description: > + The subject for the related email message. + - name: alerts.entities.deliveryAction + type: keyword + description: > + The delivery status for the related email message. + - name: alerts.entities.securityGroupId + type: keyword + description: > + The Security Group ID for the user related to the email message. + - name: alerts.entities.securityGroupName + type: keyword + description: > + The Security Group Name for the user related to the email message. + - name: alerts.entities.registryHive + type: keyword + description: > + Reference to which Hive in registry the event is related to, if eventType is registry. Example: HKEY_LOCAL_MACHINE. + - name: alerts.entities.registryKey + type: keyword + description: > + Reference to the related registry key to the event. + - name: alerts.entities.registryValueType + type: keyword + description: > + Value type of the registry key/value pair related to the event. + - name: alerts.entities.deviceId + type: keyword + description: > + The unique ID of the device related to the event. + - name: alerts.entities.ipAddress + type: keyword + description: > + The related IP address to the event. + - name: alerts.devices + type: flattened + description: > + The devices related to the investigation. + diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml new file mode 100644 index 00000000000..2b2a6f936f7 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml @@ -0,0 +1,43 @@ +{{ if eq .input "httpjson" }} + +type: httpjson +http_method: GET +interval: {{ .interval }} +json_objects_array: value +split_events_by: alerts..entities +url: {{ .url }} + +oauth2: {{ .oauth2 | tojson }} +oauth2.provider: azure +oauth2.azure.resource: https://api.security.microsoft.com +http_headers: + User-Agent: MdatpPartner-Elastic-Filebeat/1.0.0 +date_cursor.field: lastUpdateTime +date_cursor.url_field: '$filter' +date_cursor.value_template: 'lastUpdateTime gt {{.}}' +date_cursor.initial_interval: 55m +date_cursor.date_format: '2006-01-02T15:04:05.9999999Z' + + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{ .tags | tojson }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: json + - add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml new file mode 100644 index 00000000000..f1ea7c03abd --- /dev/null +++ b/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml @@ -0,0 +1,301 @@ +--- +description: Pipeline for parsing microsoft atp logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- remove: + field: + - message + - json.comments + - host + ignore_missing: true + +######################### +## ECS General Mapping ## +######################### +- script: + lang: painless + if: ctx?.json != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + +- set: + field: cloud.provider + value: azure +- set: + field: '@timestamp' + value: '{{json.lastUpdateTime}}' + if: ctx.json?.lastUpdateTime != null +- rename: + field: json.alerts.title + target_field: message + ignore_missing: true + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +# Events returned from the API is always in UTC, so should never use anything else +- set: + field: event.timezone + value: UTC +- set: + field: event.action + value: '{{json.alerts.category}}' + if: ctx.json?.alerts?.category != null +- set: + field: event.provider + value: '{{json.alerts.serviceSource}}' + if: ctx.json?.alerts?.serviceSource != null +- set: + field: event.created + value: '{{json.createdTime}}' + if: ctx.json?.createdTime != null +- append: + field: event.category + value: host +- append: + field: event.category + value: malware + if: ctx.json?.determination == 'Malware' +- append: + field: event.category + value: process + if: ctx.json?.entities?.entityType == 'Process' +- append: + field: event.type + value: user + if: ctx.json?.entities?.entityType == 'User' +- append: + field: event.type + value: + - creation + - start + if: ctx.json?.status == 'New' +- append: + field: event.type + value: end + if: ctx.json?.status == 'Resolved' +- rename: + field: json.alerts.alertId + target_field: event.id + ignore_missing: true +- rename: + field: json.alerts.firstActivity + target_field: event.start + ignore_missing: true +- rename: + field: json.alerts.lastActivity + target_field: event.end + ignore_missing: true +- set: + field: event.severity + value: 0 + if: ctx.json?.severity == 'Unspecified' +- set: + field: event.severity + value: 1 + if: ctx.json?.severity == 'Informational' +- set: + field: event.severity + value: 2 + if: ctx.json?.severity == 'Low' +- set: + field: event.severity + value: 3 + if: ctx.json?.severity == 'Medium' +- set: + field: event.severity + value: 4 + if: ctx.json?.severity == 'High' +- script: + lang: painless + if: "ctx?.event?.start != null && ctx?.event?.end != null" + source: > + Instant eventstart = ZonedDateTime.parse(ctx?.event?.start).toInstant(); + Instant eventend = ZonedDateTime.parse(ctx?.event?.end).toInstant(); + ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend); + +######################## +## ECS Threat Mapping ## +######################## +- set: + field: threat.framework + value: MITRE ATT&CK + if: ctx.json?.alerts?.category != null +- rename: + field: json.alerts.category + target_field: threat.technique.name + ignore_missing: true +- rename: + field: json.alerts.description + target_field: rule.description + ignore_missing: true + if: ctx.json?.alerts?.description.length() < 1020 + +###################### +## ECS File Mapping ## +###################### +- rename: + field: json.alerts.entities.fileName + target_field: file.name + ignore_missing: true +- rename: + field: json.alerts.entities.sha256 + target_field: file.hash.sha256 + ignore_missing: true +- rename: + field: json.alerts.entities.sha1 + target_field: file.hash.sha1 + ignore_missing: true +- rename: + field: json.alerts.entities.filePath + target_field: file.path + ignore_missing: true + +######################### +## ECS Process Mapping ## +######################### +- rename: + field: json.alerts.entities.processId + target_field: process.pid + ignore_missing: true +- rename: + field: json.alerts.entities.processCommandLine + target_field: process.command_line + ignore_missing: true +- rename: + field: json.alerts.entities.processCreationTime + target_field: process.start + ignore_missing: true +- rename: + field: json.alerts.entities.parentProcessId + target_field: process.parent.pid + ignore_missing: true +- rename: + field: json.alerts.entities.parentProcessCreationTime + target_field: process.parent.start + ignore_missing: true + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.product + value: 365 Defender +- set: + field: observer.vendor + value: Microsoft +- rename: + field: json.alerts.serviceSource + target_field: observer.name + ignore_missing: true + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: json.alerts.entities.url + target_field: url.full + ignore_missing: true + if: ctx?.json?.entities?.url != null + +###################### +## ECS User Mapping ## +###################### +- rename: + field: json.alerts.entities.userPrincipalName + target_field: host.user.name + ignore_missing: true +- rename: + field: json.alerts.entities.domainName + target_field: host.user.domain + ignore_missing: true +- rename: + field: json.alerts.entities.aadUserId + target_field: host.user.id + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{json.alerts.entities.ipAddress}}' + if: ctx.json?.entities?.ipAddress != null +- append: + field: related.user + value: '{{host.user.name}}' + if: ctx.host?.user?.name != null +- append: + field: related.hash + value: '{{file.hash.sha1}}' + if: ctx.file?.hash?.sha1 != null +- append: + field: related.hash + value: '{{file.hash.sha256}}' + if: ctx.file?.hash?.sha256 != null +- append: + field: related.hosts + value: '{{host.hostname}}' + if: ctx.host?.hostname != null + +############# +## Cleanup ## +############# +- convert: + field: json.alerts.incidentId + type: string + ignore_missing: true +- convert: + field: json.incidentId + type: string + ignore_missing: true +- remove: + field: json.alerts.mitreTechniques + ignore_missing: true + if: ctx?.json?.alerts?.mitreTechniques.isEmpty() +- remove: + field: json.alerts.devices + ignore_missing: true + if: ctx?.json?.alerts?.devices.isEmpty() +- remove: + field: json.tags + ignore_missing: true + if: ctx?.json?.tags.isEmpty() +- remove: + ignore_missing: true + field: + - json.createdTime + - json.severity + - json.lastUpdateTime +- rename: + field: json + target_field: microsoft.m365_defender + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/microsoft/m365_defender/manifest.yml b/x-pack/filebeat/module/microsoft/m365_defender/manifest.yml new file mode 100644 index 00000000000..d7b73352f79 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/m365_defender/manifest.yml @@ -0,0 +1,17 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: interval + default: 5m + - name: tags + default: [m365-defender, forwarded] + - name: url + default: "https://api.security.microsoft.com/api/incidents" + - name: oauth2 + +ingest_pipeline: ingest/pipeline.yml +input: config/defender.yml + + diff --git a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log new file mode 100644 index 00000000000..4fc4cf141b6 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log @@ -0,0 +1,9 @@ +{"status":"Resolved","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","determination":"NotAvailable","incidentId":12,"incidentName":"12","redirectIncidentId":null,"severity":"Low","alerts":{"creationTime":"2020-06-30T09:32:31.4579225Z","detectionSource":"WindowsDefenderAv","firstActivity":"2020-06-30T09:31:22.5729558Z","incidentId":12,"serviceSource":"MicrosoftDefenderATP","actorName":null,"alertId":"da637291063515066999_-2102938302","determination":null,"lastActivity":"2020-06-30T09:46:15.0876676Z","assignedTo":"Automation","devices":[{"osBuild":17763,"osProcessor":"x64","rbacGroupId":0,"aadDeviceId":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","rbacGroupName":null,"riskScore":"High","version":"Other","deviceDnsName":"TestServer4","healthStatus":"Inactive","osPlatform":"Other"}],"investigationId":9,"threatFamilyName":null,"title":"'Mountsi' malware was detected","category":"Malware","classification":null,"description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","entities":{"deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"File","fileName":"amsistream-1D89ECED25A52AB98B76FF619B7BA07A","sha1":"ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281","sha256":"fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356"},"investigationState":"Benign","lastUpdatedTime":"2020-08-26T09:41:27.7233333Z","mitreTechniques":[],"resolvedTime":"2020-06-30T11:13:12.2680434Z","severity":"Informational","status":"Resolved"},"assignedTo":"elastic@elasticuser.com","lastUpdateTime":"2020-09-23T19:44:36.29Z","tags":[]} +{"incidentName":"12","redirectIncidentId":null,"severity":"Low","status":"Resolved","tags":[],"alerts":{"devices":[{"aadDeviceId":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","healthStatus":"Inactive","osPlatform":"Other","rbacGroupId":0,"rbacGroupName":null,"deviceDnsName":"TestServer4","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osBuild":17763,"osProcessor":"x64","riskScore":"High","version":"Other"}],"entities":{"deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"File","fileName":"amsistream-B103C1A335BDB049E617D1AC4A41FCDC","sha1":"ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281","sha256":"fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356"},"firstActivity":"2020-06-30T09:31:22.5729558Z","lastUpdatedTime":"2020-08-26T09:41:27.7233333Z","alertId":"da637291063515066999_-2102938302","category":"Malware","classification":null,"determination":null,"mitreTechniques":[],"serviceSource":"MicrosoftDefenderATP","status":"Resolved","assignedTo":"Automation","detectionSource":"WindowsDefenderAv","incidentId":12,"investigationId":9,"severity":"Informational","title":"'Mountsi' malware was detected","actorName":null,"description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","lastActivity":"2020-06-30T09:46:15.0876676Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","creationTime":"2020-06-30T09:32:31.4579225Z","investigationState":"Benign","threatFamilyName":null},"assignedTo":"elastic@elasticuser.com","determination":"NotAvailable","incidentId":12,"lastUpdateTime":"2020-09-23T19:44:36.29Z","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z"} +{"alerts":{"mitreTechniques":[],"status":"Resolved","title":"'Exeselrun' malware was detected","threatFamilyName":null,"alertId":"da637291085389812387_-1296910232","category":"Malware","detectionSource":"WindowsDefenderAv","lastUpdatedTime":"2020-08-26T09:41:27.7233333Z","serviceSource":"MicrosoftDefenderATP","severity":"Informational","resolvedTime":"2020-06-30T11:13:12.2680434Z","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","devices":[{"deviceDnsName":"testserver4","healthStatus":"Inactive","osProcessor":"x64","rbacGroupId":0,"riskScore":"High","version":"Other","aadDeviceId":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osBuild":17763,"osPlatform":"Other","rbacGroupName":null}],"firstActivity":"2020-06-30T10:07:44.3144099Z","incidentId":12,"investigationId":9,"investigationState":"Benign","lastActivity":"2020-06-30T10:07:44.3144099Z","actorName":null,"assignedTo":"Automation","classification":null,"creationTime":"2020-06-30T10:08:58.9655663Z","determination":null,"entities":{"fileName":"SB.xsl","filePath":"C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5","sha1":"d1bb29ce3d01d01451e3623132545d5f577a1bd6","sha256":"ce8d3a3811a3bf923902d6924532308506fe5d024435ddee0cabf90ad9b29f6a","deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"File"}},"createdTime":"2020-06-30T09:32:31.85Z","determination":"NotAvailable","incidentId":12,"lastUpdateTime":"2020-09-23T19:44:36.29Z","redirectIncidentId":null,"assignedTo":"elastic@elasticuser.com","classification":"Unknown","incidentName":"12","severity":"Low","status":"Resolved","tags":[]} +{"classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","determination":"NotAvailable","incidentName":"12","lastUpdateTime":"2020-09-23T19:44:36.29Z","redirectIncidentId":null,"severity":"Low","assignedTo":"elastic@elasticuser.com","status":"Resolved","incidentId":12,"tags":[],"alerts":{"assignedTo":"elastic@elasticuser.com","firstActivity":"2020-06-30T10:07:44.333733Z","investigationId":9,"mitreTechniques":[],"resolvedTime":"2020-06-30T11:13:12.2680434Z","title":"An active 'Exeselrun' malware was detected","alertId":"da637291085411733957_-1043898914","category":"Malware","classification":null,"detectionSource":"WindowsDefenderAv","determination":null,"threatFamilyName":null,"actorName":null,"serviceSource":"MicrosoftDefenderATP","status":"Resolved","creationTime":"2020-06-30T10:09:01.1569718Z","devices":[{"deviceDnsName":"TestServer4","healthStatus":"Inactive","osBuild":17763,"osProcessor":"x64","rbacGroupName":null,"riskScore":"High","version":"Other","aadDeviceId":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osPlatform":"Other","rbacGroupId":0}],"entities":{"filePath":"C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5","deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"File","fileName":"SB.xsl"},"incidentId":12,"investigationState":"Benign","lastActivity":"2020-06-30T10:07:44.333733Z","lastUpdatedTime":"2020-08-26T09:41:27.7233333Z","severity":"Low","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection."}} +{"assignedTo":"elastic@elasticuser.com","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","redirectIncidentId":null,"severity":"Low","status":"Resolved","tags":[],"alerts":{"assignedTo":"elastic@elasticuser.com","determination":null,"serviceSource":"MicrosoftDefenderATP","severity":"Low","alertId":"da637291086161511365_-2075772905","classification":"FalsePositive","creationTime":"2020-06-30T10:10:16.1355657Z","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.","entities":{"deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"Process","processCreationTime":"2020-06-30T10:31:04.1092404Z","processId":6720},"mitreTechniques":[],"title":"Suspicious 'AccessibilityEscalation' behavior was detected","category":"SuspiciousActivity","devices":[{"aadDeviceId":null,"mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osProcessor":"x64","riskScore":"High","osPlatform":"Other","rbacGroupId":0,"rbacGroupName":null,"version":"Other","deviceDnsName":"testserver4","firstSeen":"2020-06-30T08:55:08.8320449Z","healthStatus":"Inactive","osBuild":17763}],"firstActivity":"2020-06-30T10:09:10.8889583Z","investigationState":"UnsupportedAlertType","status":"Resolved","detectionSource":"WindowsDefenderAv","incidentId":12,"investigationId":null,"lastActivity":"2020-06-30T10:31:09.4165785Z","lastUpdatedTime":"2020-09-23T19:44:37.9666667Z","resolvedTime":"2020-09-23T19:44:36.1092821Z","threatFamilyName":null,"actorName":null},"determination":"NotAvailable","incidentId":12,"incidentName":"12","lastUpdateTime":"2020-09-23T19:44:36.29Z"} +{"determination":"NotAvailable","severity":"Low","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","incidentId":12,"incidentName":"12","lastUpdateTime":"2020-09-23T19:44:36.29Z","redirectIncidentId":null,"alerts":{"lastActivity":"2020-06-30T10:31:09.4165785Z","lastUpdatedTime":"2020-09-23T19:44:37.9666667Z","actorName":null,"description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.","determination":null,"entities":{"accountName":"","entityType":"User"},"firstActivity":"2020-06-30T10:09:10.8889583Z","investigationState":"UnsupportedAlertType","serviceSource":"MicrosoftDefenderATP","status":"Resolved","title":"Suspicious 'AccessibilityEscalation' behavior was detected","classification":"FalsePositive","devices":[{"aadDeviceId":null,"healthStatus":"Inactive","osPlatform":"Other","osProcessor":"x64","riskScore":"High","deviceDnsName":"testserver4","firstSeen":"2020-06-30T08:55:08.8320449Z","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osBuild":17763,"rbacGroupId":0,"rbacGroupName":null,"version":"Other"}],"mitreTechniques":[],"severity":"Low","threatFamilyName":null,"creationTime":"2020-06-30T10:10:16.1355657Z","detectionSource":"WindowsDefenderAv","incidentId":12,"alertId":"da637291086161511365_-2075772905","assignedTo":"elastic@elasticuser.com","category":"SuspiciousActivity","investigationId":null,"resolvedTime":"2020-09-23T19:44:36.1092821Z"},"assignedTo":"elastic@elasticuser.com","status":"Resolved","tags":[]} +{"determination":"NotAvailable","lastUpdateTime":"2020-09-23T19:44:36.29Z","tags":[],"alerts":{"investigationState":"UnsupportedAlertType","status":"Resolved","alertId":"da637291086161511365_-2075772905","assignedTo":"elastic@elasticuser.com","determination":null,"firstActivity":"2020-06-30T10:09:10.8889583Z","mitreTechniques":[],"resolvedTime":"2020-09-23T19:44:36.1092821Z","severity":"Low","actorName":null,"category":"SuspiciousActivity","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.","lastUpdatedTime":"2020-09-23T19:44:37.9666667Z","title":"Suspicious 'AccessibilityEscalation' behavior was detected","classification":"FalsePositive","creationTime":"2020-06-30T10:10:16.1355657Z","entities":{"deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"Process","processCreationTime":"2020-06-30T10:09:10.5747992Z","processId":1324},"incidentId":12,"serviceSource":"MicrosoftDefenderATP","threatFamilyName":null,"detectionSource":"WindowsDefenderAv","devices":[{"osPlatform":"Other","osProcessor":"x64","rbacGroupId":0,"riskScore":"High","version":"Other","aadDeviceId":null,"deviceDnsName":"testserver4","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","rbacGroupName":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","healthStatus":"Inactive","osBuild":17763}],"investigationId":null,"lastActivity":"2020-06-30T10:31:09.4165785Z"},"assignedTo":"elastic@elasticuser.com","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","status":"Resolved","incidentId":12,"incidentName":"12","redirectIncidentId":null,"severity":"Low"} +{"incidentId":14,"incidentName":"Activity from infrequent country","redirectIncidentId":null,"tags":[],"alerts":{"category":"SuspiciousActivity","entities":{"aadUserId":"8e24c50a-a77c-4782-813f-965009b5ddf3","accountName":"brent","entityType":"User","userPrincipalName":"brent@elasticbv.onmicrosoft.com"},"incidentId":14,"investigationState":"UnsupportedAlertType","status":"New","actorName":null,"classification":"FalsePositive","description":"Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. No activity was performed in United States in the past 41 days.","investigationId":null,"lastActivity":"2020-07-27T15:47:22.088Z","lastUpdatedTime":"2020-09-23T19:32:17.5433333Z","mitreTechniques":[],"serviceSource":"MicrosoftCloudAppSecurity","severity":"Medium","threatFamilyName":null,"title":"Activity from infrequent country","assignedTo":"elastic@elasticuser.com","detectionSource":"MCAS","devices":[],"alertId":"caA214771F-6AB0-311D-B2B0-BECD3B4A967B","creationTime":"2020-07-27T15:54:20.52207Z","determination":null,"firstActivity":"2020-07-27T15:47:22.088Z","resolvedTime":null},"classification":"Unknown","determination":"NotAvailable","lastUpdateTime":"2020-09-23T19:32:05.8366667Z","severity":"Medium","status":"Active","assignedTo":"elastic@elasticuser.com","createdTime":"2020-07-27T15:54:21.58Z"} +{"incidentId":14,"incidentName":"Activity from infrequent country","severity":"Medium","status":"Active","tags":[],"alerts":{"description":"Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. No activity was performed in United States in the past 41 days.","detectionSource":"MCAS","firstActivity":"2020-07-27T15:47:22.088Z","investigationId":null,"investigationState":"UnsupportedAlertType","severity":"Medium","alertId":"caA214771F-6AB0-311D-B2B0-BECD3B4A967B","category":"SuspiciousActivity","classification":"FalsePositive","determination":null,"entities":{"entityType":"Ip","ipAddress":"73.172.171.53"},"incidentId":14,"serviceSource":"MicrosoftCloudAppSecurity","status":"New","actorName":null,"title":"Activity from infrequent country","devices":[],"lastActivity":"2020-07-27T15:47:22.088Z","lastUpdatedTime":"2020-09-23T19:32:17.5433333Z","creationTime":"2020-07-27T15:54:20.52207Z","mitreTechniques":[],"resolvedTime":null,"threatFamilyName":null,"assignedTo":"elastic@elasticuser.com"},"createdTime":"2020-07-27T15:54:21.58Z","determination":"NotAvailable","lastUpdateTime":"2020-09-23T19:32:05.8366667Z","redirectIncidentId":null,"assignedTo":"elastic@elasticuser.com","classification":"Unknown"} diff --git a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json new file mode 100644 index 00000000000..1f81a57a98f --- /dev/null +++ b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json @@ -0,0 +1,611 @@ +[ + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 892514711800, + "event.end": "2020-06-30T09:46:15.0876676Z", + "event.id": "da637291063515066999_-2102938302", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T09:31:22.5729558Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.hash.sha1": "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "file.hash.sha256": "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356", + "file.name": "amsistream-1D89ECED25A52AB98B76FF619B7BA07A", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 0, + "message": "'Mountsi' malware was detected", + "microsoft.m365_defender.alerts.assignedTo": "Automation", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T09:32:31.4579225Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "TestServer4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "File", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationId": 9, + "microsoft.m365_defender.alerts.investigationState": "Benign", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-08-26T09:41:27.7233333Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.m365_defender.alerts.severity": "Informational", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "related.hash": [ + "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" + ], + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 892514711800, + "event.end": "2020-06-30T09:46:15.0876676Z", + "event.id": "da637291063515066999_-2102938302", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T09:31:22.5729558Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.hash.sha1": "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "file.hash.sha256": "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356", + "file.name": "amsistream-B103C1A335BDB049E617D1AC4A41FCDC", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 2071, + "message": "'Mountsi' malware was detected", + "microsoft.m365_defender.alerts.assignedTo": "Automation", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T09:32:31.4579225Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "TestServer4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "File", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationId": 9, + "microsoft.m365_defender.alerts.investigationState": "Benign", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-08-26T09:41:27.7233333Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.m365_defender.alerts.severity": "Informational", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "related.hash": [ + "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" + ], + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 0, + "event.end": "2020-06-30T10:07:44.3144099Z", + "event.id": "da637291085389812387_-1296910232", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:07:44.3144099Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.hash.sha1": "d1bb29ce3d01d01451e3623132545d5f577a1bd6", + "file.hash.sha256": "ce8d3a3811a3bf923902d6924532308506fe5d024435ddee0cabf90ad9b29f6a", + "file.name": "SB.xsl", + "file.path": "C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 4142, + "message": "'Exeselrun' malware was detected", + "microsoft.m365_defender.alerts.assignedTo": "Automation", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:08:58.9655663Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "testserver4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "File", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationId": 9, + "microsoft.m365_defender.alerts.investigationState": "Benign", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-08-26T09:41:27.7233333Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.m365_defender.alerts.severity": "Informational", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "related.hash": [ + "d1bb29ce3d01d01451e3623132545d5f577a1bd6", + "ce8d3a3811a3bf923902d6924532308506fe5d024435ddee0cabf90ad9b29f6a" + ], + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 0, + "event.end": "2020-06-30T10:07:44.333733Z", + "event.id": "da637291085411733957_-1043898914", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:07:44.333733Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.name": "SB.xsl", + "file.path": "C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 6249, + "message": "An active 'Exeselrun' malware was detected", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:09:01.1569718Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "TestServer4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "File", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationId": 9, + "microsoft.m365_defender.alerts.investigationState": "Benign", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-08-26T09:41:27.7233333Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.m365_defender.alerts.severity": "Low", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 1318527620200, + "event.end": "2020-06-30T10:31:09.4165785Z", + "event.id": "da637291086161511365_-2075772905", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:09:10.8889583Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 8376, + "message": "Suspicious 'AccessibilityEscalation' behavior was detected", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:10:16.1355657Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "testserver4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "Process", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationState": "UnsupportedAlertType", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-09-23T19:44:37.9666667Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-09-23T19:44:36.1092821Z", + "microsoft.m365_defender.alerts.severity": "Low", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "process.pid": 6720, + "process.start": "2020-06-30T10:31:04.1092404Z", + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "SuspiciousActivity" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 1318527620200, + "event.end": "2020-06-30T10:31:09.4165785Z", + "event.id": "da637291086161511365_-2075772905", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:09:10.8889583Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 10542, + "message": "Suspicious 'AccessibilityEscalation' behavior was detected", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:10:16.1355657Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "testserver4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.accountName": "", + "microsoft.m365_defender.alerts.entities.entityType": "User", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationState": "UnsupportedAlertType", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-09-23T19:44:37.9666667Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-09-23T19:44:36.1092821Z", + "microsoft.m365_defender.alerts.severity": "Low", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "SuspiciousActivity" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 1318527620200, + "event.end": "2020-06-30T10:31:09.4165785Z", + "event.id": "da637291086161511365_-2075772905", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:09:10.8889583Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 12598, + "message": "Suspicious 'AccessibilityEscalation' behavior was detected", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:10:16.1355657Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "testserver4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "Process", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationState": "UnsupportedAlertType", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-09-23T19:44:37.9666667Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-09-23T19:44:36.1092821Z", + "microsoft.m365_defender.alerts.severity": "Low", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "process.pid": 1324, + "process.start": "2020-06-30T10:09:10.5747992Z", + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "SuspiciousActivity" + }, + { + "@timestamp": "2020-09-23T19:32:05.8366667Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 0, + "event.end": "2020-07-27T15:47:22.088Z", + "event.id": "caA214771F-6AB0-311D-B2B0-BECD3B4A967B", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftCloudAppSecurity", + "event.severity": 3, + "event.start": "2020-07-27T15:47:22.088Z", + "event.timezone": "UTC", + "fileset.name": "m365_defender", + "host.user.id": "8e24c50a-a77c-4782-813f-965009b5ddf3", + "host.user.name": "brent@elasticbv.onmicrosoft.com", + "input.type": "log", + "log.offset": 14764, + "message": "Activity from infrequent country", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-07-27T15:54:20.52207Z", + "microsoft.m365_defender.alerts.detectionSource": "MCAS", + "microsoft.m365_defender.alerts.entities.accountName": "brent", + "microsoft.m365_defender.alerts.entities.entityType": "User", + "microsoft.m365_defender.alerts.incidentId": "14", + "microsoft.m365_defender.alerts.investigationState": "UnsupportedAlertType", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-09-23T19:32:17.5433333Z", + "microsoft.m365_defender.alerts.severity": "Medium", + "microsoft.m365_defender.alerts.status": "New", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "14", + "microsoft.m365_defender.incidentName": "Activity from infrequent country", + "microsoft.m365_defender.status": "Active", + "observer.name": "MicrosoftCloudAppSecurity", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "related.user": [ + "brent@elasticbv.onmicrosoft.com" + ], + "rule.description": "Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. No activity was performed in United States in the past 41 days.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "SuspiciousActivity" + }, + { + "@timestamp": "2020-09-23T19:32:05.8366667Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 0, + "event.end": "2020-07-27T15:47:22.088Z", + "event.id": "caA214771F-6AB0-311D-B2B0-BECD3B4A967B", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftCloudAppSecurity", + "event.severity": 3, + "event.start": "2020-07-27T15:47:22.088Z", + "event.timezone": "UTC", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 16091, + "message": "Activity from infrequent country", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-07-27T15:54:20.52207Z", + "microsoft.m365_defender.alerts.detectionSource": "MCAS", + "microsoft.m365_defender.alerts.entities.entityType": "Ip", + "microsoft.m365_defender.alerts.entities.ipAddress": "73.172.171.53", + "microsoft.m365_defender.alerts.incidentId": "14", + "microsoft.m365_defender.alerts.investigationState": "UnsupportedAlertType", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-09-23T19:32:17.5433333Z", + "microsoft.m365_defender.alerts.severity": "Medium", + "microsoft.m365_defender.alerts.status": "New", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "14", + "microsoft.m365_defender.incidentName": "Activity from infrequent country", + "microsoft.m365_defender.status": "Active", + "observer.name": "MicrosoftCloudAppSecurity", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "rule.description": "Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. No activity was performed in United States in the past 41 days.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "SuspiciousActivity" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/misp/threat/config/input.yml b/x-pack/filebeat/module/misp/threat/config/input.yml index 3ff985b07f3..26010fc478a 100644 --- a/x-pack/filebeat/module/misp/threat/config/input.yml +++ b/x-pack/filebeat/module/misp/threat/config/input.yml @@ -37,4 +37,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json index a4b6019bc5d..163acbfd544 100644 --- a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json +++ b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json @@ -4,6 +4,7 @@ "destination.geo.city_name": "State College", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 40.7957, "destination.geo.location.lon": -77.8618, "destination.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/mssql/log/config/config.yml b/x-pack/filebeat/module/mssql/log/config/config.yml index 31990fb32c3..0ac3d9da2c2 100644 --- a/x-pack/filebeat/module/mssql/log/config/config.yml +++ b/x-pack/filebeat/module/mssql/log/config/config.yml @@ -14,4 +14,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/netflow/log/config/netflow.yml b/x-pack/filebeat/module/netflow/log/config/netflow.yml index b34160bd6b9..f56ffeed226 100644 --- a/x-pack/filebeat/module/netflow/log/config/netflow.yml +++ b/x-pack/filebeat/module/netflow/log/config/netflow.yml @@ -31,4 +31,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 530aa6f4cc1..2ac0d3443e7 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -317,8 +317,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.66.171.247", - "10.155.162.162" + "10.155.162.162", + "10.66.171.247" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -396,8 +396,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.179.26.34", - "10.38.77.13" + "10.38.77.13", + "10.179.26.34" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1101,8 +1101,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.97.164.220", - "10.128.31.83" + "10.128.31.83", + "10.97.164.220" ], "rsa.internal.messageid": "anomaly", "rsa.misc.category": "aera", @@ -1816,8 +1816,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.98.209.10", - "10.31.177.226" + "10.31.177.226", + "10.98.209.10" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1848,8 +1848,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.44.47.27", - "10.179.210.218" + "10.179.210.218", + "10.44.47.27" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2129,8 +2129,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.151.129.181", - "10.55.156.64" + "10.55.156.64", + "10.151.129.181" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2236,8 +2236,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.166.90.130", - "10.73.89.189" + "10.73.89.189", + "10.166.90.130" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", diff --git a/x-pack/filebeat/module/o365/audit/config/input.yml b/x-pack/filebeat/module/o365/audit/config/input.yml index d41a5bb9aab..ec30daef127 100644 --- a/x-pack/filebeat/module/o365/audit/config/input.yml +++ b/x-pack/filebeat/module/o365/audit/config/input.yml @@ -62,4 +62,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json index 56a4f778e7f..12d780947fb 100644 --- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json @@ -48,6 +48,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -116,6 +117,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -184,6 +186,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -252,6 +255,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json index b5c79d506d1..6f54a5ce22f 100644 --- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json @@ -55,6 +55,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -131,6 +132,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -207,6 +209,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -283,6 +286,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -360,6 +364,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -436,6 +441,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -512,6 +518,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -589,6 +596,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -665,6 +673,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -741,6 +750,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -817,6 +827,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json index cea77b1153f..78cfca3dbfb 100644 --- a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json @@ -130,6 +130,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -273,6 +274,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -416,6 +418,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -570,6 +573,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -724,6 +728,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -885,6 +890,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1046,6 +1052,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1207,6 +1214,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1368,6 +1376,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1529,6 +1538,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1690,6 +1700,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1851,6 +1862,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2012,6 +2024,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2173,6 +2186,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2334,6 +2348,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2495,6 +2510,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2656,6 +2672,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2817,6 +2834,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2960,6 +2978,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3103,6 +3122,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3257,6 +3277,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3400,6 +3421,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3543,6 +3565,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3686,6 +3709,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3840,6 +3864,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4001,6 +4026,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4162,6 +4188,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4323,6 +4350,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4484,6 +4512,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4645,6 +4674,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4806,6 +4836,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4967,6 +4998,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5128,6 +5160,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5290,6 +5323,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5452,6 +5486,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5742,6 +5777,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5903,6 +5939,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6064,6 +6101,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6225,6 +6263,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6386,6 +6425,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6547,6 +6587,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6708,6 +6749,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6869,6 +6911,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7030,6 +7073,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7191,6 +7235,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7352,6 +7397,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7513,6 +7559,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7674,6 +7721,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7835,6 +7883,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7996,6 +8045,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8158,6 +8208,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8320,6 +8371,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8481,6 +8533,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8642,6 +8695,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8803,6 +8857,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8964,6 +9019,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9125,6 +9181,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9286,6 +9343,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9447,6 +9505,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9608,6 +9667,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9769,6 +9829,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9912,6 +9973,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10055,6 +10117,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10198,6 +10261,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10341,6 +10405,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10494,6 +10559,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10648,6 +10714,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10802,6 +10869,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10956,6 +11024,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11110,6 +11179,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11251,6 +11321,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11394,6 +11465,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11537,6 +11609,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11691,6 +11764,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11845,6 +11919,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11999,6 +12074,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12142,6 +12218,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12285,6 +12362,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12428,6 +12506,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12582,6 +12661,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12736,6 +12816,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12890,6 +12971,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13051,6 +13133,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13212,6 +13295,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13373,6 +13457,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13534,6 +13619,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13695,6 +13781,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13856,6 +13943,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14017,6 +14105,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14178,6 +14267,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14339,6 +14429,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14500,6 +14591,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14661,6 +14753,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14823,6 +14916,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14985,6 +15079,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15147,6 +15242,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15306,6 +15402,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15465,6 +15562,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15624,6 +15722,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index cc096b3acc2..97cb1f5bb01 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -305,6 +305,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -379,6 +380,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -454,6 +456,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -529,6 +532,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -604,6 +608,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 60c77401b35..5470038d6b8 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -77,6 +77,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -174,6 +175,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -271,6 +273,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -368,6 +371,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -465,6 +469,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -562,6 +567,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -659,6 +665,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -756,6 +763,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -853,6 +861,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -950,6 +959,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1047,6 +1057,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1144,6 +1155,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1241,6 +1253,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1338,6 +1351,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1434,6 +1448,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -1529,6 +1544,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1626,6 +1642,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1722,6 +1739,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -1817,6 +1835,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1914,6 +1933,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2011,6 +2031,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2108,6 +2129,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2205,6 +2227,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2302,6 +2325,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2399,6 +2423,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2496,6 +2521,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2593,6 +2619,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2690,6 +2717,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2787,6 +2815,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2883,6 +2912,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2981,6 +3011,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3067,6 +3098,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3162,6 +3194,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3248,6 +3281,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3344,6 +3378,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3430,6 +3465,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3526,6 +3562,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3623,6 +3660,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3720,6 +3758,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3806,6 +3845,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3902,6 +3942,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3998,6 +4039,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -4093,6 +4135,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4190,6 +4233,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4276,6 +4320,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4371,6 +4416,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4468,6 +4514,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4565,6 +4612,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4662,6 +4710,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4759,6 +4808,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4856,6 +4906,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4953,6 +5004,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5050,6 +5102,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5147,6 +5200,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5244,6 +5298,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5341,6 +5396,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5438,6 +5494,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5535,6 +5592,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5631,6 +5689,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -5726,6 +5785,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5823,6 +5883,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5920,6 +5981,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6017,6 +6079,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6114,6 +6177,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6211,6 +6275,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6308,6 +6373,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6405,6 +6471,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6502,6 +6569,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6599,6 +6667,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json index 4bd20443e07..e6326bf27b1 100644 --- a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json @@ -48,6 +48,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/okta/system/config/input.yml b/x-pack/filebeat/module/okta/system/config/input.yml index a544ab8dc65..487dfdf165e 100644 --- a/x-pack/filebeat/module/okta/system/config/input.yml +++ b/x-pack/filebeat/module/okta/system/config/input.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json index 437a7ea5627..39d00244185 100644 --- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json @@ -55,6 +55,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.7201, "source.geo.location.lon": -121.919, "source.geo.region_iso_code": "US-CA", @@ -130,6 +131,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.7201, "source.geo.location.lon": -121.919, "source.geo.region_iso_code": "US-CA", @@ -220,6 +222,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.7201, "source.geo.location.lon": -121.919, "source.geo.region_iso_code": "US-CA", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index 96530ab70f3..54a45d4465e 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json @@ -739,6 +739,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index 37735ccfce0..8e5df2e94e4 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -10,6 +10,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -104,6 +105,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -198,6 +200,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -292,6 +295,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -386,6 +390,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -480,6 +485,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -574,6 +580,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -668,6 +675,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -762,6 +770,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -856,6 +865,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -950,6 +960,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1044,6 +1055,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1138,6 +1150,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1232,6 +1245,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1325,6 +1339,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1419,6 +1434,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1512,6 +1528,7 @@ "destination.as.organization.name": "Leaseweb Deutschland GmbH", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.geo.name": "Germany", @@ -1603,6 +1620,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1697,6 +1715,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1791,6 +1810,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1885,6 +1905,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1979,6 +2000,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2073,6 +2095,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2167,6 +2190,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2261,6 +2285,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2355,6 +2380,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2449,6 +2475,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2543,6 +2570,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2637,6 +2665,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2731,6 +2760,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2825,6 +2855,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2919,6 +2950,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3013,6 +3045,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3106,6 +3139,7 @@ "destination.as.organization.name": "Castle Access Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3196,6 +3230,7 @@ "destination.as.organization.name": "INAMES", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "KR", + "destination.geo.country_name": "South Korea", "destination.geo.location.lat": 37.5112, "destination.geo.location.lon": 126.9741, "destination.geo.name": "Korea Republic Of", @@ -3286,6 +3321,7 @@ "destination.as.organization.name": "CJSC Registrar R01", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -3377,6 +3413,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3469,6 +3506,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3559,6 +3597,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3650,6 +3689,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3742,6 +3782,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3832,6 +3873,7 @@ "destination.as.organization.name": "Domain names registrar REG.RU, Ltd", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -3922,6 +3964,7 @@ "destination.as.organization.name": "Domain names registrar REG.RU, Ltd", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -4079,6 +4122,7 @@ "source.geo.city_name": "Fort Lauderdale", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 26.1792, "source.geo.location.lon": -80.1749, "source.geo.name": "United States", @@ -4103,6 +4147,7 @@ "destination.geo.city_name": "Kitchener", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 43.4419, "destination.geo.location.lon": -80.4216, "destination.geo.name": "Canada", @@ -4195,6 +4240,7 @@ "destination.as.organization.name": "Castle Access Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -4285,6 +4331,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "VG", + "destination.geo.country_name": "British Virgin Islands", "destination.geo.location.lat": 18.5, "destination.geo.location.lon": -64.5, "destination.geo.name": "Virgin Islands British", @@ -4375,6 +4422,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -4466,6 +4514,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4559,6 +4608,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4652,6 +4702,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4745,6 +4796,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4838,6 +4890,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -5000,6 +5053,7 @@ "source.geo.city_name": "Brea", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 33.9339, "source.geo.location.lon": -117.8854, "source.geo.name": "United States", @@ -5024,6 +5078,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -5186,6 +5241,7 @@ "source.geo.city_name": "Montreal", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "CA", + "source.geo.country_name": "Canada", "source.geo.location.lat": 45.4995, "source.geo.location.lon": -73.5848, "source.geo.name": "European Union", @@ -5278,6 +5334,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 30.294, "source.geo.location.lon": 120.1619, "source.geo.name": "China", @@ -5302,6 +5359,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -5463,6 +5521,7 @@ "source.as.organization.name": "NForce Entertainment B.V.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "NL", + "source.geo.country_name": "Netherlands", "source.geo.location.lat": 52.3824, "source.geo.location.lon": 4.8995, "source.geo.name": "Netherlands", @@ -5554,6 +5613,7 @@ "source.geo.city_name": "Montreal", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "CA", + "source.geo.country_name": "Canada", "source.geo.location.lat": 45.4995, "source.geo.location.lon": -73.5848, "source.geo.name": "European Union", @@ -5577,6 +5637,7 @@ "destination.as.organization.name": "YANDEX LLC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -5667,6 +5728,7 @@ "destination.as.organization.name": "YANDEX LLC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -5757,6 +5819,7 @@ "destination.as.organization.name": "YANDEX LLC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -5917,6 +5980,7 @@ "source.geo.city_name": "Brea", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 33.9339, "source.geo.location.lon": -117.8854, "source.geo.name": "United States", @@ -5941,6 +6005,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -6034,6 +6099,7 @@ "destination.geo.city_name": "Central", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "HK", + "destination.geo.country_name": "Hong Kong", "destination.geo.location.lat": 22.2909, "destination.geo.location.lon": 114.15, "destination.geo.name": "United States", @@ -6196,6 +6262,7 @@ "source.geo.city_name": "Redmond", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6722, "source.geo.location.lon": -122.1257, "source.geo.name": "United States", @@ -6289,6 +6356,7 @@ "source.geo.city_name": "Redmond", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6722, "source.geo.location.lon": -122.1257, "source.geo.name": "United States", @@ -6313,6 +6381,7 @@ "destination.geo.city_name": "Los Angeles", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.0544, "destination.geo.location.lon": -118.244, "destination.geo.name": "United States", @@ -6474,6 +6543,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -6495,6 +6565,7 @@ "destination.as.organization.name": "Pandora Media, Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -6654,6 +6725,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -6745,6 +6817,7 @@ "source.geo.city_name": "Oliva", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 38.9197, "source.geo.location.lon": -0.1193, "source.geo.name": "Ukraine", @@ -6837,6 +6910,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -6927,6 +7001,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7017,6 +7092,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7107,6 +7183,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7128,6 +7205,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -7287,6 +7365,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7377,6 +7456,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7467,6 +7547,7 @@ "source.as.organization.name": "Wikimedia Foundation Inc.", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7557,6 +7638,7 @@ "source.as.organization.name": "Wikimedia Foundation Inc.", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7648,6 +7730,7 @@ "source.geo.city_name": "Los Angeles", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 34.0544, "source.geo.location.lon": -118.244, "source.geo.name": "United States", @@ -7740,6 +7823,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7830,6 +7914,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7921,6 +8006,7 @@ "source.geo.city_name": "Liberal", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.0438, "source.geo.location.lon": -100.9286, "source.geo.name": "United States", @@ -8013,6 +8099,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8103,6 +8190,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8194,6 +8282,7 @@ "source.geo.city_name": "Albany", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 42.7008, "source.geo.location.lon": -73.8601, "source.geo.name": "United States", @@ -8286,6 +8375,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8307,6 +8397,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -8466,6 +8557,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8556,6 +8648,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8577,6 +8670,7 @@ "destination.as.organization.name": "Pandora Media, Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -8736,6 +8830,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8826,6 +8921,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8916,6 +9012,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -9006,6 +9103,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -9096,6 +9194,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -9186,6 +9285,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index 587b481636f..44f7a7790ab 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -13,6 +13,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -113,6 +114,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -211,6 +213,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -310,6 +313,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -411,6 +415,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -511,6 +516,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -609,6 +615,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -708,6 +715,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -809,6 +817,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -910,6 +919,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1011,6 +1021,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1112,6 +1123,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1213,6 +1225,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1314,6 +1327,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1415,6 +1429,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1516,6 +1531,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1617,6 +1633,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1718,6 +1735,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1819,6 +1837,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1919,6 +1938,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2017,6 +2037,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2116,6 +2137,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2216,6 +2238,7 @@ "destination.bytes": 98, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2315,6 +2338,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2416,6 +2440,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2517,6 +2542,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2617,6 +2643,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2715,6 +2742,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2814,6 +2842,7 @@ "destination.geo.city_name": "Westminster", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 33.7518, "destination.geo.location.lon": -117.9932, "destination.geo.region_iso_code": "US-CA", @@ -2915,6 +2944,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3015,6 +3045,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3114,6 +3145,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -3215,6 +3247,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3315,6 +3348,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3413,6 +3447,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3512,6 +3547,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3613,6 +3649,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3713,6 +3750,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3811,6 +3849,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3908,6 +3947,7 @@ "destination.bytes": 111, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4000,6 +4040,7 @@ "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -4098,6 +4139,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -4193,6 +4235,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -4294,6 +4337,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -4393,6 +4437,7 @@ "destination.bytes": 141, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4486,6 +4531,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -4586,6 +4632,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -4685,6 +4732,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -4785,6 +4833,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -4883,6 +4932,7 @@ "destination.bytes": 316, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -4981,6 +5031,7 @@ "destination.bytes": 121, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5079,6 +5130,7 @@ "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5177,6 +5229,7 @@ "destination.bytes": 954, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -5276,6 +5329,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -5377,6 +5431,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -5477,6 +5532,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5576,6 +5632,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -5676,6 +5733,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5774,6 +5832,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5873,6 +5932,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -5974,6 +6034,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -6074,6 +6135,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6172,6 +6234,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6270,6 +6333,7 @@ "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -6368,6 +6432,7 @@ "destination.bytes": 163, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6466,6 +6531,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6564,6 +6630,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6663,6 +6730,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -6763,6 +6831,7 @@ "destination.bytes": 922, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -6862,6 +6931,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -6962,6 +7032,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7060,6 +7131,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7159,6 +7231,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -7259,6 +7332,7 @@ "destination.bytes": 26786, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.5.1.1", @@ -7357,6 +7431,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7455,6 +7530,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7554,6 +7630,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -7747,6 +7824,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -7848,6 +7926,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -8133,6 +8212,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -8233,6 +8313,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8331,6 +8412,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8430,6 +8512,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -8530,6 +8613,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8720,6 +8804,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8819,6 +8904,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -8919,6 +9005,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -9017,6 +9104,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -9115,6 +9203,7 @@ "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -9214,6 +9303,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9315,6 +9405,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9416,6 +9507,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9609,6 +9701,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9710,6 +9803,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9811,6 +9905,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index 93fe08f75d9..de6c83a2fa1 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -10,6 +10,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -111,6 +112,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -212,6 +214,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -313,6 +316,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -414,6 +418,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -515,6 +520,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -616,6 +622,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -717,6 +724,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -818,6 +826,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -919,6 +928,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1020,6 +1030,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1121,6 +1132,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1222,6 +1234,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1323,6 +1336,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1424,6 +1438,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1525,6 +1540,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1626,6 +1642,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1727,6 +1744,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1828,6 +1846,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1929,6 +1948,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2030,6 +2050,7 @@ "destination.as.organization.name": "Akamai International B.V.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2131,6 +2152,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2232,6 +2254,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2333,6 +2356,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2434,6 +2458,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2535,6 +2560,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2636,6 +2662,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2737,6 +2764,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2838,6 +2866,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2939,6 +2968,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3040,6 +3070,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3141,6 +3172,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3242,6 +3274,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3343,6 +3376,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3444,6 +3478,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3545,6 +3580,7 @@ "destination.as.organization.name": "Fastly", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3647,6 +3683,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6109, "destination.geo.location.lon": -122.3303, "destination.geo.name": "United States", @@ -3751,6 +3788,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -3855,6 +3893,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -3959,6 +3998,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4063,6 +4103,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4167,6 +4208,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4271,6 +4313,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4375,6 +4418,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4479,6 +4523,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4583,6 +4628,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4687,6 +4733,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4791,6 +4838,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4895,6 +4943,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4999,6 +5048,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3861, "destination.geo.location.lon": -122.0839, "destination.geo.name": "United States", @@ -5102,6 +5152,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5203,6 +5254,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5304,6 +5356,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5405,6 +5458,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5506,6 +5560,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5607,6 +5662,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5708,6 +5764,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5809,6 +5866,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5910,6 +5968,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -6011,6 +6070,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -6113,6 +6173,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6217,6 +6278,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6321,6 +6383,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6425,6 +6488,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6529,6 +6593,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6633,6 +6698,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6737,6 +6803,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6841,6 +6908,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6945,6 +7013,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7049,6 +7118,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7153,6 +7223,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7257,6 +7328,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7361,6 +7433,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7465,6 +7538,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7569,6 +7643,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7673,6 +7748,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 5f979092c4b..200e02370d3 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -13,6 +13,7 @@ "destination.bytes": 5976, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.253.152", @@ -122,6 +123,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -232,6 +234,7 @@ "destination.geo.city_name": "Dallas", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 32.7787, "destination.geo.location.lon": -96.8217, "destination.geo.region_iso_code": "US-TX", @@ -343,6 +346,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -453,6 +457,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3861, "destination.geo.location.lon": -122.0839, "destination.geo.region_iso_code": "US-CA", @@ -564,6 +569,7 @@ "destination.bytes": 21111, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "209.234.224.22", @@ -673,6 +679,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -782,6 +789,7 @@ "destination.bytes": 3732, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.2.238", @@ -891,6 +899,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1000,6 +1009,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1109,6 +1119,7 @@ "destination.bytes": 5469, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "17.249.60.78", @@ -1218,6 +1229,7 @@ "destination.bytes": 224, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1327,6 +1339,7 @@ "destination.bytes": 117, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1436,6 +1449,7 @@ "destination.bytes": 307, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1545,6 +1559,7 @@ "destination.bytes": 365, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1654,6 +1669,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1763,6 +1779,7 @@ "destination.bytes": 161, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1872,6 +1889,7 @@ "destination.bytes": 7805, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "98.138.49.44", @@ -1981,6 +1999,7 @@ "destination.bytes": 6106, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "72.30.3.43", @@ -2090,6 +2109,7 @@ "destination.bytes": 196, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2199,6 +2219,7 @@ "destination.bytes": 3245, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.9.142", @@ -2308,6 +2329,7 @@ "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2418,6 +2440,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -2528,6 +2551,7 @@ "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.386, "destination.geo.location.lon": -122.0144, "destination.geo.region_iso_code": "US-CA", @@ -2639,6 +2663,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2748,6 +2773,7 @@ "destination.bytes": 130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2853,6 +2879,7 @@ "destination.bytes": 1991, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.9.142", @@ -2959,6 +2986,7 @@ "destination.bytes": 523, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "151.101.2.2", @@ -3069,6 +3097,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3861, "destination.geo.location.lon": -122.0839, "destination.geo.region_iso_code": "US-CA", @@ -3180,6 +3209,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -3289,6 +3319,7 @@ "destination.bytes": 196, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -3398,6 +3429,7 @@ "destination.bytes": 5003, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.253.193", @@ -3507,6 +3539,7 @@ "destination.bytes": 171, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -3615,6 +3648,7 @@ "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.386, "destination.geo.location.lon": -122.0144, "destination.geo.region_iso_code": "US-CA", @@ -3727,6 +3761,7 @@ "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.386, "destination.geo.location.lon": -122.0144, "destination.geo.region_iso_code": "US-CA", @@ -3839,6 +3874,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -3950,6 +3986,7 @@ "destination.bytes": 244, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4059,6 +4096,7 @@ "destination.bytes": 205, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4169,6 +4207,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -4389,6 +4428,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -4500,6 +4540,7 @@ "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.252.247", @@ -4610,6 +4651,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -4722,6 +4764,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -4833,6 +4876,7 @@ "destination.bytes": 182, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4942,6 +4986,7 @@ "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5052,6 +5097,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -5163,6 +5209,7 @@ "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.252.247", @@ -5380,6 +5427,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5485,6 +5533,7 @@ "destination.bytes": 144, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5594,6 +5643,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5703,6 +5753,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5812,6 +5863,7 @@ "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5921,6 +5973,7 @@ "destination.bytes": 132, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6030,6 +6083,7 @@ "destination.bytes": 127, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6139,6 +6193,7 @@ "destination.bytes": 105, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6248,6 +6303,7 @@ "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6357,6 +6413,7 @@ "destination.bytes": 134, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6466,6 +6523,7 @@ "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6575,6 +6633,7 @@ "destination.bytes": 218, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6684,6 +6743,7 @@ "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6793,6 +6853,7 @@ "destination.bytes": 305, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6903,6 +6964,7 @@ "destination.geo.city_name": "Lanham", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9705, "destination.geo.location.lon": -76.8388, "destination.geo.region_iso_code": "US-MD", @@ -7014,6 +7076,7 @@ "destination.bytes": 153, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7123,6 +7186,7 @@ "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7232,6 +7296,7 @@ "destination.bytes": 128, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7341,6 +7406,7 @@ "destination.bytes": 181, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7450,6 +7516,7 @@ "destination.bytes": 121, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7560,6 +7627,7 @@ "destination.geo.city_name": "San Antonio", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 29.4551, "destination.geo.location.lon": -98.6498, "destination.geo.region_iso_code": "US-TX", @@ -7671,6 +7739,7 @@ "destination.bytes": 315, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7780,6 +7849,7 @@ "destination.bytes": 130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7890,6 +7960,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.54, "destination.geo.location.lon": -122.3032, "destination.geo.region_iso_code": "US-WA", @@ -8001,6 +8072,7 @@ "destination.bytes": 149, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8110,6 +8182,7 @@ "destination.bytes": 202, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8219,6 +8292,7 @@ "destination.bytes": 195, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8328,6 +8402,7 @@ "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "208.83.246.20", @@ -8437,6 +8512,7 @@ "destination.bytes": 192, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8545,6 +8621,7 @@ "destination.bytes": 208, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8653,6 +8730,7 @@ "destination.bytes": 100, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8761,6 +8839,7 @@ "destination.bytes": 7237, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.6583, "destination.geo.location.lon": -77.2481, "destination.geo.region_iso_code": "US-VA", @@ -8871,6 +8950,7 @@ "destination.bytes": 109, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8980,6 +9060,7 @@ "destination.bytes": 116, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -9089,6 +9170,7 @@ "destination.bytes": 96, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -9199,6 +9281,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9311,6 +9394,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9423,6 +9507,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9534,6 +9619,7 @@ "destination.bytes": 7820, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.254.150.9", @@ -9644,6 +9730,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9756,6 +9843,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9868,6 +9956,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9980,6 +10069,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -10092,6 +10182,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -10203,6 +10294,7 @@ "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10312,6 +10404,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10421,6 +10514,7 @@ "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10530,6 +10624,7 @@ "destination.bytes": 170, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10639,6 +10734,7 @@ "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10748,6 +10844,7 @@ "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10857,6 +10954,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/pipeline.js b/x-pack/filebeat/module/proofpoint/emailsecurity/config/pipeline.js index 618356e4723..bc962bd964d 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/pipeline.js +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/pipeline.js @@ -21,20 +21,15 @@ function DeviceProcessor() { } } -var dup1 = // "Pattern{Constant('info'), Field(p0,false)}" -match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); +var dup1 = match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); -var dup2 = // "Pattern{Constant('rprt'), Field(p0,false)}" -match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); +var dup2 = match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); -var dup3 = // "Pattern{Constant('warn'), Field(p0,false)}" -match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); +var dup3 = match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); -var dup4 = // "Pattern{Constant('err'), Field(p0,false)}" -match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); +var dup4 = match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); -var dup5 = // "Pattern{Constant('note'), Field(p0,false)}" -match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); +var dup5 = match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); var dup6 = call({ dest: "nwparser.messageid", @@ -74,24 +69,19 @@ var dup12 = setc("dclass_counter1_string","No of attachments:"); var dup13 = setc("dclass_counter2_string","No of recipients:"); -var dup14 = // "Pattern{Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" -match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} sampling=%{fld19}"); +var dup14 = match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} sampling=%{fld19}"); -var dup15 = // "Pattern{Field(hostip,false)}" -match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); +var dup15 = match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); var dup16 = setc("eventcategory","1207030000"); var dup17 = setc("eventcategory","1207000000"); -var dup18 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); +var dup18 = match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); -var dup19 = // "Pattern{Constant('attachment='), Field(fld58,true), Constant(' file='), Field(fld1,true), Constant(' mod='), Field(p0,false)}" -match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); +var dup19 = match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); -var dup20 = // "Pattern{Constant('mod='), Field(p0,false)}" -match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); +var dup20 = match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); var dup21 = call({ dest: "nwparser.filename", @@ -103,11 +93,9 @@ var dup21 = call({ var dup22 = setc("eventcategory","1207040200"); -var dup23 = // "Pattern{Constant('vendor='), Field(fld36,true), Constant(' version="'), Field(component_version,false), Constant('" duration='), Field(p0,false)}" -match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); +var dup23 = match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); -var dup24 = // "Pattern{Field(duration_string,false)}" -match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); +var dup24 = match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); var dup25 = setc("eventcategory","1003010000"); @@ -115,29 +103,21 @@ var dup26 = setc("eventcategory","1003000000"); var dup27 = setc("eventcategory","1207040000"); -var dup28 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); +var dup28 = match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); -var dup29 = // "Pattern{Constant('['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); +var dup29 = match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); -var dup30 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); +var dup30 = match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); -var dup31 = // "Pattern{Field(dhost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); +var dup31 = match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); -var dup32 = // "Pattern{Field(,false), Constant('dsn='), Field(resultcode,false), Constant(', stat='), Field(info,false)}" -match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); +var dup32 = match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); -var dup33 = // "Pattern{Constant('['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); +var dup33 = match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); -var dup34 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); +var dup34 = match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); -var dup35 = // "Pattern{Field(dhost,false)}" -match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); +var dup35 = match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); var dup36 = date_time({ dest: "event_time", @@ -147,29 +127,21 @@ var dup36 = date_time({ ], }); -var dup37 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: STARTTLS='), Field(fld1,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); +var dup37 = match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); -var dup38 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var dup38 = match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); -var dup39 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); +var dup39 = match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); -var dup40 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); +var dup40 = match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); -var dup41 = // "Pattern{Field(,false), Constant('field='), Field(fld2,false), Constant(', status='), Field(info,false)}" -match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); +var dup41 = match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); -var dup42 = // "Pattern{Field(,false), Constant('version='), Field(fld55,false), Constant(', verify='), Field(fld57,false), Constant(', cipher='), Field(fld58,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); +var dup42 = match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); -var dup43 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(fld71,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); +var dup43 = match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); -var dup44 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var dup44 = match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); var dup45 = linear_select([ dup1, @@ -189,62 +161,52 @@ var dup47 = linear_select([ dup20, ]); -var dup48 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' vendor='), Field(fld36,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' signatures='), Field(fld94,false)}" -match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ +var dup48 = match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ dup26, dup9, ])); -var dup49 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var dup49 = match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); -var dup50 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var dup50 = match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); -var dup51 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' action='), Field(action,true), Constant(' dict='), Field(fld37,true), Constant(' file='), Field(filename,false)}" -match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ +var dup51 = match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ dup17, dup9, ])); -var dup52 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ +var dup52 = match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ dup17, dup9, ])); -var dup53 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,false)}" -match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ +var dup53 = match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ dup27, dup9, ])); -var dup54 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' version='), Field(fld55,false)}" -match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ +var dup54 = match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ dup17, dup9, ])); -var dup55 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sig='), Field(fld60,false)}" -match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ +var dup55 = match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ dup17, dup9, ])); -var dup56 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,false)}" -match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ +var dup56 = match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ dup17, dup9, ])); -var dup57 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' addr='), Field(saddr,false)}" -match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ +var dup57 = match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ dup17, dup9, ])); @@ -263,20 +225,17 @@ var dup59 = linear_select([ dup35, ]); -var dup60 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': timeout waiting for input from '), Field(fld11,true), Constant(' during server cmd read')}" -match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ +var dup60 = match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ dup17, dup9, ])); -var dup61 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(event_description,false)}" -match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ +var dup61 = match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ dup17, dup9, ])); -var dup62 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' '), Field(web_method,true), Constant(' /'), Field(info,false), Constant(': '), Field(resultcode,false)}" -match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ +var dup62 = match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ dup17, dup9, ])); @@ -351,8 +310,7 @@ var dup68 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hdate,false), Constant('T'), Field(htime,false), Constant('.'), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld3,false), Constant(']: '), Field(p0,false)}" -match("HEADER#0:0024/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{hinstance}[%{hfld3}]: %{p0}", processor_chain([ +var hdr1 = match("HEADER#0:0024/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{hinstance}[%{hfld3}]: %{p0}", processor_chain([ call({ dest: "nwparser.payload", fn: STRCAT, @@ -366,8 +324,7 @@ match("HEADER#0:0024/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{h }), ])); -var part1 = // "Pattern{Field(,false), Constant('s='), Field(hfld4,true), Constant(' cmd=send '), Field(p0,false)}" -match("HEADER#0:0024/2", "nwparser.p0", "%{}s=%{hfld4->} cmd=send %{p0}"); +var part1 = match("HEADER#0:0024/2", "nwparser.p0", "%{}s=%{hfld4->} cmd=send %{p0}"); var all1 = all_match({ processors: [ @@ -381,11 +338,9 @@ var all1 = all_match({ ]), }); -var hdr2 = // "Pattern{Field(hdate,false), Constant('T'), Field(htime,false), Constant('.'), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(messageid,false), Constant('['), Field(hfld3,false), Constant(']: '), Field(p0,false)}" -match("HEADER#1:0023/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]: %{p0}"); +var hdr2 = match("HEADER#1:0023/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]: %{p0}"); -var part2 = // "Pattern{Field(,true), Constant(' '), Field(payload,false)}" -match("HEADER#1:0023/2", "nwparser.p0", "%{} %{payload}"); +var part2 = match("HEADER#1:0023/2", "nwparser.p0", "%{} %{payload}"); var all2 = all_match({ processors: [ @@ -398,8 +353,7 @@ var all2 = all_match({ ]), }); -var hdr3 = // "Pattern{Field(hdate,false), Constant('T'), Field(htime,false), Constant('.'), Field(hfld1,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(messageid,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(p0,false)}" -match("HEADER#2:0025", "message", "%{hdate}T%{htime}.%{hfld1->} %{hinstance->} %{messageid}[%{hfld2}]: %{p0}", processor_chain([ +var hdr3 = match("HEADER#2:0025", "message", "%{hdate}T%{htime}.%{hfld1->} %{hinstance->} %{messageid}[%{hfld2}]: %{p0}", processor_chain([ setc("header_id","0025"), call({ dest: "nwparser.payload", @@ -414,8 +368,7 @@ match("HEADER#2:0025", "message", "%{hdate}T%{htime}.%{hfld1->} %{hinstance->} % }), ])); -var hdr4 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hostname,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld4,false), Constant(']: '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' attachment='), Field(hfld7,true), Constant(' file='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0026", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %{hinstance}[%{hfld4}]: %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr4 = match("HEADER#3:0026", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %{hinstance}[%{hfld4}]: %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0026"), dup6, call({ @@ -447,8 +400,7 @@ match("HEADER#3:0026", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname-> }), ])); -var hdr5 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' attachment='), Field(hfld7,true), Constant(' file='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#4:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr5 = match("HEADER#4:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0003"), dup6, call({ @@ -478,8 +430,7 @@ match("HEADER#4:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance- }), ])); -var hdr6 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(hseverity,true), Constant(' s='), Field(hfld3,true), Constant(' m='), Field(hfld4,true), Constant(' x='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#5:0015", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} m=%{hfld4->} x=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr6 = match("HEADER#5:0015", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} m=%{hfld4->} x=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0015"), dup6, call({ @@ -507,8 +458,7 @@ match("HEADER#5:0015", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % }), ])); -var hdr7 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(hseverity,true), Constant(' s='), Field(hfld3,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#6:0016", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr7 = match("HEADER#6:0016", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0016"), dup6, call({ @@ -532,8 +482,7 @@ match("HEADER#6:0016", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % }), ])); -var hdr8 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(severity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' '), Field(p0,false)}" -match("HEADER#7:0017", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ +var hdr8 = match("HEADER#7:0017", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ setc("header_id","0017"), call({ dest: "nwparser.messageid", @@ -546,8 +495,7 @@ match("HEADER#7:0017", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % dup7, ])); -var hdr9 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant(': '), Field(hseverity,true), Constant(' s='), Field(hfld2,true), Constant(' m='), Field(hfld3,true), Constant(' x='), Field(hfld4,true), Constant(' cmd='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#8:0018", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} cmd=%{messageid->} %{p0}", processor_chain([ +var hdr9 = match("HEADER#8:0018", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} cmd=%{messageid->} %{p0}", processor_chain([ setc("header_id","0018"), call({ dest: "nwparser.payload", @@ -570,8 +518,7 @@ match("HEADER#8:0018", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % }), ])); -var hdr10 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld2,true), Constant(' mod='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#9:0019", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance->} %{hseverity->} s=%{hfld2->} mod=%{messageid->} %{p0}", processor_chain([ +var hdr10 = match("HEADER#9:0019", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance->} %{hseverity->} s=%{hfld2->} mod=%{messageid->} %{p0}", processor_chain([ setc("header_id","0019"), call({ dest: "nwparser.payload", @@ -590,8 +537,7 @@ match("HEADER#9:0019", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % }), ])); -var hdr11 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(hseverity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,false), Constant('='), Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#10:0020", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} mod=%{msgIdPart1->} %{msgIdPart2}=%{hfld3->} %{p0}", processor_chain([ +var hdr11 = match("HEADER#10:0020", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} mod=%{msgIdPart1->} %{msgIdPart2}=%{hfld3->} %{p0}", processor_chain([ setc("header_id","0020"), dup6, call({ @@ -615,8 +561,7 @@ match("HEADER#10:0020", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} }), ])); -var hdr12 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(severity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' '), Field(p0,false)}" -match("HEADER#11:0021", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ +var hdr12 = match("HEADER#11:0021", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ setc("header_id","0021"), call({ dest: "nwparser.messageid", @@ -629,8 +574,7 @@ match("HEADER#11:0021", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} dup7, ])); -var hdr13 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant(': '), Field(hseverity,true), Constant(' s='), Field(hfld2,true), Constant(' m='), Field(hfld3,true), Constant(' x='), Field(hfld4,true), Constant(' '), Field(msgIdPart1,false), Constant('='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#12:0022", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} %{msgIdPart1}=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr13 = match("HEADER#12:0022", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} %{msgIdPart1}=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0022"), dup6, call({ @@ -656,8 +600,7 @@ match("HEADER#12:0022", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} }), ])); -var hdr14 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#13:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr14 = match("HEADER#13:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0001"), dup6, call({ @@ -683,8 +626,7 @@ match("HEADER#13:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr15 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' cmd='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#14:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} cmd=%{messageid->} %{p0}", processor_chain([ +var hdr15 = match("HEADER#14:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} cmd=%{messageid->} %{p0}", processor_chain([ setc("header_id","0008"), call({ dest: "nwparser.payload", @@ -707,8 +649,7 @@ match("HEADER#14:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr16 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#15:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr16 = match("HEADER#15:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0002"), dup6, call({ @@ -730,8 +671,7 @@ match("HEADER#15:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr17 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' mod='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#16:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{messageid->} %{p0}", processor_chain([ +var hdr17 = match("HEADER#16:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{messageid->} %{p0}", processor_chain([ setc("header_id","0007"), call({ dest: "nwparser.payload", @@ -750,8 +690,7 @@ match("HEADER#16:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr18 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' cmd='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#17:0012", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} cmd=%{messageid->} %{p0}", processor_chain([ +var hdr18 = match("HEADER#17:0012", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} cmd=%{messageid->} %{p0}", processor_chain([ setc("header_id","0012"), call({ dest: "nwparser.payload", @@ -770,8 +709,7 @@ match("HEADER#17:0012", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr19 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' type='), Field(hfld5,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#18:0004", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} type=%{hfld5->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr19 = match("HEADER#18:0004", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} type=%{hfld5->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0004"), dup6, call({ @@ -793,8 +731,7 @@ match("HEADER#18:0004", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr20 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' pid='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#19:0005", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} pid=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr20 = match("HEADER#19:0005", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} pid=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0005"), dup6, call({ @@ -816,8 +753,7 @@ match("HEADER#19:0005", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr21 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#20:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr21 = match("HEADER#20:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0006"), dup6, call({ @@ -837,8 +773,7 @@ match("HEADER#20:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr22 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' mod='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#21:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{messageid->} %{p0}", processor_chain([ +var hdr22 = match("HEADER#21:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{messageid->} %{p0}", processor_chain([ setc("header_id","0009"), call({ dest: "nwparser.payload", @@ -855,8 +790,7 @@ match("HEADER#21:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr23 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld1,false), Constant(']: '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#22:0014", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld2->} %{hinstance}[%{hfld1}]: %{messageid->} %{p0}", processor_chain([ +var hdr23 = match("HEADER#22:0014", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld2->} %{hinstance}[%{hfld1}]: %{messageid->} %{p0}", processor_chain([ setc("header_id","0014"), call({ dest: "nwparser.payload", @@ -873,8 +807,7 @@ match("HEADER#22:0014", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld2->} }), ])); -var hdr24 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(messageid,false), Constant('['), Field(hfld1,false), Constant(']: '), Field(p0,false)}" -match("HEADER#23:0013", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid}[%{hfld1}]: %{p0}", processor_chain([ +var hdr24 = match("HEADER#23:0013", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid}[%{hfld1}]: %{p0}", processor_chain([ setc("header_id","0013"), call({ dest: "nwparser.payload", @@ -891,8 +824,7 @@ match("HEADER#23:0013", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr25 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#24:0011", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid->} %{p0}", processor_chain([ +var hdr25 = match("HEADER#24:0011", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0011"), call({ dest: "nwparser.payload", @@ -907,8 +839,7 @@ match("HEADER#24:0011", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr26 = // "Pattern{Field(messageid,false), Constant('['), Field(hfld1,false), Constant(']: '), Field(p0,false)}" -match("HEADER#25:0010", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ +var hdr26 = match("HEADER#25:0010", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ setc("header_id","0010"), call({ dest: "nwparser.payload", @@ -952,16 +883,14 @@ var select1 = linear_select([ hdr26, ]); -var part3 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' r='), Field(event_counter,true), Constant(' value='), Field(to,true), Constant(' verified='), Field(fld3,true), Constant(' routes='), Field(fld4,false)}" -match("MESSAGE#0:mail_env_rcpt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ +var part3 = match("MESSAGE#0:mail_env_rcpt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ dup8, dup9, ])); var msg1 = msg("mail_env_rcpt", part3); -var part4 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' r='), Field(event_counter,true), Constant(' value='), Field(to,true), Constant(' verified='), Field(fld3,true), Constant(' routes='), Field(fld4,false)}" -match("MESSAGE#1:mail_env_rcpt:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ +var part4 = match("MESSAGE#1:mail_env_rcpt:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ dup8, dup9, ])); @@ -973,32 +902,28 @@ var select2 = linear_select([ msg2, ]); -var part5 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,true), Constant(' a='), Field(fld12,false)}" -match("MESSAGE#2:mail_attachment", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ +var part5 = match("MESSAGE#2:mail_attachment", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ dup10, dup9, ])); var msg3 = msg("mail_attachment", part5); -var part6 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,true), Constant(' a='), Field(fld12,false)}" -match("MESSAGE#3:mail_attachment:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ +var part6 = match("MESSAGE#3:mail_attachment:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ dup10, dup9, ])); var msg4 = msg("mail_attachment:01", part6); -var part7 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,false)}" -match("MESSAGE#4:mail_attachment:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ +var part7 = match("MESSAGE#4:mail_attachment:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ dup10, dup9, ])); var msg5 = msg("mail_attachment:02", part7); -var part8 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,false)}" -match("MESSAGE#5:mail_attachment:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ +var part8 = match("MESSAGE#5:mail_attachment:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ dup10, dup9, ])); @@ -1012,8 +937,7 @@ var select3 = linear_select([ msg6, ]); -var part9 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#6:mail_msg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part9 = match("MESSAGE#6:mail_msg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1022,8 +946,7 @@ match("MESSAGE#6:mail_msg", "nwparser.payload", "%{fld0->} %{severity->} s=%{ses var msg7 = msg("mail_msg", part9); -var part10 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#7:mail_msg:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part10 = match("MESSAGE#7:mail_msg:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1032,8 +955,7 @@ match("MESSAGE#7:mail_msg:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{ var msg8 = msg("mail_msg:01", part10); -var part11 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#8:mail_msg:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part11 = match("MESSAGE#8:mail_msg:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1042,8 +964,7 @@ match("MESSAGE#8:mail_msg:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{ var msg9 = msg("mail_msg:04", part11); -var part12 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#9:mail_msg:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part12 = match("MESSAGE#9:mail_msg:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1052,8 +973,7 @@ match("MESSAGE#9:mail_msg:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{ var msg10 = msg("mail_msg:02", part12); -var part13 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#10:mail_msg:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part13 = match("MESSAGE#10:mail_msg:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1070,8 +990,7 @@ var select4 = linear_select([ msg11, ]); -var part14 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(to,true), Constant(' ofrom='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(p0,false)}" -match("MESSAGE#11:mail_env_from:ofrom/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); +var part14 = match("MESSAGE#11:mail_env_from:ofrom/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); var all3 = all_match({ processors: [ @@ -1086,16 +1005,14 @@ var all3 = all_match({ var msg12 = msg("mail_env_from:ofrom", all3); -var part15 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(to,true), Constant(' ofrom='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" -match("MESSAGE#12:mail_env_from:ofrom:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ +var part15 = match("MESSAGE#12:mail_env_from:ofrom:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ dup16, dup9, ])); var msg13 = msg("mail_env_from:ofrom:01", part15); -var part16 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(p0,false)}" -match("MESSAGE#13:mail_env_from/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); +var part16 = match("MESSAGE#13:mail_env_from/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); var all4 = all_match({ processors: [ @@ -1110,8 +1027,7 @@ var all4 = all_match({ var msg14 = msg("mail_env_from", all4); -var part17 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" -match("MESSAGE#14:mail_env_from:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ +var part17 = match("MESSAGE#14:mail_env_from:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ dup16, dup9, ])); @@ -1125,16 +1041,14 @@ var select5 = linear_select([ msg15, ]); -var part18 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(ddomain,true), Constant(' routes='), Field(fld4,false)}" -match("MESSAGE#15:mail_helo", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ +var part18 = match("MESSAGE#15:mail_helo", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ dup17, dup9, ])); var msg16 = msg("mail_helo", part18); -var part19 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(ddomain,true), Constant(' routes='), Field(fld4,false)}" -match("MESSAGE#16:mail_helo:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ +var part19 = match("MESSAGE#16:mail_helo:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ dup17, dup9, ])); @@ -1146,33 +1060,27 @@ var select6 = linear_select([ msg17, ]); -var part20 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#17:mail_continue-system-sendmail", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} err=%{fld58}", processor_chain([ +var part20 = match("MESSAGE#17:mail_continue-system-sendmail", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg18 = msg("mail_continue-system-sendmail", part20); -var part21 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#18:mail_release", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=%{result->} err=%{fld58}", processor_chain([ +var part21 = match("MESSAGE#18:mail_release", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg19 = msg("mail_release", part21); -var part22 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#19:session_data/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} %{p0}"); +var part22 = match("MESSAGE#19:session_data/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} %{p0}"); -var part23 = // "Pattern{Constant('rcpt_notroutes='), Field(fld20,true), Constant(' data_routes='), Field(fld21,false)}" -match("MESSAGE#19:session_data/1_0", "nwparser.p0", "rcpt_notroutes=%{fld20->} data_routes=%{fld21}"); +var part23 = match("MESSAGE#19:session_data/1_0", "nwparser.p0", "rcpt_notroutes=%{fld20->} data_routes=%{fld21}"); -var part24 = // "Pattern{Constant('rcpt='), Field(to,true), Constant(' suborg='), Field(fld22,false)}" -match("MESSAGE#19:session_data/1_1", "nwparser.p0", "rcpt=%{to->} suborg=%{fld22}"); +var part24 = match("MESSAGE#19:session_data/1_1", "nwparser.p0", "rcpt=%{to->} suborg=%{fld22}"); -var part25 = // "Pattern{Constant('from='), Field(from,true), Constant(' suborg='), Field(fld22,false)}" -match("MESSAGE#19:session_data/1_2", "nwparser.p0", "from=%{from->} suborg=%{fld22}"); +var part25 = match("MESSAGE#19:session_data/1_2", "nwparser.p0", "from=%{from->} suborg=%{fld22}"); var select7 = linear_select([ part23, @@ -1193,8 +1101,7 @@ var all5 = all_match({ var msg20 = msg("session_data", all5); -var part26 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rcpt_notroutes='), Field(fld20,true), Constant(' data_routes='), Field(fld21,false)}" -match("MESSAGE#20:session_data:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rcpt_notroutes=%{fld20->} data_routes=%{fld21}", processor_chain([ +var part26 = match("MESSAGE#20:session_data:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rcpt_notroutes=%{fld20->} data_routes=%{fld21}", processor_chain([ dup17, dup9, ])); @@ -1206,16 +1113,14 @@ var select8 = linear_select([ msg21, ]); -var part27 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' folder='), Field(fld22,true), Constant(' pri='), Field(fld23,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#21:session_store", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ +var part27 = match("MESSAGE#21:session_store", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg22 = msg("session_store", part27); -var part28 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' folder='), Field(fld22,true), Constant(' pri='), Field(fld23,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#22:session_store:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ +var part28 = match("MESSAGE#22:session_store:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); @@ -1227,16 +1132,14 @@ var select9 = linear_select([ msg23, ]); -var part29 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" -match("MESSAGE#23:session_headers", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ +var part29 = match("MESSAGE#23:session_headers", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ dup17, dup9, ])); var msg24 = msg("session_headers", part29); -var part30 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" -match("MESSAGE#24:session_headers:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ +var part30 = match("MESSAGE#24:session_headers:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ dup17, dup9, ])); @@ -1248,8 +1151,7 @@ var select10 = linear_select([ msg25, ]); -var part31 = // "Pattern{Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,false)}" -match("MESSAGE#25:session_judge/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}"); +var part31 = match("MESSAGE#25:session_judge/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}"); var all6 = all_match({ processors: [ @@ -1266,8 +1168,7 @@ var all6 = all_match({ var msg26 = msg("session_judge", all6); -var part32 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,false)}" -match("MESSAGE#26:session_judge:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}", processor_chain([ +var part32 = match("MESSAGE#26:session_judge:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}", processor_chain([ dup17, dup9, ])); @@ -1279,16 +1180,14 @@ var select11 = linear_select([ msg27, ]); -var part33 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' ip='), Field(hostip,true), Constant(' country='), Field(location_country,true), Constant(' lip='), Field(fld24,true), Constant(' prot='), Field(fld25,true), Constant(' hops_active='), Field(fld26,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' perlwait='), Field(fld27,false)}" -match("MESSAGE#27:session_connect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ +var part33 = match("MESSAGE#27:session_connect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ dup17, dup9, ])); var msg28 = msg("session_connect", part33); -var part34 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' ip='), Field(hostip,true), Constant(' country='), Field(location_country,true), Constant(' lip='), Field(fld24,true), Constant(' prot='), Field(fld25,true), Constant(' hops_active='), Field(fld26,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' perlwait='), Field(fld27,false)}" -match("MESSAGE#28:session_connect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ +var part34 = match("MESSAGE#28:session_connect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ dup17, dup9, ])); @@ -1300,16 +1199,14 @@ var select12 = linear_select([ msg29, ]); -var part35 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' host='), Field(hostname,true), Constant(' resolve='), Field(fld28,true), Constant(' reverse='), Field(fld13,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" -match("MESSAGE#29:session_resolve", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ +var part35 = match("MESSAGE#29:session_resolve", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ dup17, dup9, ])); var msg30 = msg("session_resolve", part35); -var part36 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' host='), Field(hostname,true), Constant(' resolve='), Field(fld28,true), Constant(' reverse='), Field(fld13,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" -match("MESSAGE#30:session_resolve:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ +var part36 = match("MESSAGE#30:session_resolve:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ dup17, dup9, ])); @@ -1321,16 +1218,14 @@ var select13 = linear_select([ msg31, ]); -var part37 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' ip='), Field(hostip,true), Constant(' rate='), Field(fld29,true), Constant(' crate='), Field(fld30,true), Constant(' limit='), Field(fld31,false)}" -match("MESSAGE#31:session_throttle", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ +var part37 = match("MESSAGE#31:session_throttle", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ dup17, dup9, ])); var msg32 = msg("session_throttle", part37); -var part38 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' ip='), Field(hostip,true), Constant(' rate='), Field(fld29,true), Constant(' crate='), Field(fld30,true), Constant(' limit='), Field(fld31,false)}" -match("MESSAGE#32:session_throttle:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ +var part38 = match("MESSAGE#32:session_throttle:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ dup17, dup9, ])); @@ -1342,24 +1237,21 @@ var select14 = linear_select([ msg33, ]); -var part39 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' rate='), Field(fld58,false)}" -match("MESSAGE#33:session_dispose", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ +var part39 = match("MESSAGE#33:session_dispose", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ dup22, dup9, ])); var msg34 = msg("session_dispose", part39); -var part40 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' rate='), Field(fld58,false)}" -match("MESSAGE#34:session_dispose:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ +var part40 = match("MESSAGE#34:session_dispose:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ dup22, dup9, ])); var msg35 = msg("session_dispose:01", part40); -var part41 = // "Pattern{Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,false)}" -match("MESSAGE#35:session_dispose:02/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}"); +var part41 = match("MESSAGE#35:session_dispose:02/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}"); var all7 = all_match({ processors: [ @@ -1376,8 +1268,7 @@ var all7 = all_match({ var msg36 = msg("session_dispose:02", all7); -var part42 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,false)}" -match("MESSAGE#36:session_dispose:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}", processor_chain([ +var part42 = match("MESSAGE#36:session_dispose:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}", processor_chain([ dup22, dup9, ])); @@ -1391,8 +1282,7 @@ var select15 = linear_select([ msg37, ]); -var part43 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' helo='), Field(fld32,true), Constant(' msgs='), Field(fld33,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#37:session_disconnect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part43 = match("MESSAGE#37:session_disconnect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup17, dup9, dup13, @@ -1400,8 +1290,7 @@ match("MESSAGE#37:session_disconnect", "nwparser.payload", "%{fld0->} %{severity var msg38 = msg("session_disconnect", part43); -var part44 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' helo='), Field(fld32,true), Constant(' msgs='), Field(fld33,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#38:session_disconnect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part44 = match("MESSAGE#38:session_disconnect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup17, dup9, dup13, @@ -1414,14 +1303,11 @@ var select16 = linear_select([ msg39, ]); -var part45 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(fld1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' name='), Field(fld34,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#39:av_run:02/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{fld1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} %{p0}"); +var part45 = match("MESSAGE#39:av_run:02/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{fld1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} %{p0}"); -var part46 = // "Pattern{Constant('cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#39:av_run:02/1_0", "nwparser.p0", "cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); +var part46 = match("MESSAGE#39:av_run:02/1_0", "nwparser.p0", "cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); -var part47 = // "Pattern{Constant('vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#39:av_run:02/1_2", "nwparser.p0", "vendor=%{fld36->} duration=%{p0}"); +var part47 = match("MESSAGE#39:av_run:02/1_2", "nwparser.p0", "vendor=%{fld36->} duration=%{p0}"); var select17 = linear_select([ part46, @@ -1444,22 +1330,18 @@ var all8 = all_match({ var msg40 = msg("av_run:02", all8); -var part48 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(filename,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' name='), Field(fld34,true), Constant(' cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#40:av_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ +var part48 = match("MESSAGE#40:av_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ dup25, dup9, ])); var msg41 = msg("av_run:03", part48); -var part49 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#41:av_run/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} %{p0}"); +var part49 = match("MESSAGE#41:av_run/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} %{p0}"); -var part50 = // "Pattern{Constant('name='), Field(fld34,true), Constant(' cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#41:av_run/1_1", "nwparser.p0", "name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); +var part50 = match("MESSAGE#41:av_run/1_1", "nwparser.p0", "name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); -var part51 = // "Pattern{Constant('name='), Field(fld34,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#41:av_run/1_2", "nwparser.p0", "name=%{fld34->} vendor=%{fld36->} duration=%{p0}"); +var part51 = match("MESSAGE#41:av_run/1_2", "nwparser.p0", "name=%{fld34->} vendor=%{fld36->} duration=%{p0}"); var select18 = linear_select([ dup23, @@ -1481,8 +1363,7 @@ var all9 = all_match({ var msg42 = msg("av_run", all9); -var part52 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' name='), Field(fld34,true), Constant(' cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#42:av_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ +var part52 = match("MESSAGE#42:av_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ dup25, dup9, ])); @@ -1500,24 +1381,21 @@ var msg44 = msg("av_refresh", dup48); var msg45 = msg("av_init", dup48); -var part53 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#45:av_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ +var part53 = match("MESSAGE#45:av_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ dup26, dup9, ])); var msg46 = msg("av_load", part53); -var part54 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(filename,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#46:access_run:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part54 = match("MESSAGE#46:access_run:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg47 = msg("access_run:02", part54); -var part55 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(filename,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#47:access_run:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part55 = match("MESSAGE#47:access_run:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); @@ -1535,8 +1413,7 @@ var select20 = linear_select([ msg50, ]); -var part56 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' action='), Field(action,true), Constant(' dict='), Field(fld37,true), Constant(' file='), Field(filename,false)}" -match("MESSAGE#50:access_refresh", "nwparser.payload", "%{fld0->} %{severity->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ +var part56 = match("MESSAGE#50:access_refresh", "nwparser.payload", "%{fld0->} %{severity->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ dup17, dup9, ])); @@ -1556,36 +1433,29 @@ var msg54 = msg("regulation_init", dup51); var msg55 = msg("regulation_refresh", dup51); -var part57 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} %{p0}"); +var part57 = match("MESSAGE#55:spam_run:rule/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} %{p0}"); -var part58 = // "Pattern{Constant('ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/1_0", "nwparser.p0", "ipscore=%{fld40->} suspectscore=%{p0}"); +var part58 = match("MESSAGE#55:spam_run:rule/1_0", "nwparser.p0", "ipscore=%{fld40->} suspectscore=%{p0}"); -var part59 = // "Pattern{Constant('suspectscore='), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/1_1", "nwparser.p0", "suspectscore=%{p0}"); +var part59 = match("MESSAGE#55:spam_run:rule/1_1", "nwparser.p0", "suspectscore=%{p0}"); var select22 = linear_select([ part58, part59, ]); -var part60 = // "Pattern{Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/2", "nwparser.p0", "%{fld41->} phishscore=%{fld42->} %{p0}"); +var part60 = match("MESSAGE#55:spam_run:rule/2", "nwparser.p0", "%{fld41->} phishscore=%{fld42->} %{p0}"); -var part61 = // "Pattern{Constant('bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/3_0", "nwparser.p0", "bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{p0}"); +var part61 = match("MESSAGE#55:spam_run:rule/3_0", "nwparser.p0", "bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{p0}"); -var part62 = // "Pattern{Constant('adultscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld43,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/3_1", "nwparser.p0", "adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{p0}"); +var part62 = match("MESSAGE#55:spam_run:rule/3_1", "nwparser.p0", "adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{p0}"); var select23 = linear_select([ part61, part62, ]); -var part63 = // "Pattern{Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#55:spam_run:rule/4", "nwparser.p0", "%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}"); +var part63 = match("MESSAGE#55:spam_run:rule/4", "nwparser.p0", "%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}"); var all10 = all_match({ processors: [ @@ -1603,64 +1473,56 @@ var all10 = all_match({ var msg56 = msg("spam_run:rule", all10); -var part64 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#56:spam_run:rule_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ +var part64 = match("MESSAGE#56:spam_run:rule_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ dup27, dup9, ])); var msg57 = msg("spam_run:rule_02", part64); -var part65 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' ndrscore='), Field(fld57,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' adjustscore='), Field(fld58,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#57:spam_run:rule_03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld57->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld58->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ +var part65 = match("MESSAGE#57:spam_run:rule_03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld57->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld58->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ dup27, dup9, ])); var msg58 = msg("spam_run:rule_03", part65); -var part66 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' kscore.is_bulkscore='), Field(fld57,true), Constant(' kscore.compositescore='), Field(fld40,true), Constant(' circleOfTrustscore='), Field(fld41,true), Constant(' compositescore='), Field(fld42,true), Constant(' urlsuspect_oldscore='), Field(fld43,true), Constant(' suspectscore='), Field(reputation_num,true), Constant(' recipient_domain_to_sender_totalscore='), Field(fld58,true), Constant(' phishscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld45,true), Constant(' kscore.is_spamscore='), Field(fld46,true), Constant(' recipient_to_sender_totalscore='), Field(fld47,true), Constant(' recipient_domain_to_sender_domain_totalscore='), Field(fld48,true), Constant(' rbsscore='), Field(fld49,true), Constant(' spamscore='), Field(fld50,true), Constant(' recipient_to_sender_domain_totalscore='), Field(fld51,true), Constant(' urlsuspectscore='), Field(fld52,true), Constant(' '), Field(fld53,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#58:spam_run:rule_04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} kscore.is_bulkscore=%{fld57->} kscore.compositescore=%{fld40->} circleOfTrustscore=%{fld41->} compositescore=%{fld42->} urlsuspect_oldscore=%{fld43->} suspectscore=%{reputation_num->} recipient_domain_to_sender_totalscore=%{fld58->} phishscore=%{fld44->} bulkscore=%{fld45->} kscore.is_spamscore=%{fld46->} recipient_to_sender_totalscore=%{fld47->} recipient_domain_to_sender_domain_totalscore=%{fld48->} rbsscore=%{fld49->} spamscore=%{fld50->} recipient_to_sender_domain_totalscore=%{fld51->} urlsuspectscore=%{fld52->} %{fld53->} duration=%{duration_string}", processor_chain([ +var part66 = match("MESSAGE#58:spam_run:rule_04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} kscore.is_bulkscore=%{fld57->} kscore.compositescore=%{fld40->} circleOfTrustscore=%{fld41->} compositescore=%{fld42->} urlsuspect_oldscore=%{fld43->} suspectscore=%{reputation_num->} recipient_domain_to_sender_totalscore=%{fld58->} phishscore=%{fld44->} bulkscore=%{fld45->} kscore.is_spamscore=%{fld46->} recipient_to_sender_totalscore=%{fld47->} recipient_domain_to_sender_domain_totalscore=%{fld48->} rbsscore=%{fld49->} spamscore=%{fld50->} recipient_to_sender_domain_totalscore=%{fld51->} urlsuspectscore=%{fld52->} %{fld53->} duration=%{duration_string}", processor_chain([ dup27, dup9, ])); var msg59 = msg("spam_run:rule_04", part66); -var part67 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' ndrscore='), Field(fld53,true), Constant(' suspectscore='), Field(fld40,true), Constant(' malwarescore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' adjustscore='), Field(fld54,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#59:spam_run:rule_05", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld53->} suspectscore=%{fld40->} malwarescore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld54->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ +var part67 = match("MESSAGE#59:spam_run:rule_05", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld53->} suspectscore=%{fld40->} malwarescore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld54->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ dup27, dup9, ])); var msg60 = msg("spam_run:rule_05", part67); -var part68 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' mod='), Field(agent,true), Constant(' total_uri_count='), Field(dclass_counter1,true), Constant(' uris_excluded_from_report_info='), Field(dclass_counter2,false)}" -match("MESSAGE#60:spam_run:rule_06", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} mod=%{agent->} total_uri_count=%{dclass_counter1->} uris_excluded_from_report_info=%{dclass_counter2}", processor_chain([ +var part68 = match("MESSAGE#60:spam_run:rule_06", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} mod=%{agent->} total_uri_count=%{dclass_counter1->} uris_excluded_from_report_info=%{dclass_counter2}", processor_chain([ dup27, dup9, ])); var msg61 = msg("spam_run:rule_06", part68); -var part69 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' score='), Field(fld39,true), Constant(' submsgadjust='), Field(fld53,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' tests='), Field(fld52,false)}" -match("MESSAGE#61:spam_run:action_01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ +var part69 = match("MESSAGE#61:spam_run:action_01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ dup27, dup9, ])); var msg62 = msg("spam_run:action_01", part69); -var part70 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' score='), Field(fld39,true), Constant(' submsgadjust='), Field(fld53,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' tests='), Field(fld52,false)}" -match("MESSAGE#62:spam_run:action", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ +var part70 = match("MESSAGE#62:spam_run:action", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ dup27, dup9, ])); var msg63 = msg("spam_run:action", part70); -var part71 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' num_domains='), Field(fld53,true), Constant(' num_domains_to_lookup='), Field(fld40,false)}" -match("MESSAGE#63:spam_run:action_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} num_domains=%{fld53->} num_domains_to_lookup=%{fld40}", processor_chain([ +var part71 = match("MESSAGE#63:spam_run:action_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} num_domains=%{fld53->} num_domains_to_lookup=%{fld40}", processor_chain([ dup27, dup9, ])); @@ -1683,24 +1545,21 @@ var msg65 = msg("spam_refresh", dup53); var msg66 = msg("spam_init", dup53); -var part72 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#66:spam_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ +var part72 = match("MESSAGE#66:spam_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ dup27, dup9, ])); var msg67 = msg("spam_load", part72); -var part73 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' policy='), Field(fld38,true), Constant(' address='), Field(fld54,false)}" -match("MESSAGE#67:batv_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ +var part73 = match("MESSAGE#67:batv_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ dup17, dup9, ])); var msg68 = msg("batv_run", part73); -var part74 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' policy='), Field(fld38,true), Constant(' address='), Field(fld54,false)}" -match("MESSAGE#68:batv_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ +var part74 = match("MESSAGE#68:batv_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ dup17, dup9, ])); @@ -1724,16 +1583,14 @@ var msg73 = msg("zerohour_init", dup54); var msg74 = msg("zerohour_load", dup52); -var part75 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' count='), Field(fld2,true), Constant(' name='), Field(fld34,true), Constant(' init_time='), Field(fld3,true), Constant(' init_virusthreat='), Field(fld4,true), Constant(' virusthreat='), Field(fld5,true), Constant(' virusthreatid='), Field(fld6,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#74:zerohour_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ +var part75 = match("MESSAGE#74:zerohour_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg75 = msg("zerohour_run", part75); -var part76 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' count='), Field(fld2,true), Constant(' name='), Field(fld34,true), Constant(' init_time='), Field(fld3,true), Constant(' init_virusthreat='), Field(fld4,true), Constant(' virusthreat='), Field(fld5,true), Constant(' virusthreatid='), Field(fld6,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#75:zerohour_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ +var part76 = match("MESSAGE#75:zerohour_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); @@ -1745,40 +1602,35 @@ var select26 = linear_select([ msg76, ]); -var part77 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#76:service_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} duration=%{duration_string}", processor_chain([ +var part77 = match("MESSAGE#76:service_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg77 = msg("service_refresh", part77); -var part78 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#77:perl_clone", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} duration=%{duration_string}", processor_chain([ +var part78 = match("MESSAGE#77:perl_clone", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg78 = msg("perl_clone", part78); -var part79 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cset='), Field(fld56,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#78:cvt_convert", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ +var part79 = match("MESSAGE#78:cvt_convert", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg79 = msg("cvt_convert", part79); -var part80 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cset='), Field(fld56,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#79:cvt_convert:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ +var part80 = match("MESSAGE#79:cvt_convert:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg80 = msg("cvt_convert:01", part80); -var part81 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cset='), Field(fld56,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#80:cvt_convert:02", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ +var part81 = match("MESSAGE#80:cvt_convert:02", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); @@ -1791,8 +1643,7 @@ var select27 = linear_select([ msg81, ]); -var part82 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#81:cvt_detect", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ +var part82 = match("MESSAGE#81:cvt_detect", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); @@ -1808,8 +1659,7 @@ var select28 = linear_select([ msg84, ]); -var part83 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(fld5,true), Constant(' mod='), Field(agent,true), Constant(' encrypted='), Field(fld6,false)}" -match("MESSAGE#84:cvtd_encrypted", "nwparser.payload", "%{fld0->} %{severity->} pid=%{fld5->} mod=%{agent->} encrypted=%{fld6}", processor_chain([ +var part83 = match("MESSAGE#84:cvtd_encrypted", "nwparser.payload", "%{fld0->} %{severity->} pid=%{fld5->} mod=%{agent->} encrypted=%{fld6}", processor_chain([ dup17, dup9, ])); @@ -1829,8 +1679,7 @@ var msg88 = msg("soap_listen", dup57); var msg89 = msg("http_listen", dup57); -var part84 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' '), Field(event_description,false)}" -match("MESSAGE#89:mltr", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{event_description}", processor_chain([ +var part84 = match("MESSAGE#89:mltr", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{event_description}", processor_chain([ dup17, dup9, ])); @@ -1843,22 +1692,18 @@ var msg92 = msg("smtpsrv_load", dup52); var msg93 = msg("smtpsrv_listen", dup57); -var part85 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#93:smtpsrv_run", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part85 = match("MESSAGE#93:smtpsrv_run", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg94 = msg("smtpsrv_run", part85); -var part86 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#94:smtpsrv/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{p0}"); +var part86 = match("MESSAGE#94:smtpsrv/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{p0}"); -var part87 = // "Pattern{Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#94:smtpsrv/1_0", "nwparser.p0", "%{result->} err=%{fld58}"); +var part87 = match("MESSAGE#94:smtpsrv/1_0", "nwparser.p0", "%{result->} err=%{fld58}"); -var part88 = // "Pattern{Field(result,false)}" -match_copy("MESSAGE#94:smtpsrv/1_1", "nwparser.p0", "result"); +var part88 = match_copy("MESSAGE#94:smtpsrv/1_1", "nwparser.p0", "result"); var select30 = linear_select([ part87, @@ -1878,24 +1723,21 @@ var all11 = all_match({ var msg95 = msg("smtpsrv", all11); -var part89 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' cmd='), Field(obj_type,true), Constant(' profile='), Field(fld52,true), Constant(' qid='), Field(fld15,true), Constant(' rcpts='), Field(to,false)}" -match("MESSAGE#95:send", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ +var part89 = match("MESSAGE#95:send", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ dup17, dup9, ])); var msg96 = msg("send", part89); -var part90 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' cmd='), Field(obj_type,true), Constant(' profile='), Field(fld52,true), Constant(' qid='), Field(fld15,true), Constant(' rcpts='), Field(to,false)}" -match("MESSAGE#96:send:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ +var part90 = match("MESSAGE#96:send:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ dup17, dup9, ])); var msg97 = msg("send:01", part90); -var part91 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' cmd='), Field(obj_type,true), Constant(' rcpt='), Field(to,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#97:send:02", "nwparser.payload", "%{fld0}: %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} rcpt=%{to->} err=%{fld58}", processor_chain([ +var part91 = match("MESSAGE#97:send:02", "nwparser.payload", "%{fld0}: %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} rcpt=%{to->} err=%{fld58}", processor_chain([ dup17, dup9, ])); @@ -1908,22 +1750,18 @@ var select31 = linear_select([ msg98, ]); -var part92 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(p0,false)}" -match("MESSAGE#98:queued-alert/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{p0}"); +var part92 = match("MESSAGE#98:queued-alert/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{p0}"); -var part93 = // "Pattern{Field(fld55,true), Constant(' tls_verify='), Field(fld70,false), Constant(', pri='), Field(p0,false)}" -match("MESSAGE#98:queued-alert/1_0", "nwparser.p0", "%{fld55->} tls_verify=%{fld70}, pri=%{p0}"); +var part93 = match("MESSAGE#98:queued-alert/1_0", "nwparser.p0", "%{fld55->} tls_verify=%{fld70}, pri=%{p0}"); -var part94 = // "Pattern{Field(fld55,false), Constant(', pri='), Field(p0,false)}" -match("MESSAGE#98:queued-alert/1_1", "nwparser.p0", "%{fld55}, pri=%{p0}"); +var part94 = match("MESSAGE#98:queued-alert/1_1", "nwparser.p0", "%{fld55}, pri=%{p0}"); var select32 = linear_select([ part93, part94, ]); -var part95 = // "Pattern{Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#98:queued-alert/2", "nwparser.p0", "%{fld23}, relay=%{p0}"); +var part95 = match("MESSAGE#98:queued-alert/2", "nwparser.p0", "%{fld23}, relay=%{p0}"); var all12 = all_match({ processors: [ @@ -1941,11 +1779,9 @@ var all12 = all_match({ var msg99 = msg("queued-alert", all12); -var part96 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(authmethod,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#99:queued-alert:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); +var part96 = match("MESSAGE#99:queued-alert:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); -var part97 = // "Pattern{Constant('['), Field(fld50,false), Constant('] ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}]"); +var part97 = match("MESSAGE#99:queued-alert:01/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}]"); var select33 = linear_select([ part97, @@ -1968,8 +1804,7 @@ var all13 = all_match({ var msg100 = msg("queued-alert:01", all13); -var part98 = // "Pattern{Constant('['), Field(fld50,false), Constant('] ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#100:queued-alert:02/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}],%{p0}"); +var part98 = match("MESSAGE#100:queued-alert:02/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}],%{p0}"); var select34 = linear_select([ part98, @@ -1978,8 +1813,7 @@ var select34 = linear_select([ dup31, ]); -var part99 = // "Pattern{Field(,false), Constant('version='), Field(version,false), Constant(', verify='), Field(fld57,false), Constant(', cipher='), Field(s_cipher,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#100:queued-alert:02/2", "nwparser.p0", "%{}version=%{version}, verify=%{fld57}, cipher=%{s_cipher}, bits=%{fld59}"); +var part99 = match("MESSAGE#100:queued-alert:02/2", "nwparser.p0", "%{}version=%{version}, verify=%{fld57}, cipher=%{s_cipher}, bits=%{fld59}"); var all14 = all_match({ processors: [ @@ -2037,8 +1871,7 @@ var msg111 = msg("queued-reinject:02", dup65); var msg112 = msg("queued-reinject:03", dup66); -var part100 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': maxrcpts='), Field(fld56,false), Constant(', rcpts='), Field(fld57,false), Constant(', count='), Field(fld58,false), Constant(', ids='), Field(fld59,false)}" -match("MESSAGE#111:queued-reinject:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: maxrcpts=%{fld56}, rcpts=%{fld57}, count=%{fld58}, ids=%{fld59}", processor_chain([ +var part100 = match("MESSAGE#111:queued-reinject:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: maxrcpts=%{fld56}, rcpts=%{fld57}, count=%{fld58}, ids=%{fld59}", processor_chain([ dup17, dup9, ])); @@ -2059,8 +1892,7 @@ var select38 = linear_select([ msg115, ]); -var part101 = // "Pattern{Field(,false), Constant('version='), Field(version,false), Constant(', verify='), Field(disposition,false), Constant(', cipher='), Field(fld58,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#114:queued-eurort/2", "nwparser.p0", "%{}version=%{version}, verify=%{disposition}, cipher=%{fld58}, bits=%{fld59}"); +var part101 = match("MESSAGE#114:queued-eurort/2", "nwparser.p0", "%{}version=%{version}, verify=%{disposition}, cipher=%{fld58}, bits=%{fld59}"); var all15 = all_match({ processors: [ @@ -2100,16 +1932,14 @@ var select40 = linear_select([ var msg122 = msg("sm-msp-queue", dup66); -var part102 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: starting daemon ('), Field(fld7,false), Constant('): '), Field(fld6,false)}" -match("MESSAGE#122:sm-msp-queue:01", "nwparser.payload", "%{agent}[%{process_id}]: starting daemon (%{fld7}): %{fld6}", processor_chain([ +var part102 = match("MESSAGE#122:sm-msp-queue:01", "nwparser.payload", "%{agent}[%{process_id}]: starting daemon (%{fld7}): %{fld6}", processor_chain([ setc("eventcategory","1605000000"), dup9, ])); var msg123 = msg("sm-msp-queue:01", part102); -var part103 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', ctladdr='), Field(fld13,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#123:sm-msp-queue:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, ctladdr=%{fld13}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var part103 = match("MESSAGE#123:sm-msp-queue:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, ctladdr=%{fld13}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); var all16 = all_match({ processors: [ @@ -2131,14 +1961,11 @@ var select41 = linear_select([ msg124, ]); -var part104 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', tls_verify='), Field(fld24,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#124:sendmail:15/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, tls_verify=%{fld24}, pri=%{fld23}, relay=%{p0}"); +var part104 = match("MESSAGE#124:sendmail:15/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, tls_verify=%{fld24}, pri=%{fld23}, relay=%{p0}"); -var part105 = // "Pattern{Field(dhost,false), Constant('. ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#124:sendmail:15/1_1", "nwparser.p0", "%{dhost}. [%{daddr}],%{p0}"); +var part105 = match("MESSAGE#124:sendmail:15/1_1", "nwparser.p0", "%{dhost}. [%{daddr}],%{p0}"); -var part106 = // "Pattern{Field(dhost,false), Constant('.,'), Field(p0,false)}" -match("MESSAGE#124:sendmail:15/1_2", "nwparser.p0", "%{dhost}.,%{p0}"); +var part106 = match("MESSAGE#124:sendmail:15/1_2", "nwparser.p0", "%{dhost}.,%{p0}"); var select42 = linear_select([ dup28, @@ -2160,14 +1987,11 @@ var all17 = all_match({ var msg125 = msg("sendmail:15", all17); -var part107 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld54,false), Constant(', nrcpts='), Field(fld55,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(p0,false)}" -match("MESSAGE#125:sendmail:14/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld54}, nrcpts=%{fld55}, msgid=%{id}, proto=%{protocol}, daemon=%{p0}"); +var part107 = match("MESSAGE#125:sendmail:14/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld54}, nrcpts=%{fld55}, msgid=%{id}, proto=%{protocol}, daemon=%{p0}"); -var part108 = // "Pattern{Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(authmethod,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#125:sendmail:14/1_0", "nwparser.p0", "%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); +var part108 = match("MESSAGE#125:sendmail:14/1_0", "nwparser.p0", "%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); -var part109 = // "Pattern{Field(fld69,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#125:sendmail:14/1_1", "nwparser.p0", "%{fld69}, relay=%{p0}"); +var part109 = match("MESSAGE#125:sendmail:14/1_1", "nwparser.p0", "%{fld69}, relay=%{p0}"); var select43 = linear_select([ part108, @@ -2190,62 +2014,53 @@ var msg126 = msg("sendmail:14", all18); var msg127 = msg("sendmail", dup68); -var part110 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': available mech='), Field(fld2,false), Constant(', allowed mech='), Field(fld3,false)}" -match("MESSAGE#127:sendmail:01", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: available mech=%{fld2}, allowed mech=%{fld3}", processor_chain([ +var part110 = match("MESSAGE#127:sendmail:01", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: available mech=%{fld2}, allowed mech=%{fld3}", processor_chain([ dup17, dup9, ])); var msg128 = msg("sendmail:01", part110); -var part111 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': milter='), Field(fld2,false), Constant(', action='), Field(action,false), Constant(', reject='), Field(fld3,false)}" -match("MESSAGE#128:sendmail:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: milter=%{fld2}, action=%{action}, reject=%{fld3}", processor_chain([ +var part111 = match("MESSAGE#128:sendmail:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: milter=%{fld2}, action=%{action}, reject=%{fld3}", processor_chain([ dup17, dup9, ])); var msg129 = msg("sendmail:02", part111); -var part112 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': '), Field(fld57,false), Constant(': host='), Field(hostname,false), Constant(', addr='), Field(saddr,false), Constant(', reject='), Field(fld3,false)}" -match("MESSAGE#129:sendmail:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}: host=%{hostname}, addr=%{saddr}, reject=%{fld3}", processor_chain([ +var part112 = match("MESSAGE#129:sendmail:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}: host=%{hostname}, addr=%{saddr}, reject=%{fld3}", processor_chain([ dup17, dup9, ])); var msg130 = msg("sendmail:03", part112); -var part113 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': Milter '), Field(action,false), Constant(': '), Field(fld2,false), Constant(': '), Field(fld3,false), Constant(': vendor='), Field(fld36,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' signatures='), Field(fld94,false)}" -match("MESSAGE#130:sendmail:08", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ +var part113 = match("MESSAGE#130:sendmail:08", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ dup17, dup9, ])); var msg131 = msg("sendmail:08", part113); -var part114 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': Milter '), Field(action,false), Constant(': '), Field(fld2,false), Constant(': '), Field(fld3,false), Constant(': rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' adultscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld43,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,false)}" -match("MESSAGE#131:sendmail:09", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} suspectscore=%{fld41->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ +var part114 = match("MESSAGE#131:sendmail:09", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} suspectscore=%{fld41->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ dup17, dup9, ])); var msg132 = msg("sendmail:09", part114); -var part115 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': Milter '), Field(action,false), Constant(': rcpt'), Field(p0,false)}" -match("MESSAGE#132:sendmail:10/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: rcpt%{p0}"); +var part115 = match("MESSAGE#132:sendmail:10/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: rcpt%{p0}"); -var part116 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#132:sendmail:10/1_0", "nwparser.p0", ": %{p0}"); +var part116 = match("MESSAGE#132:sendmail:10/1_0", "nwparser.p0", ": %{p0}"); -var part117 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#132:sendmail:10/1_1", "nwparser.p0", "p0"); +var part117 = match_copy("MESSAGE#132:sendmail:10/1_1", "nwparser.p0", "p0"); var select44 = linear_select([ part116, part117, ]); -var part118 = // "Pattern{Field(,true), Constant(' '), Field(fld2,false)}" -match("MESSAGE#132:sendmail:10/2", "nwparser.p0", "%{} %{fld2}"); +var part118 = match("MESSAGE#132:sendmail:10/2", "nwparser.p0", "%{} %{fld2}"); var all19 = all_match({ processors: [ @@ -2261,8 +2076,7 @@ var all19 = all_match({ var msg133 = msg("sendmail:10", all19); -var part119 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: STARTTLS='), Field(fld1,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#133:sendmail:11/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); +var part119 = match("MESSAGE#133:sendmail:11/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); var all20 = all_match({ processors: [ @@ -2278,27 +2092,23 @@ var all20 = all_match({ var msg134 = msg("sendmail:11", all20); -var part120 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': SYSERR('), Field(fld2,false), Constant('): '), Field(action,false), Constant(': '), Field(event_description,true), Constant(' from '), Field(from,false), Constant(', from='), Field(fld3,false)}" -match("MESSAGE#134:sendmail:12", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} from %{from}, from=%{fld3}", processor_chain([ +var part120 = match("MESSAGE#134:sendmail:12", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} from %{from}, from=%{fld3}", processor_chain([ dup17, dup9, ])); var msg135 = msg("sendmail:12", part120); -var part121 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant(']'), Field(p0,false)}" -match("MESSAGE#135:sendmail:13/0_0", "nwparser.payload", "%{fld10->} %{agent}]%{p0}"); +var part121 = match("MESSAGE#135:sendmail:13/0_0", "nwparser.payload", "%{fld10->} %{agent}]%{p0}"); -var part122 = // "Pattern{Field(agent,false), Constant(']'), Field(p0,false)}" -match("MESSAGE#135:sendmail:13/0_1", "nwparser.payload", "%{agent}]%{p0}"); +var part122 = match("MESSAGE#135:sendmail:13/0_1", "nwparser.payload", "%{agent}]%{p0}"); var select45 = linear_select([ part121, part122, ]); -var part123 = // "Pattern{Field(process_id,false), Constant('[: '), Field(fld1,false), Constant(': SYSERR('), Field(fld2,false), Constant('): '), Field(action,false), Constant(': '), Field(event_description,true), Constant(' file '), Field(filename,false), Constant(': '), Field(fld3,false)}" -match("MESSAGE#135:sendmail:13/1", "nwparser.p0", "%{process_id}[: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} file %{filename}: %{fld3}"); +var part123 = match("MESSAGE#135:sendmail:13/1", "nwparser.p0", "%{process_id}[: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} file %{filename}: %{fld3}"); var all21 = all_match({ processors: [ @@ -2313,27 +2123,23 @@ var all21 = all_match({ var msg136 = msg("sendmail:13", all21); -var part124 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': '), Field(fld57,false), Constant(':'), Field(event_description,false)}" -match("MESSAGE#136:sendmail:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}:%{event_description}", processor_chain([ +var part124 = match("MESSAGE#136:sendmail:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}:%{event_description}", processor_chain([ dup17, dup9, ])); var msg137 = msg("sendmail:04", part124); -var part125 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(':'), Field(event_description,false)}" -match("MESSAGE#137:sendmail:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}:%{event_description}", processor_chain([ +var part125 = match("MESSAGE#137:sendmail:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}:%{event_description}", processor_chain([ dup17, dup9, ])); var msg138 = msg("sendmail:05", part125); -var part126 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: AUTH='), Field(authmethod,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#169:sendmail:06/0", "nwparser.payload", "%{agent}[%{process_id}]: AUTH=%{authmethod}, relay=%{p0}"); +var part126 = match("MESSAGE#169:sendmail:06/0", "nwparser.payload", "%{agent}[%{process_id}]: AUTH=%{authmethod}, relay=%{p0}"); -var part127 = // "Pattern{Field(,false), Constant('authid='), Field(uid,false), Constant(', mech='), Field(scheme,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#169:sendmail:06/2", "nwparser.p0", "%{}authid=%{uid}, mech=%{scheme}, bits=%{fld59}"); +var part127 = match("MESSAGE#169:sendmail:06/2", "nwparser.p0", "%{}authid=%{uid}, mech=%{scheme}, bits=%{fld59}"); var all22 = all_match({ processors: [ @@ -2370,24 +2176,21 @@ var select46 = linear_select([ msg140, ]); -var part128 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' pid='), Field(process_id,true), Constant(' status='), Field(fld29,false)}" -match("MESSAGE#138:info:eid_pid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} pid=%{process_id->} status=%{fld29}", processor_chain([ +var part128 = match("MESSAGE#138:info:eid_pid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} pid=%{process_id->} status=%{fld29}", processor_chain([ dup17, dup9, ])); var msg141 = msg("info:eid_pid_status", part128); -var part129 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' status='), Field(fld29,false)}" -match("MESSAGE#139:info:eid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=%{fld29}", processor_chain([ +var part129 = match("MESSAGE#139:info:eid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=%{fld29}", processor_chain([ dup17, dup9, ])); var msg142 = msg("info:eid_status", part129); -var part130 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' '), Field(info,false)}" -match("MESSAGE#140:info:eid", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} %{info}", processor_chain([ +var part130 = match("MESSAGE#140:info:eid", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} %{info}", processor_chain([ dup17, dup9, ])); @@ -2396,17 +2199,13 @@ var msg143 = msg("info:eid", part130); var msg144 = msg("info:pid", dup62); -var part131 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(p0,false)}" -match("MESSAGE#143:info/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{p0}"); +var part131 = match("MESSAGE#143:info/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{p0}"); -var part132 = // "Pattern{Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' ofrom='), Field(from,false)}" -match("MESSAGE#143:info/1_0", "nwparser.p0", "%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ofrom=%{from}"); +var part132 = match("MESSAGE#143:info/1_0", "nwparser.p0", "%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ofrom=%{from}"); -var part133 = // "Pattern{Field(sessionid1,true), Constant(' status='), Field(info,true), Constant(' restquery_stage='), Field(fld3,false)}" -match("MESSAGE#143:info/1_1", "nwparser.p0", "%{sessionid1->} status=%{info->} restquery_stage=%{fld3}"); +var part133 = match("MESSAGE#143:info/1_1", "nwparser.p0", "%{sessionid1->} status=%{info->} restquery_stage=%{fld3}"); -var part134 = // "Pattern{Field(sessionid1,false)}" -match_copy("MESSAGE#143:info/1_2", "nwparser.p0", "sessionid1"); +var part134 = match_copy("MESSAGE#143:info/1_2", "nwparser.p0", "sessionid1"); var select47 = linear_select([ part132, @@ -2427,38 +2226,32 @@ var all23 = all_match({ var msg145 = msg("info", all23); -var part135 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sys='), Field(fld1,true), Constant(' evt='), Field(action,true), Constant(' active='), Field(fld2,true), Constant(' expires='), Field(fld3,true), Constant(' msg='), Field(event_description,false)}" -match("MESSAGE#144:info:02", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{action->} active=%{fld2->} expires=%{fld3->} msg=%{event_description}", processor_chain([ +var part135 = match("MESSAGE#144:info:02", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{action->} active=%{fld2->} expires=%{fld3->} msg=%{event_description}", processor_chain([ dup17, dup9, ])); var msg146 = msg("info:02", part135); -var part136 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' server='), Field(saddr,true), Constant(' elapsed='), Field(duration_string,true), Constant(' avgtime='), Field(fld2,true), Constant(' qname='), Field(fld3,true), Constant(' qtype='), Field(fld4,false)}" -match("MESSAGE#145:info:03", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} server=%{saddr->} elapsed=%{duration_string->} avgtime=%{fld2->} qname=%{fld3->} qtype=%{fld4}", processor_chain([ +var part136 = match("MESSAGE#145:info:03", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} server=%{saddr->} elapsed=%{duration_string->} avgtime=%{fld2->} qname=%{fld3->} qtype=%{fld4}", processor_chain([ dup17, dup9, ])); var msg147 = msg("info:03", part136); -var part137 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' '), Field(web_method,true), Constant(' /'), Field(info,false), Constant(': '), Field(resultcode,false)}" -match("MESSAGE#146:info:01", "nwparser.payload", "%{fld0->} %{severity->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ +var part137 = match("MESSAGE#146:info:01", "nwparser.payload", "%{fld0->} %{severity->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ dup17, dup9, ])); var msg148 = msg("info:01", part137); -var part138 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sys='), Field(fld1,true), Constant(' evt='), Field(p0,false)}" -match("MESSAGE#147:info:04/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{p0}"); +var part138 = match("MESSAGE#147:info:04/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{p0}"); -var part139 = // "Pattern{Field(action,true), Constant(' msg='), Field(event_description,false)}" -match("MESSAGE#147:info:04/1_0", "nwparser.p0", "%{action->} msg=%{event_description}"); +var part139 = match("MESSAGE#147:info:04/1_0", "nwparser.p0", "%{action->} msg=%{event_description}"); -var part140 = // "Pattern{Field(action,false)}" -match_copy("MESSAGE#147:info:04/1_1", "nwparser.p0", "action"); +var part140 = match_copy("MESSAGE#147:info:04/1_1", "nwparser.p0", "action"); var select48 = linear_select([ part139, @@ -2478,14 +2271,11 @@ var all24 = all_match({ var msg149 = msg("info:04", all24); -var part141 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#148:info:05/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} %{p0}"); +var part141 = match("MESSAGE#148:info:05/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} %{p0}"); -var part142 = // "Pattern{Constant('type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#148:info:05/1_0", "nwparser.p0", "type=%{fld6->} cmd=%{obj_type->} id=%{fld5}"); +var part142 = match("MESSAGE#148:info:05/1_0", "nwparser.p0", "type=%{fld6->} cmd=%{obj_type->} id=%{fld5}"); -var part143 = // "Pattern{Constant('cmd='), Field(obj_type,false)}" -match("MESSAGE#148:info:05/1_1", "nwparser.p0", "cmd=%{obj_type}"); +var part143 = match("MESSAGE#148:info:05/1_1", "nwparser.p0", "cmd=%{obj_type}"); var select49 = linear_select([ part142, @@ -2520,8 +2310,7 @@ var select50 = linear_select([ var msg151 = msg("note:pid", dup62); -var part144 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' module='), Field(agent,true), Constant(' action='), Field(action,true), Constant(' size='), Field(bytes,false)}" -match("MESSAGE#149:note:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} module=%{agent->} action=%{action->} size=%{bytes}", processor_chain([ +var part144 = match("MESSAGE#149:note:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} module=%{agent->} action=%{action->} size=%{bytes}", processor_chain([ dup17, dup9, ])); @@ -2533,40 +2322,35 @@ var select51 = linear_select([ msg152, ]); -var part145 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' secprofile_name='), Field(fld3,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#150:rprt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} secprofile_name=%{fld3->} rcpts=%{dclass_counter2->} duration=%{duration_string}", processor_chain([ +var part145 = match("MESSAGE#150:rprt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} secprofile_name=%{fld3->} rcpts=%{dclass_counter2->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg153 = msg("rprt", part145); -var part146 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' module='), Field(agent,true), Constant(' age='), Field(fld6,true), Constant(' limit='), Field(fld31,false)}" -match("MESSAGE#151:err", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} module=%{agent->} age=%{fld6->} limit=%{fld31}", processor_chain([ +var part146 = match("MESSAGE#151:err", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} module=%{agent->} age=%{fld6->} limit=%{fld31}", processor_chain([ dup17, dup9, ])); var msg154 = msg("err", part146); -var part147 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' eid='), Field(fld4,true), Constant(' result='), Field(result,false)}" -match("MESSAGE#152:warn", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} eid=%{fld4->} result=%{result}", processor_chain([ +var part147 = match("MESSAGE#152:warn", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} eid=%{fld4->} result=%{result}", processor_chain([ dup17, dup9, ])); var msg155 = msg("warn", part147); -var part148 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' status="'), Field(event_state,true), Constant(' file: '), Field(filename,false), Constant('"')}" -match("MESSAGE#153:warn:01", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file: %{filename}\"", processor_chain([ +var part148 = match("MESSAGE#153:warn:01", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file: %{filename}\"", processor_chain([ dup17, dup9, ])); var msg156 = msg("warn:01", part148); -var part149 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' status="'), Field(event_state,true), Constant(' file '), Field(filename,true), Constant(' does not contain enough (or correct) info. Fix this or remove the file."')}" -match("MESSAGE#154:warn:02", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file %{filename->} does not contain enough (or correct) info. Fix this or remove the file.\"", processor_chain([ +var part149 = match("MESSAGE#154:warn:02", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file %{filename->} does not contain enough (or correct) info. Fix this or remove the file.\"", processor_chain([ dup17, dup9, setc("event_description","does not contain enough (or correct) info. Fix this or remove the file"), @@ -2584,14 +2368,11 @@ var msg158 = msg("queued-aglife", dup68); var msg159 = msg("pdr_run", dup50); -var part150 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' ttl='), Field(fld1,true), Constant(' reply="'), Field(p0,false)}" -match("MESSAGE#157:pdr_ttl/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} ttl=%{fld1->} reply=\"%{p0}"); +var part150 = match("MESSAGE#157:pdr_ttl/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} ttl=%{fld1->} reply=\"%{p0}"); -var part151 = // "Pattern{Constant('\"'), Field(fld2,true), Constant(' rscore='), Field(fld3,false), Constant('\""')}" -match("MESSAGE#157:pdr_ttl/1_0", "nwparser.p0", "\\\"%{fld2->} rscore=%{fld3}\\\"\""); +var part151 = match("MESSAGE#157:pdr_ttl/1_0", "nwparser.p0", "\\\"%{fld2->} rscore=%{fld3}\\\"\""); -var part152 = // "Pattern{Field(fld2,false), Constant('"')}" -match("MESSAGE#157:pdr_ttl/1_1", "nwparser.p0", "%{fld2}\""); +var part152 = match("MESSAGE#157:pdr_ttl/1_1", "nwparser.p0", "%{fld2}\""); var select53 = linear_select([ part151, @@ -2611,16 +2392,14 @@ var all26 = all_match({ var msg160 = msg("pdr_ttl", all26); -var part153 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' signature='), Field(fld1,true), Constant(' identity='), Field(sigid_string,true), Constant(' host='), Field(hostname,true), Constant(' result='), Field(result,true), Constant(' result_detail='), Field(fld2,false)}" -match("MESSAGE#158:dkimv_run:signature", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} signature=%{fld1->} identity=%{sigid_string->} host=%{hostname->} result=%{result->} result_detail=%{fld2}", processor_chain([ +var part153 = match("MESSAGE#158:dkimv_run:signature", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} signature=%{fld1->} identity=%{sigid_string->} host=%{hostname->} result=%{result->} result_detail=%{fld2}", processor_chain([ dup17, dup9, ])); var msg161 = msg("dkimv_run:signature", part153); -var part154 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' status="'), Field(info,false), Constant(', '), Field(event_state,false), Constant('"')}" -match("MESSAGE#159:dkimv_run:status", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=\"%{info}, %{event_state}\"", processor_chain([ +var part154 = match("MESSAGE#159:dkimv_run:status", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=\"%{info}, %{event_state}\"", processor_chain([ dup17, dup9, ])); @@ -2632,8 +2411,7 @@ var select54 = linear_select([ msg162, ]); -var part155 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' unexpected response type='), Field(fld1,false)}" -match("MESSAGE#160:dkimv_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} unexpected response type=%{fld1}", processor_chain([ +var part155 = match("MESSAGE#160:dkimv_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} unexpected response type=%{fld1}", processor_chain([ dup17, dup9, setc("result","unexpected response"), @@ -2641,8 +2419,7 @@ match("MESSAGE#160:dkimv_type", "nwparser.payload", "%{fld0}: %{severity->} mod= var msg163 = msg("dkimv_type", part155); -var part156 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' publickey_cache_entries='), Field(fld6,false)}" -match("MESSAGE#161:dkimv_type:01", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} publickey_cache_entries=%{fld6}", processor_chain([ +var part156 = match("MESSAGE#161:dkimv_type:01", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} publickey_cache_entries=%{fld6}", processor_chain([ dup17, dup9, ])); @@ -2656,8 +2433,7 @@ var select55 = linear_select([ var msg165 = msg("dmarc_run:rule", dup49); -var part157 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' result='), Field(result,true), Constant(' result_detail='), Field(fld2,false)}" -match("MESSAGE#163:dmarc_run:result", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} result=%{result->} result_detail=%{fld2}", processor_chain([ +var part157 = match("MESSAGE#163:dmarc_run:result", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} result=%{result->} result_detail=%{fld2}", processor_chain([ dup17, dup9, ])); @@ -2669,8 +2445,7 @@ var select56 = linear_select([ msg166, ]); -var part158 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' policy_cache_entries='), Field(fld6,false)}" -match("MESSAGE#164:dmarc_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} policy_cache_entries=%{fld6}", processor_chain([ +var part158 = match("MESSAGE#164:dmarc_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} policy_cache_entries=%{fld6}", processor_chain([ dup17, dup9, ])); @@ -2679,8 +2454,7 @@ var msg167 = msg("dmarc_type", part158); var msg168 = msg("spf_run:rule", dup49); -var part159 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cmd='), Field(obj_type,true), Constant(' result='), Field(result,false)}" -match("MESSAGE#166:spf_run:cmd", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cmd=%{obj_type->} result=%{result}", processor_chain([ +var part159 = match("MESSAGE#166:spf_run:cmd", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cmd=%{obj_type->} result=%{result}", processor_chain([ dup17, dup9, ])); @@ -2692,24 +2466,21 @@ var select57 = linear_select([ msg169, ]); -var part160 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' action='), Field(action,true), Constant(' score='), Field(fld39,true), Constant(' submsgadjust='), Field(fld53,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' suspectscore='), Field(fld41,true), Constant(' malwarescore='), Field(fld49,true), Constant(' phishscore='), Field(fld42,true), Constant(' adultscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld43,true), Constant(' tests='), Field(fld52,false)}" -match("MESSAGE#167:action_checksubmsg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} suspectscore=%{fld41->} malwarescore=%{fld49->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} tests=%{fld52}", processor_chain([ +var part160 = match("MESSAGE#167:action_checksubmsg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} suspectscore=%{fld41->} malwarescore=%{fld49->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} tests=%{fld52}", processor_chain([ dup17, dup9, ])); var msg170 = msg("action_checksubmsg", part160); -var part161 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' authscope='), Field(fld5,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#168:rest_oauth", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} authscope=%{fld5->} err=%{fld58}", processor_chain([ +var part161 = match("MESSAGE#168:rest_oauth", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} authscope=%{fld5->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg171 = msg("rest_oauth", part161); -var part162 = // "Pattern{Constant('mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(id,true), Constant(' load smartid ccard')}" -match("MESSAGE#171:filter_instance1:01", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid ccard", processor_chain([ +var part162 = match("MESSAGE#171:filter_instance1:01", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid ccard", processor_chain([ dup17, dup9, setc("event_description","load smartid ccard"), @@ -2718,8 +2489,7 @@ match("MESSAGE#171:filter_instance1:01", "nwparser.payload", "mod=%{agent->} typ var msg172 = msg("filter_instance1:01", part162); -var part163 = // "Pattern{Constant('mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(id,true), Constant(' load smartid jcb')}" -match("MESSAGE#172:filter_instance1:02", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid jcb", processor_chain([ +var part163 = match("MESSAGE#172:filter_instance1:02", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid jcb", processor_chain([ dup17, dup9, setc("event_description","load smartid jcb"), @@ -2728,22 +2498,18 @@ match("MESSAGE#172:filter_instance1:02", "nwparser.payload", "mod=%{agent->} typ var msg173 = msg("filter_instance1:02", part163); -var part164 = // "Pattern{Constant('s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject="'), Field(subject,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#173:filter_instance1:03/0", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=\"%{subject}\" %{p0}"); +var part164 = match("MESSAGE#173:filter_instance1:03/0", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=\"%{subject}\" %{p0}"); -var part165 = // "Pattern{Constant('spamscore='), Field(reputation_num,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#173:filter_instance1:03/1_0", "nwparser.p0", "spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{p0}"); +var part165 = match("MESSAGE#173:filter_instance1:03/1_0", "nwparser.p0", "spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{p0}"); -var part166 = // "Pattern{Constant('duration='), Field(p0,false)}" -match("MESSAGE#173:filter_instance1:03/1_1", "nwparser.p0", "duration=%{p0}"); +var part166 = match("MESSAGE#173:filter_instance1:03/1_1", "nwparser.p0", "duration=%{p0}"); var select58 = linear_select([ part165, part166, ]); -var part167 = // "Pattern{Field(fld16,true), Constant(' elapsed='), Field(duration_string,false)}" -match("MESSAGE#173:filter_instance1:03/2", "nwparser.p0", "%{fld16->} elapsed=%{duration_string}"); +var part167 = match("MESSAGE#173:filter_instance1:03/2", "nwparser.p0", "%{fld16->} elapsed=%{duration_string}"); var all27 = all_match({ processors: [ @@ -2762,8 +2528,7 @@ var all27 = all_match({ var msg174 = msg("filter_instance1:03", all27); -var part168 = // "Pattern{Constant('s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' helo='), Field(fld32,true), Constant(' msgs='), Field(fld33,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#174:filter_instance1:04", "nwparser.payload", "s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part168 = match("MESSAGE#174:filter_instance1:04", "nwparser.payload", "s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup17, dup9, dup13, @@ -2772,8 +2537,7 @@ match("MESSAGE#174:filter_instance1:04", "nwparser.payload", "s=%{sessionid->} m var msg175 = msg("filter_instance1:04", part168); -var part169 = // "Pattern{Constant('s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' header.from="\"'), Field(info,false), Constant('\" '), Field(fld4,true), Constant(' <<'), Field(user_address,false), Constant('>"')}" -match("MESSAGE#175:filter_instance1:05", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} header.from=\"\\\"%{info}\\\" %{fld4->} \u003c\u003c%{user_address}>\"", processor_chain([ +var part169 = match("MESSAGE#175:filter_instance1:05", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} header.from=\"\\\"%{info}\\\" %{fld4->} \u003c\u003c%{user_address}>\"", processor_chain([ dup17, dup9, dup36, @@ -3001,89 +2765,61 @@ var chain1 = processor_chain([ }), ]); -var part171 = // "Pattern{Constant('info'), Field(p0,false)}" -match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); +var part171 = match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); -var part172 = // "Pattern{Constant('rprt'), Field(p0,false)}" -match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); +var part172 = match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); -var part173 = // "Pattern{Constant('warn'), Field(p0,false)}" -match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); +var part173 = match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); -var part174 = // "Pattern{Constant('err'), Field(p0,false)}" -match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); +var part174 = match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); -var part175 = // "Pattern{Constant('note'), Field(p0,false)}" -match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); +var part175 = match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); -var part176 = // "Pattern{Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" -match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} sampling=%{fld19}"); +var part176 = match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} sampling=%{fld19}"); -var part177 = // "Pattern{Field(hostip,false)}" -match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); +var part177 = match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); -var part178 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); +var part178 = match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); -var part179 = // "Pattern{Constant('attachment='), Field(fld58,true), Constant(' file='), Field(fld1,true), Constant(' mod='), Field(p0,false)}" -match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); +var part179 = match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); -var part180 = // "Pattern{Constant('mod='), Field(p0,false)}" -match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); +var part180 = match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); -var part181 = // "Pattern{Constant('vendor='), Field(fld36,true), Constant(' version="'), Field(component_version,false), Constant('" duration='), Field(p0,false)}" -match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); +var part181 = match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); -var part182 = // "Pattern{Field(duration_string,false)}" -match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); +var part182 = match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); -var part183 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); +var part183 = match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); -var part184 = // "Pattern{Constant('['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); +var part184 = match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); -var part185 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); +var part185 = match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); -var part186 = // "Pattern{Field(dhost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); +var part186 = match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); -var part187 = // "Pattern{Field(,false), Constant('dsn='), Field(resultcode,false), Constant(', stat='), Field(info,false)}" -match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); +var part187 = match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); -var part188 = // "Pattern{Constant('['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); +var part188 = match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); -var part189 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); +var part189 = match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); -var part190 = // "Pattern{Field(dhost,false)}" -match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); +var part190 = match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); -var part191 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: STARTTLS='), Field(fld1,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); +var part191 = match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); -var part192 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var part192 = match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); -var part193 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); +var part193 = match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); -var part194 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); +var part194 = match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); -var part195 = // "Pattern{Field(,false), Constant('field='), Field(fld2,false), Constant(', status='), Field(info,false)}" -match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); +var part195 = match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); -var part196 = // "Pattern{Field(,false), Constant('version='), Field(fld55,false), Constant(', verify='), Field(fld57,false), Constant(', cipher='), Field(fld58,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); +var part196 = match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); -var part197 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(fld71,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); +var part197 = match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); -var part198 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var part198 = match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); var select60 = linear_select([ dup1, @@ -3103,62 +2839,52 @@ var select62 = linear_select([ dup20, ]); -var part199 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' vendor='), Field(fld36,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' signatures='), Field(fld94,false)}" -match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ +var part199 = match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ dup26, dup9, ])); -var part200 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part200 = match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); -var part201 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part201 = match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); -var part202 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' action='), Field(action,true), Constant(' dict='), Field(fld37,true), Constant(' file='), Field(filename,false)}" -match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ +var part202 = match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ dup17, dup9, ])); -var part203 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ +var part203 = match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ dup17, dup9, ])); -var part204 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,false)}" -match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ +var part204 = match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ dup27, dup9, ])); -var part205 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' version='), Field(fld55,false)}" -match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ +var part205 = match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ dup17, dup9, ])); -var part206 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sig='), Field(fld60,false)}" -match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ +var part206 = match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ dup17, dup9, ])); -var part207 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,false)}" -match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ +var part207 = match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ dup17, dup9, ])); -var part208 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' addr='), Field(saddr,false)}" -match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ +var part208 = match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ dup17, dup9, ])); @@ -3177,20 +2903,17 @@ var select64 = linear_select([ dup35, ]); -var part209 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': timeout waiting for input from '), Field(fld11,true), Constant(' during server cmd read')}" -match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ +var part209 = match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ dup17, dup9, ])); -var part210 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(event_description,false)}" -match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ +var part210 = match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ dup17, dup9, ])); -var part211 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' '), Field(web_method,true), Constant(' /'), Field(info,false), Constant(': '), Field(resultcode,false)}" -match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ +var part211 = match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ dup17, dup9, ])); diff --git a/x-pack/filebeat/module/rabbitmq/log/config/log.yml b/x-pack/filebeat/module/rabbitmq/log/config/log.yml index bc46f2458c8..1f32bbf71cf 100644 --- a/x-pack/filebeat/module/rabbitmq/log/config/log.yml +++ b/x-pack/filebeat/module/rabbitmq/log/config/log.yml @@ -18,4 +18,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/snort/log/config/pipeline.js b/x-pack/filebeat/module/snort/log/config/pipeline.js index d4d6aec1028..18f0ec783e3 100644 --- a/x-pack/filebeat/module/snort/log/config/pipeline.js +++ b/x-pack/filebeat/module/snort/log/config/pipeline.js @@ -46,44 +46,31 @@ var map_getEventLegacyCategoryName = { var dup1 = setc("messageid","FTD_events"); -var dup2 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var dup2 = match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var dup3 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Impact: '), Field(p0,false)}" -match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); +var dup3 = match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); -var dup4 = // "Pattern{Field(hfld10,true), Constant(' [Impact: '), Field(p0,false)}" -match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); +var dup4 = match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); -var dup5 = // "Pattern{Field(result,false), Constant('] From '), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var dup5 = match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); -var dup6 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Classification: '), Field(p0,false)}" -match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); +var dup6 = match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); -var dup7 = // "Pattern{Field(hfld10,true), Constant(' [Classification: '), Field(p0,false)}" -match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); +var dup7 = match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); -var dup8 = // "Pattern{Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); +var dup8 = match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); -var dup9 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" ['), Field(p0,false)}" -match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); +var dup9 = match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); -var dup10 = // "Pattern{Field(hfld10,true), Constant(' ['), Field(p0,false)}" -match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); +var dup10 = match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); -var dup11 = // "Pattern{Field(info,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); +var dup11 = match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); -var dup12 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var dup12 = match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var dup13 = // "Pattern{Field(result,false), Constant('] From '), Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var dup13 = match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); -var dup14 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var dup14 = match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); var dup15 = call({ dest: "nwparser.payload", @@ -135,11 +122,9 @@ var dup19 = call({ ], }); -var dup20 = // "Pattern{Constant('at'), Field(p0,false)}" -match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); +var dup20 = match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); -var dup21 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); +var dup21 = match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); var dup22 = call({ dest: "nwparser.messageid", @@ -171,19 +156,15 @@ var dup24 = setc("messageid","HMNOTIFY"); var dup25 = setc("messageid","SystemSettings"); -var dup26 = // "Pattern{Constant('['), Field(hpid,false), Constant(']: ['), Field(p0,false)}" -match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); +var dup26 = match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); -var dup27 = // "Pattern{Constant(': ['), Field(p0,false)}" -match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); +var dup27 = match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); -var dup28 = // "Pattern{Constant(']'), Field(hversion,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hevent_source,true), Constant(' '), Field(payload,false)}" -match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); +var dup28 = match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); var dup29 = setc("messageid","Snort_AlertLog"); -var dup30 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); +var dup30 = match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); var dup31 = date_time({ dest: "event_time", @@ -195,38 +176,27 @@ var dup31 = date_time({ var dup32 = setf("msg","$MSG"); -var dup33 = // "Pattern{Field(threat_val,true), Constant(' ]:alert {'), Field(p0,false)}" -match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); +var dup33 = match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); -var dup34 = // "Pattern{Field(threat_val,true), Constant(' ]: '), Field(fld1,true), Constant(' {'), Field(p0,false)}" -match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); +var dup34 = match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); -var dup35 = // "Pattern{Field(threat_val,false), Constant(']: {'), Field(p0,false)}" -match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); +var dup35 = match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); -var dup36 = // "Pattern{Field(threat_val,true), Constant(' ] {'), Field(p0,false)}" -match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); +var dup36 = match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); -var dup37 = // "Pattern{Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); +var dup37 = match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); -var dup38 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(location_src,false), Constant(') -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); +var dup38 = match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); -var dup39 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); +var dup39 = match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); -var dup40 = // "Pattern{Field(saddr,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); +var dup40 = match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); -var dup41 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(location_dst,false), Constant(')')}" -match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); +var dup41 = match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); -var dup42 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); +var dup42 = match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); -var dup43 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); +var dup43 = match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); var dup44 = setc("eventcategory","1003030000"); @@ -266,17 +236,13 @@ var dup56 = date_time({ ], }); -var dup57 = // "Pattern{Field(context,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); +var dup57 = match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); -var dup58 = // "Pattern{Constant('<<'), Field(interface,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); +var dup58 = match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); -var dup59 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); +var dup59 = match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); -var dup60 = // "Pattern{Constant('{'), Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); +var dup60 = match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); var dup61 = setc("eventcategory","1103000000"); @@ -288,17 +254,13 @@ var dup64 = setc("eventcategory","1002000000"); var dup65 = setc("eventcategory","1001020200"); -var dup66 = // "Pattern{Field(threat_val,true), Constant(' ]'), Field(p0,false)}" -match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); +var dup66 = match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); -var dup67 = // "Pattern{Constant(' <<'), Field(interface,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); +var dup67 = match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); -var dup68 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); +var dup68 = match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); -var dup69 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); +var dup69 = match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); var dup70 = setc("eventcategory","1001020100"); @@ -310,8 +272,7 @@ var dup73 = setc("ec_activity","Detect"); var dup74 = setc("ec_theme","TEV"); -var dup75 = // "Pattern{Field(context,true), Constant(' <<'), Field(interface,false), Constant('> '), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); +var dup75 = match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); var dup76 = setf("signame","context"); @@ -387,17 +348,13 @@ var dup111 = setc("eventcategory","1001020307"); var dup112 = setc("eventcategory","1401060000"); -var dup113 = // "Pattern{Field(threat_val,true), Constant(' ]:alert '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); +var dup113 = match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); -var dup114 = // "Pattern{Field(threat_val,false), Constant(']: '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); +var dup114 = match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); -var dup115 = // "Pattern{Field(threat_val,true), Constant(' ] '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); +var dup115 = match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); -var dup116 = // "Pattern{Constant(''), Field(p0,false)}" -match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); +var dup116 = match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); var dup117 = setc("eventcategory","1003050000"); @@ -413,14 +370,11 @@ var dup122 = setc("eventcategory","1603090000"); var dup123 = setc("eventcategory","1003040000"); -var dup124 = // "Pattern{Constant(':alert '), Field(p0,false)}" -match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); +var dup124 = match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); -var dup125 = // "Pattern{Constant(''), Field(saddr,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); +var dup125 = match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); -var dup126 = // "Pattern{Constant(''), Field(daddr,false)}" -match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); +var dup126 = match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); var dup127 = setc("eventcategory","1605000000"); @@ -434,25 +388,19 @@ var dup129 = date_time({ ], }); -var dup130 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' MAC: '), Field(smacaddr,true), Constant(' TTL '), Field(p0,false)}" -match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); +var dup130 = match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); -var dup131 = // "Pattern{Field(sinterface,true), Constant(' ('), Field(protocol,true), Constant(' detected)')}" -match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); +var dup131 = match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); -var dup132 = // "Pattern{Field(sinterface,false)}" -match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); +var dup132 = match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); -var dup133 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> '), Field(p0,false)}" -match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); +var dup133 = match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); -var dup134 = // "Pattern{Field(protocol,false)}" -match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); +var dup134 = match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); var dup135 = setc("eventcategory","1605020000"); -var dup136 = // "Pattern{Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); +var dup136 = match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); var dup137 = setc("ec_subject","User"); @@ -470,19 +418,15 @@ var dup143 = setf("hostip","hfld2"); var dup144 = setc("ec_activity","Logoff"); -var dup145 = // "Pattern{Constant('>'), Field(p0,false)}" -match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); +var dup145 = match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); var dup146 = setc("category","Session Expiration"); -var dup147 = // "Pattern{Field(fld1,false), Constant(']['), Field(policyname,false), Constant('] Connection Type: '), Field(event_state,false), Constant(', User: '), Field(username,false), Constant(', Client: '), Field(application,false), Constant(', Application Protocol: '), Field(protocol,false), Constant(', Web App: '), Field(application,false), Constant(', Access Control Rule Name: '), Field(rulename,false), Constant(', Access Control Rule Action: '), Field(action,false), Constant(', Access Control Rule Reasons: '), Field(result,false), Constant(', URL Category: '), Field(category,false), Constant(', URL Reputation: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); +var dup147 = match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); -var dup148 = // "Pattern{Constant('Risk unknown, URL: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); +var dup148 = match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); -var dup149 = // "Pattern{Field(reputation_num,false), Constant(', URL: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); +var dup149 = match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); var dup150 = setc("eventcategory","1801000000"); @@ -490,20 +434,15 @@ var dup151 = setc("dclass_counter1_string","Number of File Events"); var dup152 = setc("dclass_counter2_string","Number of IPS Events"); -var dup153 = // "Pattern{Constant('-*> '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); +var dup153 = match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); -var dup154 = // "Pattern{Constant('> '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); +var dup154 = match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); -var dup155 = // "Pattern{Constant('From "'), Field(sensor,false), Constant('" at '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); +var dup155 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); -var dup156 = // "Pattern{Constant('at '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); +var dup156 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); -var dup157 = // "Pattern{Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); +var dup157 = match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); var dup158 = date_time({ dest: "event_time", @@ -513,11 +452,9 @@ var dup158 = date_time({ ], }); -var dup159 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' '), Field(network_service,false)}" -match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); +var dup159 = match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); -var dup160 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(p0,false)}" -match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); +var dup160 = match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); var dup161 = date_time({ dest: "event_time", @@ -564,8 +501,7 @@ var dup169 = linear_select([ dup10, ]); -var dup170 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ +var dup170 = match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ dup19, ])); @@ -637,8 +573,7 @@ var dup182 = linear_select([ dup132, ]); -var dup183 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS: '), Field(version,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ +var dup183 = match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ dup127, dup31, dup32, @@ -646,8 +581,7 @@ match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} Fr dup129, ])); -var dup184 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ +var dup184 = match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ dup135, dup31, dup32, @@ -660,8 +594,7 @@ var dup185 = linear_select([ dup134, ]); -var dup186 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' '), Field(product,false)}" -match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ +var dup186 = match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ dup135, dup31, dup32, @@ -669,8 +602,7 @@ match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} dup129, ])); -var dup187 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,false)}" -match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ +var dup187 = match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ dup135, dup31, dup32, @@ -678,8 +610,7 @@ match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \" dup129, ])); -var dup188 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,false)}" -match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ +var dup188 = match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ dup135, dup31, dup32, @@ -4814,34 +4745,28 @@ var dup356 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hyear,false), Constant('-'), Field(hmonth,false), Constant('-'), Field(day,false), Constant('T'), Field(time,false), Constant('Z %FTD-'), Field(fld2,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" -match("HEADER#0:0055", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0055", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ setc("header_id","0055"), dup1, ])); -var hdr2 = // "Pattern{Field(hyear,false), Constant('-'), Field(hmonth,false), Constant('-'), Field(day,false), Constant('T'), Field(time,false), Constant('Z '), Field(hostname,true), Constant(' '), Field(fld1,true), Constant(' %NGIPS-'), Field(severity,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" -match("HEADER#1:0056", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %{fld1->} %NGIPS-%{severity}-%{hfld3}:%{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0056", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %{fld1->} %NGIPS-%{severity}-%{hfld3}:%{payload}", processor_chain([ setc("header_id","0056"), setc("messageid","NGIPS_events"), ])); -var part1 = // "Pattern{Field(result,false), Constant('] From '), Field(p0,false)}" -match("HEADER#2:00010/2", "nwparser.p0", "%{result}] From %{p0}"); +var part1 = match("HEADER#2:00010/2", "nwparser.p0", "%{result}] From %{p0}"); -var part2 = // "Pattern{Constant('"'), Field(group_object,false), Constant('/'), Field(hfld11,false), Constant('" at '), Field(p0,false)}" -match("HEADER#2:00010/3_0", "nwparser.p0", "\"%{group_object}/%{hfld11}\" at %{p0}"); +var part2 = match("HEADER#2:00010/3_0", "nwparser.p0", "\"%{group_object}/%{hfld11}\" at %{p0}"); -var part3 = // "Pattern{Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(p0,false)}" -match("HEADER#2:00010/3_1", "nwparser.p0", "%{group_object}/%{hfld11->} at %{p0}"); +var part3 = match("HEADER#2:00010/3_1", "nwparser.p0", "%{group_object}/%{hfld11->} at %{p0}"); var select1 = linear_select([ part2, part3, ]); -var part4 = // "Pattern{Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#2:00010/4", "nwparser.p0", "%{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part4 = match("HEADER#2:00010/4", "nwparser.p0", "%{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); var all1 = all_match({ processors: [ @@ -4889,8 +4814,7 @@ var all4 = all_match({ ]), }); -var hdr3 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant(':'), Field(hfld3,true), Constant(' at '), Field(hfld4,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant(']'), Field(payload,false)}" -match("HEADER#6:0015", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: %{hfld2}:%{hfld3->} at %{hfld4}: [%{hevent_source}:%{messageid}:%{hversion}]%{payload}", processor_chain([ +var hdr3 = match("HEADER#6:0015", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: %{hfld2}:%{hfld3->} at %{hfld4}: [%{hevent_source}:%{messageid}:%{hversion}]%{payload}", processor_chain([ setc("header_id","0015"), ])); @@ -4982,8 +4906,7 @@ var all12 = all_match({ ]), }); -var hdr4 = // "Pattern{Constant('snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#15:0030/0", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var hdr4 = match("HEADER#15:0030/0", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); var all13 = all_match({ processors: [ @@ -4996,64 +4919,53 @@ var all13 = all_match({ ]), }); -var hdr5 = // "Pattern{Constant('snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#16:0004", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr5 = match("HEADER#16:0004", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0004"), ])); -var hdr6 = // "Pattern{Constant('snort: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#17:0005", "message", "snort: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr6 = match("HEADER#17:0005", "message", "snort: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0005"), ])); -var hdr7 = // "Pattern{Constant('snort['), Field(hpid,false), Constant(']: '), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#18:0018", "message", "snort[%{hpid}]: %{messageid}: %{payload}", processor_chain([ +var hdr7 = match("HEADER#18:0018", "message", "snort[%{hpid}]: %{messageid}: %{payload}", processor_chain([ setc("header_id","0018"), ])); -var hdr8 = // "Pattern{Constant('snort: '), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#19:0006", "message", "snort: %{messageid}: %{payload}", processor_chain([ +var hdr8 = match("HEADER#19:0006", "message", "snort: %{messageid}: %{payload}", processor_chain([ setc("header_id","0006"), ])); -var hdr9 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' snort['), Field(hpid,false), Constant(']: '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#20:0007", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: %{messageid->} %{p0}", processor_chain([ +var hdr9 = match("HEADER#20:0007", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: %{messageid->} %{p0}", processor_chain([ setc("header_id","0007"), dup15, ])); -var hdr10 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#21:0008", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr10 = match("HEADER#21:0008", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0008"), ])); -var hdr11 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hostname,true), Constant(' '), Field(hfld1,false), Constant(': [Primary Detection Engine ('), Field(hfld10,false), Constant(')]['), Field(policyname,false), Constant(']['), Field(hfld2,false), Constant(':'), Field(id,false), Constant(':'), Field(hfld3,false), Constant(']'), Field(payload,false)}" -match("HEADER#22:0046", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine (%{hfld10})][%{policyname}][%{hfld2}:%{id}:%{hfld3}]%{payload}", processor_chain([ +var hdr11 = match("HEADER#22:0046", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine (%{hfld10})][%{policyname}][%{hfld2}:%{id}:%{hfld3}]%{payload}", processor_chain([ setc("header_id","0046"), dup16, ])); -var hdr12 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hpid,false), Constant(']['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#23:0009", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hpid}][%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr12 = match("HEADER#23:0009", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hpid}][%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0009"), ])); -var hdr13 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld5,false), Constant(': '), Field(hfld6,false), Constant(': '), Field(hfld7,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#24:0022", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{host->} %{hfld5}: %{hfld6}: %{hfld7}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr13 = match("HEADER#24:0022", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{host->} %{hfld5}: %{hfld6}: %{hfld7}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0022"), dup17, dup18, ])); -var hdr14 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#25:0010", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr14 = match("HEADER#25:0010", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0010"), dup17, dup18, ])); -var part5 = // "Pattern{Constant('From '), Field(hsensor,true), Constant(' at'), Field(p0,false)}" -match("HEADER#26:0011/1_0", "nwparser.p0", "From %{hsensor->} at%{p0}"); +var part5 = match("HEADER#26:0011/1_0", "nwparser.p0", "From %{hsensor->} at%{p0}"); var select2 = linear_select([ part5, @@ -5072,8 +4984,7 @@ var all14 = all_match({ ]), }); -var part6 = // "Pattern{Field(fld10,true), Constant(' From '), Field(hsensor,true), Constant(' at'), Field(p0,false)}" -match("HEADER#27:0014/1_0", "nwparser.p0", "%{fld10->} From %{hsensor->} at%{p0}"); +var part6 = match("HEADER#27:0014/1_0", "nwparser.p0", "%{fld10->} From %{hsensor->} at%{p0}"); var select3 = linear_select([ part6, @@ -5092,8 +5003,7 @@ var all15 = all_match({ ]), }); -var hdr15 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(msgIdPart4,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#28:0012", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr15 = match("HEADER#28:0012", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0012"), dup23, call({ @@ -5115,8 +5025,7 @@ match("HEADER#28:0012", "message", "%{month->} %{day->} %{time->} %{host->} %{hf }), ])); -var hdr16 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(msgIdPart4,true), Constant(' '), Field(hfld12,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#29:0016", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} %{hfld12->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr16 = match("HEADER#29:0016", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} %{hfld12->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0016"), dup23, call({ @@ -5140,72 +5049,60 @@ match("HEADER#29:0016", "message", "%{month->} %{day->} %{time->} %{host->} %{hf }), ])); -var hdr17 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' snort: '), Field(messageid,false), Constant(':'), Field(payload,false)}" -match("HEADER#30:0013", "message", "%{month->} %{day->} %{time->} %{host->} snort: %{messageid}:%{payload}", processor_chain([ +var hdr17 = match("HEADER#30:0013", "message", "%{month->} %{day->} %{time->} %{host->} snort: %{messageid}:%{payload}", processor_chain([ setc("header_id","0013"), ])); -var hdr18 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(fld,false), Constant(': HMNOTIFY: '), Field(payload,false)}" -match("HEADER#31:0020", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: HMNOTIFY: %{payload}", processor_chain([ +var hdr18 = match("HEADER#31:0020", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: HMNOTIFY: %{payload}", processor_chain([ setc("header_id","0020"), dup24, ])); -var hdr19 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' : HMNOTIFY: '), Field(payload,false)}" -match("HEADER#32:0035", "message", "%{month->} %{day->} %{time->} %{host->} : HMNOTIFY: %{payload}", processor_chain([ +var hdr19 = match("HEADER#32:0035", "message", "%{month->} %{day->} %{time->} %{host->} : HMNOTIFY: %{payload}", processor_chain([ setc("header_id","0035"), dup24, ])); -var hdr20 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(fld,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hsigid,false), Constant(':'), Field(hversion,false), Constant('] "'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#33:0017", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] \"%{messageid->} %{p0}", processor_chain([ +var hdr20 = match("HEADER#33:0017", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] \"%{messageid->} %{p0}", processor_chain([ setc("header_id","0017"), dup15, ])); -var hdr21 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(fld,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hsigid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#34:0019", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] %{messageid->} %{p0}", processor_chain([ +var hdr21 = match("HEADER#34:0019", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] %{messageid->} %{p0}", processor_chain([ setc("header_id","0019"), dup15, ])); -var hdr22 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hostname,true), Constant(' '), Field(hfld1,false), Constant(': [Primary Detection Engine'), Field(payload,false)}" -match("HEADER#35:0041", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine%{payload}", processor_chain([ +var hdr22 = match("HEADER#35:0041", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine%{payload}", processor_chain([ setc("header_id","0041"), dup16, ])); -var hdr23 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': Protocol: '), Field(hprotocol,false), Constant(', '), Field(payload,false)}" -match("HEADER#36:0045", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Protocol: %{hprotocol}, %{payload}", processor_chain([ +var hdr23 = match("HEADER#36:0045", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Protocol: %{hprotocol}, %{payload}", processor_chain([ setc("header_id","0045"), setc("messageid","connection_events"), ])); -var hdr24 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hfld1,false), Constant(': '), Field(hfld4,true), Constant(' '), Field(host,false), Constant(': '), Field(hfld3,false), Constant('@'), Field(hfld2,false), Constant(', '), Field(payload,false)}" -match("HEADER#37:0042", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{hfld4->} %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ +var hdr24 = match("HEADER#37:0042", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{hfld4->} %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ setc("header_id","0042"), dup25, ])); -var hdr25 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hfld5,false), Constant('] '), Field(host,false), Constant(': '), Field(hfld3,false), Constant('@'), Field(hfld2,false), Constant(', '), Field(payload,false)}" -match("HEADER#38:00212", "message", "%{month->} %{day->} %{time->} %{hfld1}: [%{hfld5}] %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ +var hdr25 = match("HEADER#38:00212", "message", "%{month->} %{day->} %{time->} %{hfld1}: [%{hfld5}] %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ setc("header_id","00212"), dup25, ])); -var hdr26 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hfld1,false), Constant(': '), Field(host,false), Constant(': '), Field(hfld3,false), Constant('@'), Field(hfld2,false), Constant(', '), Field(payload,false)}" -match("HEADER#39:0021", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ +var hdr26 = match("HEADER#39:0021", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ setc("header_id","0021"), dup25, ])); -var hdr27 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#40:0029", "message", "%{month->} %{day->} %{time->} %{host}: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr27 = match("HEADER#40:0029", "message", "%{month->} %{day->} %{time->} %{host}: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0029"), ])); -var hdr28 = // "Pattern{Constant('snort'), Field(p0,false)}" -match("HEADER#41:0024/0", "message", "snort%{p0}"); +var hdr28 = match("HEADER#41:0024/0", "message", "snort%{p0}"); var all16 = all_match({ processors: [ @@ -5219,8 +5116,7 @@ var all16 = all_match({ ]), }); -var hdr29 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort'), Field(p0,false)}" -match("HEADER#42:0025/0", "message", "%{month->} %{day->} %{time->} snort%{p0}"); +var hdr29 = match("HEADER#42:0025/0", "message", "%{month->} %{day->} %{time->} snort%{p0}"); var all17 = all_match({ processors: [ @@ -5234,8 +5130,7 @@ var all17 = all_match({ ]), }); -var part7 = // "Pattern{Field(result,false), Constant('] From '), Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#43:0023/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part7 = match("HEADER#43:0023/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); var all18 = all_match({ processors: [ @@ -5249,8 +5144,7 @@ var all18 = all_match({ ]), }); -var part8 = // "Pattern{Field(result,false), Constant('] From '), Field(hfld11,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#44:0026/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part8 = match("HEADER#44:0026/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); var all19 = all_match({ processors: [ @@ -5288,8 +5182,7 @@ var all21 = all_match({ ]), }); -var hdr30 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': Sha256:'), Field(hfld2,true), Constant(' Disposition: Malware'), Field(p0,false)}" -match("HEADER#47:0040", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Sha256:%{hfld2->} Disposition: Malware%{p0}", processor_chain([ +var hdr30 = match("HEADER#47:0040", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Sha256:%{hfld2->} Disposition: Malware%{p0}", processor_chain([ setc("header_id","0040"), setc("messageid","MALWARE"), call({ @@ -5303,8 +5196,7 @@ match("HEADER#47:0040", "message", "%{month->} %{day->} %{time->} %{host->} %{hf }), ])); -var hdr31 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#48:0043", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr31 = match("HEADER#48:0043", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0043"), dup22, call({ @@ -5324,27 +5216,22 @@ match("HEADER#48:0043", "message", "%{month->} %{day->} %{time->} %{host->} %{hf }), ])); -var hdr32 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(messageid,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" -match("HEADER#49:0044", "message", "%{month->} %{day->} %{time->} %{host->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ +var hdr32 = match("HEADER#49:0044", "message", "%{month->} %{day->} %{time->} %{host->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0044"), ])); -var hdr33 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(hyear,true), Constant(' '), Field(time,true), Constant(' '), Field(p0,false)}" -match("HEADER#50:0057/0", "message", "%{month->} %{day->} %{hyear->} %{time->} %{p0}"); +var hdr33 = match("HEADER#50:0057/0", "message", "%{month->} %{day->} %{hyear->} %{time->} %{p0}"); -var part9 = // "Pattern{Field(hostname,false), Constant(': %FTD-'), Field(p0,false)}" -match("HEADER#50:0057/1_0", "nwparser.p0", "%{hostname}: %FTD-%{p0}"); +var part9 = match("HEADER#50:0057/1_0", "nwparser.p0", "%{hostname}: %FTD-%{p0}"); -var part10 = // "Pattern{Field(hostname,true), Constant(' %FTD-'), Field(p0,false)}" -match("HEADER#50:0057/1_1", "nwparser.p0", "%{hostname->} %FTD-%{p0}"); +var part10 = match("HEADER#50:0057/1_1", "nwparser.p0", "%{hostname->} %FTD-%{p0}"); var select4 = linear_select([ part9, part10, ]); -var part11 = // "Pattern{Field(fld2,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" -match("HEADER#50:0057/2", "nwparser.p0", "%{fld2}-%{hfld3}:%{payload}"); +var part11 = match("HEADER#50:0057/2", "nwparser.p0", "%{fld2}-%{hfld3}:%{payload}"); var all22 = all_match({ processors: [ @@ -5358,8 +5245,7 @@ var all22 = all_match({ ]), }); -var hdr34 = // "Pattern{Field(hyear,false), Constant('-'), Field(hmonth,false), Constant('-'), Field(day,false), Constant('T'), Field(time,false), Constant('Z '), Field(hostname,true), Constant(' %FTD-'), Field(fld2,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" -match("HEADER#51:0058", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ +var hdr34 = match("HEADER#51:0058", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ setc("header_id","0058"), dup1, ])); @@ -5419,8 +5305,7 @@ var select5 = linear_select([ hdr34, ]); -var part12 = // "Pattern{Field(event_type,true), Constant(' (Sensor '), Field(sensor,false), Constant('): Severity:'), Field(severity,false), Constant(': '), Field(result,false)}" -match("MESSAGE#0:HMNOTIFY", "nwparser.payload", "%{event_type->} (Sensor %{sensor}): Severity:%{severity}: %{result}", processor_chain([ +var part12 = match("MESSAGE#0:HMNOTIFY", "nwparser.payload", "%{event_type->} (Sensor %{sensor}): Severity:%{severity}: %{result}", processor_chain([ setc("eventcategory","1604000000"), dup31, dup32, @@ -95633,17 +95518,13 @@ var all66 = all_match({ var msg38452 = msg("snort-sid-template", all66); -var part13 = // "Pattern{Constant('PORTSCAN DETECTED from '), Field(p0,false)}" -match("MESSAGE#38452:spp_portscan/0", "nwparser.payload", "PORTSCAN DETECTED from %{p0}"); +var part13 = match("MESSAGE#38452:spp_portscan/0", "nwparser.payload", "PORTSCAN DETECTED from %{p0}"); -var part14 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(location_src,false), Constant(')(THRESHOLD '), Field(p0,false)}" -match("MESSAGE#38452:spp_portscan/1_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src})(THRESHOLD %{p0}"); +var part14 = match("MESSAGE#38452:spp_portscan/1_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src})(THRESHOLD %{p0}"); -var part15 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,false), Constant('(THRESHOLD '), Field(p0,false)}" -match("MESSAGE#38452:spp_portscan/1_1", "nwparser.p0", "%{saddr}:%{sport}(THRESHOLD %{p0}"); +var part15 = match("MESSAGE#38452:spp_portscan/1_1", "nwparser.p0", "%{saddr}:%{sport}(THRESHOLD %{p0}"); -var part16 = // "Pattern{Field(saddr,false), Constant('(THRESHOLD '), Field(p0,false)}" -match("MESSAGE#38452:spp_portscan/1_2", "nwparser.p0", "%{saddr}(THRESHOLD %{p0}"); +var part16 = match("MESSAGE#38452:spp_portscan/1_2", "nwparser.p0", "%{saddr}(THRESHOLD %{p0}"); var select2444 = linear_select([ part14, @@ -95651,8 +95532,7 @@ var select2444 = linear_select([ part16, ]); -var part17 = // "Pattern{Field(dclass_counter1,true), Constant(' connections exceeded in '), Field(duration,true), Constant(' seconds)')}" -match("MESSAGE#38452:spp_portscan/2", "nwparser.p0", "%{dclass_counter1->} connections exceeded in %{duration->} seconds)"); +var part17 = match("MESSAGE#38452:spp_portscan/2", "nwparser.p0", "%{dclass_counter1->} connections exceeded in %{duration->} seconds)"); var all67 = all_match({ processors: [ @@ -95676,8 +95556,7 @@ var all67 = all_match({ var msg38453 = msg("spp_portscan", all67); -var part18 = // "Pattern{Constant('portscan status from '), Field(saddr,false), Constant(': '), Field(dclass_counter1,true), Constant(' connections across '), Field(fld1,true), Constant(' hosts: '), Field(fld2,false), Constant(', '), Field(fld3,false)}" -match("MESSAGE#38453:spp_portscan:01", "nwparser.payload", "portscan status from %{saddr}: %{dclass_counter1->} connections across %{fld1->} hosts: %{fld2}, %{fld3}", processor_chain([ +var part18 = match("MESSAGE#38453:spp_portscan:01", "nwparser.payload", "portscan status from %{saddr}: %{dclass_counter1->} connections across %{fld1->} hosts: %{fld2}, %{fld3}", processor_chain([ dup61, dup31, dup32, @@ -95692,8 +95571,7 @@ match("MESSAGE#38453:spp_portscan:01", "nwparser.payload", "portscan status from var msg38454 = msg("spp_portscan:01", part18); -var part19 = // "Pattern{Constant('End of portscan from '), Field(saddr,false), Constant(': TOTAL time('), Field(fld1,false), Constant(') hosts('), Field(fld2,false), Constant(') '), Field(fld3,true), Constant(' '), Field(fld4,false)}" -match("MESSAGE#38454:spp_portscan:02", "nwparser.payload", "End of portscan from %{saddr}: TOTAL time(%{fld1}) hosts(%{fld2}) %{fld3->} %{fld4}", processor_chain([ +var part19 = match("MESSAGE#38454:spp_portscan:02", "nwparser.payload", "End of portscan from %{saddr}: TOTAL time(%{fld1}) hosts(%{fld2}) %{fld3->} %{fld4}", processor_chain([ dup61, dup31, dup32, @@ -95716,8 +95594,7 @@ var select2445 = linear_select([ msg38456, ]); -var part20 = // "Pattern{Constant('Portscan detected from '), Field(saddr,true), Constant(' Talker('), Field(fld1,false), Constant(') Scanner('), Field(fld2,false), Constant(')')}" -match("MESSAGE#38456:Portscan", "nwparser.payload", "Portscan detected from %{saddr->} Talker(%{fld1}) Scanner(%{fld2})", processor_chain([ +var part20 = match("MESSAGE#38456:Portscan", "nwparser.payload", "Portscan detected from %{saddr->} Talker(%{fld1}) Scanner(%{fld2})", processor_chain([ dup61, dup31, dup32, @@ -95725,8 +95602,7 @@ match("MESSAGE#38456:Portscan", "nwparser.payload", "Portscan detected from %{sa var msg38457 = msg("Portscan", part20); -var part21 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Hops: '), Field(result,false)}" -match("MESSAGE#38457:Hops_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Hops: %{result}", processor_chain([ +var part21 = match("MESSAGE#38457:Hops_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Hops: %{result}", processor_chain([ dup127, dup31, dup32, @@ -95740,8 +95616,7 @@ var msg38459 = msg("MAC_Information_Change", dup354); var msg38460 = msg("Additional_MAC_Detected_for", dup354); -var part22 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' NETBIOS Name: '), Field(result,false)}" -match("MESSAGE#38460:NETBIOS_Name_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} NETBIOS Name: %{result}", processor_chain([ +var part22 = match("MESSAGE#38460:NETBIOS_Name_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} NETBIOS Name: %{result}", processor_chain([ dup127, dup31, dup32, @@ -95751,19 +95626,16 @@ match("MESSAGE#38460:NETBIOS_Name_Change", "nwparser.payload", "%{context->} Fro var msg38461 = msg("NETBIOS_Name_Change", part22); -var part23 = // "Pattern{Constant('MAC Address: '), Field(smacaddr,true), Constant(' Host Type: '), Field(p0,false)}" -match("MESSAGE#38461:New_Host/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Host Type: %{p0}"); +var part23 = match("MESSAGE#38461:New_Host/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Host Type: %{p0}"); -var part24 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Host Type: '), Field(p0,false)}" -match("MESSAGE#38461:New_Host/1_1", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{p0}"); +var part24 = match("MESSAGE#38461:New_Host/1_1", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{p0}"); var select2446 = linear_select([ part23, part24, ]); -var part25 = // "Pattern{Field(fld7,false)}" -match_copy("MESSAGE#38461:New_Host/2", "nwparser.p0", "fld7"); +var part25 = match_copy("MESSAGE#38461:New_Host/2", "nwparser.p0", "fld7"); var all68 = all_match({ processors: [ @@ -95782,11 +95654,9 @@ var all68 = all_match({ var msg38462 = msg("New_Host", all68); -var part26 = // "Pattern{Constant('MAC Address: '), Field(smacaddr,true), Constant(' Network Protocol: '), Field(p0,false)}" -match("MESSAGE#38462:New_Network_Protocol/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Network Protocol: %{p0}"); +var part26 = match("MESSAGE#38462:New_Network_Protocol/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Network Protocol: %{p0}"); -var part27 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Network Protocol: '), Field(p0,false)}" -match("MESSAGE#38462:New_Network_Protocol/1_1", "nwparser.p0", "IP Address: %{saddr->} Network Protocol: %{p0}"); +var part27 = match("MESSAGE#38462:New_Network_Protocol/1_1", "nwparser.p0", "IP Address: %{saddr->} Network Protocol: %{p0}"); var select2447 = linear_select([ part26, @@ -95810,8 +95680,7 @@ var all69 = all_match({ var msg38463 = msg("New_Network_Protocol", all69); -var part28 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(protocol,false)}" -match("MESSAGE#38463:New_UDP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{protocol}", processor_chain([ +var part28 = match("MESSAGE#38463:New_UDP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{protocol}", processor_chain([ dup135, dup31, dup32, @@ -95821,8 +95690,7 @@ match("MESSAGE#38463:New_UDP_Service", "nwparser.payload", "%{context->} From \" var msg38464 = msg("New_UDP_Service", part28); -var part29 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Transport Protocol: '), Field(protocol,false)}" -match("MESSAGE#38464:New_Transport_Protocol", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Transport Protocol: %{protocol}", processor_chain([ +var part29 = match("MESSAGE#38464:New_Transport_Protocol", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Transport Protocol: %{protocol}", processor_chain([ dup135, dup31, dup32, @@ -95838,8 +95706,7 @@ var msg38467 = msg("OS_Information_Update", dup183); var msg38468 = msg("TCP_Service_Confidence_Update", dup184); -var part30 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(p0,false)}" -match("MESSAGE#38468:TCP_Service_Information_Update/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); +var part30 = match("MESSAGE#38468:TCP_Service_Information_Update/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); var all70 = all_match({ processors: [ @@ -95857,8 +95724,7 @@ var all70 = all_match({ var msg38469 = msg("TCP_Service_Information_Update", all70); -var part31 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> MAC Address: '), Field(saddr,true), Constant(' VLAN ID: '), Field(sport,true), Constant(' Type: '), Field(protocol,true), Constant(' Priority: '), Field(threat_val,false)}" -match("MESSAGE#38469:VLAN_Tag_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> MAC Address: %{saddr->} VLAN ID: %{sport->} Type: %{protocol->} Priority: %{threat_val}", processor_chain([ +var part31 = match("MESSAGE#38469:VLAN_Tag_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> MAC Address: %{saddr->} VLAN ID: %{sport->} Type: %{protocol->} Priority: %{threat_val}", processor_chain([ dup135, dup31, dup32, @@ -95869,14 +95735,11 @@ match("MESSAGE#38469:VLAN_Tag_Information_Update", "nwparser.payload", "%{contex var msg38470 = msg("VLAN_Tag_Information_Update", part31); -var part32 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS: '), Field(p0,false)}" -match("MESSAGE#38470:New_OS/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{p0}"); +var part32 = match("MESSAGE#38470:New_OS/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{p0}"); -var part33 = // "Pattern{Field(os,true), Constant(' Device Info: '), Field(fld7,false)}" -match("MESSAGE#38470:New_OS/1_0", "nwparser.p0", "%{os->} Device Info: %{fld7}"); +var part33 = match("MESSAGE#38470:New_OS/1_0", "nwparser.p0", "%{os->} Device Info: %{fld7}"); -var part34 = // "Pattern{Field(os,false)}" -match_copy("MESSAGE#38470:New_OS/1_1", "nwparser.p0", "os"); +var part34 = match_copy("MESSAGE#38470:New_OS/1_1", "nwparser.p0", "os"); var select2448 = linear_select([ part33, @@ -95909,8 +95772,7 @@ var msg38475 = msg("TCP_Port_Closed", dup187); var msg38476 = msg("TCP_Port_Timeout", dup188); -var part35 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' web browser '), Field(application,false)}" -match("MESSAGE#38476:Client_Application_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} web browser %{application}", processor_chain([ +var part35 = match("MESSAGE#38476:Client_Application_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} web browser %{application}", processor_chain([ dup135, dup31, dup32, @@ -95922,8 +95784,7 @@ var msg38477 = msg("Client_Application_Timeout", part35); var msg38478 = msg("Host_Timeout", dup188); -var part36 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS'), Field(os,false)}" -match("MESSAGE#38478:Identity_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS%{os}", processor_chain([ +var part36 = match("MESSAGE#38478:Identity_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS%{os}", processor_chain([ dup135, dup31, dup32, @@ -95933,22 +95794,18 @@ match("MESSAGE#38478:Identity_Timeout", "nwparser.payload", "%{context->} From % var msg38479 = msg("Identity_Timeout", part36); -var part37 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Serv'), Field(p0,false)}" -match("MESSAGE#38479:Identity_Timeout:01/0", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Serv%{p0}"); +var part37 = match("MESSAGE#38479:Identity_Timeout:01/0", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Serv%{p0}"); -var part38 = // "Pattern{Constant('ice'), Field(p0,false)}" -match("MESSAGE#38479:Identity_Timeout:01/1_0", "nwparser.p0", "ice%{p0}"); +var part38 = match("MESSAGE#38479:Identity_Timeout:01/1_0", "nwparser.p0", "ice%{p0}"); -var part39 = // "Pattern{Constant('er'), Field(p0,false)}" -match("MESSAGE#38479:Identity_Timeout:01/1_1", "nwparser.p0", "er%{p0}"); +var part39 = match("MESSAGE#38479:Identity_Timeout:01/1_1", "nwparser.p0", "er%{p0}"); var select2449 = linear_select([ part38, part39, ]); -var part40 = // "Pattern{Field(,false), Constant('port: '), Field(sport,false), Constant('/'), Field(protocol,true), Constant(' '), Field(network_service,false)}" -match("MESSAGE#38479:Identity_Timeout:01/2", "nwparser.p0", "%{}port: %{sport}/%{protocol->} %{network_service}"); +var part40 = match("MESSAGE#38479:Identity_Timeout:01/2", "nwparser.p0", "%{}port: %{sport}/%{protocol->} %{network_service}"); var all72 = all_match({ processors: [ @@ -95976,8 +95833,7 @@ var msg38481 = msg("UDP_Port_Timeout", dup188); var msg38482 = msg("UDP_Service_Confidence_Update", dup184); -var part41 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,true), Constant(' Subtypes: '), Field(fld1,false)}" -match("MESSAGE#38482:UDP_Service_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result->} Subtypes: %{fld1}", processor_chain([ +var part41 = match("MESSAGE#38482:UDP_Service_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result->} Subtypes: %{fld1}", processor_chain([ dup135, dup31, dup32, @@ -95994,17 +95850,13 @@ var select2451 = linear_select([ msg38484, ]); -var part42 = // "Pattern{Field(context,true), Constant(' ['), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/0", "nwparser.payload", "%{context->} [%{p0}"); +var part42 = match("MESSAGE#38484:EmergingThreats/0", "nwparser.payload", "%{context->} [%{p0}"); -var part43 = // "Pattern{Constant('Impact: '), Field(result,false), Constant('] From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/1_0", "nwparser.p0", "Impact: %{result}] From \"%{sensor}\" at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{p0}"); +var part43 = match("MESSAGE#38484:EmergingThreats/1_0", "nwparser.p0", "Impact: %{result}] From \"%{sensor}\" at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{p0}"); -var part44 = // "Pattern{Constant('Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/1_1", "nwparser.p0", "Classification: %{sigtype}] [Priority: %{p0}"); +var part44 = match("MESSAGE#38484:EmergingThreats/1_1", "nwparser.p0", "Classification: %{sigtype}] [Priority: %{p0}"); -var part45 = // "Pattern{Field(info,false), Constant('] [Priority: '), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/1_2", "nwparser.p0", "%{info}] [Priority: %{p0}"); +var part45 = match("MESSAGE#38484:EmergingThreats/1_2", "nwparser.p0", "%{info}] [Priority: %{p0}"); var select2452 = linear_select([ part43, @@ -96012,8 +95864,7 @@ var select2452 = linear_select([ part45, ]); -var part46 = // "Pattern{Field(threat_val,true), Constant(' ]'), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/2", "nwparser.p0", "%{threat_val->} ]%{p0}"); +var part46 = match("MESSAGE#38484:EmergingThreats/2", "nwparser.p0", "%{threat_val->} ]%{p0}"); var all73 = all_match({ processors: [ @@ -96043,8 +95894,7 @@ var all73 = all_match({ var msg38485 = msg("EmergingThreats", all73); -var part47 = // "Pattern{Constant('Pruned session from cache that was using '), Field(bytes,true), Constant(' bytes ('), Field(result,false), Constant('). '), Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' --> '), Field(daddr,true), Constant(' '), Field(fld2,true), Constant(' ('), Field(fld3,false), Constant(') : '), Field(info,false)}" -match("MESSAGE#38485:S5", "nwparser.payload", "Pruned session from cache that was using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ +var part47 = match("MESSAGE#38485:S5", "nwparser.payload", "Pruned session from cache that was using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ dup127, dup31, dup32, @@ -96052,8 +95902,7 @@ match("MESSAGE#38485:S5", "nwparser.payload", "Pruned session from cache that wa var msg38486 = msg("S5", part47); -var part48 = // "Pattern{Constant('Session exceeded configured max bytes to queue '), Field(fld4,true), Constant(' using '), Field(bytes,true), Constant(' bytes ('), Field(result,false), Constant('). '), Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' --> '), Field(daddr,true), Constant(' '), Field(fld2,true), Constant(' ('), Field(fld3,false), Constant(') : '), Field(info,false)}" -match("MESSAGE#38486:S5:01", "nwparser.payload", "Session exceeded configured max bytes to queue %{fld4->} using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ +var part48 = match("MESSAGE#38486:S5:01", "nwparser.payload", "Session exceeded configured max bytes to queue %{fld4->} using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ dup127, dup31, dup32, @@ -96066,8 +95915,7 @@ var select2453 = linear_select([ msg38487, ]); -var part49 = // "Pattern{Constant('Login, Login Success'), Field(,false)}" -match("MESSAGE#38487:SystemSettings:01", "nwparser.payload", "Login, Login Success%{}", processor_chain([ +var part49 = match("MESSAGE#38487:SystemSettings:01", "nwparser.payload", "Login, Login Success%{}", processor_chain([ dup112, dup31, dup32, @@ -96083,8 +95931,7 @@ match("MESSAGE#38487:SystemSettings:01", "nwparser.payload", "Login, Login Succe var msg38488 = msg("SystemSettings:01", part49); -var part50 = // "Pattern{Constant('Logout, Logout Success'), Field(,false)}" -match("MESSAGE#38488:SystemSettings:02", "nwparser.payload", "Logout, Logout Success%{}", processor_chain([ +var part50 = match("MESSAGE#38488:SystemSettings:02", "nwparser.payload", "Logout, Logout Success%{}", processor_chain([ setc("eventcategory","1802000000"), dup31, dup32, @@ -96100,8 +95947,7 @@ match("MESSAGE#38488:SystemSettings:02", "nwparser.payload", "Logout, Logout Suc var msg38489 = msg("SystemSettings:02", part50); -var part51 = // "Pattern{Constant('System > '), Field(info,false)}" -match("MESSAGE#38489:SystemSettings:03", "nwparser.payload", "System > %{info}", processor_chain([ +var part51 = match("MESSAGE#38489:SystemSettings:03", "nwparser.payload", "System > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96114,8 +95960,7 @@ match("MESSAGE#38489:SystemSettings:03", "nwparser.payload", "System > %{info}", var msg38490 = msg("SystemSettings:03", part51); -var part52 = // "Pattern{Constant('Policies > '), Field(info,false)}" -match("MESSAGE#38490:SystemSettings:04", "nwparser.payload", "Policies > %{info}", processor_chain([ +var part52 = match("MESSAGE#38490:SystemSettings:04", "nwparser.payload", "Policies > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96128,8 +95973,7 @@ match("MESSAGE#38490:SystemSettings:04", "nwparser.payload", "Policies > %{info} var msg38491 = msg("SystemSettings:04", part52); -var part53 = // "Pattern{Constant('Object > '), Field(info,false)}" -match("MESSAGE#38491:SystemSettings:05", "nwparser.payload", "Object > %{info}", processor_chain([ +var part53 = match("MESSAGE#38491:SystemSettings:05", "nwparser.payload", "Object > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96141,8 +95985,7 @@ match("MESSAGE#38491:SystemSettings:05", "nwparser.payload", "Object > %{info}", var msg38492 = msg("SystemSettings:05", part53); -var part54 = // "Pattern{Constant('Overview > '), Field(info,false)}" -match("MESSAGE#38492:SystemSettings:06", "nwparser.payload", "Overview > %{info}", processor_chain([ +var part54 = match("MESSAGE#38492:SystemSettings:06", "nwparser.payload", "Overview > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96154,8 +95997,7 @@ match("MESSAGE#38492:SystemSettings:06", "nwparser.payload", "Overview > %{info} var msg38493 = msg("SystemSettings:06", part54); -var part55 = // "Pattern{Constant('Task Queue, '), Field(info,false)}" -match("MESSAGE#38493:SystemSettings:07", "nwparser.payload", "Task Queue, %{info}", processor_chain([ +var part55 = match("MESSAGE#38493:SystemSettings:07", "nwparser.payload", "Task Queue, %{info}", processor_chain([ dup127, dup31, dup32, @@ -96168,8 +96010,7 @@ match("MESSAGE#38493:SystemSettings:07", "nwparser.payload", "Task Queue, %{info var msg38494 = msg("SystemSettings:07", part55); -var part56 = // "Pattern{Constant('Intrusion Policy > '), Field(info,false)}" -match("MESSAGE#38494:SystemSettings:08", "nwparser.payload", "Intrusion Policy > %{info}", processor_chain([ +var part56 = match("MESSAGE#38494:SystemSettings:08", "nwparser.payload", "Intrusion Policy > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96182,19 +96023,16 @@ match("MESSAGE#38494:SystemSettings:08", "nwparser.payload", "Intrusion Policy > var msg38495 = msg("SystemSettings:08", part56); -var part57 = // "Pattern{Constant('Analysis & Reporting '), Field(p0,false)}" -match("MESSAGE#38495:SystemSettings:09/0", "nwparser.payload", "Analysis \u0026 Reporting %{p0}"); +var part57 = match("MESSAGE#38495:SystemSettings:09/0", "nwparser.payload", "Analysis \u0026 Reporting %{p0}"); -var part58 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#38495:SystemSettings:09/1_1", "nwparser.p0", ",%{p0}"); +var part58 = match("MESSAGE#38495:SystemSettings:09/1_1", "nwparser.p0", ",%{p0}"); var select2454 = linear_select([ dup145, part58, ]); -var part59 = // "Pattern{Field(,true), Constant(' '), Field(info,false)}" -match("MESSAGE#38495:SystemSettings:09/2", "nwparser.p0", "%{} %{info}"); +var part59 = match("MESSAGE#38495:SystemSettings:09/2", "nwparser.p0", "%{} %{info}"); var all74 = all_match({ processors: [ @@ -96216,8 +96054,7 @@ var all74 = all_match({ var msg38496 = msg("SystemSettings:09", all74); -var part60 = // "Pattern{Constant('Heartbeat, '), Field(info,false)}" -match("MESSAGE#38496:SystemSettings:10", "nwparser.payload", "Heartbeat, %{info}", processor_chain([ +var part60 = match("MESSAGE#38496:SystemSettings:10", "nwparser.payload", "Heartbeat, %{info}", processor_chain([ dup127, dup31, dup32, @@ -96230,8 +96067,7 @@ match("MESSAGE#38496:SystemSettings:10", "nwparser.payload", "Heartbeat, %{info} var msg38497 = msg("SystemSettings:10", part60); -var part61 = // "Pattern{Constant('FailD, '), Field(info,false)}" -match("MESSAGE#38497:SystemSettings:11", "nwparser.payload", "FailD, %{info}", processor_chain([ +var part61 = match("MESSAGE#38497:SystemSettings:11", "nwparser.payload", "FailD, %{info}", processor_chain([ dup127, dup31, dup32, @@ -96243,8 +96079,7 @@ match("MESSAGE#38497:SystemSettings:11", "nwparser.payload", "FailD, %{info}", p var msg38498 = msg("SystemSettings:11", part61); -var part62 = // "Pattern{Constant('Health > '), Field(info,false)}" -match("MESSAGE#38498:SystemSettings:12", "nwparser.payload", "Health > %{info}", processor_chain([ +var part62 = match("MESSAGE#38498:SystemSettings:12", "nwparser.payload", "Health > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96257,8 +96092,7 @@ match("MESSAGE#38498:SystemSettings:12", "nwparser.payload", "Health > %{info}", var msg38499 = msg("SystemSettings:12", part62); -var part63 = // "Pattern{Constant('Session Expiration, '), Field(info,false)}" -match("MESSAGE#38499:SystemSettings:13", "nwparser.payload", "Session Expiration, %{info}", processor_chain([ +var part63 = match("MESSAGE#38499:SystemSettings:13", "nwparser.payload", "Session Expiration, %{info}", processor_chain([ dup127, dup31, dup32, @@ -96271,8 +96105,7 @@ match("MESSAGE#38499:SystemSettings:13", "nwparser.payload", "Session Expiration var msg38500 = msg("SystemSettings:13", part63); -var part64 = // "Pattern{Constant('Analysis '), Field(info,false)}" -match("MESSAGE#38500:SystemSettings:14", "nwparser.payload", "Analysis %{info}", processor_chain([ +var part64 = match("MESSAGE#38500:SystemSettings:14", "nwparser.payload", "Analysis %{info}", processor_chain([ dup127, dup31, dup32, @@ -96285,8 +96118,7 @@ match("MESSAGE#38500:SystemSettings:14", "nwparser.payload", "Analysis %{info}", var msg38501 = msg("SystemSettings:14", part64); -var part65 = // "Pattern{Constant('Devices '), Field(info,false)}" -match("MESSAGE#38501:SystemSettings:15", "nwparser.payload", "Devices %{info}", processor_chain([ +var part65 = match("MESSAGE#38501:SystemSettings:15", "nwparser.payload", "Devices %{info}", processor_chain([ dup127, dup31, dup32, @@ -96299,8 +96131,7 @@ match("MESSAGE#38501:SystemSettings:15", "nwparser.payload", "Devices %{info}", var msg38502 = msg("SystemSettings:15", part65); -var part66 = // "Pattern{Constant('Intrusion Events,'), Field(info,false)}" -match("MESSAGE#38502:SystemSettings:16", "nwparser.payload", "Intrusion Events,%{info}", processor_chain([ +var part66 = match("MESSAGE#38502:SystemSettings:16", "nwparser.payload", "Intrusion Events,%{info}", processor_chain([ dup127, dup31, dup32, @@ -96313,8 +96144,7 @@ match("MESSAGE#38502:SystemSettings:16", "nwparser.payload", "Intrusion Events,% var msg38503 = msg("SystemSettings:16", part66); -var part67 = // "Pattern{Constant('Login, Login Failed'), Field(,false)}" -match("MESSAGE#38503:SystemSettings:17", "nwparser.payload", "Login, Login Failed%{}", processor_chain([ +var part67 = match("MESSAGE#38503:SystemSettings:17", "nwparser.payload", "Login, Login Failed%{}", processor_chain([ dup91, dup31, dup137, @@ -96331,8 +96161,7 @@ match("MESSAGE#38503:SystemSettings:17", "nwparser.payload", "Login, Login Faile var msg38504 = msg("SystemSettings:17", part67); -var part68 = // "Pattern{Constant('Command Line,'), Field(info,false)}" -match("MESSAGE#38504:SystemSettings:18", "nwparser.payload", "Command Line,%{info}", processor_chain([ +var part68 = match("MESSAGE#38504:SystemSettings:18", "nwparser.payload", "Command Line,%{info}", processor_chain([ dup127, dup31, dup32, @@ -96344,8 +96173,7 @@ match("MESSAGE#38504:SystemSettings:18", "nwparser.payload", "Command Line,%{inf var msg38505 = msg("SystemSettings:18", part68); -var part69 = // "Pattern{Constant('Access Control Policy > '), Field(info,false)}" -match("MESSAGE#38505:SystemSettings:19", "nwparser.payload", "Access Control Policy > %{info}", processor_chain([ +var part69 = match("MESSAGE#38505:SystemSettings:19", "nwparser.payload", "Access Control Policy > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96357,8 +96185,7 @@ match("MESSAGE#38505:SystemSettings:19", "nwparser.payload", "Access Control Pol var msg38506 = msg("SystemSettings:19", part69); -var part70 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#38506:SystemSettings:20", "nwparser.payload", "info", processor_chain([ +var part70 = match_copy("MESSAGE#38506:SystemSettings:20", "nwparser.payload", "info", processor_chain([ dup127, dup31, dup32, @@ -96407,8 +96234,7 @@ var msg38513 = msg("2101867", dup192); var msg38514 = msg("2101918", dup192); -var part71 = // "Pattern{Field(url,false), Constant(', Interface Ingress: '), Field(dinterface,false), Constant(', Interface Egress: '), Field(sinterface,false), Constant(', Security Zone Ingress: '), Field(dst_zone,false), Constant(', Security Zone Egress: '), Field(src_zone,false), Constant(', Security Intelligence Matching IP: '), Field(fld4,false), Constant(', Security Intelligence Category: '), Field(fld5,false), Constant(', Client Version: '), Field(version,false), Constant(', Number of File Events: '), Field(dclass_counter1,false), Constant(', Number of IPS Events: '), Field(dclass_counter2,false), Constant(', TCP Flags: '), Field(fld6,false), Constant(', NetBIOS Domain: '), Field(domain_id,false), Constant(', Initiator Packets: '), Field(fld7,false), Constant(', Responder Packets: '), Field(fld8,false), Constant(', Initiator Bytes: '), Field(rbytes,false), Constant(', Responder Bytes: '), Field(sbytes,false), Constant(', Context: '), Field(context,false), Constant(', SSL Rule Name: '), Field(fld9,false), Constant(', SSL Flow Status: '), Field(fld10,false), Constant(', SSL Cipher Suite: '), Field(fld11,false), Constant(', SSL Certificate: '), Field(fld12,false), Constant(', SSL Subject CN: '), Field(fld13,false), Constant(', SSL Subject Country: '), Field(fld14,false), Constant(', SSL Subject OU: '), Field(fld15,false), Constant(', SSL Subject Org: '), Field(fld16,false), Constant(', SSL Issuer CN: '), Field(fld17,false), Constant(', SSL Issuer Country: '), Field(fld18,false), Constant(', SSL Issuer OU: '), Field(fld19,false), Constant(', SSL Issuer Org: '), Field(fld20,false), Constant(', SSL Valid Start Date: '), Field(fld21,false), Constant(', SSL Valid End Date: '), Field(fld22,false), Constant(', SSL Version: '), Field(fld23,false), Constant(', SSL Server Certificate Status: '), Field(fld24,false), Constant(', SSL Actual Action: '), Field(fld25,false), Constant(', SSL Expected Action: '), Field(fld26,false), Constant(', SSL Server Name: '), Field(fld27,false), Constant(', SSL URL Category: '), Field(fld28,false), Constant(', SSL Session ID: '), Field(fld29,false), Constant(', SSL Ticket Id: '), Field(fld30,false), Constant(', {'), Field(protocol,false), Constant('} '), Field(saddr,true), Constant(' -> '), Field(daddr,false), Constant(', type:'), Field(event_type,false), Constant(', code:'), Field(event_description,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{saddr->} -> %{daddr}, type:%{event_type}, code:%{event_description}"); +var part71 = match("MESSAGE#38514:Primary_Detection_Engine/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{saddr->} -> %{daddr}, type:%{event_type}, code:%{event_description}"); var all75 = all_match({ processors: [ @@ -96428,8 +96254,7 @@ var all75 = all_match({ var msg38515 = msg("Primary_Detection_Engine", all75); -var part72 = // "Pattern{Field(url,false), Constant(', Interface Ingress: '), Field(dinterface,false), Constant(', Interface Egress: '), Field(sinterface,false), Constant(', Security Zone Ingress: '), Field(dst_zone,false), Constant(', Security Zone Egress: '), Field(src_zone,false), Constant(', Security Intelligence Matching IP: '), Field(fld4,false), Constant(', Security Intelligence Category: '), Field(fld5,false), Constant(', Client Version: '), Field(version,false), Constant(', Number of File Events: '), Field(dclass_counter1,false), Constant(', Number of IPS Events: '), Field(dclass_counter2,false), Constant(', TCP Flags: '), Field(fld6,false), Constant(', NetBIOS Domain: '), Field(domain_id,false), Constant(', Initiator Packets: '), Field(fld7,false), Constant(', Responder Packets: '), Field(fld8,false), Constant(', Initiator Bytes: '), Field(rbytes,false), Constant(', Responder Bytes: '), Field(sbytes,false), Constant(', Context: '), Field(context,false), Constant(', SSL Rule Name: '), Field(fld9,false), Constant(', SSL Flow Status: '), Field(fld10,false), Constant(', SSL Cipher Suite: '), Field(fld11,false), Constant(', SSL Certificate: '), Field(fld12,false), Constant(', SSL Subject CN: '), Field(fld13,false), Constant(', SSL Subject Country: '), Field(fld14,false), Constant(', SSL Subject OU: '), Field(fld15,false), Constant(', SSL Subject Org: '), Field(fld16,false), Constant(', SSL Issuer CN: '), Field(fld17,false), Constant(', SSL Issuer Country: '), Field(fld18,false), Constant(', SSL Issuer OU: '), Field(fld19,false), Constant(', SSL Issuer Org: '), Field(fld20,false), Constant(', SSL Valid Start Date: '), Field(fld21,false), Constant(', SSL Valid End Date: '), Field(fld22,false), Constant(', SSL Version: '), Field(fld23,false), Constant(', SSL Server Certificate Status: '), Field(fld24,false), Constant(', SSL Actual Action: '), Field(fld25,false), Constant(', SSL Expected Action: '), Field(fld26,false), Constant(', SSL Server Name: '), Field(fld27,false), Constant(', SSL URL Category: '), Field(fld28,false), Constant(', SSL Session ID: '), Field(fld29,false), Constant(', SSL Ticket Id: '), Field(fld30,false), Constant(', {'), Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#38515:Primary_Detection_Engine:01/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{p0}"); +var part72 = match("MESSAGE#38515:Primary_Detection_Engine:01/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{p0}"); var all76 = all_match({ processors: [ @@ -96451,14 +96276,11 @@ var all76 = all_match({ var msg38516 = msg("Primary_Detection_Engine:01", all76); -var part73 = // "Pattern{Field(url,false), Constant(', Interface Ingress: '), Field(dinterface,false), Constant(', Interface Egress: '), Field(sinterface,false), Constant(', Security Zone Ingress: '), Field(dst_zone,false), Constant(', Security Zone Egress: '), Field(src_zone,false), Constant(', Security Intelligence Matching IP: '), Field(fld4,false), Constant(', Security Intelligence Category: '), Field(fld5,false), Constant(', Client Version: '), Field(version,false), Constant(', Number of File Events: '), Field(dclass_counter1,false), Constant(', Number of IPS Events: '), Field(dclass_counter2,false), Constant(', TCP Flags: '), Field(fld6,false), Constant(', NetBIOS Domain: '), Field(domain_id,false), Constant(', Initiator Packets: '), Field(fld7,false), Constant(', Responder Packets: '), Field(fld8,false), Constant(', Initiator Bytes: '), Field(rbytes,false), Constant(', Responder Bytes: '), Field(p0,false)}" -match("MESSAGE#38516:Primary_Detection_Engine:02/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{p0}"); +var part73 = match("MESSAGE#38516:Primary_Detection_Engine:02/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{p0}"); -var part74 = // "Pattern{Field(sbytes,false), Constant(', Context: '), Field(context,true), Constant(' {'), Field(p0,false)}" -match("MESSAGE#38516:Primary_Detection_Engine:02/3_0", "nwparser.p0", "%{sbytes}, Context: %{context->} {%{p0}"); +var part74 = match("MESSAGE#38516:Primary_Detection_Engine:02/3_0", "nwparser.p0", "%{sbytes}, Context: %{context->} {%{p0}"); -var part75 = // "Pattern{Field(sbytes,true), Constant(' {'), Field(p0,false)}" -match("MESSAGE#38516:Primary_Detection_Engine:02/3_1", "nwparser.p0", "%{sbytes->} {%{p0}"); +var part75 = match("MESSAGE#38516:Primary_Detection_Engine:02/3_1", "nwparser.p0", "%{sbytes->} {%{p0}"); var select2456 = linear_select([ part74, @@ -96487,8 +96309,7 @@ var all77 = all_match({ var msg38517 = msg("Primary_Detection_Engine:02", all77); -var part76 = // "Pattern{Constant('"'), Field(context,false), Constant('" [Classification:'), Field(sigtype,false), Constant('] User:'), Field(username,false), Constant(', Application:'), Field(application,false), Constant(', Client:'), Field(fld12,false), Constant(', App Protocol:'), Field(fld14,false), Constant(', Interface Ingress:'), Field(dinterface,false), Constant(', Interface Egress:'), Field(sinterface,false), Constant(', Security Zone Ingress:'), Field(dst_zone,false), Constant(', Security Zone Egress:'), Field(src_zone,false), Constant(', Context:'), Field(fld13,false), Constant(', SSL Flow Status:'), Field(fld1,false), Constant(', SSL Actual Action:'), Field(fld22,false), Constant(', SSL Certificate:'), Field(fld3,false), Constant(', SSL Subject CN:'), Field(fld4,false), Constant(', SSL Subject Country:'), Field(fld5,false), Constant(', SSL Subject OU:'), Field(fld6,false), Constant(', SSL Subject Org:'), Field(fld7,false), Constant(', SSL Issuer CN:'), Field(fld8,false), Constant(', SSL Issuer Country:'), Field(fld9,false), Constant(', SSL Issuer OU:'), Field(fld10,false), Constant(', SSL Issuer Org:'), Field(fld11,false), Constant(', SSL Valid Start Date:'), Field(fld12,false), Constant(', SSL Valid End Date:'), Field(fld13,false), Constant(', [Priority:'), Field(threat_val,false), Constant('] {'), Field(protocol,false), Constant('}'), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#38517:Primary_Detection_Engine:03", "nwparser.payload", "\"%{context}\" [Classification:%{sigtype}] User:%{username}, Application:%{application}, Client:%{fld12}, App Protocol:%{fld14}, Interface Ingress:%{dinterface}, Interface Egress:%{sinterface}, Security Zone Ingress:%{dst_zone}, Security Zone Egress:%{src_zone}, Context:%{fld13}, SSL Flow Status:%{fld1}, SSL Actual Action:%{fld22}, SSL Certificate:%{fld3}, SSL Subject CN:%{fld4}, SSL Subject Country:%{fld5}, SSL Subject OU:%{fld6}, SSL Subject Org:%{fld7}, SSL Issuer CN:%{fld8}, SSL Issuer Country:%{fld9}, SSL Issuer OU:%{fld10}, SSL Issuer Org:%{fld11}, SSL Valid Start Date:%{fld12}, SSL Valid End Date:%{fld13}, [Priority:%{threat_val}] {%{protocol}}%{saddr}:%{sport}->%{daddr}:%{dport}", processor_chain([ +var part76 = match("MESSAGE#38517:Primary_Detection_Engine:03", "nwparser.payload", "\"%{context}\" [Classification:%{sigtype}] User:%{username}, Application:%{application}, Client:%{fld12}, App Protocol:%{fld14}, Interface Ingress:%{dinterface}, Interface Egress:%{sinterface}, Security Zone Ingress:%{dst_zone}, Security Zone Egress:%{src_zone}, Context:%{fld13}, SSL Flow Status:%{fld1}, SSL Actual Action:%{fld22}, SSL Certificate:%{fld3}, SSL Subject CN:%{fld4}, SSL Subject Country:%{fld5}, SSL Subject OU:%{fld6}, SSL Subject Org:%{fld7}, SSL Issuer CN:%{fld8}, SSL Issuer Country:%{fld9}, SSL Issuer OU:%{fld10}, SSL Issuer Org:%{fld11}, SSL Valid Start Date:%{fld12}, SSL Valid End Date:%{fld13}, [Priority:%{threat_val}] {%{protocol}}%{saddr}:%{sport}->%{daddr}:%{dport}", processor_chain([ dup44, dup31, dup32, @@ -96507,8 +96328,7 @@ var select2457 = linear_select([ msg38518, ]); -var part77 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC > Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(saddr,false), Constant('>'), Field(daddr,false)}" -match("MESSAGE#38518:Network_Based_Malware", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC > Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}>%{daddr}", processor_chain([ +var part77 = match("MESSAGE#38518:Network_Based_Malware", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC > Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}>%{daddr}", processor_chain([ dup100, dup31, dup129, @@ -96518,19 +96338,16 @@ match("MESSAGE#38518:Network_Based_Malware", "nwparser.payload", "%{context->} F var msg38519 = msg("Network_Based_Malware", part77); -var part78 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -'), Field(p0,false)}" -match("MESSAGE#38519:Network_Based_Malware:01/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -%{p0}"); +var part78 = match("MESSAGE#38519:Network_Based_Malware:01/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -%{p0}"); -var part79 = // "Pattern{Constant('*>'), Field(p0,false)}" -match("MESSAGE#38519:Network_Based_Malware:01/1_0", "nwparser.p0", "*>%{p0}"); +var part79 = match("MESSAGE#38519:Network_Based_Malware:01/1_0", "nwparser.p0", "*>%{p0}"); var select2458 = linear_select([ part79, dup145, ]); -var part80 = // "Pattern{Field(,true), Constant(' '), Field(space,false), Constant('Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(daddr,false), Constant('<<-'), Field(saddr,false)}" -match("MESSAGE#38519:Network_Based_Malware:01/2", "nwparser.p0", "%{} %{space}Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); +var part80 = match("MESSAGE#38519:Network_Based_Malware:01/2", "nwparser.p0", "%{} %{space}Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); var all78 = all_match({ processors: [ @@ -96549,8 +96366,7 @@ var all78 = all_match({ var msg38520 = msg("Network_Based_Malware:01", all78); -var part81 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(saddr,false), Constant('->'), Field(daddr,false)}" -match("MESSAGE#38520:Network_Based_Malware:02", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ +var part81 = match("MESSAGE#38520:Network_Based_Malware:02", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ dup100, dup31, dup129, @@ -96566,17 +96382,13 @@ var select2459 = linear_select([ msg38521, ]); -var part82 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC %{p0}"); +var part82 = match("MESSAGE#38521:Network_Based_Retrospective/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC %{p0}"); -var part83 = // "Pattern{Constant('Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/2", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{p0}"); +var part83 = match("MESSAGE#38521:Network_Based_Retrospective/2", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{p0}"); -var part84 = // "Pattern{Field(saddr,false), Constant('->'), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/3_0", "nwparser.p0", "%{saddr}->%{p0}"); +var part84 = match("MESSAGE#38521:Network_Based_Retrospective/3_0", "nwparser.p0", "%{saddr}->%{p0}"); -var part85 = // "Pattern{Field(saddr,false), Constant('>'), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/3_1", "nwparser.p0", "%{saddr}>%{p0}"); +var part85 = match("MESSAGE#38521:Network_Based_Retrospective/3_1", "nwparser.p0", "%{saddr}>%{p0}"); var select2460 = linear_select([ part84, @@ -96602,14 +96414,11 @@ var all79 = all_match({ var msg38522 = msg("Network_Based_Retrospective", all79); -var part86 = // "Pattern{Constant('Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/4", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{p0}"); +var part86 = match("MESSAGE#38522:Network_Based_Retrospective:01/4", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{p0}"); -var part87 = // "Pattern{Field(threat_name,true), Constant(' IP Addresses: '), Field(daddr,false), Constant('<<-'), Field(saddr,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/5_0", "nwparser.p0", "%{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); +var part87 = match("MESSAGE#38522:Network_Based_Retrospective:01/5_0", "nwparser.p0", "%{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); -var part88 = // "Pattern{Field(threat_name,false)}" -match_copy("MESSAGE#38522:Network_Based_Retrospective:01/5_1", "nwparser.p0", "threat_name"); +var part88 = match_copy("MESSAGE#38522:Network_Based_Retrospective:01/5_1", "nwparser.p0", "threat_name"); var select2461 = linear_select([ part87, @@ -96641,8 +96450,7 @@ var select2462 = linear_select([ msg38523, ]); -var part89 = // "Pattern{Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(daddr,false), Constant('<<-'), Field(saddr,false)}" -match("MESSAGE#38523:MALWARE:02", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}", processor_chain([ +var part89 = match("MESSAGE#38523:MALWARE:02", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}", processor_chain([ dup100, dup32, dup47, @@ -96651,8 +96459,7 @@ match("MESSAGE#38523:MALWARE:02", "nwparser.payload", "%{checksum->} Disposition var msg38524 = msg("MALWARE:02", part89); -var part90 = // "Pattern{Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(saddr,false), Constant('->'), Field(daddr,false)}" -match("MESSAGE#38524:MALWARE:01", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ +var part90 = match("MESSAGE#38524:MALWARE:01", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ dup100, dup32, dup47, @@ -96661,8 +96468,7 @@ match("MESSAGE#38524:MALWARE:01", "nwparser.payload", "%{checksum->} Disposition var msg38525 = msg("MALWARE:01", part90); -var part91 = // "Pattern{Field(threat_val,false)}" -match_copy("MESSAGE#38537:MALWARE", "nwparser.payload", "threat_val", processor_chain([ +var part91 = match_copy("MESSAGE#38537:MALWARE", "nwparser.payload", "threat_val", processor_chain([ dup71, dup31, dup45, @@ -96704,14 +96510,11 @@ var all81 = all_match({ var msg38527 = msg("Snort_AlertLog", all81); -var part92 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(p0,false)}" -match("MESSAGE#38526:New_TCP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{p0}"); +var part92 = match("MESSAGE#38526:New_TCP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{p0}"); -var part93 = // "Pattern{Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38526:New_TCP_Port/5_0", "nwparser.p0", "%{sport->} Service: %{protocol->} Confidence: %{result}"); +var part93 = match("MESSAGE#38526:New_TCP_Port/5_0", "nwparser.p0", "%{sport->} Service: %{protocol->} Confidence: %{result}"); -var part94 = // "Pattern{Field(sport,false)}" -match_copy("MESSAGE#38526:New_TCP_Port/5_1", "nwparser.p0", "sport"); +var part94 = match_copy("MESSAGE#38526:New_TCP_Port/5_1", "nwparser.p0", "sport"); var select2464 = linear_select([ part93, @@ -96737,8 +96540,7 @@ var all82 = all_match({ var msg38528 = msg("New_TCP_Port", all82); -var part95 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,false)}" -match("MESSAGE#38527:New_UDP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport}"); +var part95 = match("MESSAGE#38527:New_UDP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport}"); var all83 = all_match({ processors: [ @@ -96766,8 +96568,7 @@ var msg38532 = msg("UDP_Server_Information_Update", dup356); var msg38533 = msg("TCP_Server_Information_Update", dup356); -var part96 = // "Pattern{Constant('From '), Field(sensor,true), Constant(' at '), Field(p0,false)}" -match("MESSAGE#38532:Client_Timeout/1_1", "nwparser.p0", "From %{sensor->} at %{p0}"); +var part96 = match("MESSAGE#38532:Client_Timeout/1_1", "nwparser.p0", "From %{sensor->} at %{p0}"); var select2465 = linear_select([ dup155, @@ -96793,8 +96594,7 @@ var all84 = all_match({ var msg38534 = msg("Client_Timeout", all84); -var part97 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Category: '), Field(category,true), Constant(' Event Type: '), Field(event_type,false)}" -match("MESSAGE#38533:Host_IOC_Set/4", "nwparser.p0", "IP Address: %{saddr->} Category: %{category->} Event Type: %{event_type}"); +var part97 = match("MESSAGE#38533:Host_IOC_Set/4", "nwparser.p0", "IP Address: %{saddr->} Category: %{category->} Event Type: %{event_type}"); var all85 = all_match({ processors: [ @@ -96814,8 +96614,7 @@ var all85 = all_match({ var msg38535 = msg("Host_IOC_Set", all85); -var part98 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Host Type: '), Field(fld10,false)}" -match("MESSAGE#38534:Host_Type_Changed/4", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{fld10}"); +var part98 = match("MESSAGE#38534:Host_Type_Changed/4", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{fld10}"); var all86 = all_match({ processors: [ @@ -96835,8 +96634,7 @@ var all86 = all_match({ var msg38536 = msg("Host_Type_Changed", all86); -var part99 = // "Pattern{Constant('Login Success'), Field(,false)}" -match("MESSAGE#38535:Login", "nwparser.payload", "Login Success%{}", processor_chain([ +var part99 = match("MESSAGE#38535:Login", "nwparser.payload", "Login Success%{}", processor_chain([ dup112, dup31, dup32, @@ -96849,8 +96647,7 @@ match("MESSAGE#38535:Login", "nwparser.payload", "Login Success%{}", processor_c var msg38537 = msg("Login", part99); -var part100 = // "Pattern{Constant('Logout Success'), Field(,false)}" -match("MESSAGE#38536:Logout", "nwparser.payload", "Logout Success%{}", processor_chain([ +var part100 = match("MESSAGE#38536:Logout", "nwparser.payload", "Logout Success%{}", processor_chain([ setc("eventcategory","1401070000"), dup31, dup32, @@ -96957,8 +96754,7 @@ var part101 = tagval("MESSAGE#38538:connection_events", "nwparser.payload", tvm, var msg38539 = msg("connection_events", part101); -var part102 = // "Pattern{Constant('SrcIP: '), Field(daddr,false), Constant(', DstIP: '), Field(saddr,false), Constant(', SrcPort: '), Field(dport,false), Constant(', DstPort: '), Field(sport,false), Constant(', Protocol: '), Field(protocol,false), Constant(', FileDirection: Download, FileAction: '), Field(action,false), Constant(', FileSHA256: '), Field(checksum,false), Constant(', SHA_Disposition: '), Field(disposition,false), Constant(', SperoDisposition: '), Field(info,false), Constant(', ThreatName: '), Field(threat_name,false), Constant(', ThreatScore: '), Field(fld1,false), Constant(', FileName: '), Field(filename,false), Constant(', FileType: '), Field(filetype,false), Constant(', FileSize: '), Field(filename_size,false), Constant(', ApplicationProtocol: '), Field(protocol,false), Constant(', Client: '), Field(application,false), Constant(', User: '), Field(username,false), Constant(', FirstPacketSecond: '), Field(fld21,false), Constant(', FilePolicy: '), Field(policyname,false), Constant(', FileSandboxStatus: '), Field(result,false), Constant(', URI: '), Field(url,false)}" -match("MESSAGE#38539:FTD_events_01", "nwparser.payload", "SrcIP: %{daddr}, DstIP: %{saddr}, SrcPort: %{dport}, DstPort: %{sport}, Protocol: %{protocol}, FileDirection: Download, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ +var part102 = match("MESSAGE#38539:FTD_events_01", "nwparser.payload", "SrcIP: %{daddr}, DstIP: %{saddr}, SrcPort: %{dport}, DstPort: %{sport}, Protocol: %{protocol}, FileDirection: Download, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ dup150, dup161, dup162, @@ -96970,8 +96766,7 @@ match("MESSAGE#38539:FTD_events_01", "nwparser.payload", "SrcIP: %{daddr}, DstIP var msg38540 = msg("FTD_events_01", part102); -var part103 = // "Pattern{Constant('SrcIP: '), Field(saddr,false), Constant(', DstIP: '), Field(daddr,false), Constant(', SrcPort: '), Field(sport,false), Constant(', DstPort: '), Field(dport,false), Constant(', Protocol: '), Field(protocol,false), Constant(', FileDirection: Upload, FileAction: '), Field(action,false), Constant(', FileSHA256: '), Field(checksum,false), Constant(', SHA_Disposition: '), Field(disposition,false), Constant(', SperoDisposition: '), Field(info,false), Constant(', ThreatName: '), Field(threat_name,false), Constant(', ThreatScore: '), Field(fld1,false), Constant(', FileName: '), Field(filename,false), Constant(', FileType: '), Field(filetype,false), Constant(', FileSize: '), Field(filename_size,false), Constant(', ApplicationProtocol: '), Field(protocol,false), Constant(', Client: '), Field(application,false), Constant(', User: '), Field(username,false), Constant(', FirstPacketSecond: '), Field(fld21,false), Constant(', FilePolicy: '), Field(policyname,false), Constant(', FileSandboxStatus: '), Field(result,false), Constant(', URI: '), Field(url,false)}" -match("MESSAGE#38540:FTD_events_02", "nwparser.payload", "SrcIP: %{saddr}, DstIP: %{daddr}, SrcPort: %{sport}, DstPort: %{dport}, Protocol: %{protocol}, FileDirection: Upload, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ +var part103 = match("MESSAGE#38540:FTD_events_02", "nwparser.payload", "SrcIP: %{saddr}, DstIP: %{daddr}, SrcPort: %{sport}, DstPort: %{dport}, Protocol: %{protocol}, FileDirection: Upload, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ dup150, dup161, dup162, @@ -96983,8 +96778,7 @@ match("MESSAGE#38540:FTD_events_02", "nwparser.payload", "SrcIP: %{saddr}, DstIP var msg38541 = msg("FTD_events_02", part103); -var part104 = // "Pattern{Constant('User ''), Field(username,false), Constant('' executed the ''), Field(fld1,false), Constant('' command.')}" -match("MESSAGE#38541:FTD_events_03", "nwparser.payload", "User '%{username}' executed the '%{fld1}' command.", processor_chain([ +var part104 = match("MESSAGE#38541:FTD_events_03", "nwparser.payload", "User '%{username}' executed the '%{fld1}' command.", processor_chain([ dup150, dup162, dup32, @@ -96993,8 +96787,7 @@ match("MESSAGE#38541:FTD_events_03", "nwparser.payload", "User '%{username}' exe var msg38542 = msg("FTD_events_03", part104); -var part105 = // "Pattern{Constant('User ''), Field(username,false), Constant('', running ''), Field(application,false), Constant('' from IP'), Field(hostip,false), Constant(', executed ''), Field(fld1,false), Constant(''')}" -match("MESSAGE#38542:FTD_events_04", "nwparser.payload", "User '%{username}', running '%{application}' from IP%{hostip}, executed '%{fld1}'", processor_chain([ +var part105 = match("MESSAGE#38542:FTD_events_04", "nwparser.payload", "User '%{username}', running '%{application}' from IP%{hostip}, executed '%{fld1}'", processor_chain([ dup150, dup162, dup32, @@ -97003,8 +96796,7 @@ match("MESSAGE#38542:FTD_events_04", "nwparser.payload", "User '%{username}', ru var msg38543 = msg("FTD_events_04", part105); -var part106 = // "Pattern{Field(dclass_counter1,false), Constant('in use,'), Field(fld2,false), Constant('most used')}" -match("MESSAGE#38543:FTD_events_05", "nwparser.payload", "%{dclass_counter1}in use,%{fld2}most used", processor_chain([ +var part106 = match("MESSAGE#38543:FTD_events_05", "nwparser.payload", "%{dclass_counter1}in use,%{fld2}most used", processor_chain([ dup150, dup162, dup32, @@ -97014,8 +96806,7 @@ match("MESSAGE#38543:FTD_events_05", "nwparser.payload", "%{dclass_counter1}in u var msg38544 = msg("FTD_events_05", part106); -var part107 = // "Pattern{Constant('Offloaded TCP Flow for connection'), Field(connectionid,false), Constant('from'), Field(dinterface,false), Constant(':'), Field(daddr,false), Constant('/'), Field(dport,false), Constant('('), Field(dtransaddr,false), Constant('/'), Field(dtransport,false), Constant(') to'), Field(sinterface,false), Constant(':'), Field(saddr,false), Constant('/'), Field(sport,false), Constant('('), Field(stransaddr,false), Constant('/'), Field(stransport,false), Constant(')')}" -match("MESSAGE#38544:FTD_events_06", "nwparser.payload", "Offloaded TCP Flow for connection%{connectionid}from%{dinterface}:%{daddr}/%{dport}(%{dtransaddr}/%{dtransport}) to%{sinterface}:%{saddr}/%{sport}(%{stransaddr}/%{stransport})", processor_chain([ +var part107 = match("MESSAGE#38544:FTD_events_06", "nwparser.payload", "Offloaded TCP Flow for connection%{connectionid}from%{dinterface}:%{daddr}/%{dport}(%{dtransaddr}/%{dtransport}) to%{sinterface}:%{saddr}/%{sport}(%{stransaddr}/%{stransport})", processor_chain([ dup150, dup162, dup32, @@ -97025,8 +96816,7 @@ match("MESSAGE#38544:FTD_events_06", "nwparser.payload", "Offloaded TCP Flow for var msg38545 = msg("FTD_events_06", part107); -var part108 = // "Pattern{Constant('Failed to locate egress interface for '), Field(protocol,true), Constant(' from '), Field(sinterface,false), Constant(':'), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,false)}" -match("MESSAGE#38545:FTD_events_07", "nwparser.payload", "Failed to locate egress interface for %{protocol->} from %{sinterface}:%{saddr}/%{sport->} to %{daddr}/%{dport}", processor_chain([ +var part108 = match("MESSAGE#38545:FTD_events_07", "nwparser.payload", "Failed to locate egress interface for %{protocol->} from %{sinterface}:%{saddr}/%{sport->} to %{daddr}/%{dport}", processor_chain([ setc("eventcategory","1801010000"), dup162, dup32, @@ -97036,8 +96826,7 @@ match("MESSAGE#38545:FTD_events_07", "nwparser.payload", "Failed to locate egres var msg38546 = msg("FTD_events_07", part108); -var part109 = // "Pattern{Constant('TCP Flow is no longer offloaded for connection '), Field(connectionid,true), Constant(' from '), Field(dinterface,false), Constant(':'), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' ('), Field(dtransaddr,false), Constant('/'), Field(dtransport,false), Constant(') to '), Field(sinterface,false), Constant(':'), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' ('), Field(stransaddr,false), Constant('/'), Field(stransport,false), Constant(')')}" -match("MESSAGE#38546:FTD_events_08", "nwparser.payload", "TCP Flow is no longer offloaded for connection %{connectionid->} from %{dinterface}:%{daddr}/%{dport->} (%{dtransaddr}/%{dtransport}) to %{sinterface}:%{saddr}/%{sport->} (%{stransaddr}/%{stransport})", processor_chain([ +var part109 = match("MESSAGE#38546:FTD_events_08", "nwparser.payload", "TCP Flow is no longer offloaded for connection %{connectionid->} from %{dinterface}:%{daddr}/%{dport->} (%{dtransaddr}/%{dtransport}) to %{sinterface}:%{saddr}/%{sport->} (%{stransaddr}/%{stransport})", processor_chain([ dup150, dup162, dup32, @@ -97047,8 +96836,7 @@ match("MESSAGE#38546:FTD_events_08", "nwparser.payload", "TCP Flow is no longer var msg38547 = msg("FTD_events_08", part109); -var part110 = // "Pattern{Constant('CLOCK: System clock set, source: '), Field(event_source,false), Constant(', IP: '), Field(hostip,false), Constant(', before: '), Field(change_old,false), Constant(', after: '), Field(change_new,false)}" -match("MESSAGE#38547:FTD_events_09", "nwparser.payload", "CLOCK: System clock set, source: %{event_source}, IP: %{hostip}, before: %{change_old}, after: %{change_new}", processor_chain([ +var part110 = match("MESSAGE#38547:FTD_events_09", "nwparser.payload", "CLOCK: System clock set, source: %{event_source}, IP: %{hostip}, before: %{change_old}, after: %{change_new}", processor_chain([ dup150, dup162, dup32, @@ -97148,19 +96936,16 @@ var select2466 = linear_select([ msg38549, ]); -var part112 = // "Pattern{Constant('AccessControlRuleAction:'), Field(action,false), Constant(', AccessControlRuleReason:'), Field(result,false), Constant(', SrcIP:'), Field(saddr,false), Constant(', DstIP:'), Field(daddr,false), Constant(', SrcPort:'), Field(sport,false), Constant(', DstPort:'), Field(dport,false), Constant(', Protocol: '), Field(protocol,false), Constant(', IngressInterface: '), Field(dinterface,false), Constant(', IngressZone:'), Field(dst_zone,false), Constant(', ACPolicy:'), Field(fld44,false), Constant(', AccessControlRuleName:'), Field(rulename,false), Constant(', Prefilter Policy:'), Field(fld2,false), Constant(', User:'), Field(fld48,false), Constant(', Client:'), Field(application,false), Constant(', ApplicationProtocol:'), Field(protocol,false), Constant(', InitiatorPackets:'), Field(fld14,false), Constant(', ResponderPackets:'), Field(fld13,false), Constant(', InitiatorBytes:'), Field(sbytes,false), Constant(', ResponderBytes:'), Field(rbytes,false), Constant(', NAPPolicy:'), Field(policyname,false), Constant(', DNSQuery:'), Field(hostname,false), Constant(', DNSRecordType: a host address,'), Field(p0,false)}" -match("MESSAGE#38549:NGIPS_events_01/0", "nwparser.payload", "AccessControlRuleAction:%{action}, AccessControlRuleReason:%{result}, SrcIP:%{saddr}, DstIP:%{daddr}, SrcPort:%{sport}, DstPort:%{dport}, Protocol: %{protocol}, IngressInterface: %{dinterface}, IngressZone:%{dst_zone}, ACPolicy:%{fld44}, AccessControlRuleName:%{rulename}, Prefilter Policy:%{fld2}, User:%{fld48}, Client:%{application}, ApplicationProtocol:%{protocol}, InitiatorPackets:%{fld14}, ResponderPackets:%{fld13}, InitiatorBytes:%{sbytes}, ResponderBytes:%{rbytes}, NAPPolicy:%{policyname}, DNSQuery:%{hostname}, DNSRecordType: a host address,%{p0}"); +var part112 = match("MESSAGE#38549:NGIPS_events_01/0", "nwparser.payload", "AccessControlRuleAction:%{action}, AccessControlRuleReason:%{result}, SrcIP:%{saddr}, DstIP:%{daddr}, SrcPort:%{sport}, DstPort:%{dport}, Protocol: %{protocol}, IngressInterface: %{dinterface}, IngressZone:%{dst_zone}, ACPolicy:%{fld44}, AccessControlRuleName:%{rulename}, Prefilter Policy:%{fld2}, User:%{fld48}, Client:%{application}, ApplicationProtocol:%{protocol}, InitiatorPackets:%{fld14}, ResponderPackets:%{fld13}, InitiatorBytes:%{sbytes}, ResponderBytes:%{rbytes}, NAPPolicy:%{policyname}, DNSQuery:%{hostname}, DNSRecordType: a host address,%{p0}"); -var part113 = // "Pattern{Constant(' DNS_TTL: '), Field(fld7,false), Constant(','), Field(p0,false)}" -match("MESSAGE#38549:NGIPS_events_01/1_0", "nwparser.p0", " DNS_TTL: %{fld7},%{p0}"); +var part113 = match("MESSAGE#38549:NGIPS_events_01/1_0", "nwparser.p0", " DNS_TTL: %{fld7},%{p0}"); var select2467 = linear_select([ part113, dup59, ]); -var part114 = // "Pattern{Field(,false), Constant('DNSSICategory:'), Field(category,false)}" -match("MESSAGE#38549:NGIPS_events_01/2", "nwparser.p0", "%{}DNSSICategory:%{category}"); +var part114 = match("MESSAGE#38549:NGIPS_events_01/2", "nwparser.p0", "%{}DNSSICategory:%{category}"); var all87 = all_match({ processors: [ @@ -133327,194 +133112,131 @@ var chain1 = processor_chain([ }), ]); -var hdr35 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var hdr35 = match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var part116 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Impact: '), Field(p0,false)}" -match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); +var part116 = match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); -var part117 = // "Pattern{Field(hfld10,true), Constant(' [Impact: '), Field(p0,false)}" -match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); +var part117 = match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); -var part118 = // "Pattern{Field(result,false), Constant('] From '), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part118 = match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); -var part119 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Classification: '), Field(p0,false)}" -match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); +var part119 = match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); -var part120 = // "Pattern{Field(hfld10,true), Constant(' [Classification: '), Field(p0,false)}" -match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); +var part120 = match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); -var part121 = // "Pattern{Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); +var part121 = match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); -var part122 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" ['), Field(p0,false)}" -match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); +var part122 = match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); -var part123 = // "Pattern{Field(hfld10,true), Constant(' ['), Field(p0,false)}" -match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); +var part123 = match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); -var part124 = // "Pattern{Field(info,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); +var part124 = match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); -var hdr36 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var hdr36 = match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var part125 = // "Pattern{Field(result,false), Constant('] From '), Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part125 = match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); -var hdr37 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var hdr37 = match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var part126 = // "Pattern{Constant('at'), Field(p0,false)}" -match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); +var part126 = match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); -var part127 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); +var part127 = match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); -var part128 = // "Pattern{Constant('['), Field(hpid,false), Constant(']: ['), Field(p0,false)}" -match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); +var part128 = match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); -var part129 = // "Pattern{Constant(': ['), Field(p0,false)}" -match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); +var part129 = match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); -var part130 = // "Pattern{Constant(']'), Field(hversion,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hevent_source,true), Constant(' '), Field(payload,false)}" -match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); +var part130 = match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); -var hdr38 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); +var hdr38 = match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); -var part131 = // "Pattern{Field(threat_val,true), Constant(' ]:alert {'), Field(p0,false)}" -match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); +var part131 = match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); -var part132 = // "Pattern{Field(threat_val,true), Constant(' ]: '), Field(fld1,true), Constant(' {'), Field(p0,false)}" -match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); +var part132 = match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); -var part133 = // "Pattern{Field(threat_val,false), Constant(']: {'), Field(p0,false)}" -match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); +var part133 = match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); -var part134 = // "Pattern{Field(threat_val,true), Constant(' ] {'), Field(p0,false)}" -match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); +var part134 = match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); -var part135 = // "Pattern{Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); +var part135 = match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); -var part136 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(location_src,false), Constant(') -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); +var part136 = match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); -var part137 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); +var part137 = match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); -var part138 = // "Pattern{Field(saddr,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); +var part138 = match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); -var part139 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(location_dst,false), Constant(')')}" -match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); +var part139 = match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); -var part140 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); +var part140 = match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); -var part141 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); +var part141 = match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); -var part142 = // "Pattern{Field(context,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); +var part142 = match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); -var part143 = // "Pattern{Constant('<<'), Field(interface,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); +var part143 = match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); -var part144 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); +var part144 = match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); -var part145 = // "Pattern{Constant('{'), Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); +var part145 = match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); -var part146 = // "Pattern{Field(threat_val,true), Constant(' ]'), Field(p0,false)}" -match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); +var part146 = match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); -var part147 = // "Pattern{Constant(' <<'), Field(interface,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); +var part147 = match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); -var part148 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); +var part148 = match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); -var part149 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); +var part149 = match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); -var part150 = // "Pattern{Field(context,true), Constant(' <<'), Field(interface,false), Constant('> '), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); +var part150 = match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); -var part151 = // "Pattern{Field(threat_val,true), Constant(' ]:alert '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); +var part151 = match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); -var part152 = // "Pattern{Field(threat_val,false), Constant(']: '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); +var part152 = match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); -var part153 = // "Pattern{Field(threat_val,true), Constant(' ] '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); +var part153 = match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); -var part154 = // "Pattern{Constant(''), Field(p0,false)}" -match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); +var part154 = match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); -var part155 = // "Pattern{Constant(':alert '), Field(p0,false)}" -match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); +var part155 = match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); -var part156 = // "Pattern{Constant(''), Field(saddr,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); +var part156 = match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); -var part157 = // "Pattern{Constant(''), Field(daddr,false)}" -match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); +var part157 = match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); -var part158 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' MAC: '), Field(smacaddr,true), Constant(' TTL '), Field(p0,false)}" -match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); +var part158 = match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); -var part159 = // "Pattern{Field(sinterface,true), Constant(' ('), Field(protocol,true), Constant(' detected)')}" -match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); +var part159 = match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); -var part160 = // "Pattern{Field(sinterface,false)}" -match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); +var part160 = match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); -var part161 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> '), Field(p0,false)}" -match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); +var part161 = match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); -var part162 = // "Pattern{Field(protocol,false)}" -match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); +var part162 = match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); -var part163 = // "Pattern{Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); +var part163 = match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); -var part164 = // "Pattern{Constant('>'), Field(p0,false)}" -match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); +var part164 = match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); -var part165 = // "Pattern{Field(fld1,false), Constant(']['), Field(policyname,false), Constant('] Connection Type: '), Field(event_state,false), Constant(', User: '), Field(username,false), Constant(', Client: '), Field(application,false), Constant(', Application Protocol: '), Field(protocol,false), Constant(', Web App: '), Field(application,false), Constant(', Access Control Rule Name: '), Field(rulename,false), Constant(', Access Control Rule Action: '), Field(action,false), Constant(', Access Control Rule Reasons: '), Field(result,false), Constant(', URL Category: '), Field(category,false), Constant(', URL Reputation: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); +var part165 = match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); -var part166 = // "Pattern{Constant('Risk unknown, URL: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); +var part166 = match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); -var part167 = // "Pattern{Field(reputation_num,false), Constant(', URL: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); +var part167 = match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); -var part168 = // "Pattern{Constant('-*> '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); +var part168 = match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); -var part169 = // "Pattern{Constant('> '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); +var part169 = match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); -var part170 = // "Pattern{Constant('From "'), Field(sensor,false), Constant('" at '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); +var part170 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); -var part171 = // "Pattern{Constant('at '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); +var part171 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); -var part172 = // "Pattern{Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); +var part172 = match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); -var part173 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' '), Field(network_service,false)}" -match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); +var part173 = match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); -var part174 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(p0,false)}" -match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); +var part174 = match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); var select2469 = linear_select([ dup3, @@ -133531,8 +133253,7 @@ var select2471 = linear_select([ dup10, ]); -var hdr39 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ +var hdr39 = match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ dup19, ])); @@ -133604,8 +133325,7 @@ var select2483 = linear_select([ dup132, ]); -var part175 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS: '), Field(version,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ +var part175 = match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ dup127, dup31, dup32, @@ -133613,8 +133333,7 @@ match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} Fr dup129, ])); -var part176 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ +var part176 = match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ dup135, dup31, dup32, @@ -133627,8 +133346,7 @@ var select2484 = linear_select([ dup134, ]); -var part177 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' '), Field(product,false)}" -match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ +var part177 = match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ dup135, dup31, dup32, @@ -133636,8 +133354,7 @@ match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} dup129, ])); -var part178 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,false)}" -match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ +var part178 = match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ dup135, dup31, dup32, @@ -133645,8 +133362,7 @@ match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \" dup129, ])); -var part179 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,false)}" -match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ +var part179 = match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ dup135, dup31, dup32, diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index f0150dcb87f..d1a9aa8535f 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -61,8 +61,8 @@ "uptatev4292.www.invalid" ], "related.ip": [ - "10.212.11.114", - "10.38.77.13" + "10.38.77.13", + "10.212.11.114" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "uam", @@ -826,8 +826,8 @@ "apari5002.api.test" ], "related.ip": [ - "10.9.200.197", - "10.182.213.195" + "10.182.213.195", + "10.9.200.197" ], "rsa.crypto.sig_type": "fugiatnu", "rsa.internal.messageid": "27813", @@ -1006,8 +1006,8 @@ "unturmag6190.api.lan" ], "related.ip": [ - "10.52.190.18", - "10.238.223.171" + "10.238.223.171", + "10.52.190.18" ], "rsa.crypto.sig_type": "Finibus", "rsa.internal.messageid": "16539", @@ -1209,8 +1209,8 @@ "iqu4858.mail.invalid" ], "related.ip": [ - "10.213.100.153", - "10.116.175.84" + "10.116.175.84", + "10.213.100.153" ], "rsa.crypto.sig_type": "exercit", "rsa.internal.messageid": "11634", @@ -1643,8 +1643,8 @@ "urau1660.www.lan" ], "related.ip": [ - "10.201.132.114", - "10.140.209.249" + "10.140.209.249", + "10.201.132.114" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "lor", @@ -1731,8 +1731,8 @@ "nofde7732.internal.test" ], "related.ip": [ - "10.198.44.231", - "10.36.122.169" + "10.36.122.169", + "10.198.44.231" ], "rsa.crypto.sig_type": "umquam", "rsa.internal.messageid": "13228", @@ -2113,8 +2113,8 @@ "uovol2459.www5.invalid" ], "related.ip": [ - "10.60.137.215", - "10.28.105.106" + "10.28.105.106", + "10.60.137.215" ], "rsa.crypto.sig_type": "tionu", "rsa.internal.messageid": "5155", @@ -2229,10 +2229,10 @@ "Loremips5368.www5.corp" ], "related.ip": [ + "10.20.167.114", "10.49.190.163", - "10.166.40.137", "10.65.144.119", - "10.20.167.114" + "10.166.40.137" ], "rsa.internal.event_desc": "Offloaded TCP Flow for connection", "rsa.internal.messageid": "FTD_events", @@ -2361,8 +2361,8 @@ "magn3657.api.invalid" ], "related.ip": [ - "10.180.28.156", - "10.234.234.205" + "10.234.234.205", + "10.180.28.156" ], "rsa.crypto.sig_type": "mnihil", "rsa.internal.messageid": "5315", @@ -2578,8 +2578,8 @@ "laparia5374.api.domain" ], "related.ip": [ - "10.147.155.100", - "10.232.67.182" + "10.232.67.182", + "10.147.155.100" ], "rsa.crypto.sig_type": "eufugi", "rsa.internal.messageid": "26152", @@ -2828,8 +2828,8 @@ "borios1685.www.localhost" ], "related.ip": [ - "10.231.10.63", - "10.38.22.60" + "10.38.22.60", + "10.231.10.63" ], "rsa.crypto.sig_type": "taliquip", "rsa.internal.messageid": "10329", @@ -2886,8 +2886,8 @@ "Bonoru5658.mail.invalid" ], "related.ip": [ - "10.29.231.11", - "10.46.57.181" + "10.46.57.181", + "10.29.231.11" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "remape", @@ -3160,8 +3160,8 @@ "onsecte5119.www.invalid" ], "related.ip": [ - "10.198.207.31", - "10.5.88.183" + "10.5.88.183", + "10.198.207.31" ], "rsa.internal.event_desc": "Failed to locate egress interface", "rsa.internal.messageid": "FTD_events", @@ -3836,9 +3836,9 @@ "erunt3957.internal.lan" ], "related.ip": [ - "10.118.103.185", "10.32.195.34", "10.240.77.10", + "10.118.103.185", "10.125.130.61" ], "rsa.internal.event_desc": "TCP Flow is no longer offloaded for connection", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json index 9f972c2e6fc..37d6d4325b7 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json @@ -28,6 +28,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -95,6 +96,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -243,6 +245,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -310,6 +313,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -347,6 +351,7 @@ "service.type": "sonicwall", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "NZ", + "source.geo.country_name": "New Zealand", "source.geo.location.lat": -41.0, "source.geo.location.lon": 174.0, "source.ip": [ @@ -436,6 +441,7 @@ "source.as.organization.name": "Cloudflare, Inc.", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", "source.geo.location.lat": -33.494, "source.geo.location.lon": 143.2104, "source.ip": [ diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 5b84648b930..bd92a3aa08a 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -23,8 +23,8 @@ "oreetdol1714.internal.corp" ], "related.ip": [ - "10.49.111.67", - "10.92.136.230" + "10.92.136.230", + "10.49.111.67" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt", @@ -86,8 +86,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.227.15.1", - "10.149.203.46", - "10.150.156.22" + "10.150.156.22", + "10.149.203.46" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -171,8 +171,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.13.70.213", - "10.95.245.65" + "10.95.245.65", + "10.13.70.213" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", @@ -478,8 +478,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.78.151.178", - "10.157.161.103" + "10.157.161.103", + "10.78.151.178" ], "rsa.internal.event_desc": "taut", "rsa.internal.messageid": "24", @@ -551,9 +551,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.34.161.166", "10.245.200.97", - "10.219.116.137" + "10.219.116.137", + "10.34.161.166" ], "rsa.internal.event_desc": "rehend", "rsa.internal.messageid": "428", @@ -599,8 +599,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.118.80.140", - "10.252.122.195" + "10.252.122.195", + "10.118.80.140" ], "rsa.internal.messageid": "401", "rsa.internal.msg": "inesci", @@ -845,8 +845,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.248.101.25", - "10.60.129.15" + "10.60.129.15", + "10.248.101.25" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "ommodico", @@ -1006,8 +1006,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.101.74.44", - "10.251.20.13" + "10.251.20.13", + "10.101.74.44" ], "related.user": [ "rsitv" @@ -1219,8 +1219,8 @@ "ise5905.www.local" ], "related.ip": [ - "10.97.124.211", - "10.53.113.23" + "10.53.113.23", + "10.97.124.211" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1279,8 +1279,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.187.201.250", - "10.64.229.79" + "10.64.229.79", + "10.187.201.250" ], "rsa.db.index": "rumwrit", "rsa.internal.messageid": "83", @@ -1389,8 +1389,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.31.190.145", - "10.147.88.219" + "10.147.88.219", + "10.31.190.145" ], "related.user": [ "corpori" @@ -1431,9 +1431,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.108.84.24", "10.251.248.228", - "10.113.100.237" + "10.113.100.237", + "10.108.84.24" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1777,8 +1777,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.165.48.224", - "10.191.242.168" + "10.191.242.168", + "10.165.48.224" ], "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "995", @@ -1831,8 +1831,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.185.37.32", - "10.116.173.79" + "10.116.173.79", + "10.185.37.32" ], "rsa.internal.messageid": "178", "rsa.internal.msg": "ende", @@ -1863,8 +1863,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.57.85.98", - "10.219.42.212" + "10.219.42.212", + "10.57.85.98" ], "rsa.internal.event_desc": "mquisno", "rsa.internal.messageid": "995", @@ -1917,8 +1917,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.135.70.159", - "10.195.223.82" + "10.195.223.82", + "10.135.70.159" ], "rsa.internal.messageid": "351", "rsa.internal.msg": "CSe", @@ -2068,8 +2068,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.56.10.84", - "10.12.54.142" + "10.12.54.142", + "10.56.10.84" ], "rsa.internal.messageid": "658", "rsa.internal.msg": "osquirat", @@ -2105,8 +2105,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.117.63.181", - "10.222.169.140" + "10.222.169.140", + "10.117.63.181" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "magnaal", @@ -2247,8 +2247,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.129.101.147", - "10.206.229.61" + "10.206.229.61", + "10.129.101.147" ], "rsa.internal.messageid": "413", "rsa.internal.msg": "upta", @@ -2383,8 +2383,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.29.120.226", - "10.203.146.137" + "10.203.146.137", + "10.29.120.226" ], "rsa.internal.messageid": "712", "rsa.misc.action": [ diff --git a/x-pack/filebeat/module/sophos/utm/config/pipeline.js b/x-pack/filebeat/module/sophos/utm/config/pipeline.js index 8b482480f25..47802f0ee26 100644 --- a/x-pack/filebeat/module/sophos/utm/config/pipeline.js +++ b/x-pack/filebeat/module/sophos/utm/config/pipeline.js @@ -105,8 +105,7 @@ var dup17 = setc("eventcategory","1702000000"); var dup18 = setc("comments","server certificate has a different hostname from actual hostname"); -var dup19 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); +var dup19 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); var dup20 = setc("eventcategory","1603060000"); @@ -170,35 +169,29 @@ var dup46 = lookup({ key: dup15, }); -var hdr1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(messageid,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" -match("HEADER#0:0001", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0001"), ])); -var hdr2 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hostname,true), Constant(' '), Field(messageid,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" -match("HEADER#1:0002", "message", "%{hfld1->} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0002"), ])); -var hdr3 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hostname,true), Constant(' reverseproxy: '), Field(payload,false)}" -match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ setc("header_id","0003"), setc("messageid","reverseproxy"), ])); -var hdr4 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hostname,true), Constant(' '), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ setc("header_id","0005"), ])); -var hdr5 = // "Pattern{Field(hfld1,true), Constant(' '), Field(id,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" -match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ +var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0004"), setc("messageid","astarosg_TVM"), ])); -var hdr6 = // "Pattern{Constant('device="'), Field(product,false), Constant('" date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' timezone="'), Field(timezone,false), Constant('" device_name="'), Field(device,false), Constant('" device_id='), Field(hardware_id,true), Constant(' log_id='), Field(id,true), Constant(' '), Field(payload,false)}" -match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ setc("header_id","0006"), setc("messageid","Sophos_Firewall"), ])); @@ -212,8 +205,7 @@ var select1 = linear_select([ hdr6, ]); -var part1 = // "Pattern{Constant('received control channel command ''), Field(action,false), Constant(''')}" -match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ +var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ dup1, dup2, dup3, @@ -221,8 +213,7 @@ match("MESSAGE#0:named:01", "nwparser.payload", "received control channel comman var msg1 = msg("named:01", part1); -var part2 = // "Pattern{Constant('flushing caches in all views '), Field(disposition,false)}" -match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ +var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -230,8 +221,7 @@ match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{ var msg2 = msg("named:02", part2); -var part3 = // "Pattern{Constant('error ('), Field(result,false), Constant(') resolving ''), Field(dhost,false), Constant('': '), Field(daddr,false), Constant('#'), Field(dport,false)}" -match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ +var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ dup4, dup2, dup3, @@ -239,8 +229,7 @@ match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{ var msg3 = msg("named:03", part3); -var part4 = // "Pattern{Constant('received '), Field(action,true), Constant(' signal to '), Field(fld3,false)}" -match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal to %{fld3}", processor_chain([ +var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal to %{fld3}", processor_chain([ dup5, dup2, dup3, @@ -248,8 +237,7 @@ match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal to var msg4 = msg("named:04", part4); -var part5 = // "Pattern{Constant('loading configuration from ''), Field(filename,false), Constant(''')}" -match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%{filename}'", processor_chain([ +var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%{filename}'", processor_chain([ dup6, dup2, dup3, @@ -257,8 +245,7 @@ match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%{f var msg5 = msg("named:05", part5); -var part6 = // "Pattern{Constant('no '), Field(protocol,true), Constant(' interfaces found')}" -match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ +var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ setc("eventcategory","1804000000"), dup2, dup3, @@ -266,8 +253,7 @@ match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces fou var msg6 = msg("named:06", part6); -var part7 = // "Pattern{Constant('sizing zone task pool based on '), Field(fld3,true), Constant(' zones')}" -match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ +var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ dup7, dup2, dup3, @@ -275,8 +261,7 @@ match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on var msg7 = msg("named:07", part7); -var part8 = // "Pattern{Constant('automatic empty zone: view '), Field(fld3,false), Constant(': '), Field(dns_ptr_record,false)}" -match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ +var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ dup8, dup2, dup3, @@ -284,8 +269,7 @@ match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fl var msg8 = msg("named:08", part8); -var part9 = // "Pattern{Constant('reloading '), Field(obj_type,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ +var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ dup7, dup2, dup3, @@ -294,8 +278,7 @@ match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{dispo var msg9 = msg("named:09", part9); -var part10 = // "Pattern{Constant('zone '), Field(dhost,false), Constant('/'), Field(fld3,false), Constant(': loaded serial '), Field(operation_id,false)}" -match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ +var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ dup7, dup9, dup2, @@ -304,8 +287,7 @@ match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded s var msg10 = msg("named:10", part10); -var part11 = // "Pattern{Constant('all zones loaded'), Field(,false)}" -match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ +var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ dup7, dup9, dup2, @@ -315,8 +297,7 @@ match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processo var msg11 = msg("named:11", part11); -var part12 = // "Pattern{Constant('running'), Field(,false)}" -match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ +var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ dup7, setc("disposition","running"), dup2, @@ -326,8 +307,7 @@ match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ var msg12 = msg("named:12", part12); -var part13 = // "Pattern{Constant('using built-in root key for view '), Field(fld3,false)}" -match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ +var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ dup7, setc("context","built-in root key"), dup2, @@ -336,8 +316,7 @@ match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for vi var msg13 = msg("named:13", part13); -var part14 = // "Pattern{Constant('zone '), Field(dns_ptr_record,false), Constant('/'), Field(fld3,false), Constant(': ('), Field(username,false), Constant(') '), Field(action,false)}" -match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ +var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ dup8, dup2, dup3, @@ -345,8 +324,7 @@ match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3} var msg14 = msg("named:14", part14); -var part15 = // "Pattern{Constant('too many timeouts resolving ''), Field(fld3,false), Constant('' ('), Field(fld4,false), Constant('): disabling EDNS')}" -match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ +var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ dup10, setc("event_description","named:too many timeouts resolving DNS."), dup11, @@ -355,8 +333,7 @@ match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '% var msg15 = msg("named:15", part15); -var part16 = // "Pattern{Constant('FORMERR resolving ''), Field(hostname,false), Constant('': '), Field(saddr,false), Constant('#'), Field(fld3,false)}" -match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ +var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ dup10, setc("event_description","named:FORMERR resolving DNS."), dup11, @@ -365,8 +342,7 @@ match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname} var msg16 = msg("named:16", part16); -var part17 = // "Pattern{Constant('unexpected RCODE (SERVFAIL) resolving ''), Field(hostname,false), Constant('': '), Field(saddr,false), Constant('#'), Field(fld3,false)}" -match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ +var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ dup10, setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), dup11, @@ -395,8 +371,7 @@ var select2 = linear_select([ msg17, ]); -var part18 = // "Pattern{Constant('Integrated HTTP-Proxy '), Field(version,false)}" -match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ +var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ dup12, setc("event_description","httpproxy:Integrated HTTP-Proxy."), dup11, @@ -405,8 +380,7 @@ match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{ve var msg18 = msg("httpproxy:09", part18); -var part19 = // "Pattern{Constant('['), Field(fld2,false), Constant('] parse_address ('), Field(fld3,false), Constant(') getaddrinfo: passthrough.fw-notify.net: Name or service not known')}" -match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ +var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ dup10, setc("event_description","httpproxy:Name or service not known."), dup11, @@ -415,8 +389,7 @@ match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (% var msg19 = msg("httpproxy:10", part19); -var part20 = // "Pattern{Constant('['), Field(fld2,false), Constant('] confd_config_filter ('), Field(fld3,false), Constant(') failed to resolve passthrough.fw-notify.net, using '), Field(saddr,false)}" -match("MESSAGE#19:httpproxy:11", "nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ +var part20 = match("MESSAGE#19:httpproxy:11", "nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ dup10, setc("event_description","httpproxy:failed to resolve passthrough."), dup11, @@ -425,8 +398,7 @@ match("MESSAGE#19:httpproxy:11", "nwparser.payload", "[%{fld2}] confd_config_fil var msg20 = msg("httpproxy:11", part20); -var part21 = // "Pattern{Constant('['), Field(fld2,false), Constant('] ssl_log_errors ('), Field(fld3,false), Constant(') '), Field(fld4,false), Constant('ssl handshake failure'), Field(fld5,false)}" -match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ +var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ dup10, setc("event_description","httpproxy:ssl handshake failure."), dup11, @@ -435,8 +407,7 @@ match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors ( var msg21 = msg("httpproxy:12", part21); -var part22 = // "Pattern{Constant('['), Field(fld2,false), Constant('] sc_decrypt ('), Field(fld3,false), Constant(') EVP_DecryptFinal failed')}" -match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ +var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ dup10, setc("event_description","httpproxy:EVP_DecryptFinal failed."), dup11, @@ -445,8 +416,7 @@ match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fl var msg22 = msg("httpproxy:13", part22); -var part23 = // "Pattern{Constant('['), Field(fld2,false), Constant('] sc_server_cmd ('), Field(fld3,false), Constant(') decrypt failed')}" -match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ +var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ dup10, setc("event_description","httpproxy:decrypt failed."), dup11, @@ -455,8 +425,7 @@ match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (% var msg23 = msg("httpproxy:14", part23); -var part24 = // "Pattern{Constant('['), Field(fld2,false), Constant('] clamav_reload ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ +var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:reloading av pattern"), dup11, @@ -465,8 +434,7 @@ match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (% var msg24 = msg("httpproxy:15", part24); -var part25 = // "Pattern{Constant('['), Field(fld2,false), Constant('] sc_check_servers ('), Field(fld3,false), Constant(') server ''), Field(hostname,false), Constant('' access time: '), Field(fld4,false)}" -match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ +var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ dup12, setc("event_description","httpproxy:sc_check_servers.Server checked."), dup11, @@ -475,8 +443,7 @@ match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers var msg25 = msg("httpproxy:16", part25); -var part26 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') shutdown finished, exiting')}" -match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ +var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ dup12, setc("event_description","httpproxy:shutdown finished, exiting."), dup11, @@ -485,8 +452,7 @@ match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) s var msg26 = msg("httpproxy:17", part26); -var part27 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') reading configuration')}" -match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ +var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ dup12, setc("event_description","httpproxy:"), dup11, @@ -495,8 +461,7 @@ match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) r var msg27 = msg("httpproxy:18", part27); -var part28 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') reading profiles')}" -match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ +var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ dup12, setc("event_description","httpproxy:reading profiles"), dup11, @@ -505,8 +470,7 @@ match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) r var msg28 = msg("httpproxy:19", part28); -var part29 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') finished startup')}" -match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ +var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ dup12, setc("event_description","httpproxy:finished startup"), dup11, @@ -515,8 +479,7 @@ match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) f var msg29 = msg("httpproxy:20", part29); -var part30 = // "Pattern{Constant('['), Field(fld2,false), Constant('] read_request_headers ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ +var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:read_request_headers related message."), dup11, @@ -525,8 +488,7 @@ match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_hea var msg30 = msg("httpproxy:21", part30); -var part31 = // "Pattern{Constant('['), Field(fld2,false), Constant('] epoll_loop ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ +var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:epoll_loop related message."), dup11, @@ -535,8 +497,7 @@ match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fl var msg31 = msg("httpproxy:22", part31); -var part32 = // "Pattern{Constant('['), Field(fld2,false), Constant('] scan_exit ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ +var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:scan_exit related message."), dup11, @@ -545,8 +506,7 @@ match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld var msg32 = msg("httpproxy:23", part32); -var part33 = // "Pattern{Constant('['), Field(fld2,false), Constant('] epoll_exit ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ +var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:epoll_exit related message."), dup11, @@ -555,8 +515,7 @@ match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fl var msg33 = msg("httpproxy:24", part33); -var part34 = // "Pattern{Constant('['), Field(fld2,false), Constant('] disk_cache_exit ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ +var part34 = match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:disk_cache_exit related message."), dup11, @@ -565,8 +524,7 @@ match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit var msg34 = msg("httpproxy:25", part34); -var part35 = // "Pattern{Constant('['), Field(fld2,false), Constant('] disk_cache_zap ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ +var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:disk_cache_zap related message."), dup11, @@ -575,8 +533,7 @@ match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap ( var msg35 = msg("httpproxy:26", part35); -var part36 = // "Pattern{Constant('['), Field(fld2,false), Constant('] scanner_init ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ +var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:scanner_init related message."), dup11, @@ -663,8 +620,7 @@ var select3 = linear_select([ msg37, ]); -var part38 = // "Pattern{Constant('T='), Field(fld3,true), Constant(' ------ 1 - [exit] '), Field(action,false), Constant(': '), Field(disposition,false)}" -match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ +var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ dup16, dup2, dup3, @@ -711,8 +667,7 @@ var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { var msg39 = msg("ulogd:01", part39); -var part40 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ModSecurity for Apache/'), Field(fld5,true), Constant(' ('), Field(fld6,false), Constant(') configured.')}" -match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ +var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ dup6, setc("disposition","configured"), dup2, @@ -721,8 +676,7 @@ match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log} var msg40 = msg("reverseproxy:01", part40); -var part41 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ModSecurity: '), Field(fld5,true), Constant(' compiled version="'), Field(fld6,false), Constant('"; loaded version="'), Field(fld7,false), Constant('"')}" -match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ +var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ dup17, dup2, dup3, @@ -730,8 +684,7 @@ match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log} var msg41 = msg("reverseproxy:02", part41); -var part42 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ModSecurity: '), Field(fld5,true), Constant(' compiled version="'), Field(fld6,false), Constant('"')}" -match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ +var part42 = match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ dup17, dup2, dup3, @@ -739,8 +692,7 @@ match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log} var msg42 = msg("reverseproxy:03", part42); -var part43 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] '), Field(fld5,true), Constant(' configured -- '), Field(disposition,true), Constant(' normal operations')}" -match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ +var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ dup17, setc("event_id","AH00292"), dup2, @@ -749,8 +701,7 @@ match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log} var msg43 = msg("reverseproxy:04", part43); -var part44 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ['), Field(fld5,false), Constant('] Hostname in '), Field(network_service,true), Constant(' request ('), Field(fld6,false), Constant(') does not match the server name ('), Field(ddomain,false), Constant(')')}" -match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ +var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ setc("eventcategory","1805010000"), dup18, dup2, @@ -759,15 +710,13 @@ match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log} var msg44 = msg("reverseproxy:06", part44); -var part45 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00297: '), Field(action,true), Constant(' received. Doing'), Field(p0,false)}" -match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. Doing%{p0}"); +var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. Doing%{p0}"); var select4 = linear_select([ dup19, ]); -var part46 = // "Pattern{Field(,false), Constant('graceful '), Field(disposition,false)}" -match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); +var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); var all1 = all_match({ processors: [ @@ -785,8 +734,7 @@ var all1 = all_match({ var msg45 = msg("reverseproxy:07", all1); -var part47 = // "Pattern{Constant('AH00112: Warning: DocumentRoot ['), Field(web_root,false), Constant('] does not exist')}" -match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ +var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ dup4, setc("event_id","AH00112"), dup2, @@ -795,8 +743,7 @@ match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: Docum var msg46 = msg("reverseproxy:08", part47); -var part48 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00094: Command line: ''), Field(web_root,false), Constant(''')}" -match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ +var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ setc("eventcategory","1605010000"), setc("event_id","AH00094"), dup2, @@ -805,8 +752,7 @@ match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log} var msg47 = msg("reverseproxy:09", part48); -var part49 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00291: long lost child came home! (pid '), Field(fld5,false), Constant(')')}" -match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! (pid %{fld5})", processor_chain([ +var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! (pid %{fld5})", processor_chain([ dup12, setc("event_id","AH00291"), dup2, @@ -815,8 +761,7 @@ match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log} var msg48 = msg("reverseproxy:10", part49); -var part50 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH02572: Failed to configure at least one certificate and key for '), Field(fld5,false), Constant(':'), Field(fld6,false)}" -match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ +var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ dup20, setc("event_id","AH02572"), dup2, @@ -825,8 +770,7 @@ match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log} var msg49 = msg("reverseproxy:11", part50); -var part51 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] SSL Library Error: error:'), Field(resultcode,false), Constant(':'), Field(result,false)}" -match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ +var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ dup20, setc("context","SSL Library Error"), dup2, @@ -835,8 +779,7 @@ match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log} var msg50 = msg("reverseproxy:12", part51); -var part52 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH02312: Fatal error initialising mod_ssl, '), Field(disposition,false), Constant('.')}" -match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ +var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ dup20, setc("result","Fatal error"), setc("event_id","AH02312"), @@ -846,8 +789,7 @@ match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log} var msg51 = msg("reverseproxy:13", part52); -var part53 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00020: Configuration Failed, '), Field(disposition,false)}" -match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ +var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ dup20, setc("result","Configuration Failed"), setc("event_id","AH00020"), @@ -857,8 +799,7 @@ match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log} var msg52 = msg("reverseproxy:14", part53); -var part54 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00098: pid file '), Field(filename,true), Constant(' overwritten -- Unclean shutdown of previous Apache run?')}" -match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ +var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ setc("eventcategory","1609000000"), setc("context","Unclean shutdown"), setc("event_id","AH00098"), @@ -868,8 +809,7 @@ match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log} var msg53 = msg("reverseproxy:15", part54); -var part55 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00295: caught '), Field(action,false), Constant(', '), Field(disposition,false)}" -match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ +var part55 = match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ dup16, setc("event_id","AH00295"), dup2, @@ -878,19 +818,16 @@ match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log} var msg54 = msg("reverseproxy:16", part55); -var part56 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(result,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Warning. '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld5,false), Constant('"] [id "'), Field(rule,false), Constant('"]'), Field(p0,false)}" -match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); +var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); -var part57 = // "Pattern{Constant(' [rev "'), Field(fld6,false), Constant('"]'), Field(p0,false)}" -match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); +var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); var select5 = linear_select([ part57, dup19, ]); -var part58 = // "Pattern{Field(,false), Constant('[msg "'), Field(comments,false), Constant('"] [data "'), Field(daddr,false), Constant('"] [severity "'), Field(severity,false), Constant('"] [ver "'), Field(policyname,false), Constant('"] [maturity "'), Field(fld7,false), Constant('"] [accuracy "'), Field(fld8,false), Constant('"] '), Field(context,true), Constant(' [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); +var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); var all2 = all_match({ processors: [ @@ -907,8 +844,7 @@ var all2 = all_match({ var msg55 = msg("reverseproxy:17", all2); -var part59 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] No signature found, cookie: '), Field(fld5,false)}" -match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ +var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ dup4, dup22, dup2, @@ -917,8 +853,7 @@ match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log} var msg56 = msg("reverseproxy:18", part59); -var part60 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] '), Field(disposition,true), Constant(' ''), Field(fld5,false), Constant('' from request due to missing/invalid signature')}" -match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ +var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ dup23, dup22, dup2, @@ -927,8 +862,7 @@ match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log} var msg57 = msg("reverseproxy:19", part60); -var part61 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Warning. '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld5,false), Constant('"] [id "'), Field(rule,false), Constant('"] [msg "'), Field(comments,false), Constant('"] [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ +var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ dup21, dup2, dup3, @@ -936,8 +870,7 @@ match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log} var msg58 = msg("reverseproxy:20", part61); -var part62 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH01909: '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(':'), Field(fld5,true), Constant(' server certificate does NOT include an ID which matches the server name')}" -match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ +var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ dup20, dup18, setc("event_id","AH01909"), @@ -947,8 +880,7 @@ match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log} var msg59 = msg("reverseproxy:21", part62); -var part63 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH01915: Init: ('), Field(daddr,false), Constant(':'), Field(dport,false), Constant(') You configured '), Field(network_service,false), Constant('('), Field(fld5,false), Constant(') on the '), Field(fld6,false), Constant('('), Field(fld7,false), Constant(') port!')}" -match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ +var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ dup20, setc("comments","Invalid port configuration"), dup2, @@ -957,8 +889,7 @@ match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log} var msg60 = msg("reverseproxy:22", part63); -var part64 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Rule '), Field(rulename,true), Constant(' [id "'), Field(rule,false), Constant('"][file "'), Field(filename,false), Constant('"][line "'), Field(fld5,false), Constant('"] - Execution error - PCRE limits exceeded ('), Field(fld6,false), Constant('): ('), Field(fld7,false), Constant('). [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%{filename}\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ +var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%{filename}\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ dup21, dup2, dup3, @@ -966,8 +897,7 @@ match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log} var msg61 = msg("reverseproxy:23", part64); -var part65 = // "Pattern{Constant('rManage\\x22,\\x22manageLiveSystemSettings\\x22,\\x22accessViewJobs\\x22,\\x22exportList\\..."] [ver "'), Field(policyname,false), Constant('"] [maturity "'), Field(fld3,false), Constant('"] [accuracy "'), Field(fld4,false), Constant('"] '), Field(context,true), Constant(' [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ +var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ dup21, dup2, dup3, @@ -975,8 +905,7 @@ match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22m var msg62 = msg("reverseproxy:24", part65); -var part66 = // "Pattern{Constant('ARGS:userPermissions: [\\x22dashletAccessAlertingRecentAlertsPanel\\x22,\\x22dashletAccessAlerterTopAlertsDashlet\\x22,\\x22accessViewRules\\x22,\\x22deployLiveResources\\x22,\\x22vi..."] [severity [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ +var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ dup21, dup2, dup3, @@ -984,33 +913,27 @@ match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [ var msg63 = msg("reverseproxy:25", part66); -var part67 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: '), Field(disposition,true), Constant(' with code '), Field(resultcode,true), Constant(' ('), Field(fld5,false), Constant('). '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld6,false), Constant('"] [id "'), Field(rule,false), Constant('"]'), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). %{rulename->} [file \"%{filename}\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); +var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). %{rulename->} [file \"%{filename}\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); -var part68 = // "Pattern{Constant(' [rev "'), Field(fld7,false), Constant('"]'), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); +var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); var select6 = linear_select([ part68, dup19, ]); -var part69 = // "Pattern{Field(,false), Constant('[msg "'), Field(comments,false), Constant('"] [data "Last Matched Data: '), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); +var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); -var part70 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,false), Constant('"] [hostname "'), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); +var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); -var part71 = // "Pattern{Field(daddr,false), Constant('"] [hostname "'), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); +var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); var select7 = linear_select([ part70, part71, ]); -var part72 = // "Pattern{Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); +var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); var all3 = all_match({ processors: [ @@ -1029,8 +952,7 @@ var all3 = all_match({ var msg64 = msg("reverseproxy:26", all3); -var part73 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] '), Field(disposition,true), Constant(' while reading reply from cssd, referer: '), Field(web_referer,false)}" -match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ +var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ dup25, dup2, dup3, @@ -1038,8 +960,7 @@ match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log} var msg65 = msg("reverseproxy:27", part73); -var part74 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] virus daemon error found in request '), Field(web_root,false), Constant(', referer: '), Field(web_referer,false)}" -match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ +var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ dup26, setc("result","virus daemon error"), dup2, @@ -1048,8 +969,7 @@ match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log} var msg66 = msg("reverseproxy:28", part74); -var part75 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] mod_avscan_input_filter: virus found, referer: '), Field(web_referer,false)}" -match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ +var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ dup27, setc("result","virus found"), dup2, @@ -1058,8 +978,7 @@ match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log} var msg67 = msg("reverseproxy:29", part75); -var part76 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (13)'), Field(result,false), Constant(': [client '), Field(gateway,false), Constant('] AH01095: prefetch request body failed to '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld5,false), Constant(') from '), Field(fld6,true), Constant(' (), referer: '), Field(web_referer,false)}" -match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ +var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ dup24, dup28, dup2, @@ -1068,8 +987,7 @@ match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log} var msg68 = msg("reverseproxy:30", part76); -var part77 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] cannot read reply: Operation now in progress (115), referer: '), Field(web_referer,false)}" -match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ +var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ dup25, setc("result","Cannot read reply"), dup2, @@ -1078,8 +996,7 @@ match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log} var msg69 = msg("reverseproxy:31", part77); -var part78 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] cannot connect: '), Field(result,true), Constant(' (111), referer: '), Field(web_referer,false)}" -match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ +var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ dup25, dup2, dup3, @@ -1087,8 +1004,7 @@ match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log} var msg70 = msg("reverseproxy:32", part78); -var part79 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] cannot connect: '), Field(result,true), Constant(' (111)')}" -match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ +var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ dup25, dup2, dup3, @@ -1096,8 +1012,7 @@ match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log} var msg71 = msg("reverseproxy:33", part79); -var part80 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] virus daemon connection problem found in request '), Field(url,false), Constant(', referer: '), Field(web_referer,false)}" -match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ +var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ dup26, dup29, dup2, @@ -1106,8 +1021,7 @@ match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log} var msg72 = msg("reverseproxy:34", part80); -var part81 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] virus daemon connection problem found in request '), Field(url,false)}" -match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ +var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ dup26, dup29, dup2, @@ -1116,8 +1030,7 @@ match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log} var msg73 = msg("reverseproxy:35", part81); -var part82 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] mod_avscan_input_filter: virus found')}" -match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ +var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ dup27, setc("result","Virus found"), dup2, @@ -1126,8 +1039,7 @@ match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log} var msg74 = msg("reverseproxy:36", part82); -var part83 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (13)'), Field(result,false), Constant(': [client '), Field(gateway,false), Constant('] AH01095: prefetch request body failed to '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld5,false), Constant(') from '), Field(fld6,true), Constant(' ()')}" -match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ +var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ dup24, dup28, dup2, @@ -1136,8 +1048,7 @@ match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log} var msg75 = msg("reverseproxy:37", part83); -var part84 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] Invalid signature, cookie: JSESSIONID')}" -match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ +var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ dup25, dup2, dup3, @@ -1145,8 +1056,7 @@ match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log} var msg76 = msg("reverseproxy:38", part84); -var part85 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] Form validation failed: Received unhardened form data, referer: '), Field(web_referer,false)}" -match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ +var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ dup23, setc("result","Form validation failed"), dup2, @@ -1155,8 +1065,7 @@ match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log} var msg77 = msg("reverseproxy:39", part85); -var part86 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] sending trickle failed: 103')}" -match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ +var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ dup25, setc("result","Sending trickle failed"), dup2, @@ -1165,8 +1074,7 @@ match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log} var msg78 = msg("reverseproxy:40", part86); -var part87 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] client requesting '), Field(web_root,true), Constant(' has '), Field(disposition,false)}" -match("MESSAGE#78:reverseproxy:41", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ +var part87 = match("MESSAGE#78:reverseproxy:41", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ dup30, dup2, dup3, @@ -1174,8 +1082,7 @@ match("MESSAGE#78:reverseproxy:41", "nwparser.payload", "[%{fld3}] [%{event_log} var msg79 = msg("reverseproxy:41", part87); -var part88 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] mod_avscan_check_file_single_part() called with parameter filename='), Field(filename,false)}" -match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%{filename}", processor_chain([ +var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%{filename}", processor_chain([ setc("eventcategory","1603050000"), dup2, dup3, @@ -1183,8 +1090,7 @@ match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log} var msg80 = msg("reverseproxy:42", part88); -var part89 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (70007)The '), Field(disposition,true), Constant(' specified has expired: [client '), Field(gateway,false), Constant('] AH01110: error reading response')}" -match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ +var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ dup30, setc("event_id","AH01110"), setc("result","Error reading response"), @@ -1194,8 +1100,7 @@ match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log} var msg81 = msg("reverseproxy:43", part89); -var part90 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (22)'), Field(result,false), Constant(': [client '), Field(gateway,false), Constant('] No form context found when parsing '), Field(fld5,true), Constant(' tag, referer: '), Field(web_referer,false)}" -match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ +var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ setc("eventcategory","1601020000"), setc("result","No form context found"), dup2, @@ -1204,8 +1109,7 @@ match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log} var msg82 = msg("reverseproxy:44", part90); -var part91 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (111)'), Field(result,false), Constant(': AH00957: '), Field(network_service,false), Constant(': attempt to connect to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld5,false), Constant(') failed')}" -match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ +var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ dup25, setc("event_id","AH00957"), dup2, @@ -1214,8 +1118,7 @@ match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log} var msg83 = msg("reverseproxy:45", part91); -var part92 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00959: ap_proxy_connect_backend disabling worker for ('), Field(daddr,false), Constant(') for '), Field(processing_time,false), Constant('s')}" -match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ +var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ dup16, setc("event_id","AH00959"), setc("result","disabling worker"), @@ -1225,8 +1128,7 @@ match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log} var msg84 = msg("reverseproxy:46", part92); -var part93 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] not all the file sent to the client: '), Field(fld6,false), Constant(', referer: '), Field(web_referer,false)}" -match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ +var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ setc("eventcategory","1801000000"), setc("context","Not all file sent to client"), dup2, @@ -1235,8 +1137,7 @@ match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log} var msg85 = msg("reverseproxy:47", part93); -var part94 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] AH01114: '), Field(network_service,false), Constant(': failed to make connection to backend: '), Field(daddr,false), Constant(', referer: '), Field(web_referer,false)}" -match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ +var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ dup25, dup31, dup32, @@ -1246,8 +1147,7 @@ match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log} var msg86 = msg("reverseproxy:48", part94); -var part95 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] AH01114: '), Field(network_service,false), Constant(': failed to make connection to backend: '), Field(daddr,false)}" -match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ +var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ dup25, dup31, dup32, @@ -1376,8 +1276,7 @@ var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { var msg90 = msg("confd:01", part98); -var part99 = // "Pattern{Constant('Frox started'), Field(,false)}" -match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ +var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ dup12, setc("event_description","frox:FTP Proxy Frox started."), dup11, @@ -1386,8 +1285,7 @@ match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain( var msg91 = msg("frox", part99); -var part100 = // "Pattern{Constant('Listening on '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ +var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ dup12, setc("event_description","frox:FTP Proxy listening on port."), dup11, @@ -1396,8 +1294,7 @@ match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}" var msg92 = msg("frox:01", part100); -var part101 = // "Pattern{Constant('Dropped privileges'), Field(,false)}" -match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ +var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ dup12, setc("event_description","frox:FTP Proxy dropped priveleges."), dup11, @@ -1412,8 +1309,7 @@ var select9 = linear_select([ msg93, ]); -var part102 = // "Pattern{Constant('Classifier configuration reloaded successfully'), Field(,false)}" -match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ +var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ dup12, setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), dup11, @@ -1422,8 +1318,7 @@ match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded var msg94 = msg("afcd", part102); -var part103 = // "Pattern{Constant('Starting strongSwan '), Field(fld2,true), Constant(' IPsec [starter]...')}" -match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ +var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ dup12, setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), dup11, @@ -1432,8 +1327,7 @@ match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld var msg95 = msg("ipsec_starter", part103); -var part104 = // "Pattern{Constant('IP address or index of physical interface changed -> reinit of ipsec interface'), Field(,false)}" -match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ +var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ dup12, setc("event_description","ipsec_starter: IP address or index of physical interface changed."), dup11, @@ -1447,8 +1341,7 @@ var select10 = linear_select([ msg96, ]); -var part105 = // "Pattern{Constant('Starting Pluto ('), Field(info,false), Constant(')')}" -match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ +var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ dup12, setc("event_description","pluto: Starting Pluto."), dup11, @@ -1457,8 +1350,7 @@ match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", proces var msg97 = msg("pluto", part105); -var part106 = // "Pattern{Constant('including NAT-Traversal patch ('), Field(info,false), Constant(')')}" -match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ +var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ dup12, setc("event_description","pluto: including NAT-Traversal patch."), dup11, @@ -1467,8 +1359,7 @@ match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch var msg98 = msg("pluto:01", part106); -var part107 = // "Pattern{Constant('ike_alg: Activating '), Field(info,true), Constant(' encryption: Ok')}" -match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ +var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ dup33, setc("event_description","pluto: Activating encryption algorithm."), dup11, @@ -1477,8 +1368,7 @@ match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} var msg99 = msg("pluto:02", part107); -var part108 = // "Pattern{Constant('ike_alg: Activating '), Field(info,true), Constant(' hash: Ok')}" -match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ +var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ dup33, setc("event_description","pluto: Activating hash algorithm."), dup11, @@ -1487,8 +1377,7 @@ match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} var msg100 = msg("pluto:03", part108); -var part109 = // "Pattern{Constant('Testing registered IKE encryption algorithms:'), Field(,false)}" -match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ +var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ dup12, setc("event_description","pluto: Testing registered IKE encryption algorithms"), dup11, @@ -1497,8 +1386,7 @@ match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryp var msg101 = msg("pluto:04", part109); -var part110 = // "Pattern{Field(info,true), Constant(' self-test not available')}" -match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ +var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ dup12, setc("event_description","pluto: Algorithm self-test not available."), dup11, @@ -1507,8 +1395,7 @@ match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not avail var msg102 = msg("pluto:05", part110); -var part111 = // "Pattern{Field(info,true), Constant(' self-test passed')}" -match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ +var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ dup12, setc("event_description","pluto: Algorithm self-test passed."), dup11, @@ -1517,8 +1404,7 @@ match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", var msg103 = msg("pluto:06", part111); -var part112 = // "Pattern{Constant('Using KLIPS IPsec interface code'), Field(,false)}" -match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ +var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ dup12, setc("event_description","pluto: Using KLIPS IPsec interface code"), dup11, @@ -1527,8 +1413,7 @@ match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface c var msg104 = msg("pluto:07", part112); -var part113 = // "Pattern{Constant('adding interface '), Field(interface,true), Constant(' '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ +var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ dup12, setc("event_description","pluto: adding interface"), dup11, @@ -1537,8 +1422,7 @@ match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface- var msg105 = msg("pluto:08", part113); -var part114 = // "Pattern{Constant('loading secrets from "'), Field(filename,false), Constant('"')}" -match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%{filename}\"", processor_chain([ +var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%{filename}\"", processor_chain([ dup34, setc("event_description","pluto: loading secrets"), dup11, @@ -1547,8 +1431,7 @@ match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%{file var msg106 = msg("pluto:09", part114); -var part115 = // "Pattern{Constant('loaded private key file ''), Field(filename,false), Constant('' ('), Field(filename_size,true), Constant(' bytes)')}" -match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file '%{filename}' (%{filename_size->} bytes)", processor_chain([ +var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file '%{filename}' (%{filename_size->} bytes)", processor_chain([ dup34, setc("event_description","pluto: loaded private key file"), dup11, @@ -1557,8 +1440,7 @@ match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file '%{fi var msg107 = msg("pluto:10", part115); -var part116 = // "Pattern{Constant('added connection description "'), Field(fld2,false), Constant('"')}" -match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ +var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ dup12, setc("event_description","pluto: added connection description"), dup11, @@ -1567,8 +1449,7 @@ match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description var msg108 = msg("pluto:11", part116); -var part117 = // "Pattern{Constant('"'), Field(fld2,false), Constant('" #'), Field(fld3,false), Constant(': initiating Main Mode')}" -match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ +var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ dup12, dup35, dup11, @@ -1577,8 +1458,7 @@ match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiat var msg109 = msg("pluto:12", part117); -var part118 = // "Pattern{Constant('"'), Field(fld2,false), Constant('" #'), Field(fld3,false), Constant(': max number of retransmissions ('), Field(fld4,false), Constant(') reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message')}" -match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ +var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ dup10, dup36, dup11, @@ -1587,8 +1467,7 @@ match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max num var msg110 = msg("pluto:13", part118); -var part119 = // "Pattern{Constant('"'), Field(fld2,false), Constant('" #'), Field(fld3,false), Constant(': starting keying attempt '), Field(fld4,true), Constant(' of an unlimited number')}" -match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ +var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ dup12, dup37, dup11, @@ -1597,8 +1476,7 @@ match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: startin var msg111 = msg("pluto:14", part119); -var part120 = // "Pattern{Constant('forgetting secrets'), Field(,false)}" -match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ +var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ dup12, setc("event_description","pluto:forgetting secrets"), dup11, @@ -1607,8 +1485,7 @@ match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", proce var msg112 = msg("pluto:15", part120); -var part121 = // "Pattern{Constant('Changing to directory ''), Field(directory,false), Constant(''')}" -match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ +var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ dup12, setc("event_description","pluto:Changing to directory"), dup11, @@ -1617,8 +1494,7 @@ match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{dire var msg113 = msg("pluto:17", part121); -var part122 = // "Pattern{Constant('| *time to handle event'), Field(,false)}" -match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ +var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ dup12, setc("event_description","pluto:*time to handle event"), dup11, @@ -1627,8 +1503,7 @@ match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", var msg114 = msg("pluto:18", part122); -var part123 = // "Pattern{Constant('| *received kernel message'), Field(,false)}" -match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ +var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ dup12, setc("event_description","pluto:*received kernel message"), dup11, @@ -1637,8 +1512,7 @@ match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{} var msg115 = msg("pluto:19", part123); -var part124 = // "Pattern{Constant('| rejected packet:'), Field(,false)}" -match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ +var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ dup25, setc("event_description","pluto:rejected packet"), dup11, @@ -1647,8 +1521,7 @@ match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", proce var msg116 = msg("pluto:20", part124); -var part125 = // "Pattern{Constant('| next event '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds for #'), Field(fld3,false)}" -match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ +var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ dup12, dup11, dup2, @@ -1656,8 +1529,7 @@ match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} var msg117 = msg("pluto:21", part125); -var part126 = // "Pattern{Constant('| next event '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds')}" -match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ +var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ dup12, dup11, dup2, @@ -1665,8 +1537,7 @@ match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} var msg118 = msg("pluto:22", part126); -var part127 = // "Pattern{Constant('| inserting event '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds for #'), Field(fld3,false)}" -match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ +var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ dup12, dup11, dup2, @@ -1674,8 +1545,7 @@ match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_typ var msg119 = msg("pluto:23", part127); -var part128 = // "Pattern{Constant('| event after this is '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds')}" -match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ +var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ dup12, dup11, dup2, @@ -1683,8 +1553,7 @@ match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event var msg120 = msg("pluto:24", part128); -var part129 = // "Pattern{Constant('| recent '), Field(action,true), Constant(' activity '), Field(fld2,true), Constant(' seconds ago, '), Field(info,false)}" -match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ +var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ dup12, dup11, dup2, @@ -1692,8 +1561,7 @@ match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity var msg121 = msg("pluto:25", part129); -var part130 = // "Pattern{Constant('| *received '), Field(rbytes,true), Constant(' bytes from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' on '), Field(dinterface,false)}" -match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ +var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ dup12, dup11, dup2, @@ -1701,8 +1569,7 @@ match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes var msg122 = msg("pluto:26", part130); -var part131 = // "Pattern{Constant('| received '), Field(action,true), Constant(' notification '), Field(msg,true), Constant(' with seqno = '), Field(fld2,false)}" -match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ +var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ dup12, dup11, dup2, @@ -1710,8 +1577,7 @@ match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notifi var msg123 = msg("pluto:27", part131); -var part132 = // "Pattern{Constant('| sent '), Field(action,true), Constant(' notification '), Field(msg,true), Constant(' with seqno = '), Field(fld2,false)}" -match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ +var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ dup12, dup11, dup2, @@ -1719,8 +1585,7 @@ match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notificati var msg124 = msg("pluto:28", part132); -var part133 = // "Pattern{Constant('| inserting event '), Field(event_type,false), Constant(', timeout in '), Field(fld2,true), Constant(' seconds')}" -match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ +var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ dup12, dup11, dup2, @@ -1728,8 +1593,7 @@ match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_typ var msg125 = msg("pluto:29", part133); -var part134 = // "Pattern{Constant('| handling event '), Field(event_type,true), Constant(' for '), Field(saddr,true), Constant(' "'), Field(fld2,false), Constant('" #'), Field(fld3,false)}" -match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ +var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ dup12, dup11, dup2, @@ -1737,8 +1601,7 @@ match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type var msg126 = msg("pluto:30", part134); -var part135 = // "Pattern{Constant('| '), Field(event_description,false)}" -match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ +var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ dup12, dup11, dup2, @@ -1746,8 +1609,7 @@ match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", proc var msg127 = msg("pluto:31", part135); -var part136 = // "Pattern{Field(fld2,false), Constant(': asynchronous network error report on '), Field(interface,true), Constant(' for message to '), Field(daddr,true), Constant(' port '), Field(dport,false), Constant(', complainant '), Field(saddr,false), Constant(': Connection refused [errno '), Field(fld4,false), Constant(', origin ICMP type '), Field(icmptype,true), Constant(' code '), Field(icmpcode,true), Constant(' (not authenticated)]')}" -match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ +var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ dup12, setc("event_description","not authenticated"), dup11, @@ -1756,8 +1618,7 @@ match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network var msg128 = msg("pluto:32", part136); -var part137 = // "Pattern{Constant('"'), Field(fld2,false), Constant('"['), Field(fld4,false), Constant('] '), Field(saddr,true), Constant(' #'), Field(fld3,false), Constant(': initiating Main Mode')}" -match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ +var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ dup12, dup35, dup11, @@ -1766,8 +1627,7 @@ match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr- var msg129 = msg("pluto:33", part137); -var part138 = // "Pattern{Constant('"'), Field(fld2,false), Constant('"['), Field(fld4,false), Constant('] '), Field(saddr,true), Constant(' #'), Field(fld3,false), Constant(': max number of retransmissions ('), Field(fld5,false), Constant(') reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message')}" -match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ +var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ dup12, dup36, dup11, @@ -1776,8 +1636,7 @@ match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr- var msg130 = msg("pluto:34", part138); -var part139 = // "Pattern{Constant('"'), Field(fld2,false), Constant('"['), Field(fld4,false), Constant('] '), Field(saddr,true), Constant(' #'), Field(fld3,false), Constant(': starting keying attempt '), Field(fld5,true), Constant(' of an unlimited number')}" -match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ +var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ dup12, dup37, dup11, @@ -1824,8 +1683,7 @@ var select11 = linear_select([ msg131, ]); -var part140 = // "Pattern{Constant('This binary does not support kernel L2TP.'), Field(,false)}" -match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ +var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ setc("eventcategory","1607000000"), setc("event_description","xl2tpd:This binary does not support kernel L2TP."), dup11, @@ -1834,8 +1692,7 @@ match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support ke var msg132 = msg("xl2tpd", part140); -var part141 = // "Pattern{Constant('xl2tpd version '), Field(version,true), Constant(' started on PID:'), Field(fld2,false)}" -match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ +var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ dup12, setc("event_description","xl2tpd:xl2tpd started."), dup11, @@ -1844,8 +1701,7 @@ match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} var msg133 = msg("xl2tpd:01", part141); -var part142 = // "Pattern{Constant('Written by '), Field(info,false)}" -match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ +var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ dup12, dup38, dup11, @@ -1854,8 +1710,7 @@ match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", process var msg134 = msg("xl2tpd:02", part142); -var part143 = // "Pattern{Constant('Forked by '), Field(info,false)}" -match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ +var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ dup12, dup38, dup11, @@ -1864,8 +1719,7 @@ match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processo var msg135 = msg("xl2tpd:03", part143); -var part144 = // "Pattern{Constant('Inherited by '), Field(info,false)}" -match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ +var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ dup12, dup38, dup11, @@ -1874,8 +1728,7 @@ match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", proce var msg136 = msg("xl2tpd:04", part144); -var part145 = // "Pattern{Constant('Listening on IP address '), Field(saddr,false), Constant(', port '), Field(sport,false)}" -match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ +var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ dup12, dup38, dup11, @@ -1893,8 +1746,7 @@ var select12 = linear_select([ msg137, ]); -var part146 = // "Pattern{Constant('Exiting'), Field(,false)}" -match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ +var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ dup12, setc("event_description","barnyard: Exiting"), dup11, @@ -1903,8 +1755,7 @@ match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_cha var msg138 = msg("barnyard:01", part146); -var part147 = // "Pattern{Constant('Initializing daemon mode'), Field(,false)}" -match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ +var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ dup12, setc("event_description","barnyard:Initializing daemon mode"), dup11, @@ -1913,8 +1764,7 @@ match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{ var msg139 = msg("barnyard:02", part147); -var part148 = // "Pattern{Constant('Opened spool file ''), Field(filename,false), Constant(''')}" -match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%{filename}'", processor_chain([ +var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%{filename}'", processor_chain([ dup12, setc("event_description","barnyard:Opened spool file."), dup11, @@ -1923,8 +1773,7 @@ match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%{filen var msg140 = msg("barnyard:03", part148); -var part149 = // "Pattern{Constant('Waiting for new data'), Field(,false)}" -match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ +var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ dup12, setc("event_description","barnyard:Waiting for new data"), dup11, @@ -1940,8 +1789,7 @@ var select13 = linear_select([ msg141, ]); -var part150 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' SMTP connection from localhost ('), Field(hostname,false), Constant(') ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' closed by QUIT')}" -match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ +var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ dup12, setc("event_description","exim:SMTP connection from localhost closed by QUIT"), dup11, @@ -1950,8 +1798,7 @@ match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg142 = msg("exim:01", part150); -var part151 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' ['), Field(saddr,false), Constant('] F=<<'), Field(from,false), Constant('> R=<<'), Field(to,false), Constant('> Accepted: '), Field(info,false)}" -match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: %{info}", processor_chain([ +var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: %{info}", processor_chain([ setc("eventcategory","1207010000"), setc("event_description","exim:e-mail accepted from relay."), dup11, @@ -1960,8 +1807,7 @@ match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg143 = msg("exim:02", part151); -var part152 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld8,true), Constant(' <<= '), Field(from,true), Constant(' H=localhost ('), Field(hostname,false), Constant(') ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' P='), Field(protocol,true), Constant(' S='), Field(fld9,true), Constant(' id='), Field(info,false)}" -match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ +var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ setc("eventcategory","1207000000"), setc("event_description","exim: e-mail sent."), dup11, @@ -1970,8 +1816,7 @@ match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg144 = msg("exim:03", part152); -var part153 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld8,true), Constant(' == '), Field(from,true), Constant(' R=dnslookup defer ('), Field(fld9,false), Constant('): host lookup did not complete')}" -match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ +var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ dup39, setc("event_description","exim: e-mail host lookup did not complete in DNS."), dup11, @@ -1980,8 +1825,7 @@ match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg145 = msg("exim:04", part153); -var part154 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld8,true), Constant(' == '), Field(from,true), Constant(' routing defer ('), Field(fld9,false), Constant('): retry time not reached')}" -match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ +var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ dup39, setc("event_description","exim: e-mail routing defer:retry time not reached."), dup11, @@ -1990,8 +1834,7 @@ match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg146 = msg("exim:05", part154); -var part155 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' exim '), Field(version,true), Constant(' daemon started: pid='), Field(fld8,false), Constant(', no queue runs, listening for SMTP on port '), Field(sport,true), Constant(' ('), Field(info,false), Constant(') port '), Field(fld9,true), Constant(' ('), Field(fld10,false), Constant(') and for SMTPS on port '), Field(fld11,true), Constant(' ('), Field(fld12,false), Constant(')')}" -match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ +var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ dup12, setc("event_description","exim: exim daemon started."), dup11, @@ -2000,8 +1843,7 @@ match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg147 = msg("exim:06", part155); -var part156 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' Start queue run: pid='), Field(fld8,false)}" -match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ +var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ dup12, setc("event_description","exim: Start queue run."), dup11, @@ -2010,8 +1852,7 @@ match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg148 = msg("exim:07", part156); -var part157 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' pid '), Field(fld8,false), Constant(': SIGHUP received: re-exec daemon')}" -match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ +var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ dup12, setc("event_description","exim: SIGHUP received: re-exec daemon."), dup11, @@ -2020,8 +1861,7 @@ match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg149 = msg("exim:08", part157); -var part158 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' SMTP connection from ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ +var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, setc("event_description","exim: SMTP connection from host."), dup11, @@ -2030,8 +1870,7 @@ match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg150 = msg("exim:09", part158); -var part159 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' rejected EHLO from ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ +var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, setc("event_description","exim:rejected EHLO from host."), dup11, @@ -2040,8 +1879,7 @@ match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg151 = msg("exim:10", part159); -var part160 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' SMTP protocol synchronization error ('), Field(result,false), Constant('): '), Field(fld8,true), Constant(' H=['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ +var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), dup11, @@ -2050,8 +1888,7 @@ match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg152 = msg("exim:11", part160); -var part161 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' TLS error on connection from ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ +var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, setc("event_description","exim:TLS error on connection from host."), dup11, @@ -2060,8 +1897,7 @@ match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg153 = msg("exim:12", part161); -var part162 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld10,true), Constant(' == '), Field(hostname,true), Constant(' R='), Field(fld8,true), Constant(' T='), Field(fld9,false), Constant(': '), Field(info,false)}" -match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == %{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ +var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == %{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ dup12, dup40, dup11, @@ -2070,8 +1906,7 @@ match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg154 = msg("exim:13", part162); -var part163 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld10,true), Constant(' '), Field(hostname,true), Constant(' ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ +var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, dup40, dup11, @@ -2080,8 +1915,7 @@ match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg155 = msg("exim:14", part163); -var part164 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' End queue run: '), Field(info,false)}" -match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ +var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ dup12, dup40, dup11, @@ -2090,8 +1924,7 @@ match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg156 = msg("exim:15", part164); -var part165 = // "Pattern{Field(fld2,true), Constant(' '), Field(fld3,false)}" -match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ +var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ dup12, dup11, dup2, @@ -2118,8 +1951,7 @@ var select14 = linear_select([ msg157, ]); -var part166 = // "Pattern{Constant('QMGR['), Field(fld2,false), Constant(']: '), Field(fld3,true), Constant(' moved to work queue')}" -match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ +var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ dup12, setc("event_description","smtpd: Process moved to work queue."), dup11, @@ -2128,8 +1960,7 @@ match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} move var msg158 = msg("smtpd:01", part166); -var part167 = // "Pattern{Constant('SCANNER['), Field(fld3,false), Constant(']: id="1000" severity="'), Field(severity,false), Constant('" sys="'), Field(fld4,false), Constant('" sub="'), Field(service,false), Constant('" name="'), Field(event_description,false), Constant('" srcip="'), Field(saddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" queueid="'), Field(fld5,false), Constant('" size="'), Field(rbytes,false), Constant('"')}" -match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ +var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ setc("eventcategory","1207010100"), dup11, dup2, @@ -2137,8 +1968,7 @@ match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" var msg159 = msg("smtpd:02", part167); -var part168 = // "Pattern{Constant('SCANNER['), Field(fld3,false), Constant(']: Nothing to do, exiting.')}" -match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ +var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ dup12, setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), dup11, @@ -2147,8 +1977,7 @@ match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to var msg160 = msg("smtpd:03", part168); -var part169 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: QR globally disabled, status two set to 'disabled'')}" -match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ +var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ dup12, setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), dup11, @@ -2157,8 +1986,7 @@ match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally var msg161 = msg("smtpd:04", part169); -var part170 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: QR globally disabled, status one set to 'disabled'')}" -match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ +var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ dup12, setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), dup11, @@ -2167,8 +1995,7 @@ match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally var msg162 = msg("smtpd:07", part170); -var part171 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: (Re-)loading configuration from Confd')}" -match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ +var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ dup12, setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), dup11, @@ -2177,8 +2004,7 @@ match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading var msg163 = msg("smtpd:05", part171); -var part172 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: Sending QR one')}" -match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ +var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ dup12, setc("event_description","smtpd: MASTER:Sending QR one."), dup11, @@ -2197,8 +2023,7 @@ var select15 = linear_select([ msg164, ]); -var part173 = // "Pattern{Constant('Did not receive identification string from '), Field(fld18,false)}" -match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ +var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ dup10, setc("event_description","sshd: Did not receive identification string."), dup11, @@ -2207,8 +2032,7 @@ match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification var msg165 = msg("sshd:01", part173); -var part174 = // "Pattern{Constant('Received SIGHUP; restarting.'), Field(,false)}" -match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ +var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ dup12, setc("event_description","sshd:Received SIGHUP restarting."), dup11, @@ -2217,8 +2041,7 @@ match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{ var msg166 = msg("sshd:02", part174); -var part175 = // "Pattern{Constant('Server listening on '), Field(saddr,true), Constant(' port '), Field(sport,false), Constant('.')}" -match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} port %{sport}.", processor_chain([ +var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} port %{sport}.", processor_chain([ dup12, setc("event_description","sshd:Server listening; restarting."), dup11, @@ -2227,8 +2050,7 @@ match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} var msg167 = msg("sshd:03", part175); -var part176 = // "Pattern{Constant('Invalid user admin from '), Field(fld18,false)}" -match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ +var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ dup41, setc("event_description","sshd:Invalid user admin."), dup11, @@ -2237,8 +2059,7 @@ match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld1 var msg168 = msg("sshd:04", part176); -var part177 = // "Pattern{Constant('Failed none for invalid user admin from '), Field(saddr,true), Constant(' port '), Field(sport,true), Constant(' '), Field(fld3,false)}" -match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ +var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ dup41, setc("event_description","sshd:Failed none for invalid user admin."), dup11, @@ -2247,8 +2068,7 @@ match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user a var msg169 = msg("sshd:05", part177); -var part178 = // "Pattern{Constant('error: Could not get shadow information for NOUSER'), Field(,false)}" -match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ +var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ dup10, setc("event_description","sshd:error:Could not get shadow information for NOUSER"), dup11, @@ -2257,8 +2077,7 @@ match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow in var msg170 = msg("sshd:06", part178); -var part179 = // "Pattern{Constant('Failed password for root from '), Field(saddr,true), Constant(' port '), Field(sport,true), Constant(' '), Field(fld3,false)}" -match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ +var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ dup41, setc("event_description","sshd:Failed password for root."), dup11, @@ -2267,8 +2086,7 @@ match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from var msg171 = msg("sshd:07", part179); -var part180 = // "Pattern{Constant('Accepted password for loginuser from '), Field(saddr,true), Constant(' port '), Field(sport,true), Constant(' '), Field(fld3,false)}" -match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ +var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ setc("eventcategory","1302000000"), setc("event_description","sshd:Accepted password for loginuser."), dup11, @@ -2277,8 +2095,7 @@ match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuse var msg172 = msg("sshd:08", part180); -var part181 = // "Pattern{Constant('subsystem request for sftp failed, subsystem not found'), Field(,false)}" -match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ +var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ dup10, setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), dup11, @@ -2319,8 +2136,7 @@ var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { var msg174 = msg("aua:01", part182); -var part183 = // "Pattern{Constant('created new negotiatorchild'), Field(,false)}" -match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ +var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ dup12, setc("event_description","sockd: created new negotiatorchild."), dup11, @@ -2329,8 +2145,7 @@ match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{ var msg175 = msg("sockd:01", part183); -var part184 = // "Pattern{Constant('dante/server '), Field(version,true), Constant(' running')}" -match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ +var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ dup12, setc("event_description","sockd:dante/server running."), dup11, @@ -2339,8 +2154,7 @@ match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} run var msg176 = msg("sockd:02", part184); -var part185 = // "Pattern{Constant('sockdexit(): terminating on signal '), Field(fld2,false)}" -match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ +var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ dup12, setc("event_description","sockd:sockdexit():terminating on signal."), dup11, @@ -2355,8 +2169,7 @@ var select17 = linear_select([ msg177, ]); -var part186 = // "Pattern{Constant('Master started'), Field(,false)}" -match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ +var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ dup12, setc("event_description","pop3proxy:Master started."), dup11, @@ -2546,8 +2359,7 @@ var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { var msg180 = msg("httpd", part188); -var part189 = // "Pattern{Constant('['), Field(event_log,false), Constant(':'), Field(result,false), Constant('] [pid '), Field(fld3,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Warning. '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld5,false), Constant('"] [id "'), Field(rule,false), Constant('"] [rev "'), Field(fld2,false), Constant('"] [msg "'), Field(event_description,false), Constant('"] [severity "'), Field(severity,false), Constant('"] [ver "'), Field(version,false), Constant('"] [maturity "'), Field(fld22,false), Constant('"] [accuracy "'), Field(fld23,false), Constant('"] [tag "'), Field(fld24,false), Constant('"] [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]'), Field(fld25,false)}" -match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ +var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ setc("eventcategory","1502000000"), dup2, dup3, @@ -2663,5 +2475,4 @@ var chain1 = processor_chain([ }), ]); -var part191 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); +var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json index b57ab7067ab..392ac679e44 100644 --- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json @@ -59,9 +59,9 @@ "10.57.170.140" ], "related.user": [ - "sunt", + "dexeac", "icistatuscode=giatquov", - "dexeac" + "sunt" ], "rsa.db.index": "run", "rsa.identity.logon_type": "nofdeF", @@ -70,8 +70,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "block", - "ugiatnu" + "ugiatnu", + "block" ], "rsa.misc.comments": "colabo", "rsa.misc.content_type": "sedd", @@ -163,8 +163,8 @@ "10.106.239.55" ], "related.user": [ - "itquiin", - "eaq" + "eaq", + "itquiin" ], "rsa.identity.logon_type": "stquidol", "rsa.internal.event_desc": "bor", @@ -638,8 +638,8 @@ "10.54.169.175" ], "related.user": [ - "taspe", - "scipit" + "scipit", + "taspe" ], "rsa.identity.logon_type": "olores", "rsa.internal.event_desc": "secil", @@ -974,8 +974,8 @@ "10.232.108.32" ], "related.user": [ - "rsp", - "llum" + "llum", + "rsp" ], "rsa.identity.logon_type": "ntut", "rsa.internal.event_desc": "ittenb", @@ -1033,13 +1033,13 @@ "Duis583.api.local" ], "related.ip": [ - "10.17.51.153", - "10.89.41.97" + "10.89.41.97", + "10.17.51.153" ], "related.user": [ - "tcustatuscode=eumiu", "tio", - "pteurs" + "pteurs", + "tcustatuscode=eumiu" ], "rsa.db.index": "eavolupt", "rsa.identity.logon_type": "ursintoc", @@ -1610,8 +1610,8 @@ "10.244.96.61" ], "related.user": [ - "itsedqui", - "iumt" + "iumt", + "itsedqui" ], "rsa.identity.logon_type": "psamvolu", "rsa.internal.event_desc": "orroqui", @@ -1851,13 +1851,13 @@ "tenbyCi4371.www5.localdomain" ], "related.ip": [ - "10.98.126.206", - "10.214.167.164" + "10.214.167.164", + "10.98.126.206" ], "related.user": [ - "hen", + "amremapstatuscode=dolorsit", "isnostru", - "amremapstatuscode=dolorsit" + "hen" ], "rsa.db.index": "spernatu", "rsa.identity.logon_type": "untutl", @@ -1866,8 +1866,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "nsectetu", - "block" + "block", + "nsectetu" ], "rsa.misc.comments": "uaer", "rsa.misc.content_type": "eaqu", @@ -1924,8 +1924,8 @@ "observer.vendor": "Sophos", "process.pid": 6722, "related.ip": [ - "10.32.236.117", - "10.203.157.250" + "10.203.157.250", + "10.32.236.117" ], "rsa.internal.event_desc": "Packet", "rsa.internal.messageid": "ulogd", @@ -2033,10 +2033,10 @@ "10.92.93.236" ], "related.user": [ - "ulpaq", + "ntoccae", "Sedutper", "dolorsistatuscode=acc", - "ntoccae" + "ulpaq" ], "rsa.db.index": "snisiut", "rsa.identity.logon_type": "umdol", @@ -2045,8 +2045,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "icons", - "block" + "block", + "icons" ], "rsa.misc.comments": "porincid", "rsa.misc.content_type": "temvele", @@ -2124,9 +2124,9 @@ "10.202.65.2" ], "related.user": [ - "atatno", "iscivelistatuscode=urve", - "tasu" + "tasu", + "atatno" ], "rsa.db.index": "amrem", "rsa.identity.logon_type": "nulamcol", @@ -2314,13 +2314,13 @@ "obea2960.mail.corp" ], "related.ip": [ - "10.33.138.154", - "10.45.12.53" + "10.45.12.53", + "10.33.138.154" ], "related.user": [ - "eturadip", + "porincid", "umqustatuscode=ntexpli", - "porincid" + "eturadip" ], "rsa.db.index": "dolor", "rsa.identity.logon_type": "eturadi", @@ -2481,8 +2481,8 @@ "10.32.85.21" ], "related.user": [ - "antium", - "etconsec" + "etconsec", + "antium" ], "rsa.identity.logon_type": "umiurere", "rsa.internal.event_desc": "serro", @@ -2628,14 +2628,14 @@ "nisiuta4810.api.test" ], "related.ip": [ - "10.85.200.58", - "10.210.175.52" + "10.210.175.52", + "10.85.200.58" ], "related.user": [ - "Loremi", - "rExce", "reetd", - "inimastatuscode=emipsum" + "inimastatuscode=emipsum", + "Loremi", + "rExce" ], "rsa.db.index": "apa", "rsa.identity.logon_type": "sedquia", @@ -2644,8 +2644,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "cancel", - "odte" + "odte", + "cancel" ], "rsa.misc.comments": "emquia", "rsa.misc.content_type": "sauteir", @@ -3619,8 +3619,8 @@ "10.96.200.83" ], "related.user": [ - "lapariat", - "acommod" + "acommod", + "lapariat" ], "rsa.identity.logon_type": "remeumf", "rsa.internal.event_desc": "dol", diff --git a/x-pack/filebeat/module/sophos/xg/config/config.yml b/x-pack/filebeat/module/sophos/xg/config/config.yml index 86c12e9ec08..8585ff4a19c 100644 --- a/x-pack/filebeat/module/sophos/xg/config/config.yml +++ b/x-pack/filebeat/module/sophos/xg/config/config.yml @@ -27,7 +27,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - add_fields: target: '_conf' fields: diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index 90a40d0b095..a78e3c1ccb0 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -70,6 +70,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -131,6 +132,7 @@ "source.geo.city_name": "Miami", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 25.7806, "source.geo.location.lon": -80.1826, "source.geo.region_iso_code": "US-FL", @@ -154,6 +156,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -217,6 +220,7 @@ "source.geo.city_name": "Cabreuva", "source.geo.continent_name": "South America", "source.geo.country_iso_code": "BR", + "source.geo.country_name": "Brazil", "source.geo.location.lat": -23.3149, "source.geo.location.lon": -47.0763, "source.geo.region_iso_code": "BR-SP", @@ -240,6 +244,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -302,6 +307,7 @@ "source.domain": "ELTOBGI.COM", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.4964, "source.geo.location.lon": -0.1224, "source.ip": "77.72.3.56", diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json index a78e27fa46e..42590edbb33 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -10,6 +10,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -87,6 +88,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -163,6 +165,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "South America", "destination.geo.country_iso_code": "UY", + "destination.geo.country_name": "Uruguay", "destination.geo.location.lat": -33.0, "destination.geo.location.lon": -56.0, "destination.ip": "186.8.209.194", @@ -225,6 +228,7 @@ "source.bytes": 0, "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "82.165.194.211", @@ -246,6 +250,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "185.7.209.194", @@ -309,6 +314,7 @@ "source.geo.city_name": "Seattle", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.4902, "source.geo.location.lon": -122.3004, "source.geo.region_iso_code": "US-WA", diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json index 7dbb6289456..38c2694478e 100644 --- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json @@ -7,6 +7,7 @@ "destination.as.organization.name": "Petersburg Internet Network ltd.", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.ip": "46.161.30.47", @@ -76,6 +77,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -143,6 +145,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -209,6 +212,7 @@ "destination.as.organization.name": "Accelerated IT Services & Consulting GmbH", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "82.211.30.202", diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json index a82d4550f57..84dc15e1aeb 100644 --- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json @@ -7,6 +7,7 @@ "destination.as.organization.name": "BHARTI Airtel Ltd.", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IN", + "destination.geo.country_name": "India", "destination.geo.location.lat": 20.0, "destination.geo.location.lon": 77.0, "destination.ip": "182.79.221.19", @@ -78,6 +79,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -134,6 +136,7 @@ "source.as.organization.name": "Telefonica Germany", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "5.5.5.15", @@ -153,6 +156,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "74.125.130.188", @@ -213,6 +217,7 @@ "source.as.organization.name": "Telefonica Germany", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "5.5.5.15", @@ -231,6 +236,7 @@ "destination.geo.city_name": "Dublin", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IE", + "destination.geo.country_name": "Ireland", "destination.geo.location.lat": 53.3338, "destination.geo.location.lon": -6.2488, "destination.geo.region_iso_code": "IE-L", @@ -302,6 +308,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -375,6 +382,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -498,6 +506,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "64.233.189.147", @@ -569,6 +578,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "64.233.188.94", diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json index d14c2bb9924..89d6878ec6f 100644 --- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json @@ -59,6 +59,7 @@ "destination.as.organization.name": "DoD Network Information Center", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "214.167.51.66", @@ -105,6 +106,7 @@ "source.geo.city_name": "Elblag", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.172, "source.geo.location.lon": 19.4195, "source.geo.region_iso_code": "PL-28", @@ -199,6 +201,7 @@ "source.geo.city_name": "August\u00f3w", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 53.845, "source.geo.location.lon": 22.985, "source.geo.region_iso_code": "PL-20", @@ -336,6 +339,7 @@ "source.geo.city_name": "Schleidweiler", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.8808, "source.geo.location.lon": 6.6593, "source.geo.region_iso_code": "DE-RP", @@ -438,6 +442,7 @@ "source.geo.city_name": "Fell", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.7667, "source.geo.location.lon": 6.7833, "source.geo.region_iso_code": "DE-RP", @@ -522,6 +527,7 @@ "sophos.xg.status": "Failed", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "172.66.35.15", diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json index d392790d795..7f1e5d9190b 100644 --- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json @@ -13,6 +13,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -98,6 +99,7 @@ "source.bytes": 459, "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7386, "source.geo.location.lon": 37.6068, "source.ip": "172.17.34.15", @@ -125,6 +127,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -211,6 +214,7 @@ "source.geo.city_name": "Saint-Prex", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "CH", + "source.geo.country_name": "Switzerland", "source.geo.location.lat": 46.4796, "source.geo.location.lon": 6.4599, "source.geo.region_iso_code": "CH-VD", @@ -410,6 +414,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "185.7.209.207", @@ -481,6 +486,7 @@ "source.geo.city_name": "Warsaw", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 52.25, "source.geo.location.lon": 21.0, "source.geo.region_iso_code": "PL-14", @@ -1030,6 +1036,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1437,6 +1444,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1687,6 +1695,7 @@ "destination.geo.city_name": "Richardson", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 32.9473, "destination.geo.location.lon": -96.7028, "destination.geo.region_iso_code": "US-TX", diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index 7caee4d72eb..d92a2b2e7e4 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -61,6 +61,7 @@ "source.as.organization.name": "Bestnet Service SRL", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RO", + "source.geo.country_name": "Romania", "source.geo.location.lat": 46.0, "source.geo.location.lon": 25.0, "source.ip": "89.40.182.58", @@ -132,6 +133,7 @@ "source.as.organization.name": "China Unicom Beijing Province Network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 31.0449, "source.geo.location.lon": 121.4012, "source.geo.region_iso_code": "CN-SH", @@ -205,6 +207,7 @@ "source.as.organization.name": "KPN B.V.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "NL", + "source.geo.country_name": "Netherlands", "source.geo.location.lat": 52.3824, "source.geo.location.lon": 4.8995, "source.ip": "77.61.185.101", diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index fe6af644611..ceed76baef1 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -9,6 +9,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -66,6 +67,7 @@ "source.geo.city_name": "Gdynia", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.5055, "source.geo.location.lon": 18.5403, "source.geo.region_iso_code": "PL-22", @@ -88,6 +90,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -146,6 +149,7 @@ "source.geo.city_name": "Gdynia", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.5055, "source.geo.location.lon": 18.5403, "source.geo.region_iso_code": "PL-22", @@ -303,6 +307,7 @@ "destination.bytes": 403, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "216.167.51.72", @@ -359,6 +364,7 @@ "source.geo.city_name": "Bucharest", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RO", + "source.geo.country_name": "Romania", "source.geo.location.lat": 44.4176, "source.geo.location.lon": 26.1708, "source.geo.region_iso_code": "RO-B", diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 26b891ba4f1..e9284eed554 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -5,6 +5,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -36,8 +37,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -67,6 +68,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -89,8 +91,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -101,8 +103,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -132,6 +134,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -155,8 +158,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -167,8 +170,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -220,8 +223,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -273,8 +276,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -304,6 +307,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -338,8 +342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -368,6 +372,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -389,8 +394,8 @@ "www.google-analytics.com" ], "related.ip": [ - "10.105.21.199", - "66.102.9.147" + "66.102.9.147", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -401,8 +406,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -432,6 +437,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -455,8 +461,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -467,8 +473,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -498,6 +504,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -521,8 +528,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -533,8 +540,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -564,6 +571,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -652,8 +660,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -683,6 +691,7 @@ "destination.geo.city_name": "Dallas", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 32.9379, "destination.geo.location.lon": -96.8384, "destination.geo.region_iso_code": "US-TX", @@ -706,8 +715,8 @@ "as.casalemedia.com" ], "related.ip": [ - "10.105.21.199", - "209.85.16.38" + "209.85.16.38", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -746,6 +755,7 @@ "@timestamp": "2006-09-08T04:22:06.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -766,8 +776,8 @@ "us.bc.yahoo.com" ], "related.ip": [ - "10.105.21.199", - "68.142.213.132" + "68.142.213.132", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -777,8 +787,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -807,6 +817,7 @@ "destination.as.organization.name": "Telia Company AB", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", "destination.geo.location.lat": 59.3247, "destination.geo.location.lon": 18.056, "destination.ip": [ @@ -840,8 +851,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -871,6 +882,7 @@ "destination.geo.city_name": "Los Angeles", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.0675, "destination.geo.location.lon": -118.3521, "destination.geo.region_iso_code": "US-CA", @@ -894,8 +906,8 @@ "4.adbrite.com" ], "related.ip": [ - "10.105.21.199", - "206.169.136.22" + "206.169.136.22", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -959,8 +971,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -990,6 +1002,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -1013,8 +1026,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1025,8 +1038,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1056,6 +1069,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -1079,8 +1093,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1119,6 +1133,7 @@ "@timestamp": "2006-09-08T04:22:10.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1140,8 +1155,8 @@ "4.adbrite.com" ], "related.ip": [ - "10.105.21.199", - "64.127.126.178" + "64.127.126.178", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1152,8 +1167,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1183,6 +1198,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -1206,8 +1222,8 @@ "ff.connextra.com" ], "related.ip": [ - "213.160.98.161", - "10.105.21.199" + "10.105.21.199", + "213.160.98.161" ], "related.user": [ "badeyek" @@ -1218,8 +1234,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "302", @@ -1249,6 +1265,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -1284,8 +1301,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1336,8 +1353,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1366,6 +1383,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1397,8 +1415,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1480,6 +1498,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1542,6 +1561,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1607,6 +1627,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1630,8 +1651,8 @@ "hi5.com" ], "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1672,6 +1693,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1692,8 +1714,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1809,8 +1831,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1862,8 +1884,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1893,6 +1915,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1915,8 +1938,8 @@ "hi5.com" ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1958,6 +1981,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1993,8 +2017,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -2023,6 +2047,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2054,8 +2079,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2082,6 +2107,7 @@ "@timestamp": "2006-09-08T04:22:33.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2102,8 +2128,8 @@ "insider.msg.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2114,8 +2140,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2144,6 +2170,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2165,8 +2192,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2177,8 +2204,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2207,6 +2234,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2266,6 +2294,7 @@ "@timestamp": "2006-09-08T04:22:35.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2330,6 +2359,7 @@ "destination.geo.city_name": "Sacramento", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.6415, "destination.geo.location.lon": -121.5114, "destination.geo.region_iso_code": "US-CA", @@ -2395,6 +2425,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2455,6 +2486,7 @@ "@timestamp": "2006-09-08T04:22:37.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2487,8 +2519,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2538,8 +2570,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2642,8 +2674,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2723,6 +2755,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2837,6 +2870,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2900,6 +2934,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2920,8 +2955,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2961,6 +2996,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2994,8 +3030,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3024,6 +3060,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3057,8 +3094,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3109,8 +3146,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3161,8 +3198,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3191,6 +3228,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3224,8 +3262,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3254,6 +3292,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3287,8 +3326,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3317,6 +3356,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3338,8 +3378,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3350,8 +3390,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3380,6 +3420,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3401,8 +3442,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3413,8 +3454,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3466,8 +3507,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3519,8 +3560,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3572,8 +3613,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3602,6 +3643,7 @@ "destination.as.organization.name": "BBC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.4964, "destination.geo.location.lon": -0.1224, "destination.ip": [ @@ -3623,8 +3665,8 @@ "newsrss.bbc.co.uk" ], "related.ip": [ - "212.58.226.33", - "10.105.21.199" + "10.105.21.199", + "212.58.226.33" ], "related.user": [ "badeyek" @@ -3665,6 +3707,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3834,6 +3877,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3855,8 +3899,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3866,8 +3910,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -3897,6 +3941,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -3962,6 +4007,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3983,8 +4029,8 @@ "radio.music.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3995,8 +4041,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4025,6 +4071,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4046,8 +4093,8 @@ "radio.music.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4058,8 +4105,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4088,6 +4135,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4121,8 +4169,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4227,8 +4275,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4258,6 +4306,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4281,8 +4330,8 @@ "us.news1.yimg.com" ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4293,8 +4342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -4323,6 +4372,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4344,8 +4394,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4386,6 +4436,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4450,6 +4501,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4473,8 +4525,8 @@ "us.a2.yimg.com" ], "related.ip": [ - "10.105.33.214", - "213.160.98.152" + "213.160.98.152", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4515,6 +4567,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4536,8 +4589,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4576,6 +4629,7 @@ "@timestamp": "2006-09-08T04:22:54.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4597,8 +4651,8 @@ "us.bc.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.213.132" + "68.142.213.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4637,6 +4691,7 @@ "@timestamp": "2006-09-08T04:22:56.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4698,6 +4753,7 @@ "@timestamp": "2006-09-08T04:22:57.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4782,8 +4838,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "304", @@ -4813,6 +4869,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4836,8 +4893,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4879,6 +4936,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4914,8 +4972,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4944,6 +5002,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4964,8 +5023,8 @@ "login.yahoo.com" ], "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -4975,8 +5034,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5006,6 +5065,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5072,6 +5132,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5095,8 +5156,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -5191,6 +5252,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5257,6 +5319,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5323,6 +5386,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5346,8 +5410,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5358,8 +5422,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5411,8 +5475,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5492,6 +5556,7 @@ "@timestamp": "2006-09-08T04:23:01.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -5513,8 +5578,8 @@ "launch.adserver.yahoo.com" ], "related.ip": [ - "216.109.125.112", - "10.105.33.214" + "10.105.33.214", + "216.109.125.112" ], "related.user": [ "adeolaegbedokun" @@ -5525,8 +5590,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5555,6 +5620,7 @@ "destination.as.organization.name": "Yahoo! UK Services Limited", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.4964, "destination.geo.location.lon": -0.1224, "destination.ip": [ @@ -5576,8 +5642,8 @@ "uk.f250.mail.yahoo.com" ], "related.ip": [ - "217.12.10.96", - "10.105.21.199" + "10.105.21.199", + "217.12.10.96" ], "related.user": [ "badeyek" @@ -5639,8 +5705,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5670,6 +5736,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5693,8 +5760,8 @@ "us.js2.yimg.com" ], "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" ], "related.user": [ "badeyek" @@ -5789,6 +5856,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 68412b504dc..a63e2fd592a 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -9,6 +9,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -89,6 +90,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -169,6 +171,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -249,6 +252,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -329,6 +333,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -409,6 +414,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -489,6 +495,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -569,6 +576,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -649,6 +657,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -729,6 +738,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -809,6 +819,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -889,6 +900,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -969,6 +981,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1049,6 +1062,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1129,6 +1143,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1209,6 +1224,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1289,6 +1305,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1369,6 +1386,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1449,6 +1467,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1528,6 +1547,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 5d113c8d370..4851f2db826 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -415,6 +415,7 @@ "destination.domain": "p33-btmmdns.icloud.com", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "17.142.164.13", diff --git a/x-pack/filebeat/module/symantec/endpointprotection/config/pipeline.js b/x-pack/filebeat/module/symantec/endpointprotection/config/pipeline.js index 8ad35b18ca1..f05bc1b7497 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/config/pipeline.js +++ b/x-pack/filebeat/module/symantec/endpointprotection/config/pipeline.js @@ -143,11 +143,9 @@ var dup8 = call({ ], }); -var dup9 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#0:Active/1_0", "nwparser.p0", "%{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var dup9 = match("MESSAGE#0:Active/1_0", "nwparser.p0", "%{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var dup10 = // "Pattern{Field(domain,false)}" -match_copy("MESSAGE#0:Active/1_1", "nwparser.p0", "domain"); +var dup10 = match_copy("MESSAGE#0:Active/1_1", "nwparser.p0", "domain"); var dup11 = setc("eventcategory","1001020100"); @@ -257,8 +255,7 @@ var dup48 = setc("fld14","1"); var dup49 = field("fld14"); -var dup50 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#15:Somebody:01/1_0", "nwparser.p0", "%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var dup50 = match("MESSAGE#15:Somebody:01/1_0", "nwparser.p0", "%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var dup51 = setc("fld14","0"); @@ -282,29 +279,23 @@ var dup57 = setc("event_description","Proactive Threat Protection has been disab var dup58 = setc("event_description","Application has changed since the last time you opened it"); -var dup59 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#27:Application:06/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); +var dup59 = match("MESSAGE#27:Application:06/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); -var dup60 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#27:Application:06/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var dup60 = match("MESSAGE#27:Application:06/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var dup61 = // "Pattern{Constant('Intrusion URL: '), Field(url,false)}" -match("MESSAGE#27:Application:06/1_2", "nwparser.p0", "Intrusion URL: %{url}"); +var dup61 = match("MESSAGE#27:Application:06/1_2", "nwparser.p0", "Intrusion URL: %{url}"); var dup62 = setc("event_description","Traffic has been blocked from application."); -var dup63 = // "Pattern{Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#31:scanning:01/1_0", "nwparser.p0", "%{url},Intrusion Payload URL:%{fld25}"); +var dup63 = match("MESSAGE#31:scanning:01/1_0", "nwparser.p0", "%{url},Intrusion Payload URL:%{fld25}"); -var dup64 = // "Pattern{Field(url,false)}" -match_copy("MESSAGE#31:scanning:01/1_1", "nwparser.p0", "url"); +var dup64 = match_copy("MESSAGE#31:scanning:01/1_1", "nwparser.p0", "url"); var dup65 = setc("eventcategory","1401000000"); var dup66 = setc("event_description","Somebody is scanning your computer."); -var dup67 = // "Pattern{Constant('Domain:'), Field(p0,false)}" -match("MESSAGE#33:Informational/1_1", "nwparser.p0", "Domain:%{p0}"); +var dup67 = match("MESSAGE#33:Informational/1_1", "nwparser.p0", "Domain:%{p0}"); var dup68 = setc("event_description","Informational: File Download Hash."); @@ -312,8 +303,7 @@ var dup69 = setc("eventcategory","1001030000"); var dup70 = setc("event_description","Web Attack : Malvertisement Website Redirect"); -var dup71 = // "Pattern{Constant(':'), Field(p0,false)}" -match("MESSAGE#38:Web_Attack:16/1_1", "nwparser.p0", ":%{p0}"); +var dup71 = match("MESSAGE#38:Web_Attack:16/1_1", "nwparser.p0", ":%{p0}"); var dup72 = setc("event_description","Web Attack: Mass Injection Website."); @@ -323,23 +313,17 @@ var dup74 = setc("eventcategory","1603110000"); var dup75 = setc("event_description","The most recent Host Integrity content has not completed a download or cannot be authenticated."); -var dup76 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#307:process:12/1_0", "nwparser.p0", "\"%{p0}"); +var dup76 = match("MESSAGE#307:process:12/1_0", "nwparser.p0", "\"%{p0}"); -var dup77 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#307:process:12/1_1", "nwparser.p0", "p0"); +var dup77 = match_copy("MESSAGE#307:process:12/1_1", "nwparser.p0", "p0"); -var dup78 = // "Pattern{Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#307:process:12/4", "nwparser.p0", ",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{p0}"); +var dup78 = match("MESSAGE#307:process:12/4", "nwparser.p0", ",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{p0}"); -var dup79 = // "Pattern{Constant('Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#307:process:12/5_0", "nwparser.p0", "Intrusion ID: %{fld33},Begin: %{p0}"); +var dup79 = match("MESSAGE#307:process:12/5_0", "nwparser.p0", "Intrusion ID: %{fld33},Begin: %{p0}"); -var dup80 = // "Pattern{Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#307:process:12/5_1", "nwparser.p0", "%{fld33},Begin: %{p0}"); +var dup80 = match("MESSAGE#307:process:12/5_1", "nwparser.p0", "%{fld33},Begin: %{p0}"); -var dup81 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#307:process:12/6", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var dup81 = match("MESSAGE#307:process:12/6", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var dup82 = setc("result","Traffic has not been blocked from application."); @@ -357,11 +341,9 @@ var dup88 = setc("event_description","Host Integrity check passed"); var dup89 = setc("event_description","Host Integrity check failed."); -var dup90 = // "Pattern{Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); +var dup90 = match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); -var dup91 = // "Pattern{}" -match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); +var dup91 = match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); var dup92 = setc("eventcategory","1702010000"); @@ -381,39 +363,29 @@ var dup96 = setc("ec_activity","Create"); var dup97 = setc("ec_theme","Configuration"); -var dup98 = // "Pattern{Constant('"Location: '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); +var dup98 = match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); -var dup99 = // "Pattern{Constant('Location: '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); +var dup99 = match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); -var dup100 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); +var dup100 = match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); -var dup101 = // "Pattern{Field(fld4,false), Constant(',MD-5:'), Field(fld5,false), Constant(',Local:'), Field(p0,false)}" -match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); +var dup101 = match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); -var dup102 = // "Pattern{Constant('Local:'), Field(p0,false)}" -match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); +var dup102 = match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); var dup103 = setc("event_description","Active Response"); var dup104 = setc("dclass_counter1_string","Occurrences"); -var dup105 = // "Pattern{Constant('Rule: '), Field(rulename,false), Constant(',Location: '), Field(p0,false)}" -match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); +var dup105 = match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); -var dup106 = // "Pattern{Constant(' "Rule: '), Field(rulename,false), Constant('",Location: '), Field(p0,false)}" -match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); +var dup106 = match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); -var dup107 = // "Pattern{Field(fld11,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); +var dup107 = match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); -var dup108 = // "Pattern{Constant('Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); +var dup108 = match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); -var dup109 = // "Pattern{Constant(' Domain: '), Field(domain,false)}" -match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); +var dup109 = match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); var dup110 = setc("eventcategory","1003010000"); @@ -427,27 +399,21 @@ var dup111 = call({ ], }); -var dup112 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(p0,false)}" -match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); +var dup112 = match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); -var dup113 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(p0,false)}" -match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); +var dup113 = match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); -var dup114 = // "Pattern{Field(fld25,false)}" -match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); +var dup114 = match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); var dup115 = setc("ec_subject","Virus"); var dup116 = setc("ec_activity","Detect"); -var dup117 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var dup117 = match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var dup118 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var dup118 = match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var dup119 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); +var dup119 = match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); var dup120 = setc("eventcategory","1801000000"); @@ -499,14 +465,11 @@ var dup137 = setf("domain","hdomain"); var dup138 = setc("event_description","The client has downloaded file successfully."); -var dup139 = // "Pattern{Constant('The client will block traffic from IP address '), Field(fld14,true), Constant(' for the next '), Field(duration_string,true), Constant(' (from '), Field(fld13,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); +var dup139 = match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); -var dup140 = // "Pattern{Constant('.,'), Field(p0,false)}" -match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); +var dup140 = match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); -var dup141 = // "Pattern{Constant(' . ,'), Field(p0,false)}" -match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); +var dup141 = match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); var dup142 = setf("shost","hclient"); @@ -514,26 +477,19 @@ var dup143 = setc("event_description","The client will block traffic."); var dup144 = setc("event_description","The client has successfully downloaded and applied a license file"); -var dup145 = // "Pattern{Constant('Commercial application detected,Computer name: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); +var dup145 = match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); -var dup146 = // "Pattern{Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Detection type: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); +var dup146 = match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); -var dup147 = // "Pattern{Field(shost,false), Constant(',Detection type: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); +var dup147 = match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); -var dup148 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var dup148 = match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); -var dup149 = // "Pattern{Constant('"'), Field(filename,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); +var dup149 = match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); -var dup150 = // "Pattern{Field(filename,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); +var dup150 = match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); -var dup151 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var dup151 = match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var dup152 = setf("threat_name","virusname"); @@ -557,19 +513,15 @@ var dup155 = setc("event_description","Commercial application detected"); var dup156 = setc("eventcategory","1701030000"); -var dup157 = // "Pattern{Constant('IP Address: '), Field(hostip,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); +var dup157 = match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); var dup158 = setf("administrator","husername"); -var dup159 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(p0,false)}" -match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); +var dup159 = match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); -var dup160 = // "Pattern{Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); +var dup160 = match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); -var dup161 = // "Pattern{Field(severity,false), Constant(',First Seen: '), Field(fld55,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld13,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(','), Field(fld53,false), Constant(',Permitted application reason: '), Field(fld54,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var dup161 = match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var dup162 = setc("event_description","Security risk found"); @@ -617,8 +569,7 @@ var dup174 = setc("eventcategory","1301000000"); var dup175 = setc("event_description","Failed to Login to Remote Site"); -var dup176 = // "Pattern{Constant('"'), Field(,false)}" -match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); +var dup176 = match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); var dup177 = setc("ec_subject","Group"); @@ -630,18 +581,15 @@ var dup180 = setc("event_description","Host Integrity check is disabled."); var dup181 = setc("event_description","Host Integrity failed but reported as pass"); -var dup182 = // "Pattern{Constant(' Domain:'), Field(p0,false)}" -match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); +var dup182 = match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); -var dup183 = // "Pattern{Constant('is '), Field(p0,false)}" -match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); +var dup183 = match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); var dup184 = setc("event_description","LiveUpdate"); var dup185 = setc("event_description","Submitting information to Symantec failed."); -var dup186 = // "Pattern{Constant('.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); +var dup186 = match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); var dup187 = setc("ec_outcome","Error"); @@ -651,8 +599,7 @@ var dup189 = setf("hostid","hhost"); var dup190 = setc("event_description","The latest SONAR Definitions update failed to load."); -var dup191 = // "Pattern{Constant('",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); +var dup191 = match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); var dup192 = date_time({ dest: "event_time", @@ -664,59 +611,43 @@ var dup192 = date_time({ var dup193 = setc("event_description","Virus Found"); -var dup194 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); +var dup194 = match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); var dup195 = setc("event_description","Virus Definition File Update"); var dup196 = setf("event_description","hfld1"); -var dup197 = // "Pattern{Constant('Virus found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var dup197 = match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var dup198 = // "Pattern{Constant('"'), Field(fld1,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); +var dup198 = match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); -var dup199 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); +var dup199 = match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); var dup200 = setc("event_description","Virus found"); -var dup201 = // "Pattern{Constant('Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(',Source: '), Field(p0,false)}" -match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); +var dup201 = match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); -var dup202 = // "Pattern{Constant('Source: '), Field(p0,false)}" -match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); +var dup202 = match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); -var dup203 = // "Pattern{Constant('"Group: '), Field(group,false), Constant('",Server: '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); +var dup203 = match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); -var dup204 = // "Pattern{Constant('Group: '), Field(group,false), Constant(',Server: '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); +var dup204 = match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); -var dup205 = // "Pattern{Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); +var dup205 = match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); -var dup206 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" -match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); +var dup206 = match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); -var dup207 = // "Pattern{Field(filename_size,false)}" -match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); +var dup207 = match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); -var dup208 = // "Pattern{Constant('Virus found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var dup208 = match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var dup209 = // "Pattern{Constant('"'), Field(info,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); +var dup209 = match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); -var dup210 = // "Pattern{Field(info,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); +var dup210 = match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); -var dup211 = // "Pattern{Constant(''), Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); +var dup211 = match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); -var dup212 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); +var dup212 = match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); var dup213 = setc("eventcategory","1701060000"); @@ -724,8 +655,7 @@ var dup214 = setc("event_description","Network Audit Search Unagented Hosts From var dup215 = setc("event_description","Network Intrusion Prevention is malfunctioning"); -var dup216 = // "Pattern{Constant(' by policy'), Field(,false)}" -match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); +var dup216 = match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); var dup217 = setc("event_description","Generic Exploit Mitigation"); @@ -745,16 +675,13 @@ var dup224 = setc("event_description","Policy has been added"); var dup225 = setc("event_description","Policy has been edited"); -var dup226 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); +var dup226 = match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); var dup227 = setc("event_description","Potential risk found"); -var dup228 = // "Pattern{Constant('Potential risk found,Computer name: '), Field(p0,false)}" -match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); +var dup228 = match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); -var dup229 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld20,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var dup229 = match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var dup230 = date_time({ dest: "recorded_time", @@ -764,8 +691,7 @@ var dup230 = date_time({ ], }); -var dup231 = // "Pattern{Field(event_description,false), Constant(', process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was denied by user'), Field(fld6,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); +var dup231 = match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); var dup232 = setc("eventcategory","1606000000"); @@ -807,17 +733,13 @@ var dup247 = setc("dclass_counter1_string","Risk Count."); var dup248 = setc("dclass_counter2_string","Scan Count."); -var dup249 = // "Pattern{Constant('''), Field(context,false), Constant('','), Field(p0,false)}" -match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); +var dup249 = match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); -var dup250 = // "Pattern{Constant('Security risk found,Computer name: '), Field(p0,false)}" -match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); +var dup250 = match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); -var dup251 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); +var dup251 = match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); -var dup252 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(vendor_event_cat,false)}" -match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); +var dup252 = match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); var dup253 = setc("event_description","Compressed File"); @@ -833,39 +755,29 @@ var dup258 = setc("event_description","services failed to start"); var dup259 = setc("eventcategory","1608010000"); -var dup260 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec AntiVirus,'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); +var dup260 = match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); -var dup261 = // "Pattern{Constant('[Antivirus'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); +var dup261 = match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); -var dup262 = // "Pattern{Constant('"[Antivirus'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); +var dup262 = match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); -var dup263 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); +var dup263 = match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); -var dup264 = // "Pattern{Constant('detection'), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); +var dup264 = match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); -var dup265 = // "Pattern{Constant('advanced heuristic detection'), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); +var dup265 = match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); -var dup266 = // "Pattern{Constant(' Size (bytes): '), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var dup266 = match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var dup267 = // "Pattern{Constant('Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); +var dup267 = match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); var dup268 = setc("ec_theme","Communication"); -var dup269 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); +var dup269 = match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); var dup270 = setc("event_description","Traffic from IP address is blocked."); -var dup271 = // "Pattern{Constant(''), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); +var dup271 = match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); var dup272 = setc("event_description","Unexpected server error."); @@ -873,26 +785,21 @@ var dup273 = setc("event_description","Unsolicited incoming ARP reply detected." var dup274 = setc("event_description","Windows Version info."); -var dup275 = // "Pattern{Constant('"'), Field(filename,false), Constant('",User: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); +var dup275 = match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); -var dup276 = // "Pattern{Field(filename,false), Constant(',User: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); +var dup276 = match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); var dup277 = setc("event_description","File Write"); -var dup278 = // "Pattern{Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var dup278 = match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); var dup279 = setc("event_description","File Delete"); var dup280 = setc("event_description","File Delete Begin."); -var dup281 = // "Pattern{Constant('""'), Field(action,true), Constant(' . Description: '), Field(p0,false)}" -match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); +var dup281 = match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); -var dup282 = // "Pattern{Field(action,true), Constant(' . Description: '), Field(p0,false)}" -match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); +var dup282 = match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); var dup283 = setc("dclass_counter1_string","Virus Count."); @@ -920,17 +827,13 @@ var dup288 = setc("ec_subject","Configuration"); var dup289 = setc("eventcategory","1801030000"); -var dup290 = // "Pattern{Field(event_description,true), Constant(' [name]:'), Field(obj_name,true), Constant(' [class]:'), Field(obj_type,true), Constant(' [guid]:'), Field(hardware_id,true), Constant(' [deviceID]:'), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); +var dup290 = match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); -var dup291 = // "Pattern{Field(event_description,false), Constant('. '), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); +var dup291 = match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); -var dup292 = // "Pattern{Field(event_description,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); +var dup292 = match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); -var dup293 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); +var dup293 = match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); var dup294 = setc("eventcategory","1803000000"); @@ -966,8 +869,7 @@ var dup303 = setc("event_description","Block Local File Sharing to external comp var dup304 = setc("event_description","Block all other traffic"); -var dup305 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); +var dup305 = match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); var dup306 = field("fld11"); @@ -1139,55 +1041,47 @@ var dup341 = linear_select([ dup282, ]); -var dup342 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" -match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ +var dup342 = match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ dup53, dup15, ])); -var dup343 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" -match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ +var dup343 = match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ dup43, dup15, ])); -var dup344 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup344 = match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup287, ])); -var dup345 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup345 = match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup287, ])); -var dup346 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup346 = match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup74, dup15, dup287, ])); -var dup347 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup347 = match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup74, dup15, dup287, ])); -var dup348 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup348 = match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup168, dup15, dup287, ])); -var dup349 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup349 = match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup168, dup15, dup287, @@ -1235,8 +1129,7 @@ var dup356 = lookup({ key: dup306, }); -var dup357 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var dup357 = match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup294, dup295, dup37, @@ -1250,8 +1143,7 @@ match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos dup302, ])); -var dup358 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup358 = match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -1265,8 +1157,7 @@ match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ dup302, ])); -var dup359 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var dup359 = match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup43, dup15, dup353, @@ -1277,8 +1168,7 @@ match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos dup302, ])); -var dup360 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(fld31,false), Constant('^^'), Field(filename_size,false), Constant('^^'), Field(fld32,false), Constant('^^'), Field(fld33,false)}" -match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ +var dup360 = match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ dup43, dup15, dup355, @@ -1289,8 +1179,7 @@ match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id} dup308, ])); -var dup361 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false)}" -match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ +var dup361 = match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ dup43, dup15, dup355, @@ -1301,20 +1190,15 @@ match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ dup308, ])); -var hdr1 = // "Pattern{Constant('%SYMANTECAV '), Field(p0,false)}" -match("HEADER#0:0001/0", "message", "%SYMANTECAV %{p0}"); +var hdr1 = match("HEADER#0:0001/0", "message", "%SYMANTECAV %{p0}"); -var part1 = // "Pattern{Constant('Delete '), Field(p0,false)}" -match("HEADER#0:0001/1_0", "nwparser.p0", "Delete %{p0}"); +var part1 = match("HEADER#0:0001/1_0", "nwparser.p0", "Delete %{p0}"); -var part2 = // "Pattern{Constant('Leave Alone '), Field(p0,false)}" -match("HEADER#0:0001/1_1", "nwparser.p0", "Leave Alone %{p0}"); +var part2 = match("HEADER#0:0001/1_1", "nwparser.p0", "Leave Alone %{p0}"); -var part3 = // "Pattern{Constant('Quarantine '), Field(p0,false)}" -match("HEADER#0:0001/1_2", "nwparser.p0", "Quarantine %{p0}"); +var part3 = match("HEADER#0:0001/1_2", "nwparser.p0", "Quarantine %{p0}"); -var part4 = // "Pattern{Constant('Undefined '), Field(p0,false)}" -match("HEADER#0:0001/1_3", "nwparser.p0", "Undefined %{p0}"); +var part4 = match("HEADER#0:0001/1_3", "nwparser.p0", "Undefined %{p0}"); var select1 = linear_select([ part1, @@ -1323,8 +1207,7 @@ var select1 = linear_select([ part4, ]); -var part5 = // "Pattern{Field(,false), Constant('..Alert: '), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" -match("HEADER#0:0001/2", "nwparser.p0", "%{}..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ +var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{}..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ dup1, ])); @@ -1339,20 +1222,17 @@ var all1 = all_match({ ]), }); -var hdr2 = // "Pattern{Constant('%SYMANTECAV Alert: '), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" -match("HEADER#1:0002", "message", "%SYMANTECAV Alert: %{messageid->} %{data}..%{p0}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%SYMANTECAV Alert: %{messageid->} %{data}..%{p0}", processor_chain([ setc("header_id","0002"), dup1, ])); -var hdr3 = // "Pattern{Constant('%SYMANTECAV ..'), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" -match("HEADER#2:0003", "message", "%SYMANTECAV ..%{messageid->} %{data}..%{p0}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%SYMANTECAV ..%{messageid->} %{data}..%{p0}", processor_chain([ setc("header_id","0003"), dup1, ])); -var hdr4 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' ..'), Field(messageid,true), Constant(' '), Field(hfld2,false), Constant('.. '), Field(p0,false)}" -match("HEADER#3:0004", "message", "%SYMANTECAV %{hfld1->} ..%{messageid->} %{hfld2}.. %{p0}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "%SYMANTECAV %{hfld1->} ..%{messageid->} %{hfld2}.. %{p0}", processor_chain([ setc("header_id","0004"), call({ dest: "nwparser.payload", @@ -1367,8 +1247,7 @@ match("HEADER#3:0004", "message", "%SYMANTECAV %{hfld1->} ..%{messageid->} %{hfl }), ])); -var hdr5 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' '), Field(messageid,true), Constant(' Found '), Field(p0,false)}" -match("HEADER#4:0005", "message", "%SYMANTECAV %{hfld1->} %{messageid->} Found %{p0}", processor_chain([ +var hdr5 = match("HEADER#4:0005", "message", "%SYMANTECAV %{hfld1->} %{messageid->} Found %{p0}", processor_chain([ setc("header_id","0005"), call({ dest: "nwparser.payload", @@ -1381,8 +1260,7 @@ match("HEADER#4:0005", "message", "%SYMANTECAV %{hfld1->} %{messageid->} Found % }), ])); -var hdr6 = // "Pattern{Constant('%SYMANTECAV '), Field(messageid,true), Constant(' '), Field(hfld1,false), Constant('..'), Field(p0,false)}" -match("HEADER#5:0006", "message", "%SYMANTECAV %{messageid->} %{hfld1}..%{p0}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "%SYMANTECAV %{messageid->} %{hfld1}..%{p0}", processor_chain([ setc("header_id","0006"), call({ dest: "nwparser.payload", @@ -1397,242 +1275,202 @@ match("HEADER#5:0006", "message", "%SYMANTECAV %{messageid->} %{hfld1}..%{p0}", }), ])); -var hdr7 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#6:00081", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ +var hdr7 = match("HEADER#6:00081", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ setc("header_id","00081"), dup2, ])); -var hdr8 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#7:0008", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ +var hdr8 = match("HEADER#7:0008", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ setc("header_id","0008"), dup2, ])); -var hdr9 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#8:00091", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ +var hdr9 = match("HEADER#8:00091", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ setc("header_id","00091"), dup2, ])); -var hdr10 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#9:0009", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ +var hdr10 = match("HEADER#9:0009", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ setc("header_id","0009"), dup2, ])); -var hdr11 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#10:00421", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ +var hdr11 = match("HEADER#10:00421", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ setc("header_id","00421"), dup2, ])); -var hdr12 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#11:0042", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ +var hdr12 = match("HEADER#11:0042", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ setc("header_id","0042"), dup2, ])); -var hdr13 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#12:99991", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ +var hdr13 = match("HEADER#12:99991", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ setc("header_id","99991"), dup2, ])); -var hdr14 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#13:9999", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ +var hdr14 = match("HEADER#13:9999", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ setc("header_id","9999"), dup2, ])); -var hdr15 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#14:00101", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ +var hdr15 = match("HEADER#14:00101", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","00101"), dup2, ])); -var hdr16 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#15:0010", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ +var hdr16 = match("HEADER#15:0010", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","0010"), dup2, ])); -var hdr17 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,false), Constant('.'), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("HEADER#16:00111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ +var hdr17 = match("HEADER#16:00111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ setc("header_id","00111"), dup3, ])); -var hdr18 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,false), Constant('.'), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("HEADER#17:0011", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ +var hdr18 = match("HEADER#17:0011", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ setc("header_id","0011"), dup3, ])); -var hdr19 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#18:00121", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ +var hdr19 = match("HEADER#18:00121", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ setc("header_id","00121"), dup2, ])); -var hdr20 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#19:0012", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ +var hdr20 = match("HEADER#19:0012", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ setc("header_id","0012"), dup2, ])); -var hdr21 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(fld20,true), Constant(' '), Field(fld21,true), Constant(' '), Field(fld23,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#20:11111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ +var hdr21 = match("HEADER#20:11111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ setc("header_id","11111"), dup2, ])); -var hdr22 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(fld20,true), Constant(' '), Field(fld21,true), Constant(' '), Field(fld23,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#21:1111", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ +var hdr22 = match("HEADER#21:1111", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ setc("header_id","1111"), dup2, ])); -var hdr23 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#22:13131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ +var hdr23 = match("HEADER#22:13131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","13131"), dup2, ])); -var hdr24 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#23:1313", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ +var hdr24 = match("HEADER#23:1313", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","1313"), dup2, ])); -var hdr25 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#24:00131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ +var hdr25 = match("HEADER#24:00131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ setc("header_id","00131"), dup2, ])); -var hdr26 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#25:0013", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ +var hdr26 = match("HEADER#25:0013", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ setc("header_id","0013"), dup2, ])); -var hdr27 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"[SID: '), Field(hfld1,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:13142", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ +var hdr27 = match("HEADER#26:13142", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ setc("header_id","13142"), dup2, ])); -var hdr28 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"[SID: '), Field(hfld1,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#27:13141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ +var hdr28 = match("HEADER#27:13141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ setc("header_id","13141"), dup2, ])); -var hdr29 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"[SID: '), Field(hfld1,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#28:1314", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ +var hdr29 = match("HEADER#28:1314", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ setc("header_id","1314"), dup2, ])); -var hdr30 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',[SID: '), Field(hdata,false), Constant('] '), Field(hfld1,false), Constant('. Traffic has been '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#29:00141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ +var hdr30 = match("HEADER#29:00141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ setc("header_id","00141"), dup4, ])); -var hdr31 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',[SID: '), Field(hdata,false), Constant('] '), Field(hfld1,false), Constant('. Traffic has been '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#30:0014", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ +var hdr31 = match("HEADER#30:0014", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ setc("header_id","0014"), dup4, ])); -var hdr32 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#31:00161", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{messageid->} %{p0}", processor_chain([ +var hdr32 = match("HEADER#31:00161", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{messageid->} %{p0}", processor_chain([ setc("header_id","00161"), dup2, ])); -var hdr33 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#32:0016", "message", "%{htime->} SymantecServer %{hhost}: %{messageid->} %{p0}", processor_chain([ +var hdr33 = match("HEADER#32:0016", "message", "%{htime->} SymantecServer %{hhost}: %{messageid->} %{p0}", processor_chain([ setc("header_id","0016"), dup2, ])); -var hdr34 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#33:29292", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr34 = match("HEADER#33:29292", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","29292"), dup5, ])); -var hdr35 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#34:29291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr35 = match("HEADER#34:29291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","29291"), dup5, ])); -var hdr36 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#35:2929", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr36 = match("HEADER#35:2929", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","2929"), dup5, ])); -var hdr37 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#36:00291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr37 = match("HEADER#36:00291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","00291"), dup5, ])); -var hdr38 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#37:0029", "message", "%{htime->} SymantecServer %{hhost}: %{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr38 = match("HEADER#37:0029", "message", "%{htime->} SymantecServer %{hhost}: %{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0029"), dup5, ])); -var hdr39 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhostip,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#38:00173", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhostip->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ +var hdr39 = match("HEADER#38:00173", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhostip->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ setc("header_id","00173"), dup2, ])); -var hdr40 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#39:00172", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ +var hdr40 = match("HEADER#39:00172", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ setc("header_id","00172"), dup2, ])); -var hdr41 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#40:00171", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid->} %{p0}", processor_chain([ +var hdr41 = match("HEADER#40:00171", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid->} %{p0}", processor_chain([ setc("header_id","00171"), dup2, ])); -var hdr42 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#41:0017", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid->} %{p0}", processor_chain([ +var hdr42 = match("HEADER#41:0017", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid->} %{p0}", processor_chain([ setc("header_id","0017"), dup2, ])); -var hdr43 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hname,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#42:00151", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ +var hdr43 = match("HEADER#42:00151", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ setc("header_id","00151"), dup6, ])); -var hdr44 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(hname,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#43:0015", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ +var hdr44 = match("HEADER#43:0015", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ setc("header_id","0015"), dup6, ])); -var hdr45 = // "Pattern{Constant('%SYMANTECAV Actual Name: '), Field(hfld1,true), Constant(' ..Alert: '), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" -match("HEADER#44:0018", "message", "%SYMANTECAV Actual Name: %{hfld1->} ..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ +var hdr45 = match("HEADER#44:0018", "message", "%SYMANTECAV Actual Name: %{hfld1->} ..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ setc("header_id","0018"), dup1, ])); -var hdr46 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(messageid,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#45:0021", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{messageid->} %{hfld3->} %{p0}", processor_chain([ +var hdr46 = match("HEADER#45:0021", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{messageid->} %{hfld3->} %{p0}", processor_chain([ setc("header_id","0021"), call({ dest: "nwparser.payload", @@ -1651,8 +1489,7 @@ match("HEADER#45:0021", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{messagei }), ])); -var hdr47 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(messageid,true), Constant(' '), Field(hfld4,true), Constant(' '), Field(p0,false)}" -match("HEADER#46:0022", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} %{hfld4->} %{p0}", processor_chain([ +var hdr47 = match("HEADER#46:0022", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} %{hfld4->} %{p0}", processor_chain([ setc("header_id","0022"), call({ dest: "nwparser.payload", @@ -1673,74 +1510,61 @@ match("HEADER#46:0022", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{hfld3->} }), ])); -var hdr48 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(fld40,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#47:00191", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ +var hdr48 = match("HEADER#47:00191", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ setc("header_id","00191"), dup7, ])); -var hdr49 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(fld40,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#48:0019", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ +var hdr49 = match("HEADER#48:0019", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0019"), dup7, ])); -var hdr50 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#49:00201", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ +var hdr50 = match("HEADER#49:00201", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ setc("header_id","00201"), dup2, ])); -var hdr51 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#50:0020", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ +var hdr51 = match("HEADER#50:0020", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ setc("header_id","0020"), dup2, ])); -var hdr52 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#51:00231", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{messageid->} %{p0}", processor_chain([ +var hdr52 = match("HEADER#51:00231", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","00231"), dup2, ])); -var hdr53 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#52:0023", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{messageid->} %{p0}", processor_chain([ +var hdr53 = match("HEADER#52:0023", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","0023"), dup2, ])); -var hdr54 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" -match("HEADER#53:00241", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid},%{payload}", processor_chain([ +var hdr54 = match("HEADER#53:00241", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid},%{payload}", processor_chain([ setc("header_id","00241"), ])); -var hdr55 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" -match("HEADER#54:0024", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid},%{payload}", processor_chain([ +var hdr55 = match("HEADER#54:0024", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid},%{payload}", processor_chain([ setc("header_id","0024"), ])); -var hdr56 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' """"'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" -match("HEADER#55:00261", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ +var hdr56 = match("HEADER#55:00261", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ setc("header_id","00261"), ])); -var hdr57 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' """"'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" -match("HEADER#56:0026", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ +var hdr57 = match("HEADER#56:0026", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ setc("header_id","0026"), ])); -var hdr58 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' ""'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" -match("HEADER#57:00371", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ +var hdr58 = match("HEADER#57:00371", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ setc("header_id","00371"), ])); -var hdr59 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' ""'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" -match("HEADER#58:0037", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ +var hdr59 = match("HEADER#58:0037", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ setc("header_id","0037"), ])); -var hdr60 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hsite,false), Constant(','), Field(messageid,false), Constant(': '), Field(p0,false)}" -match("HEADER#59:00271", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ +var hdr60 = match("HEADER#59:00271", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ setc("header_id","00271"), call({ dest: "nwparser.payload", @@ -1757,8 +1581,7 @@ match("HEADER#59:00271", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hs }), ])); -var hdr61 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hsite,false), Constant(','), Field(messageid,false), Constant(': '), Field(p0,false)}" -match("HEADER#60:0027", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ +var hdr61 = match("HEADER#60:0027", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ setc("header_id","0027"), call({ dest: "nwparser.payload", @@ -1775,23 +1598,19 @@ match("HEADER#60:0027", "message", "%{htime->} SymantecServer %{hhost}: Site: %{ }), ])); -var hdr62 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#61:00301", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid}: %{payload}", processor_chain([ +var hdr62 = match("HEADER#61:00301", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid}: %{payload}", processor_chain([ setc("header_id","00301"), ])); -var hdr63 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#62:0030", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid}: %{payload}", processor_chain([ +var hdr63 = match("HEADER#62:0030", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid}: %{payload}", processor_chain([ setc("header_id","0030"), ])); -var hdr64 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hsaddr,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" -match("HEADER#63:00242", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ +var hdr64 = match("HEADER#63:00242", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ setc("header_id","00242"), ])); -var hdr65 = // "Pattern{Field(htime,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hsaddr,false), Constant(','), Field(hfld1,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#64:00243", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{hfld1},%{messageid->} %{p0}", processor_chain([ +var hdr65 = match("HEADER#64:00243", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{hfld1},%{messageid->} %{p0}", processor_chain([ setc("header_id","00243"), call({ dest: "nwparser.payload", @@ -1806,25 +1625,21 @@ match("HEADER#64:00243", "message", "%{htime->} %{hhost->} SymantecServer: %{hsh }), ])); -var hdr66 = // "Pattern{Field(htime,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hsaddr,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" -match("HEADER#65:00244", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ +var hdr66 = match("HEADER#65:00244", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ setc("header_id","00244"), ])); -var hdr67 = // "Pattern{Constant('%SymantecEP: '), Field(messageid,false), Constant('^^'), Field(hhost,false), Constant('^^'), Field(p0,false)}" -match("HEADER#66:0031", "message", "%SymantecEP: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ +var hdr67 = match("HEADER#66:0031", "message", "%SymantecEP: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ setc("header_id","0031"), dup8, ])); -var hdr68 = // "Pattern{Constant('%SymantecEP-'), Field(hevent,false), Constant(': '), Field(hdomain,false), Constant('^^'), Field(hlevel,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#67:0032", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid->} %{p0}", processor_chain([ +var hdr68 = match("HEADER#67:0032", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid->} %{p0}", processor_chain([ setc("header_id","0032"), dup2, ])); -var hdr69 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld5,false), Constant('^^'), Field(hfld6,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#68:0040", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ +var hdr69 = match("HEADER#68:0040", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0040"), call({ dest: "nwparser.payload", @@ -1849,14 +1664,12 @@ match("HEADER#68:0040", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr70 = // "Pattern{Constant('%SymantecEP-'), Field(hevent,false), Constant(': '), Field(hdomain,false), Constant('^^'), Field(hlevel,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(messageid,false), Constant('.'), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("HEADER#69:0033", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid}.%{fld2->} %{p0}", processor_chain([ +var hdr70 = match("HEADER#69:0033", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid}.%{fld2->} %{p0}", processor_chain([ setc("header_id","0033"), dup3, ])); -var hdr71 = // "Pattern{Constant('%SymantecEP-'), Field(hevent,false), Constant(': '), Field(hdomain,false), Constant('^^'), Field(hlevel,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#70:0034", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{messageid}^^%{p0}", processor_chain([ +var hdr71 = match("HEADER#70:0034", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0034"), call({ dest: "nwparser.payload", @@ -1869,14 +1682,12 @@ match("HEADER#70:0034", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel} }), ])); -var hdr72 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(messageid,false), Constant('^^'), Field(hhost,false), Constant('^^'), Field(p0,false)}" -match("HEADER#71:0035", "message", "%SymantecEP-%{hfld1}: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ +var hdr72 = match("HEADER#71:0035", "message", "%SymantecEP-%{hfld1}: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ setc("header_id","0035"), dup8, ])); -var hdr73 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld5,false), Constant('^^'), Field(hfld6,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#72:0038", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{messageid}^^%{p0}", processor_chain([ +var hdr73 = match("HEADER#72:0038", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0038"), call({ dest: "nwparser.payload", @@ -1899,8 +1710,7 @@ match("HEADER#72:0038", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr74 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#73:0041", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{messageid}^^%{p0}", processor_chain([ +var hdr74 = match("HEADER#73:0041", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0041"), call({ dest: "nwparser.payload", @@ -1919,8 +1729,7 @@ match("HEADER#73:0041", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr75 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#74:0043", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ +var hdr75 = match("HEADER#74:0043", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0043"), call({ dest: "nwparser.payload", @@ -1941,8 +1750,7 @@ match("HEADER#74:0043", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr76 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld5,false), Constant('^^'), Field(hfld6,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(hfld8,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#75:0039", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ +var hdr76 = match("HEADER#75:0039", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0039"), call({ dest: "nwparser.payload", @@ -1969,8 +1777,7 @@ match("HEADER#75:0039", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr77 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(hfld8,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#76:0044", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ +var hdr77 = match("HEADER#76:0044", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0044"), call({ dest: "nwparser.payload", @@ -1993,8 +1800,7 @@ match("HEADER#76:0044", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr78 = // "Pattern{Constant('%NICWIN-4-'), Field(msgIdPart1,false), Constant('_'), Field(msgIdPart2,false), Constant('_Symantec: '), Field(payload,false)}" -match("HEADER#77:0045", "message", "%NICWIN-4-%{msgIdPart1}_%{msgIdPart2}_Symantec: %{payload}", processor_chain([ +var hdr78 = match("HEADER#77:0045", "message", "%NICWIN-4-%{msgIdPart1}_%{msgIdPart2}_Symantec: %{payload}", processor_chain([ setc("header_id","0045"), call({ dest: "nwparser.messageid", @@ -2007,8 +1813,7 @@ match("HEADER#77:0045", "message", "%NICWIN-4-%{msgIdPart1}_%{msgIdPart2}_Symant }), ])); -var hdr79 = // "Pattern{Constant('%NICWIN-4-'), Field(messageid,false), Constant('_'), Field(hfld2,false), Constant('_Symantec AntiVirus: '), Field(payload,false)}" -match("HEADER#78:0046", "message", "%NICWIN-4-%{messageid}_%{hfld2}_Symantec AntiVirus: %{payload}", processor_chain([ +var hdr79 = match("HEADER#78:0046", "message", "%NICWIN-4-%{messageid}_%{hfld2}_Symantec AntiVirus: %{payload}", processor_chain([ setc("header_id","0046"), ])); @@ -2094,8 +1899,7 @@ var select2 = linear_select([ hdr79, ]); -var part6 = // "Pattern{Constant('Active Response that started at '), Field(fld1,true), Constant(' is disengaged. The traffic from IP address '), Field(hostip,true), Constant(' was blocked for '), Field(fld2,true), Constant(' second(s).,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(','), Field(direction,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#0:Active/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{fld2->} second(s).,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part6 = match("MESSAGE#0:Active/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{fld2->} second(s).,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all2 = all_match({ processors: [ @@ -2117,8 +1921,7 @@ var all2 = all_match({ var msg1 = msg("Active", all2); -var part7 = // "Pattern{Constant('Active Response that started at '), Field(fld1,true), Constant(' is disengaged. The traffic from IP address '), Field(hostip,true), Constant(' was blocked for '), Field(duration,true), Constant(' second(s). ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(','), Field(direction,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#1:Active:01/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{duration->} second(s). ,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part7 = match("MESSAGE#1:Active:01/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{duration->} second(s). ,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all3 = all_match({ processors: [ @@ -2145,8 +1948,7 @@ var select3 = linear_select([ msg2, ]); -var part8 = // "Pattern{Constant('Administrator logout'), Field(,false)}" -match("MESSAGE#2:Administrator", "nwparser.payload", "Administrator logout%{}", processor_chain([ +var part8 = match("MESSAGE#2:Administrator", "nwparser.payload", "Administrator logout%{}", processor_chain([ setc("eventcategory","1401070000"), dup12, dup13, @@ -2162,8 +1964,7 @@ match("MESSAGE#2:Administrator", "nwparser.payload", "Administrator logout%{}", var msg3 = msg("Administrator", part8); -var part9 = // "Pattern{Constant('Administrator'), Field(space,false), Constant('log on failed')}" -match("MESSAGE#3:Administrator:01", "nwparser.payload", "Administrator%{space}log on failed", processor_chain([ +var part9 = match("MESSAGE#3:Administrator:01", "nwparser.payload", "Administrator%{space}log on failed", processor_chain([ setc("eventcategory","1401030000"), dup12, dup13, @@ -2179,8 +1980,7 @@ match("MESSAGE#3:Administrator:01", "nwparser.payload", "Administrator%{space}lo var msg4 = msg("Administrator:01", part9); -var part10 = // "Pattern{Constant('Administrator'), Field(space,false), Constant('log on succeeded')}" -match("MESSAGE#4:Administrator:02", "nwparser.payload", "Administrator%{space}log on succeeded", processor_chain([ +var part10 = match("MESSAGE#4:Administrator:02", "nwparser.payload", "Administrator%{space}log on succeeded", processor_chain([ setc("eventcategory","1401060000"), dup12, dup13, @@ -2202,8 +2002,7 @@ var select4 = linear_select([ msg5, ]); -var part11 = // "Pattern{Constant('password of System administrator ''), Field(username,false), Constant('' has been changed.')}" -match("MESSAGE#5:Administrator:03", "nwparser.payload", "password of System administrator '%{username}' has been changed.", processor_chain([ +var part11 = match("MESSAGE#5:Administrator:03", "nwparser.payload", "password of System administrator '%{username}' has been changed.", processor_chain([ dup26, dup12, dup13, @@ -2219,8 +2018,7 @@ match("MESSAGE#5:Administrator:03", "nwparser.payload", "password of System admi var msg6 = msg("Administrator:03", part11); -var part12 = // "Pattern{Constant('password of administrator "'), Field(c_username,false), Constant('" was changed')}" -match("MESSAGE#290:password", "nwparser.payload", "password of administrator \"%{c_username}\" was changed", processor_chain([ +var part12 = match("MESSAGE#290:password", "nwparser.payload", "password of administrator \"%{c_username}\" was changed", processor_chain([ dup26, dup12, dup13, @@ -2236,8 +2034,7 @@ match("MESSAGE#290:password", "nwparser.payload", "password of administrator \"% var msg7 = msg("password", part12); -var part13 = // "Pattern{Constant('password of System administrator "'), Field(c_username,false), Constant('" has been changed')}" -match("MESSAGE#291:password:01", "nwparser.payload", "password of System administrator \"%{c_username}\" has been changed", processor_chain([ +var part13 = match("MESSAGE#291:password:01", "nwparser.payload", "password of System administrator \"%{c_username}\" has been changed", processor_chain([ dup26, dup12, dup13, @@ -2259,8 +2056,7 @@ var select5 = linear_select([ msg8, ]); -var part14 = // "Pattern{Field(fld6,true), Constant(' detected. Traffic has been allowed from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#6:allowed", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part14 = match("MESSAGE#6:allowed", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup32, dup12, dup13, @@ -2275,8 +2071,7 @@ match("MESSAGE#6:allowed", "nwparser.payload", "%{fld6->} detected. Traffic has var msg9 = msg("allowed", part14); -var part15 = // "Pattern{Field(fld6,true), Constant(' detected. Traffic has been allowed from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#7:allowed:11", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part15 = match("MESSAGE#7:allowed:11", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup32, dup12, dup13, @@ -2296,8 +2091,7 @@ var select6 = linear_select([ msg10, ]); -var part16 = // "Pattern{Constant('Malicious Site: Malicious Web Site, Domain, or URL ('), Field(fld11,false), Constant(') attack blocked. Traffic has been blocked for this application: '), Field(fld12,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld39,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(dport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(sport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',"!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant('",!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld33,false)}" -match("MESSAGE#8:Malicious", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ +var part16 = match("MESSAGE#8:Malicious", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ dup36, dup12, dup13, @@ -2314,8 +2108,7 @@ match("MESSAGE#8:Malicious", "nwparser.payload", "Malicious Site: Malicious Web var msg11 = msg("Malicious", part16); -var part17 = // "Pattern{Constant('Malicious Site: Malicious Web Site, Domain, or URL ('), Field(fld11,false), Constant(') attack blocked. Traffic has been blocked for this application: '), Field(fld12,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld39,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(sport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(dport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',"!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant('",!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld33,false)}" -match("MESSAGE#9:Malicious:01", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ +var part17 = match("MESSAGE#9:Malicious:01", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ dup36, dup12, dup13, @@ -2332,22 +2125,18 @@ match("MESSAGE#9:Malicious:01", "nwparser.payload", "Malicious Site: Malicious W var msg12 = msg("Malicious:01", part17); -var part18 = // "Pattern{Constant('Malicious Site: Malicious Web Site, Domain, or URL ('), Field(fld11,false), Constant(') attack blocked. Traffic has been blocked for this application: '), Field(fld12,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(p0,false)}" -match("MESSAGE#10:Malicious:02/0", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Inbound,%{p0}"); +var part18 = match("MESSAGE#10:Malicious:02/0", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Inbound,%{p0}"); -var part19 = // "Pattern{Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#10:Malicious:02/1_0", "nwparser.p0", "%{protocol},Intrusion ID:%{fld23},Begin: %{p0}"); +var part19 = match("MESSAGE#10:Malicious:02/1_0", "nwparser.p0", "%{protocol},Intrusion ID:%{fld23},Begin: %{p0}"); -var part20 = // "Pattern{Field(protocol,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#10:Malicious:02/1_1", "nwparser.p0", "%{protocol},Begin: %{p0}"); +var part20 = match("MESSAGE#10:Malicious:02/1_1", "nwparser.p0", "%{protocol},Begin: %{p0}"); var select7 = linear_select([ part19, part20, ]); -var part21 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld39,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',"CIDS Signature string: '), Field(sigid_string,false), Constant('",CIDS Signature SubID: '), Field(fld29,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#10:Malicious:02/2", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},\"CIDS Signature string: %{sigid_string}\",CIDS Signature SubID: %{fld29},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}"); +var part21 = match("MESSAGE#10:Malicious:02/2", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},\"CIDS Signature string: %{sigid_string}\",CIDS Signature SubID: %{fld29},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}"); var all4 = all_match({ processors: [ @@ -2377,8 +2166,7 @@ var select8 = linear_select([ msg13, ]); -var part22 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,true), Constant(' failed to update.')}" -match("MESSAGE#11:Antivirus", "nwparser.payload", "%{product->} definitions %{info->} failed to update.", processor_chain([ +var part22 = match("MESSAGE#11:Antivirus", "nwparser.payload", "%{product->} definitions %{info->} failed to update.", processor_chain([ dup43, dup12, dup13, @@ -2393,8 +2181,7 @@ match("MESSAGE#11:Antivirus", "nwparser.payload", "%{product->} definitions %{in var msg14 = msg("Antivirus", part22); -var part23 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,true), Constant(' is up-to-date.')}" -match("MESSAGE#12:Antivirus:01", "nwparser.payload", "%{product->} definitions %{info->} is up-to-date.", processor_chain([ +var part23 = match("MESSAGE#12:Antivirus:01", "nwparser.payload", "%{product->} definitions %{info->} is up-to-date.", processor_chain([ dup43, dup12, dup13, @@ -2405,8 +2192,7 @@ match("MESSAGE#12:Antivirus:01", "nwparser.payload", "%{product->} definitions % var msg15 = msg("Antivirus:01", part23); -var part24 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,true), Constant(' was successfully updated.')}" -match("MESSAGE#13:Antivirus:02", "nwparser.payload", "%{product->} definitions %{info->} was successfully updated.", processor_chain([ +var part24 = match("MESSAGE#13:Antivirus:02", "nwparser.payload", "%{product->} definitions %{info->} was successfully updated.", processor_chain([ dup43, dup44, dup45, @@ -2424,8 +2210,7 @@ var select9 = linear_select([ msg16, ]); -var part25 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',1,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#14:Somebody/0", "nwparser.payload", "%{event_description}\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},1,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part25 = match("MESSAGE#14:Somebody/0", "nwparser.payload", "%{event_description}\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},1,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all5 = all_match({ processors: [ @@ -2448,8 +2233,7 @@ var all5 = all_match({ var msg17 = msg("Somebody", all5); -var part26 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',0,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#15:Somebody:01/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},0,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part26 = match("MESSAGE#15:Somebody:01/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},0,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all6 = all_match({ processors: [ @@ -2472,8 +2256,7 @@ var all6 = all_match({ var msg18 = msg("Somebody:01", all6); -var part27 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',2,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#16:Somebody:02/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},2,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part27 = match("MESSAGE#16:Somebody:02/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},2,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all7 = all_match({ processors: [ @@ -2502,11 +2285,9 @@ var select10 = linear_select([ msg19, ]); -var part28 = // "Pattern{Field(fld44,false), Constant(',Application and Device Control is ready,'), Field(fld8,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(p0,false)}" -match("MESSAGE#17:Application/0", "nwparser.payload", "%{fld44},Application and Device Control is ready,%{fld8},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{p0}"); +var part28 = match("MESSAGE#17:Application/0", "nwparser.payload", "%{fld44},Application and Device Control is ready,%{fld8},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{p0}"); -var part29 = // "Pattern{Field(domain,false), Constant(',Action Type:'), Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#17:Application/1_0", "nwparser.p0", "%{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var part29 = match("MESSAGE#17:Application/1_0", "nwparser.p0", "%{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); var select11 = linear_select([ part29, @@ -2531,8 +2312,7 @@ var all8 = all_match({ var msg20 = msg("Application", all8); -var part30 = // "Pattern{Field(fld44,false), Constant(',Application and Device Control engine is not verified,'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#18:Application:01", "nwparser.payload", "%{fld44},Application and Device Control engine is not verified,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ +var part30 = match("MESSAGE#18:Application:01", "nwparser.payload", "%{fld44},Application and Device Control engine is not verified,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ dup53, dup12, dup13, @@ -2545,8 +2325,7 @@ match("MESSAGE#18:Application:01", "nwparser.payload", "%{fld44},Application and var msg21 = msg("Application:01", part30); -var part31 = // "Pattern{Field(fld44,false), Constant('Blocked,['), Field(fld5,false), Constant('] '), Field(event_description,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(',Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld45,false)}" -match("MESSAGE#19:Application:02", "nwparser.payload", "%{fld44}Blocked,[%{fld5}] %{event_description->} - Caller MD5=%{fld6},Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld45}", processor_chain([ +var part31 = match("MESSAGE#19:Application:02", "nwparser.payload", "%{fld44}Blocked,[%{fld5}] %{event_description->} - Caller MD5=%{fld6},Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld45}", processor_chain([ dup53, dup12, dup13, @@ -2559,8 +2338,7 @@ match("MESSAGE#19:Application:02", "nwparser.payload", "%{fld44}Blocked,[%{fld5} var msg22 = msg("Application:02", part31); -var part32 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,'), Field(hostname,false), Constant(',Classic,'), Field(shost,false), Constant(','), Field(event_description,false), Constant(',, Scan Complete: Risks: '), Field(fld7,true), Constant(' Scanned: '), Field(fld8,true), Constant(' Omitted: '), Field(fld9,true), Constant(' Trusted Files Skipped: '), Field(fld10,false)}" -match("MESSAGE#683:Application:03", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, Scan Complete: Risks: %{fld7->} Scanned: %{fld8->} Omitted: %{fld9->} Trusted Files Skipped: %{fld10}", processor_chain([ +var part32 = match("MESSAGE#683:Application:03", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, Scan Complete: Risks: %{fld7->} Scanned: %{fld8->} Omitted: %{fld9->} Trusted Files Skipped: %{fld10}", processor_chain([ dup43, dup15, dup55, @@ -2568,8 +2346,7 @@ match("MESSAGE#683:Application:03", "nwparser.payload", "Application,rn=%{fld1-> var msg23 = msg("Application:03", part32); -var part33 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,'), Field(hostname,false), Constant(',Classic,'), Field(shost,false), Constant(','), Field(event_description,false), Constant(',, '), Field(info,false), Constant('.')}" -match("MESSAGE#684:Application:04", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, %{info}.", processor_chain([ +var part33 = match("MESSAGE#684:Application:04", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, %{info}.", processor_chain([ dup43, dup15, dup55, @@ -2577,8 +2354,7 @@ match("MESSAGE#684:Application:04", "nwparser.payload", "Application,rn=%{fld1-> var msg24 = msg("Application:04", part33); -var part34 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,'), Field(hostname,false), Constant(',Classic,'), Field(shost,false), Constant(','), Field(fld22,false), Constant(',,'), Field(space,false), Constant('Proactive Threat Protection has been disabled')}" -match("MESSAGE#685:Application:05", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{fld22},,%{space}Proactive Threat Protection has been disabled", processor_chain([ +var part34 = match("MESSAGE#685:Application:05", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{fld22},,%{space}Proactive Threat Protection has been disabled", processor_chain([ dup43, dup56, dup15, @@ -2597,8 +2373,7 @@ var select12 = linear_select([ msg25, ]); -var part35 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"Application has changed since the last time you opened it, process id:'), Field(process_id,true), Constant(' Filename: '), Field(fld8,true), Constant(' The change was denied by user.",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld11,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#20:Application:07", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id:%{process_id->} Filename: %{fld8->} The change was denied by user.\",Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld11},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part35 = match("MESSAGE#20:Application:07", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id:%{process_id->} Filename: %{fld8->} The change was denied by user.\",Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld11},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup34, dup58, @@ -2613,8 +2388,7 @@ match("MESSAGE#20:Application:07", "nwparser.payload", "SHA-256:%{checksum},MD-5 var msg26 = msg("Application:07", part35); -var part36 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"Application has changed since the last time you opened it, process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' '), Field(fld1,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#27:Application:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} %{fld1}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part36 = match("MESSAGE#27:Application:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} %{fld1}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all9 = all_match({ processors: [ @@ -2637,8 +2411,7 @@ var all9 = all_match({ var msg27 = msg("Application:06", all9); -var part37 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',REMEDIATION WAS NEEDED - '), Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Unknown,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#28:REMEDIATION/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},REMEDIATION WAS NEEDED - %{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part37 = match("MESSAGE#28:REMEDIATION/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},REMEDIATION WAS NEEDED - %{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all10 = all_match({ processors: [ @@ -2658,8 +2431,7 @@ var all10 = all_match({ var msg28 = msg("REMEDIATION", all10); -var part38 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#29:blocked:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part38 = match("MESSAGE#29:blocked:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all11 = all_match({ processors: [ @@ -2682,8 +2454,7 @@ var all11 = all_match({ var msg29 = msg("blocked:06", all11); -var part39 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#30:blocked:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part39 = match("MESSAGE#30:blocked:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all12 = all_match({ processors: [ @@ -2706,8 +2477,7 @@ var all12 = all_match({ var msg30 = msg("blocked:16", all12); -var part40 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,"Somebody is scanning your computer. Your computer's TCP ports: '), Field(fld60,false), Constant(', '), Field(fld61,false), Constant(', '), Field(fld62,false), Constant(', '), Field(fld63,true), Constant(' and '), Field(fld64,true), Constant(' have been scanned from '), Field(fld65,false), Constant('.",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#31:scanning:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part40 = match("MESSAGE#31:scanning:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all13 = all_match({ processors: [ @@ -2730,8 +2500,7 @@ var all13 = all_match({ var msg31 = msg("scanning:01", all13); -var part41 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,"Somebody is scanning your computer. Your computer's TCP ports: '), Field(fld60,false), Constant(', '), Field(fld61,false), Constant(', '), Field(fld62,false), Constant(', '), Field(fld63,true), Constant(' and '), Field(fld64,true), Constant(' have been scanned from '), Field(fld65,false), Constant('.",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#32:scanning/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part41 = match("MESSAGE#32:scanning/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all14 = all_match({ processors: [ @@ -2754,19 +2523,16 @@ var all14 = all_match({ var msg32 = msg("scanning", all14); -var part42 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Informational: File Download Hash,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#33:Informational/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},%{p0}"); +var part42 = match("MESSAGE#33:Informational/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},%{p0}"); -var part43 = // "Pattern{Constant(' Domain: '), Field(p0,false)}" -match("MESSAGE#33:Informational/1_0", "nwparser.p0", " Domain: %{p0}"); +var part43 = match("MESSAGE#33:Informational/1_0", "nwparser.p0", " Domain: %{p0}"); var select13 = linear_select([ part43, dup67, ]); -var part44 = // "Pattern{Field(,true), Constant(' '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#33:Informational/2", "nwparser.p0", "%{} %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part44 = match("MESSAGE#33:Informational/2", "nwparser.p0", "%{} %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all15 = all_match({ processors: [ @@ -2791,8 +2557,7 @@ var all15 = all_match({ var msg33 = msg("Informational", all15); -var part45 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Informational: File Download Hash,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#34:Informational:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part45 = match("MESSAGE#34:Informational:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all16 = all_match({ processors: [ @@ -2815,8 +2580,7 @@ var all16 = all_match({ var msg34 = msg("Informational:01", all16); -var part46 = // "Pattern{Field(shost,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',CCD Notification: REMEDIATION NOT REQUIRED,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote:'), Field(fld2,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application:'), Field(fld6,false), Constant(',Location: '), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string:'), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:')}" -match("MESSAGE#35:SHA-256::01", "nwparser.payload", "%{shost}, SHA-256:%{checksum},MD-5:%{checksum},CCD Notification: REMEDIATION NOT REQUIRED,Local: %{saddr},Local: %{fld1},Remote:%{fld2},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application:%{fld6},Location: %{fld7},User: %{username}, Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string:%{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:", processor_chain([ +var part46 = match("MESSAGE#35:SHA-256::01", "nwparser.payload", "%{shost}, SHA-256:%{checksum},MD-5:%{checksum},CCD Notification: REMEDIATION NOT REQUIRED,Local: %{saddr},Local: %{fld1},Remote:%{fld2},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application:%{fld6},Location: %{fld7},User: %{username}, Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string:%{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:", processor_chain([ dup53, dup12, dup13, @@ -2831,8 +2595,7 @@ match("MESSAGE#35:SHA-256::01", "nwparser.payload", "%{shost}, SHA-256:%{checksu var msg35 = msg("SHA-256::01", part46); -var part47 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack : Malvertisement Website Redirect '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#36:Web_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part47 = match("MESSAGE#36:Web_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all17 = all_match({ processors: [ @@ -2855,8 +2618,7 @@ var all17 = all_match({ var msg36 = msg("Web_Attack", all17); -var part48 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack: Fake Flash Player Download '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#37:Web_Attack:13/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Flash Player Download %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part48 = match("MESSAGE#37:Web_Attack:13/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Flash Player Download %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all18 = all_match({ processors: [ @@ -2879,19 +2641,16 @@ var all18 = all_match({ var msg37 = msg("Web_Attack:13", all18); -var part49 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] Web Attack'), Field(p0,false)}" -match("MESSAGE#38:Web_Attack:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack%{p0}"); +var part49 = match("MESSAGE#38:Web_Attack:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack%{p0}"); -var part50 = // "Pattern{Constant(' : '), Field(p0,false)}" -match("MESSAGE#38:Web_Attack:16/1_0", "nwparser.p0", " : %{p0}"); +var part50 = match("MESSAGE#38:Web_Attack:16/1_0", "nwparser.p0", " : %{p0}"); var select14 = linear_select([ part50, dup71, ]); -var part51 = // "Pattern{Field(,false), Constant('JSCoinminer Download '), Field(fld21,true), Constant(' attack blocked. Traffic has been blocked for this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#38:Web_Attack:16/2", "nwparser.p0", "%{}JSCoinminer Download %{fld21->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); +var part51 = match("MESSAGE#38:Web_Attack:16/2", "nwparser.p0", "%{}JSCoinminer Download %{fld21->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); var all19 = all_match({ processors: [ @@ -2915,8 +2674,7 @@ var all19 = all_match({ var msg38 = msg("Web_Attack:16", all19); -var part52 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,[SID: '), Field(fld26,false), Constant('] Web Attack: Apache Struts2 devMode OGNL Execution attack detected but not blocked. '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#39:Web_Attack:03", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,[SID: %{fld26}] Web Attack: Apache Struts2 devMode OGNL Execution attack detected but not blocked. %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ +var part52 = match("MESSAGE#39:Web_Attack:03", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,[SID: %{fld26}] Web Attack: Apache Struts2 devMode OGNL Execution attack detected but not blocked. %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ dup69, dup12, dup13, @@ -2931,8 +2689,7 @@ match("MESSAGE#39:Web_Attack:03", "nwparser.payload", "SHA-256:%{checksum},MD-5: var msg39 = msg("Web_Attack:03", part52); -var part53 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] Web Attack : Malvertisement Website Redirect '), Field(fld2,true), Constant(' attack blocked. Traffic has been blocked for this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#40:Web_Attack:15", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack : Malvertisement Website Redirect %{fld2->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ +var part53 = match("MESSAGE#40:Web_Attack:15", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack : Malvertisement Website Redirect %{fld2->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ dup69, dup12, dup13, @@ -2947,8 +2704,7 @@ match("MESSAGE#40:Web_Attack:15", "nwparser.payload", "SHA-256:%{checksum},MD-5: var msg40 = msg("Web_Attack:15", part53); -var part54 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack : Malvertisement Website Redirect '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#41:Web_Attack:11/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part54 = match("MESSAGE#41:Web_Attack:11/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all20 = all_match({ processors: [ @@ -2971,8 +2727,7 @@ var all20 = all_match({ var msg41 = msg("Web_Attack:11", all20); -var part55 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack: Mass Injection Website '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#42:Web_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part55 = match("MESSAGE#42:Web_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all21 = all_match({ processors: [ @@ -2995,8 +2750,7 @@ var all21 = all_match({ var msg42 = msg("Web_Attack:01", all21); -var part56 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack: Mass Injection Website '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#43:Web_Attack:12/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part56 = match("MESSAGE#43:Web_Attack:12/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all22 = all_match({ processors: [ @@ -3019,8 +2773,7 @@ var all22 = all_match({ var msg43 = msg("Web_Attack:12", all22); -var part57 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack: Mass Injection Website '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#44:Web_Attack:14/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part57 = match("MESSAGE#44:Web_Attack:14/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all23 = all_match({ processors: [ @@ -3043,8 +2796,7 @@ var all23 = all_match({ var msg44 = msg("Web_Attack:14", all23); -var part58 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack : Malvertisement Website Redirect '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#45:Web_Attack:17/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part58 = match("MESSAGE#45:Web_Attack:17/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all24 = all_match({ processors: [ @@ -3067,8 +2819,7 @@ var all24 = all_match({ var msg45 = msg("Web_Attack:17", all24); -var part59 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack: Fake Tech Support Website '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#46:Web_Attack:18/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Tech Support Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part59 = match("MESSAGE#46:Web_Attack:18/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Tech Support Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all25 = all_match({ processors: [ @@ -3091,8 +2842,7 @@ var all25 = all_match({ var msg46 = msg("Web_Attack:18", all25); -var part60 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Fake App Attack: Misleading Application Website'), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#47:App_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part60 = match("MESSAGE#47:App_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all26 = all_match({ processors: [ @@ -3115,8 +2865,7 @@ var all26 = all_match({ var msg47 = msg("App_Attack", all26); -var part61 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Fake App Attack: Misleading Application Website'), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#48:App_Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part61 = match("MESSAGE#48:App_Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all27 = all_match({ processors: [ @@ -3139,8 +2888,7 @@ var all27 = all_match({ var msg48 = msg("App_Attack:02", all27); -var part62 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Fake App Attack: Misleading Application Website'), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#49:App_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Fake App Attack: Misleading Application Website%{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part62 = match("MESSAGE#49:App_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Fake App Attack: Misleading Application Website%{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all28 = all_match({ processors: [ @@ -3163,8 +2911,7 @@ var all28 = all_match({ var msg49 = msg("App_Attack:01", all28); -var part63 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Unknown,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#50:Host_Integrity/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part63 = match("MESSAGE#50:Host_Integrity/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all29 = all_match({ processors: [ @@ -3186,11 +2933,9 @@ var all29 = all_match({ var msg50 = msg("Host_Integrity", all29); -var part64 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"'), Field(p0,false)}" -match("MESSAGE#307:process:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"%{p0}"); +var part64 = match("MESSAGE#307:process:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"%{p0}"); -var part65 = // "Pattern{Field(event_description,false), Constant(', process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was allowed by profile'), Field(fld6,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#307:process:12/2", "nwparser.p0", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile%{fld6}\"%{p0}"); +var part65 = match("MESSAGE#307:process:12/2", "nwparser.p0", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile%{fld6}\"%{p0}"); var all30 = all_match({ processors: [ @@ -3218,8 +2963,7 @@ var all30 = all_match({ var msg51 = msg("process:12", all30); -var part66 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('attack detected but not blocked. Application path:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#461:Audit:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part66 = match("MESSAGE#461:Audit:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all31 = all_match({ processors: [ @@ -3242,8 +2986,7 @@ var all31 = all_match({ var msg52 = msg("Audit:01", all31); -var part67 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('attack detected but not blocked. Application path:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#462:Audit:11/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part67 = match("MESSAGE#462:Audit:11/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all32 = all_match({ processors: [ @@ -3266,8 +3009,7 @@ var all32 = all_match({ var msg53 = msg("Audit:11", all32); -var part68 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('. Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(','), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#463:Audit:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part68 = match("MESSAGE#463:Audit:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all33 = all_match({ processors: [ @@ -3290,8 +3032,7 @@ var all33 = all_match({ var msg54 = msg("Audit:02", all33); -var part69 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('. Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(','), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#464:Audit:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part69 = match("MESSAGE#464:Audit:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all34 = all_match({ processors: [ @@ -3314,8 +3055,7 @@ var all34 = all_match({ var msg55 = msg("Audit:12", all34); -var part70 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld111,false), Constant('] '), Field(category,false), Constant(':'), Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#507:Attack:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part70 = match("MESSAGE#507:Attack:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all35 = all_match({ processors: [ @@ -3337,8 +3077,7 @@ var all35 = all_match({ var msg56 = msg("Attack:03", all35); -var part71 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld111,false), Constant('] '), Field(category,false), Constant(':'), Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#508:Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part71 = match("MESSAGE#508:Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all36 = all_match({ processors: [ @@ -3360,8 +3099,7 @@ var all36 = all_match({ var msg57 = msg("Attack:02", all36); -var part72 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Auto-Block Event,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#710:Auto-block/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Auto-Block Event,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part72 = match("MESSAGE#710:Auto-block/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Auto-Block Event,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all37 = all_match({ processors: [ @@ -3383,8 +3121,7 @@ var all37 = all_match({ var msg58 = msg("Auto-block", all37); -var part73 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Denial of Service 'Smurf' attack detected. Description: '), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#711:Denial/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part73 = match("MESSAGE#711:Denial/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all38 = all_match({ processors: [ @@ -3407,8 +3144,7 @@ var all38 = all_match({ var msg59 = msg("Denial", all38); -var part74 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Denial of Service 'Smurf' attack detected. Description: '), Field(info,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#712:Denial:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part74 = match("MESSAGE#712:Denial:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all39 = all_match({ processors: [ @@ -3431,8 +3167,7 @@ var all39 = all_match({ var msg60 = msg("Denial:01", all39); -var part75 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Denial of Service ''Smurf'' attack detected. Description: '), Field(info,false), Constant('',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#713:Denial:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part75 = match("MESSAGE#713:Denial:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all40 = all_match({ processors: [ @@ -3455,8 +3190,7 @@ var all40 = all_match({ var msg61 = msg("Denial:02", all40); -var part76 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Denial of Service ''Smurf'' attack detected. Description: '), Field(info,false), Constant('',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#714:Denial:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part76 = match("MESSAGE#714:Denial:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all41 = all_match({ processors: [ @@ -3479,8 +3213,7 @@ var all41 = all_match({ var msg62 = msg("Denial:03", all41); -var part77 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Host Integrity check passed'), Field(space,false), Constant('Requirement: '), Field(fld11,true), Constant(' passed ',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld41,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld55,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#715:Host:18", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check passed%{space}Requirement: %{fld11->} passed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part77 = match("MESSAGE#715:Host:18", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check passed%{space}Requirement: %{fld11->} passed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup86, dup87, dup12, @@ -3494,8 +3227,7 @@ match("MESSAGE#715:Host:18", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{che var msg63 = msg("Host:18", part77); -var part78 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Host Integrity check failed Requirement: '''), Field(fld11,false), Constant(''' passed Requirement: '''), Field(fld12,false), Constant(''' failed ',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld41,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld55,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#716:Host:19", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check failed Requirement: ''%{fld11}'' passed Requirement: ''%{fld12}'' failed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part78 = match("MESSAGE#716:Host:19", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check failed Requirement: ''%{fld11}'' passed Requirement: ''%{fld12}'' failed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup86, dup12, dup13, @@ -3508,8 +3240,7 @@ match("MESSAGE#716:Host:19", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{che var msg64 = msg("Host:19", part78); -var part79 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',DLP version is latest,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld41,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld55,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#719:DLP_version", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},DLP version is latest,Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part79 = match("MESSAGE#719:DLP_version", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},DLP version is latest,Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup12, dup13, @@ -3524,8 +3255,7 @@ match("MESSAGE#719:DLP_version", "nwparser.payload", "SHA-256:%{checksum},MD-5:% var msg65 = msg("DLP_version", part79); -var part80 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Brute force remote login,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld27,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#720:Brute_force/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Brute force remote login,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld27},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part80 = match("MESSAGE#720:Brute_force/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Brute force remote login,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld27},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all42 = all_match({ processors: [ @@ -3592,8 +3322,7 @@ var select15 = linear_select([ msg66, ]); -var part81 = // "Pattern{Constant('Applied new policy with '), Field(info,false), Constant('successfully.'), Field(p0,false)}" -match("MESSAGE#21:Applied/0", "nwparser.payload", "Applied new policy with %{info}successfully.%{p0}"); +var part81 = match("MESSAGE#21:Applied/0", "nwparser.payload", "Applied new policy with %{info}successfully.%{p0}"); var all43 = all_match({ processors: [ @@ -3613,8 +3342,7 @@ var all43 = all_match({ var msg67 = msg("Applied", all43); -var part82 = // "Pattern{Constant('Applied new profile with serial number '), Field(fld23,true), Constant(' successfully.')}" -match("MESSAGE#700:Smc:04", "nwparser.payload", "Applied new profile with serial number %{fld23->} successfully.", processor_chain([ +var part82 = match("MESSAGE#700:Smc:04", "nwparser.payload", "Applied new profile with serial number %{fld23->} successfully.", processor_chain([ dup53, dup94, dup13, @@ -3630,8 +3358,7 @@ var select16 = linear_select([ msg68, ]); -var part83 = // "Pattern{Constant('Add shared policy upon system install,LiveUpdate Settings policy'), Field(,false)}" -match("MESSAGE#22:Add", "nwparser.payload", "Add shared policy upon system install,LiveUpdate Settings policy%{}", processor_chain([ +var part83 = match("MESSAGE#22:Add", "nwparser.payload", "Add shared policy upon system install,LiveUpdate Settings policy%{}", processor_chain([ dup95, dup12, dup13, @@ -3645,11 +3372,9 @@ match("MESSAGE#22:Add", "nwparser.payload", "Add shared policy upon system insta var msg69 = msg("Add", part83); -var part84 = // "Pattern{Constant('System Infected: '), Field(threat_name,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part84 = match("MESSAGE#23:blocked:01/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part85 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#23:blocked:01/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); +var part85 = match("MESSAGE#23:blocked:01/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); var all44 = all_match({ processors: [ @@ -3673,11 +3398,9 @@ var all44 = all_match({ var msg70 = msg("blocked:01", all44); -var part86 = // "Pattern{Constant('System Infected: '), Field(threat_name,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#24:blocked:12/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part86 = match("MESSAGE#24:blocked:12/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part87 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#24:blocked:12/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); +var part87 = match("MESSAGE#24:blocked:12/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); var all45 = all_match({ processors: [ @@ -3701,11 +3424,9 @@ var all45 = all_match({ var msg71 = msg("blocked:12", all45); -var part88 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(fld51,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#25:blocked:05/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{daddr},Remote: %{fld15},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part88 = match("MESSAGE#25:blocked:05/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{daddr},Remote: %{fld15},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part89 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#25:blocked:05/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part89 = match("MESSAGE#25:blocked:05/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all46 = all_match({ processors: [ @@ -3729,11 +3450,9 @@ var all46 = all_match({ var msg72 = msg("blocked:05", all46); -var part90 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#26:blocked:15/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{saddr},Remote: %{fld15},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part90 = match("MESSAGE#26:blocked:15/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{saddr},Remote: %{fld15},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part91 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#26:blocked:15/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part91 = match("MESSAGE#26:blocked:15/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all47 = all_match({ processors: [ @@ -3757,8 +3476,7 @@ var all47 = all_match({ var msg73 = msg("blocked:15", all47); -var part92 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#52:blocked/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part92 = match("MESSAGE#52:blocked/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); var all48 = all_match({ processors: [ @@ -3782,8 +3500,7 @@ var all48 = all_match({ var msg74 = msg("blocked", all48); -var part93 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#53:blocked:11/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part93 = match("MESSAGE#53:blocked:11/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); var all49 = all_match({ processors: [ @@ -3816,8 +3533,7 @@ var select17 = linear_select([ msg75, ]); -var part94 = // "Pattern{Constant('The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Unknown,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#51:Host_Integrity:01/0", "nwparser.payload", "The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part94 = match("MESSAGE#51:Host_Integrity:01/0", "nwparser.payload", "The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all50 = all_match({ processors: [ @@ -3839,8 +3555,7 @@ var all50 = all_match({ var msg76 = msg("Host_Integrity:01", all50); -var part95 = // "Pattern{Field(,true), Constant(' '), Field(daddr,false), Constant(',Local: '), Field(dport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(sport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Inbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Rule: '), Field(rulename,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#190:Local::01/1", "nwparser.p0", "%{} %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); +var part95 = match("MESSAGE#190:Local::01/1", "nwparser.p0", "%{} %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); var all51 = all_match({ processors: [ @@ -3863,8 +3578,7 @@ var all51 = all_match({ var msg77 = msg("Local::01", all51); -var part96 = // "Pattern{Field(,true), Constant(' '), Field(saddr,false), Constant(',Local: '), Field(sport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(dport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Outbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Rule: '), Field(rulename,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#191:Local::13/1", "nwparser.p0", "%{} %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); +var part96 = match("MESSAGE#191:Local::13/1", "nwparser.p0", "%{} %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); var all52 = all_match({ processors: [ @@ -3887,8 +3601,7 @@ var all52 = all_match({ var msg78 = msg("Local::13", all52); -var part97 = // "Pattern{Constant('Local: '), Field(saddr,false), Constant(',Local: '), Field(sport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(dport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Outbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(','), Field(p0,false)}" -match("MESSAGE#192:Local:/0", "nwparser.payload", "Local: %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); +var part97 = match("MESSAGE#192:Local:/0", "nwparser.payload", "Local: %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); var all53 = all_match({ processors: [ @@ -3913,8 +3626,7 @@ var all53 = all_match({ var msg79 = msg("Local:", all53); -var part98 = // "Pattern{Constant('Local: '), Field(daddr,false), Constant(',Local: '), Field(dport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(sport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Inbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(','), Field(p0,false)}" -match("MESSAGE#193:Local:11/0", "nwparser.payload", "Local: %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); +var part98 = match("MESSAGE#193:Local:11/0", "nwparser.payload", "Local: %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); var all54 = all_match({ processors: [ @@ -3939,8 +3651,7 @@ var all54 = all_match({ var msg80 = msg("Local:11", all54); -var part99 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,true), Constant(' CVE-'), Field(cve,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#194:Local::09", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part99 = match("MESSAGE#194:Local::09", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup110, dup12, dup13, @@ -3955,8 +3666,7 @@ match("MESSAGE#194:Local::09", "nwparser.payload", "[SID: %{fld26}] %{category}: var msg81 = msg("Local::09", part99); -var part100 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,true), Constant(' CVE-'), Field(cve,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#195:Local::20", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part100 = match("MESSAGE#195:Local::20", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup110, dup12, dup13, @@ -3971,8 +3681,7 @@ match("MESSAGE#195:Local::20", "nwparser.payload", "[SID: %{fld26}] %{category}: var msg82 = msg("Local::20", part100); -var part101 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#196:Local::08", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part101 = match("MESSAGE#196:Local::08", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup110, dup12, dup13, @@ -3986,8 +3695,7 @@ match("MESSAGE#196:Local::08", "nwparser.payload", "[SID: %{fld26}] %{category}: var msg83 = msg("Local::08", part101); -var part102 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#197:Local::18", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part102 = match("MESSAGE#197:Local::18", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup110, dup12, dup13, @@ -4001,8 +3709,7 @@ match("MESSAGE#197:Local::18", "nwparser.payload", "[SID: %{fld26}] %{category}: var msg84 = msg("Local::18", part102); -var part103 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#198:Local::04/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part103 = match("MESSAGE#198:Local::04/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all55 = all_match({ processors: [ @@ -4028,8 +3735,7 @@ var all55 = all_match({ var msg85 = msg("Local::04", all55); -var part104 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#199:Local::17/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part104 = match("MESSAGE#199:Local::17/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all56 = all_match({ processors: [ @@ -4055,8 +3761,7 @@ var all56 = all_match({ var msg86 = msg("Local::17", all56); -var part105 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant('Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(dport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(sport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant(',!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld23,false)}" -match("MESSAGE#200:Local::06", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol}Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ +var part105 = match("MESSAGE#200:Local::06", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol}Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ dup86, dup12, dup13, @@ -4070,8 +3775,7 @@ match("MESSAGE#200:Local::06", "nwparser.payload", "%{event_description},Local: var msg87 = msg("Local::06", part105); -var part106 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(sport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(dport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant(',!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld23,false)}" -match("MESSAGE#201:Local::16", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ +var part106 = match("MESSAGE#201:Local::16", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ dup86, dup12, dup13, @@ -4085,8 +3789,7 @@ match("MESSAGE#201:Local::16", "nwparser.payload", "%{event_description},Local: var msg88 = msg("Local::16", part106); -var part107 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',0,Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#202:Local::02", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},0,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part107 = match("MESSAGE#202:Local::02", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},0,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup86, dup12, dup13, @@ -4101,8 +3804,7 @@ match("MESSAGE#202:Local::02", "nwparser.payload", "%{event_description},Local: var msg89 = msg("Local::02", part107); -var part108 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',1,Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#203:Local::22", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},%{protocol},1,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part108 = match("MESSAGE#203:Local::22", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},%{protocol},1,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup86, dup12, dup13, @@ -4117,8 +3819,7 @@ match("MESSAGE#203:Local::22", "nwparser.payload", "%{event_description},Local: var msg90 = msg("Local::22", part108); -var part109 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',2,Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#204:Local::23", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},2,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part109 = match("MESSAGE#204:Local::23", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},2,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup86, dup12, dup13, @@ -4133,8 +3834,7 @@ match("MESSAGE#204:Local::23", "nwparser.payload", "%{event_description},Local: var msg91 = msg("Local::23", part109); -var part110 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(': '), Field(fld22,true), Constant(' CVE-'), Field(cve,true), Constant(' '), Field(fld26,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#205:Local::07/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part110 = match("MESSAGE#205:Local::07/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all57 = all_match({ processors: [ @@ -4157,8 +3857,7 @@ var all57 = all_match({ var msg92 = msg("Local::07", all57); -var part111 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(': '), Field(fld22,true), Constant(' CVE-'), Field(cve,true), Constant(' '), Field(fld26,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#206:Local::19/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part111 = match("MESSAGE#206:Local::19/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all58 = all_match({ processors: [ @@ -4181,8 +3880,7 @@ var all58 = all_match({ var msg93 = msg("Local::19", all58); -var part112 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#207:Local::05/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); +var part112 = match("MESSAGE#207:Local::05/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); var all59 = all_match({ processors: [ @@ -4208,8 +3906,7 @@ var all59 = all_match({ var msg94 = msg("Local::05", all59); -var part113 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#208:Local::15/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); +var part113 = match("MESSAGE#208:Local::15/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); var all60 = all_match({ processors: [ @@ -4283,8 +3980,7 @@ var all62 = all_match({ var msg97 = msg("Local::14", all62); -var part114 = // "Pattern{Constant('Local: '), Field(daddr,false), Constant(',Local: '), Field(dport,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(sport,false), Constant(',Inbound,Application: '), Field(application,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#211:Local::10", "nwparser.payload", "Local: %{daddr},Local: %{dport},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Inbound,Application: %{application},Action: %{action}", processor_chain([ +var part114 = match("MESSAGE#211:Local::10", "nwparser.payload", "Local: %{daddr},Local: %{dport},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Inbound,Application: %{application},Action: %{action}", processor_chain([ dup86, dup12, dup13, @@ -4296,8 +3992,7 @@ match("MESSAGE#211:Local::10", "nwparser.payload", "Local: %{daddr},Local: %{dpo var msg98 = msg("Local::10", part114); -var part115 = // "Pattern{Constant('Local: '), Field(saddr,false), Constant(',Local: '), Field(sport,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(dport,false), Constant(',Outbound,Application: '), Field(application,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#212:Local::21", "nwparser.payload", "Local: %{saddr},Local: %{sport},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Outbound,Application: %{application},Action: %{action}", processor_chain([ +var part115 = match("MESSAGE#212:Local::21", "nwparser.payload", "Local: %{saddr},Local: %{sport},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Outbound,Application: %{application},Action: %{action}", processor_chain([ dup86, dup12, dup13, @@ -4309,8 +4004,7 @@ match("MESSAGE#212:Local::21", "nwparser.payload", "Local: %{saddr},Local: %{spo var msg99 = msg("Local::21", part115); -var part116 = // "Pattern{Constant('Event Description: '), Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local Host MAC: '), Field(dmacaddr,false), Constant(',Remote Host Name: '), Field(fld3,false), Constant(',Remote Host IP: '), Field(saddr,false), Constant(',Remote Host MAC: '), Field(smacaddr,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: 0,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port: '), Field(dport,false), Constant(',Remote Port: '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL: '), Field(fld12,false), Constant(',SHA-256: '), Field(checksum,false), Constant(',MD-5: '), Field(checksum,false)}" -match("MESSAGE#213:Local::24", "nwparser.payload", "Event Description: %{event_description},Local: %{daddr},Local Host MAC: %{dmacaddr},Remote Host Name: %{fld3},Remote Host IP: %{saddr},Remote Host MAC: %{smacaddr},Inbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{dport},Remote Port: %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ +var part116 = match("MESSAGE#213:Local::24", "nwparser.payload", "Event Description: %{event_description},Local: %{daddr},Local Host MAC: %{dmacaddr},Remote Host Name: %{fld3},Remote Host IP: %{saddr},Remote Host MAC: %{smacaddr},Inbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{dport},Remote Port: %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ dup120, dup12, dup13, @@ -4321,8 +4015,7 @@ match("MESSAGE#213:Local::24", "nwparser.payload", "Event Description: %{event_d var msg100 = msg("Local::24", part116); -var part117 = // "Pattern{Constant('Event Description: '), Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local Host MAC: '), Field(smacaddr,false), Constant(',Remote Host Name: '), Field(fld3,false), Constant(',Remote Host IP: '), Field(daddr,false), Constant(',Remote Host MAC: '), Field(dmacaddr,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: 0,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port: '), Field(sport,false), Constant(',Remote Port: '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL: '), Field(fld12,false), Constant(',SHA-256: '), Field(checksum,false), Constant(',MD-5: '), Field(checksum,false)}" -match("MESSAGE#214:Local::25", "nwparser.payload", "Event Description: %{event_description},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},Outbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ +var part117 = match("MESSAGE#214:Local::25", "nwparser.payload", "Event Description: %{event_description},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},Outbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ dup36, dup12, dup13, @@ -4333,8 +4026,7 @@ match("MESSAGE#214:Local::25", "nwparser.payload", "Event Description: %{event_d var msg101 = msg("Local::25", part117); -var part118 = // "Pattern{Constant('Event Description: '), Field(event_description,true), Constant(' [Volume]: '), Field(disk_volume,true), Constant(' [Model]: '), Field(product,true), Constant(' [Access]: '), Field(accesses,false), Constant(',Local: '), Field(saddr,false), Constant(',Local Host MAC: '), Field(smacaddr,false), Constant(',Remote Host Name: '), Field(fld3,false), Constant(',Remote Host IP: '), Field(daddr,false), Constant(',Remote Host MAC: '), Field(dmacaddr,false), Constant(','), Field(direction,false), Constant(','), Field(fld2,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port: '), Field(sport,false), Constant(',Remote Port: '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL: '), Field(fld12,false), Constant(',SHA-256: '), Field(checksum,false), Constant(',MD-5: '), Field(checksum,false)}" -match("MESSAGE#215:Local::26", "nwparser.payload", "Event Description: %{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},%{direction},%{fld2},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ +var part118 = match("MESSAGE#215:Local::26", "nwparser.payload", "Event Description: %{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},%{direction},%{fld2},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ dup53, dup12, dup13, @@ -4374,8 +4066,7 @@ var select18 = linear_select([ msg102, ]); -var part119 = // "Pattern{Constant('Blocked Attack: Memory Heap Spray attack against '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#54:Blocked:13/0", "nwparser.payload", "Blocked Attack: Memory Heap Spray attack against %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part119 = match("MESSAGE#54:Blocked:13/0", "nwparser.payload", "Blocked Attack: Memory Heap Spray attack against %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all63 = all_match({ processors: [ @@ -4398,8 +4089,7 @@ var all63 = all_match({ var msg103 = msg("Blocked:13", all63); -var part120 = // "Pattern{Constant('"'), Field(fld23,false), Constant(',",File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#483:File:01", "nwparser.payload", "\"%{fld23},\",File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part120 = match("MESSAGE#483:File:01", "nwparser.payload", "\"%{fld23},\",File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4415,8 +4105,7 @@ match("MESSAGE#483:File:01", "nwparser.payload", "\"%{fld23},\",File Read,Begin: var msg104 = msg("File:01", part120); -var part121 = // "Pattern{Constant('"'), Field(info,false), Constant('",Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld1,false), Constant(','), Field(process,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(application,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#484:File:11", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part121 = match("MESSAGE#484:File:11", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4429,8 +4118,7 @@ match("MESSAGE#484:File:11", "nwparser.payload", "\"%{info}\",Create Process,Beg var msg105 = msg("File:11", part121); -var part122 = // "Pattern{Constant('"'), Field(info,false), Constant('",Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld1,false), Constant(','), Field(process,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(application,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#485:File:02", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain}", processor_chain([ +var part122 = match("MESSAGE#485:File:02", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4443,8 +4131,7 @@ match("MESSAGE#485:File:02", "nwparser.payload", "\"%{info}\",Create Process,Beg var msg106 = msg("File:02", part122); -var part123 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#486:File:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part123 = match("MESSAGE#486:File:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4459,8 +4146,7 @@ match("MESSAGE#486:File:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fl var msg107 = msg("File:03", part123); -var part124 = // "Pattern{Field(info,false), Constant('.'), Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#487:Blocked:04", "nwparser.payload", "%{info}.%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part124 = match("MESSAGE#487:Blocked:04", "nwparser.payload", "%{info}.%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4476,8 +4162,7 @@ match("MESSAGE#487:Blocked:04", "nwparser.payload", "%{info}.%{fld1},File Read,B var msg108 = msg("Blocked:04", part124); -var part125 = // "Pattern{Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false)}" -match("MESSAGE#488:File:05", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ +var part125 = match("MESSAGE#488:File:05", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ dup121, dup12, dup13, @@ -4492,8 +4177,7 @@ match("MESSAGE#488:File:05", "nwparser.payload", "%{fld1},File Read,Begin: %{fld var msg109 = msg("File:05", part125); -var part126 = // "Pattern{Constant('"'), Field(fld23,false), Constant('",,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#489:File:04", "nwparser.payload", "\"%{fld23}\",,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part126 = match("MESSAGE#489:File:04", "nwparser.payload", "\"%{fld23}\",,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4507,8 +4191,7 @@ match("MESSAGE#489:File:04", "nwparser.payload", "\"%{fld23}\",,Begin: %{fld50-> var msg110 = msg("File:04", part126); -var part127 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',"Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#490:File:06", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part127 = match("MESSAGE#490:File:06", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4523,8 +4206,7 @@ match("MESSAGE#490:File:06", "nwparser.payload", "%{fld1},File Write,Begin: %{fl var msg111 = msg("File:06", part127); -var part128 = // "Pattern{Constant('''), Field(fld23,false), Constant('',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#491:File:07", "nwparser.payload", "'%{fld23}',,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part128 = match("MESSAGE#491:File:07", "nwparser.payload", "'%{fld23}',,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4538,8 +4220,7 @@ match("MESSAGE#491:File:07", "nwparser.payload", "'%{fld23}',,Begin: %{fld50->} var msg112 = msg("File:07", part128); -var part129 = // "Pattern{Field(fld23,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#492:File:12", "nwparser.payload", "%{fld23},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{process_id},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part129 = match("MESSAGE#492:File:12", "nwparser.payload", "%{fld23},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{process_id},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4550,8 +4231,7 @@ match("MESSAGE#492:File:12", "nwparser.payload", "%{fld23},,Begin: %{fld50->} %{ var msg113 = msg("File:12", part129); -var part130 = // "Pattern{Field(fld1,false), Constant(','), Field(fld7,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',"Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#493:File:08", "nwparser.payload", "%{fld1},%{fld7},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part130 = match("MESSAGE#493:File:08", "nwparser.payload", "%{fld1},%{fld7},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4564,8 +4244,7 @@ match("MESSAGE#493:File:08", "nwparser.payload", "%{fld1},%{fld7},Begin: %{fld50 var msg114 = msg("File:08", part130); -var part131 = // "Pattern{Field(fld1,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#494:File:09", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part131 = match("MESSAGE#494:File:09", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4580,8 +4259,7 @@ match("MESSAGE#494:File:09", "nwparser.payload", "%{fld1},File Delete,Begin: %{f var msg115 = msg("File:09", part131); -var part132 = // "Pattern{Constant('Unauthorized NT call rejected by protection driver.,'), Field(fld22,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(','), Field(fld23,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#496:Blocked", "nwparser.payload", "Unauthorized NT call rejected by protection driver.,%{fld22},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{fld23},User: %{username},Domain: %{domain}", processor_chain([ +var part132 = match("MESSAGE#496:Blocked", "nwparser.payload", "Unauthorized NT call rejected by protection driver.,%{fld22},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{fld23},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4596,8 +4274,7 @@ match("MESSAGE#496:Blocked", "nwparser.payload", "Unauthorized NT call rejected var msg116 = msg("Blocked", part132); -var part133 = // "Pattern{Constant(',Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" -match("MESSAGE#497:Blocked:01", "nwparser.payload", ",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ +var part133 = match("MESSAGE#497:Blocked:01", "nwparser.payload", ",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ dup121, dup12, dup13, @@ -4610,8 +4287,7 @@ match("MESSAGE#497:Blocked:01", "nwparser.payload", ",Create Process,Begin: %{fl var msg117 = msg("Blocked:01", part133); -var part134 = // "Pattern{Field(fld5,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(',Registry Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#498:Blocked:02", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},Registry Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part134 = match("MESSAGE#498:Blocked:02", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},Registry Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -4624,19 +4300,16 @@ match("MESSAGE#498:Blocked:02", "nwparser.payload", "%{fld5->} - Caller MD5=%{fl var msg118 = msg("Blocked:02", part134); -var part135 = // "Pattern{Field(fld21,true), Constant(' - Caller MD5='), Field(fld22,false), Constant(',Create Process'), Field(p0,false)}" -match("MESSAGE#499:Blocked:03/0_0", "nwparser.payload", "%{fld21->} - Caller MD5=%{fld22},Create Process%{p0}"); +var part135 = match("MESSAGE#499:Blocked:03/0_0", "nwparser.payload", "%{fld21->} - Caller MD5=%{fld22},Create Process%{p0}"); -var part136 = // "Pattern{Field(fld23,false), Constant(',Load Dll'), Field(p0,false)}" -match("MESSAGE#499:Blocked:03/0_1", "nwparser.payload", "%{fld23},Load Dll%{p0}"); +var part136 = match("MESSAGE#499:Blocked:03/0_1", "nwparser.payload", "%{fld23},Load Dll%{p0}"); var select19 = linear_select([ part135, part136, ]); -var part137 = // "Pattern{Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld24,false), Constant(','), Field(process,false), Constant(','), Field(fld25,false), Constant(','), Field(fld26,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false), Constant(',File size (bytes):'), Field(filename_size,false), Constant(',Device ID:'), Field(device,false)}" -match("MESSAGE#499:Blocked:03/1", "nwparser.p0", ",Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld24},%{process},%{fld25},%{fld26},%{filename},User: %{username},Domain: %{domain},Action Type: %{fld8},File size (bytes):%{filename_size},Device ID:%{device}"); +var part137 = match("MESSAGE#499:Blocked:03/1", "nwparser.p0", ",Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld24},%{process},%{fld25},%{fld26},%{filename},User: %{username},Domain: %{domain},Action Type: %{fld8},File size (bytes):%{filename_size},Device ID:%{device}"); var all64 = all_match({ processors: [ @@ -4658,8 +4331,7 @@ var all64 = all_match({ var msg119 = msg("Blocked:03", all64); -var part138 = // "Pattern{Field(event_description,true), Constant(' - Caller MD5='), Field(checksum,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(sdomain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID:')}" -match("MESSAGE#500:Blocked:05", "nwparser.payload", "%{event_description->} - Caller MD5=%{checksum},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{sdomain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID:", processor_chain([ +var part138 = match("MESSAGE#500:Blocked:05", "nwparser.payload", "%{event_description->} - Caller MD5=%{checksum},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{sdomain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID:", processor_chain([ dup121, dup12, dup13, @@ -4671,8 +4343,7 @@ match("MESSAGE#500:Blocked:05", "nwparser.payload", "%{event_description->} - Ca var msg120 = msg("Blocked:05", part138); -var part139 = // "Pattern{Constant('['), Field(id,false), Constant('] '), Field(event_description,true), Constant(' - '), Field(fld11,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#501:Blocked:06", "nwparser.payload", "[%{id}] %{event_description->} - %{fld11},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ +var part139 = match("MESSAGE#501:Blocked:06", "nwparser.payload", "[%{id}] %{event_description->} - %{fld11},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4684,8 +4355,7 @@ match("MESSAGE#501:Blocked:06", "nwparser.payload", "[%{id}] %{event_description var msg121 = msg("Blocked:06", part139); -var part140 = // "Pattern{Constant('['), Field(id,false), Constant('] '), Field(event_description,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#502:Blocked:07", "nwparser.payload", "[%{id}] %{event_description},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ +var part140 = match("MESSAGE#502:Blocked:07", "nwparser.payload", "[%{id}] %{event_description},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4697,23 +4367,17 @@ match("MESSAGE#502:Blocked:07", "nwparser.payload", "[%{id}] %{event_description var msg122 = msg("Blocked:07", part140); -var part141 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('/service''), Field(fld33,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_0", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}/service'%{fld33->} ,Create Process,Begin: %{p0}"); +var part141 = match("MESSAGE#504:Blocked:09/0_0", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}/service'%{fld33->} ,Create Process,Begin: %{p0}"); -var part142 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('chrome-extension:'), Field(fld99,false), Constant('''), Field(fld33,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_1", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}chrome-extension:%{fld99}'%{fld33->} ,Create Process,Begin: %{p0}"); +var part142 = match("MESSAGE#504:Blocked:09/0_1", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}chrome-extension:%{fld99}'%{fld33->} ,Create Process,Begin: %{p0}"); -var part143 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('-ServerName:'), Field(hostid,false), Constant('''), Field(fld33,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_2", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}'%{fld33->} ,Create Process,Begin: %{p0}"); +var part143 = match("MESSAGE#504:Blocked:09/0_2", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}'%{fld33->} ,Create Process,Begin: %{p0}"); -var part144 = // "Pattern{Constant('- Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('-ServerName:'), Field(hostid,false), Constant('' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_3", "nwparser.payload", "- Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}' ,Create Process,Begin: %{p0}"); +var part144 = match("MESSAGE#504:Blocked:09/0_3", "nwparser.payload", "- Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}' ,Create Process,Begin: %{p0}"); -var part145 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_4", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7->} ,Create Process,Begin: %{p0}"); +var part145 = match("MESSAGE#504:Blocked:09/0_4", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7->} ,Create Process,Begin: %{p0}"); -var part146 = // "Pattern{Constant('- Target MD5='), Field(fld6,false), Constant(',Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_5", "nwparser.payload", "- Target MD5=%{fld6},Create Process,Begin: %{p0}"); +var part146 = match("MESSAGE#504:Blocked:09/0_5", "nwparser.payload", "- Target MD5=%{fld6},Create Process,Begin: %{p0}"); var select20 = linear_select([ part141, @@ -4724,8 +4388,7 @@ var select20 = linear_select([ part146, ]); -var part147 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,true), Constant(' ,File size ('), Field(fld10,false), Constant('):'), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#504:Blocked:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44->} ,File size (%{fld10}):%{filename_size},Device ID: %{device}"); +var part147 = match("MESSAGE#504:Blocked:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44->} ,File size (%{fld10}):%{filename_size},Device ID: %{device}"); var all65 = all_match({ processors: [ @@ -4770,8 +4433,7 @@ var select21 = linear_select([ msg123, ]); -var part148 = // "Pattern{Constant('Changed value ''), Field(change_attribute,false), Constant('' from ''), Field(change_old,false), Constant('' to ''), Field(change_new,false), Constant('''), Field(p0,false)}" -match("MESSAGE#55:Changed/0", "nwparser.payload", "Changed value '%{change_attribute}' from '%{change_old}' to '%{change_new}'%{p0}"); +var part148 = match("MESSAGE#55:Changed/0", "nwparser.payload", "Changed value '%{change_attribute}' from '%{change_old}' to '%{change_new}'%{p0}"); var all66 = all_match({ processors: [ @@ -4795,8 +4457,7 @@ var all66 = all_match({ var msg124 = msg("Changed", all66); -var part149 = // "Pattern{Constant('Cleaned up '), Field(dclass_counter1,true), Constant(' LiveUpdate downloaded content')}" -match("MESSAGE#56:Cleaned", "nwparser.payload", "Cleaned up %{dclass_counter1->} LiveUpdate downloaded content", processor_chain([ +var part149 = match("MESSAGE#56:Cleaned", "nwparser.payload", "Cleaned up %{dclass_counter1->} LiveUpdate downloaded content", processor_chain([ dup43, dup12, dup13, @@ -4808,8 +4469,7 @@ match("MESSAGE#56:Cleaned", "nwparser.payload", "Cleaned up %{dclass_counter1->} var msg125 = msg("Cleaned", part149); -var part150 = // "Pattern{Constant('Client has downloaded the issued Command,'), Field(username,false)}" -match("MESSAGE#57:Client", "nwparser.payload", "Client has downloaded the issued Command,%{username}", processor_chain([ +var part150 = match("MESSAGE#57:Client", "nwparser.payload", "Client has downloaded the issued Command,%{username}", processor_chain([ dup53, dup12, dup13, @@ -4821,14 +4481,11 @@ match("MESSAGE#57:Client", "nwparser.payload", "Client has downloaded the issued var msg126 = msg("Client", part150); -var part151 = // "Pattern{Field(event_description,false), Constant(', type SymDelta version'), Field(version,true), Constant(' filesize'), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#58:Client:01/0_0", "nwparser.payload", "%{event_description}, type SymDelta version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var part151 = match("MESSAGE#58:Client:01/0_0", "nwparser.payload", "%{event_description}, type SymDelta version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var part152 = // "Pattern{Field(event_description,false), Constant(', type full version'), Field(version,true), Constant(' filesize'), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#58:Client:01/0_1", "nwparser.payload", "%{event_description}, type full version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var part152 = match("MESSAGE#58:Client:01/0_1", "nwparser.payload", "%{event_description}, type full version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var part153 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#58:Client:01/0_2", "nwparser.payload", "event_description"); +var part153 = match_copy("MESSAGE#58:Client:01/0_2", "nwparser.payload", "event_description"); var select22 = linear_select([ part151, @@ -4857,17 +4514,13 @@ var select23 = linear_select([ msg127, ]); -var part154 = // "Pattern{Constant('client has downloaded the '), Field(p0,false)}" -match("MESSAGE#59:client/0", "nwparser.payload", "client has downloaded the %{p0}"); +var part154 = match("MESSAGE#59:client/0", "nwparser.payload", "client has downloaded the %{p0}"); -var part155 = // "Pattern{Constant('content package'), Field(p0,false)}" -match("MESSAGE#59:client/1_0", "nwparser.p0", "content package%{p0}"); +var part155 = match("MESSAGE#59:client/1_0", "nwparser.p0", "content package%{p0}"); -var part156 = // "Pattern{Constant('policy'), Field(p0,false)}" -match("MESSAGE#59:client/1_1", "nwparser.p0", "policy%{p0}"); +var part156 = match("MESSAGE#59:client/1_1", "nwparser.p0", "policy%{p0}"); -var part157 = // "Pattern{Constant('Intrusion Prevention policy'), Field(p0,false)}" -match("MESSAGE#59:client/1_2", "nwparser.p0", "Intrusion Prevention policy%{p0}"); +var part157 = match("MESSAGE#59:client/1_2", "nwparser.p0", "Intrusion Prevention policy%{p0}"); var select24 = linear_select([ part155, @@ -4875,8 +4528,7 @@ var select24 = linear_select([ part157, ]); -var part158 = // "Pattern{Field(,false), Constant('successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#59:client/2", "nwparser.p0", "%{}successfully,%{shost},%{username},%{group}"); +var part158 = match("MESSAGE#59:client/2", "nwparser.p0", "%{}successfully,%{shost},%{username},%{group}"); var all68 = all_match({ processors: [ @@ -4896,8 +4548,7 @@ var all68 = all_match({ var msg128 = msg("client", all68); -var part159 = // "Pattern{Constant('client has reconnected with the management server,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#60:client:01", "nwparser.payload", "client has reconnected with the management server,%{shost},%{username},%{group}", processor_chain([ +var part159 = match("MESSAGE#60:client:01", "nwparser.payload", "client has reconnected with the management server,%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -4908,8 +4559,7 @@ match("MESSAGE#60:client:01", "nwparser.payload", "client has reconnected with t var msg129 = msg("client:01", part159); -var part160 = // "Pattern{Constant('client has downloaded '), Field(filename,true), Constant(' successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#61:client:02", "nwparser.payload", "client has downloaded %{filename->} successfully,%{shost},%{username},%{group}", processor_chain([ +var part160 = match("MESSAGE#61:client:02", "nwparser.payload", "client has downloaded %{filename->} successfully,%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -4920,8 +4570,7 @@ match("MESSAGE#61:client:02", "nwparser.payload", "client has downloaded %{filen var msg130 = msg("client:02", part160); -var part161 = // "Pattern{Constant('client registered with the management server successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#62:client:03", "nwparser.payload", "client registered with the management server successfully,%{shost},%{username},%{group}", processor_chain([ +var part161 = match("MESSAGE#62:client:03", "nwparser.payload", "client registered with the management server successfully,%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -4932,8 +4581,7 @@ match("MESSAGE#62:client:03", "nwparser.payload", "client registered with the ma var msg131 = msg("client:03", part161); -var part162 = // "Pattern{Constant('client has downloaded '), Field(filename,false), Constant(','), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#63:client:04", "nwparser.payload", "client has downloaded %{filename},%{shost},%{username},%{group}", processor_chain([ +var part162 = match("MESSAGE#63:client:04", "nwparser.payload", "client has downloaded %{filename},%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -4944,8 +4592,7 @@ match("MESSAGE#63:client:04", "nwparser.payload", "client has downloaded %{filen var msg132 = msg("client:04", part162); -var part163 = // "Pattern{Constant('Local: '), Field(daddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Inbound,'), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#64:client:05/2", "nwparser.p0", "Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); +var part163 = match("MESSAGE#64:client:05/2", "nwparser.p0", "Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); var all69 = all_match({ processors: [ @@ -4970,8 +4617,7 @@ var all69 = all_match({ var msg133 = msg("client:05", all69); -var part164 = // "Pattern{Constant('Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Outbound,'), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#65:client:15/2", "nwparser.p0", "Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); +var part164 = match("MESSAGE#65:client:15/2", "nwparser.p0", "Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); var all70 = all_match({ processors: [ @@ -4996,8 +4642,7 @@ var all70 = all_match({ var msg134 = msg("client:15", all70); -var part165 = // "Pattern{Constant('client computer has been added to the group,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#66:client:06", "nwparser.payload", "client computer has been added to the group,%{shost},%{username},%{group}", processor_chain([ +var part165 = match("MESSAGE#66:client:06", "nwparser.payload", "client computer has been added to the group,%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -5008,8 +4653,7 @@ match("MESSAGE#66:client:06", "nwparser.payload", "client computer has been adde var msg135 = msg("client:06", part165); -var part166 = // "Pattern{Constant('client computer has been renamed,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(sdomain,false)}" -match("MESSAGE#67:client:07", "nwparser.payload", "client computer has been renamed,%{shost},%{username},%{sdomain}", processor_chain([ +var part166 = match("MESSAGE#67:client:07", "nwparser.payload", "client computer has been renamed,%{shost},%{username},%{sdomain}", processor_chain([ dup43, dup12, dup13, @@ -5020,8 +4664,7 @@ match("MESSAGE#67:client:07", "nwparser.payload", "client computer has been rena var msg136 = msg("client:07", part166); -var part167 = // "Pattern{Constant('The client does not have a paid license. The current license cannot be used to obtain a client authentication token.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#68:client:08", "nwparser.payload", "The client does not have a paid license. The current license cannot be used to obtain a client authentication token.,Event time: %{event_time_string}", processor_chain([ +var part167 = match("MESSAGE#68:client:08", "nwparser.payload", "The client does not have a paid license. The current license cannot be used to obtain a client authentication token.,Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -5032,8 +4675,7 @@ match("MESSAGE#68:client:08", "nwparser.payload", "The client does not have a pa var msg137 = msg("client:08", part167); -var part168 = // "Pattern{Constant('The client has successfully downloaded and applied a license from the server.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#69:client:09", "nwparser.payload", "The client has successfully downloaded and applied a license from the server.,Event time: %{event_time_string}", processor_chain([ +var part168 = match("MESSAGE#69:client:09", "nwparser.payload", "The client has successfully downloaded and applied a license from the server.,Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -5050,22 +4692,18 @@ match("MESSAGE#69:client:09", "nwparser.payload", "The client has successfully d var msg138 = msg("client:09", part168); -var part169 = // "Pattern{Constant('The client opted to download a full definitions package for AV definitions from the management server or GUP '), Field(p0,false)}" -match("MESSAGE#693:SYLINK:01/0", "nwparser.payload", "The client opted to download a full definitions package for AV definitions from the management server or GUP %{p0}"); +var part169 = match("MESSAGE#693:SYLINK:01/0", "nwparser.payload", "The client opted to download a full definitions package for AV definitions from the management server or GUP %{p0}"); -var part170 = // "Pattern{Constant('because LiveUpdate had no AV updates available'), Field(p0,false)}" -match("MESSAGE#693:SYLINK:01/1_0", "nwparser.p0", "because LiveUpdate had no AV updates available%{p0}"); +var part170 = match("MESSAGE#693:SYLINK:01/1_0", "nwparser.p0", "because LiveUpdate had no AV updates available%{p0}"); -var part171 = // "Pattern{Constant('rather than download a large package from LiveUpdate'), Field(p0,false)}" -match("MESSAGE#693:SYLINK:01/1_1", "nwparser.p0", "rather than download a large package from LiveUpdate%{p0}"); +var part171 = match("MESSAGE#693:SYLINK:01/1_1", "nwparser.p0", "rather than download a large package from LiveUpdate%{p0}"); var select25 = linear_select([ part170, part171, ]); -var part172 = // "Pattern{Constant('.'), Field(p0,false)}" -match("MESSAGE#693:SYLINK:01/2", "nwparser.p0", ".%{p0}"); +var part172 = match("MESSAGE#693:SYLINK:01/2", "nwparser.p0", ".%{p0}"); var all71 = all_match({ processors: [ @@ -5084,8 +4722,7 @@ var all71 = all_match({ var msg139 = msg("SYLINK:01", all71); -var part173 = // "Pattern{Constant('The client opted to download an update for AV definitions from LiveUpdate rather than download a full definitions package from the management server or GUP.'), Field(,false)}" -match("MESSAGE#694:SYLINK:02", "nwparser.payload", "The client opted to download an update for AV definitions from LiveUpdate rather than download a full definitions package from the management server or GUP.%{}", processor_chain([ +var part173 = match("MESSAGE#694:SYLINK:02", "nwparser.payload", "The client opted to download an update for AV definitions from LiveUpdate rather than download a full definitions package from the management server or GUP.%{}", processor_chain([ dup43, dup15, setc("event_description","The client opted to download an update for AV definitions from LiveUpdate"), @@ -5093,8 +4730,7 @@ match("MESSAGE#694:SYLINK:02", "nwparser.payload", "The client opted to download var msg140 = msg("SYLINK:02", part173); -var part174 = // "Pattern{Constant('The client has obtained an invalid license file ('), Field(filename,false), Constant(') from the server.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#695:SYLINK:04", "nwparser.payload", "The client has obtained an invalid license file (%{filename}) from the server.,Event time:%{fld17->} %{fld18}", processor_chain([ +var part174 = match("MESSAGE#695:SYLINK:04", "nwparser.payload", "The client has obtained an invalid license file (%{filename}) from the server.,Event time:%{fld17->} %{fld18}", processor_chain([ dup121, dup12, dup13, @@ -5105,8 +4741,7 @@ match("MESSAGE#695:SYLINK:04", "nwparser.payload", "The client has obtained an i var msg141 = msg("SYLINK:04", part174); -var part175 = // "Pattern{Constant('The client has successfully downloaded a license file ('), Field(filename,false), Constant(') from the server.')}" -match("MESSAGE#697:Smc", "nwparser.payload", "The client has successfully downloaded a license file (%{filename}) from the server.", processor_chain([ +var part175 = match("MESSAGE#697:Smc", "nwparser.payload", "The client has successfully downloaded a license file (%{filename}) from the server.", processor_chain([ dup121, dup12, dup13, @@ -5117,8 +4752,7 @@ match("MESSAGE#697:Smc", "nwparser.payload", "The client has successfully downlo var msg142 = msg("Smc", part175); -var part176 = // "Pattern{Constant('The client has successfully downloaded and applied a license file ('), Field(filename,false), Constant(') from the server.'), Field(p0,false)}" -match("MESSAGE#698:Smc:01/0", "nwparser.payload", "The client has successfully downloaded and applied a license file (%{filename}) from the server.%{p0}"); +var part176 = match("MESSAGE#698:Smc:01/0", "nwparser.payload", "The client has successfully downloaded and applied a license file (%{filename}) from the server.%{p0}"); var all72 = all_match({ processors: [ @@ -5138,8 +4772,7 @@ var all72 = all_match({ var msg143 = msg("Smc:01", all72); -var part177 = // "Pattern{Constant('"The client has successfully downloaded and applied a license file ('), Field(filename,false), Constant(', Serial: '), Field(serial_number,false), Constant(') from the server."'), Field(p0,false)}" -match("MESSAGE#701:Smc:05/0", "nwparser.payload", "\"The client has successfully downloaded and applied a license file (%{filename}, Serial: %{serial_number}) from the server.\"%{p0}"); +var part177 = match("MESSAGE#701:Smc:05/0", "nwparser.payload", "\"The client has successfully downloaded and applied a license file (%{filename}, Serial: %{serial_number}) from the server.\"%{p0}"); var all73 = all_match({ processors: [ @@ -5203,19 +4836,16 @@ var all74 = all_match({ var msg145 = msg("Commercial", all74); -var part178 = // "Pattern{Field(severity,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Application name: '), Field(p0,false)}" -match("MESSAGE#71:Commercial:02/2_0", "nwparser.p0", "%{severity},First Seen: %{fld50},Application name: %{p0}"); +var part178 = match("MESSAGE#71:Commercial:02/2_0", "nwparser.p0", "%{severity},First Seen: %{fld50},Application name: %{p0}"); -var part179 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(p0,false)}" -match("MESSAGE#71:Commercial:02/2_1", "nwparser.p0", "%{severity},Application name: %{p0}"); +var part179 = match("MESSAGE#71:Commercial:02/2_1", "nwparser.p0", "%{severity},Application name: %{p0}"); var select27 = linear_select([ part178, part179, ]); -var part180 = // "Pattern{Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(',Detection Submissions No,Permitted application reason: '), Field(fld42,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#71:Commercial:02/3", "nwparser.p0", "%{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part180 = match("MESSAGE#71:Commercial:02/3", "nwparser.p0", "%{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); var all75 = all_match({ processors: [ @@ -5242,8 +4872,7 @@ var all75 = all_match({ var msg146 = msg("Commercial:02", all75); -var part181 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',"Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#72:Commercial:01/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part181 = match("MESSAGE#72:Commercial:01/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all76 = all_match({ processors: [ @@ -5275,8 +4904,7 @@ var select28 = linear_select([ msg147, ]); -var part182 = // "Pattern{Constant('Computer has been deleted'), Field(,false)}" -match("MESSAGE#73:Computer:deleted", "nwparser.payload", "Computer has been deleted%{}", processor_chain([ +var part182 = match("MESSAGE#73:Computer:deleted", "nwparser.payload", "Computer has been deleted%{}", processor_chain([ dup156, dup12, dup13, @@ -5291,8 +4919,7 @@ match("MESSAGE#73:Computer:deleted", "nwparser.payload", "Computer has been dele var msg148 = msg("Computer:deleted", part182); -var part183 = // "Pattern{Constant('Computer has been moved'), Field(,false)}" -match("MESSAGE#74:Computer:moved", "nwparser.payload", "Computer has been moved%{}", processor_chain([ +var part183 = match("MESSAGE#74:Computer:moved", "nwparser.payload", "Computer has been moved%{}", processor_chain([ dup136, dup12, dup13, @@ -5307,8 +4934,7 @@ match("MESSAGE#74:Computer:moved", "nwparser.payload", "Computer has been moved% var msg149 = msg("Computer:moved", part183); -var part184 = // "Pattern{Constant('Computer properties have been changed'), Field(,false)}" -match("MESSAGE#75:Computer:propertieschanged", "nwparser.payload", "Computer properties have been changed%{}", processor_chain([ +var part184 = match("MESSAGE#75:Computer:propertieschanged", "nwparser.payload", "Computer properties have been changed%{}", processor_chain([ dup136, dup12, dup13, @@ -5323,19 +4949,16 @@ match("MESSAGE#75:Computer:propertieschanged", "nwparser.payload", "Computer pro var msg150 = msg("Computer:propertieschanged", part184); -var part185 = // "Pattern{Constant('"'), Field(filename,false), Constant('","'), Field(p0,false)}" -match("MESSAGE#76:Computer/1_0", "nwparser.p0", "\"%{filename}\",\"%{p0}"); +var part185 = match("MESSAGE#76:Computer/1_0", "nwparser.p0", "\"%{filename}\",\"%{p0}"); -var part186 = // "Pattern{Field(filename,false), Constant(',"'), Field(p0,false)}" -match("MESSAGE#76:Computer/1_1", "nwparser.p0", "%{filename},\"%{p0}"); +var part186 = match("MESSAGE#76:Computer/1_1", "nwparser.p0", "%{filename},\"%{p0}"); var select29 = linear_select([ part185, part186, ]); -var part187 = // "Pattern{Field(fld1,false), Constant('",Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld52,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" -match("MESSAGE#76:Computer/2", "nwparser.p0", "%{fld1}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); +var part187 = match("MESSAGE#76:Computer/2", "nwparser.p0", "%{fld1}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); var all77 = all_match({ processors: [ @@ -5355,19 +4978,16 @@ var all77 = all_match({ var msg151 = msg("Computer", all77); -var part188 = // "Pattern{Constant('"'), Field(filename,false), Constant('",''), Field(p0,false)}" -match("MESSAGE#77:Computer:01/1_0", "nwparser.p0", "\"%{filename}\",'%{p0}"); +var part188 = match("MESSAGE#77:Computer:01/1_0", "nwparser.p0", "\"%{filename}\",'%{p0}"); -var part189 = // "Pattern{Field(filename,false), Constant(',''), Field(p0,false)}" -match("MESSAGE#77:Computer:01/1_1", "nwparser.p0", "%{filename},'%{p0}"); +var part189 = match("MESSAGE#77:Computer:01/1_1", "nwparser.p0", "%{filename},'%{p0}"); var select30 = linear_select([ part188, part189, ]); -var part190 = // "Pattern{Field(fld1,false), Constant('',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld52,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" -match("MESSAGE#77:Computer:01/2", "nwparser.p0", "%{fld1}',Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); +var part190 = match("MESSAGE#77:Computer:01/2", "nwparser.p0", "%{fld1}',Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); var all78 = all_match({ processors: [ @@ -5387,11 +5007,9 @@ var all78 = all_match({ var msg152 = msg("Computer:01", all78); -var part191 = // "Pattern{Constant('IP Address: '), Field(hostip,false), Constant(',Computer name: '), Field(shost,false), Constant(',Intensive Protection Level: '), Field(fld55,false), Constant(',Certificate issuer: '), Field(cert_subject,false), Constant(',Certificate signer: '), Field(fld68,false), Constant(',Certificate thumbprint: '), Field(fld57,false), Constant(',Signing timestamp: '), Field(fld69,false), Constant(',Certificate serial number: '), Field(cert.serial,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#78:Computer:03/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Intensive Protection Level: %{fld55},Certificate issuer: %{cert_subject},Certificate signer: %{fld68},Certificate thumbprint: %{fld57},Signing timestamp: %{fld69},Certificate serial number: %{cert.serial},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); +var part191 = match("MESSAGE#78:Computer:03/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Intensive Protection Level: %{fld55},Certificate issuer: %{cert_subject},Certificate signer: %{fld68},Certificate thumbprint: %{fld57},Signing timestamp: %{fld69},Certificate serial number: %{cert.serial},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); -var part192 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld52,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(','), Field(fld67,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false), Constant(',Location:'), Field(fld65,false)}" -match("MESSAGE#78:Computer:03/2", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},%{fld67},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type},Location:%{fld65}"); +var part192 = match("MESSAGE#78:Computer:03/2", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},%{fld67},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type},Location:%{fld65}"); var all79 = all_match({ processors: [ @@ -5411,8 +5029,7 @@ var all79 = all_match({ var msg153 = msg("Computer:03", all79); -var part193 = // "Pattern{Constant('Computer name: '), Field(p0,false)}" -match("MESSAGE#79:Computer:02/0", "nwparser.payload", "Computer name: %{p0}"); +var part193 = match("MESSAGE#79:Computer:02/0", "nwparser.payload", "Computer name: %{p0}"); var all80 = all_match({ processors: [ @@ -5449,8 +5066,7 @@ var select31 = linear_select([ msg154, ]); -var part194 = // "Pattern{Constant('Configuration Change..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Description: '), Field(event_description,true), Constant(' ..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#80:Configuration", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{event_description->} ..Severity: %{severity}..Source: %{product}", processor_chain([ +var part194 = match("MESSAGE#80:Configuration", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{event_description->} ..Severity: %{severity}..Source: %{product}", processor_chain([ dup165, dup166, dup15, @@ -5458,8 +5074,7 @@ match("MESSAGE#80:Configuration", "nwparser.payload", "Configuration Change..Com var msg155 = msg("Configuration", part194); -var part195 = // "Pattern{Constant('Configuration Change..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('........'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..')}" -match("MESSAGE#81:Configuration:01", "nwparser.payload", "Configuration Change..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6->} %{fld7}..", processor_chain([ +var part195 = match("MESSAGE#81:Configuration:01", "nwparser.payload", "Configuration Change..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6->} %{fld7}..", processor_chain([ dup165, dup166, setc("event_description","Configuration Change"), @@ -5468,8 +5083,7 @@ match("MESSAGE#81:Configuration:01", "nwparser.payload", "Configuration Change.. var msg156 = msg("Configuration:01", part195); -var part196 = // "Pattern{Constant('Configuration Change..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Description: '), Field(event_description,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#82:Configuration:02", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part196 = match("MESSAGE#82:Configuration:02", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ dup165, dup166, dup15, @@ -5483,14 +5097,11 @@ var select32 = linear_select([ msg157, ]); -var part197 = // "Pattern{Constant('Connected to Symantec Endpoint Protection Manager '), Field(p0,false)}" -match("MESSAGE#83:Connected/0", "nwparser.payload", "Connected to Symantec Endpoint Protection Manager %{p0}"); +var part197 = match("MESSAGE#83:Connected/0", "nwparser.payload", "Connected to Symantec Endpoint Protection Manager %{p0}"); -var part198 = // "Pattern{Field(fld11,true), Constant(' ,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#83:Connected/1_0", "nwparser.p0", "%{fld11->} ,Event time: %{fld17->} %{fld18}"); +var part198 = match("MESSAGE#83:Connected/1_0", "nwparser.p0", "%{fld11->} ,Event time: %{fld17->} %{fld18}"); -var part199 = // "Pattern{Constant(''), Field(fld11,false)}" -match("MESSAGE#83:Connected/1_1", "nwparser.p0", "%{fld11}"); +var part199 = match("MESSAGE#83:Connected/1_1", "nwparser.p0", "%{fld11}"); var select33 = linear_select([ part198, @@ -5515,8 +5126,7 @@ var all81 = all_match({ var msg158 = msg("Connected", all81); -var part200 = // "Pattern{Constant('Connected to Management Server '), Field(hostip,false), Constant('.')}" -match("MESSAGE#686:Connected:01", "nwparser.payload", "Connected to Management Server %{hostip}.", processor_chain([ +var part200 = match("MESSAGE#686:Connected:01", "nwparser.payload", "Connected to Management Server %{hostip}.", processor_chain([ dup43, dup12, dup13, @@ -5532,8 +5142,7 @@ var select34 = linear_select([ msg159, ]); -var part201 = // "Pattern{Constant('Connection reset'), Field(,false)}" -match("MESSAGE#84:Connection", "nwparser.payload", "Connection reset%{}", processor_chain([ +var part201 = match("MESSAGE#84:Connection", "nwparser.payload", "Connection reset%{}", processor_chain([ dup43, dup12, dup13, @@ -5544,8 +5153,7 @@ match("MESSAGE#84:Connection", "nwparser.payload", "Connection reset%{}", proces var msg160 = msg("Connection", part201); -var part202 = // "Pattern{Constant('Could '), Field(space,false), Constant('not start Service Engine err='), Field(resultcode,false)}" -match("MESSAGE#85:Could", "nwparser.payload", "Could %{space}not start Service Engine err=%{resultcode}", processor_chain([ +var part202 = match("MESSAGE#85:Could", "nwparser.payload", "Could %{space}not start Service Engine err=%{resultcode}", processor_chain([ dup86, dup12, dup13, @@ -5556,8 +5164,7 @@ match("MESSAGE#85:Could", "nwparser.payload", "Could %{space}not start Service E var msg161 = msg("Could", part202); -var part203 = // "Pattern{Constant('Could not scan '), Field(dclass_counter1,true), Constant(' files inside '), Field(directory,true), Constant(' due to extraction errors encountered by the Decomposer Engines.')}" -match("MESSAGE#86:Could:01", "nwparser.payload", "Could not scan %{dclass_counter1->} files inside %{directory->} due to extraction errors encountered by the Decomposer Engines.", processor_chain([ +var part203 = match("MESSAGE#86:Could:01", "nwparser.payload", "Could not scan %{dclass_counter1->} files inside %{directory->} due to extraction errors encountered by the Decomposer Engines.", processor_chain([ dup86, dup12, dup13, @@ -5574,8 +5181,7 @@ var select35 = linear_select([ msg162, ]); -var part204 = // "Pattern{Constant('Create trident engine failed.'), Field(,false)}" -match("MESSAGE#87:Create", "nwparser.payload", "Create trident engine failed.%{}", processor_chain([ +var part204 = match("MESSAGE#87:Create", "nwparser.payload", "Create trident engine failed.%{}", processor_chain([ dup168, dup12, dup13, @@ -5586,8 +5192,7 @@ match("MESSAGE#87:Create", "nwparser.payload", "Create trident engine failed.%{} var msg163 = msg("Create", part204); -var part205 = // "Pattern{Constant('Database Maintenance Finished Successfully'), Field(,false)}" -match("MESSAGE#88:Database", "nwparser.payload", "Database Maintenance Finished Successfully%{}", processor_chain([ +var part205 = match("MESSAGE#88:Database", "nwparser.payload", "Database Maintenance Finished Successfully%{}", processor_chain([ dup43, dup12, dup13, @@ -5598,8 +5203,7 @@ match("MESSAGE#88:Database", "nwparser.payload", "Database Maintenance Finished var msg164 = msg("Database", part205); -var part206 = // "Pattern{Constant('Database maintenance started.'), Field(,false)}" -match("MESSAGE#89:Database:01", "nwparser.payload", "Database maintenance started.%{}", processor_chain([ +var part206 = match("MESSAGE#89:Database:01", "nwparser.payload", "Database maintenance started.%{}", processor_chain([ dup43, dup15, setc("event_description","Database maintenance started."), @@ -5607,8 +5211,7 @@ match("MESSAGE#89:Database:01", "nwparser.payload", "Database maintenance starte var msg165 = msg("Database:01", part206); -var part207 = // "Pattern{Constant('Database maintenance finished successfully.'), Field(,false)}" -match("MESSAGE#90:Database:02", "nwparser.payload", "Database maintenance finished successfully.%{}", processor_chain([ +var part207 = match("MESSAGE#90:Database:02", "nwparser.payload", "Database maintenance finished successfully.%{}", processor_chain([ dup43, dup15, setc("event_description","Database maintenance finished successfully."), @@ -5616,8 +5219,7 @@ match("MESSAGE#90:Database:02", "nwparser.payload", "Database maintenance finish var msg166 = msg("Database:02", part207); -var part208 = // "Pattern{Constant('Database properties are changed'), Field(,false)}" -match("MESSAGE#91:Database:03", "nwparser.payload", "Database properties are changed%{}", processor_chain([ +var part208 = match("MESSAGE#91:Database:03", "nwparser.payload", "Database properties are changed%{}", processor_chain([ dup43, dup15, setc("event_description","Database properties are changed"), @@ -5632,8 +5234,7 @@ var select36 = linear_select([ msg167, ]); -var part209 = // "Pattern{Constant('Disconnected from Symantec Endpoint Protection Manager. --- server address : '), Field(hostid,false)}" -match("MESSAGE#92:Disconnected", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager. --- server address : %{hostid}", processor_chain([ +var part209 = match("MESSAGE#92:Disconnected", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager. --- server address : %{hostid}", processor_chain([ dup43, dup12, dup13, @@ -5644,8 +5245,7 @@ match("MESSAGE#92:Disconnected", "nwparser.payload", "Disconnected from Symantec var msg168 = msg("Disconnected", part209); -var part210 = // "Pattern{Constant('Disconnected from Symantec Endpoint Protection Manager ('), Field(hostip,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#93:Disconnected:01/0", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager (%{hostip})%{p0}"); +var part210 = match("MESSAGE#93:Disconnected:01/0", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager (%{hostip})%{p0}"); var all82 = all_match({ processors: [ @@ -5667,8 +5267,7 @@ var all82 = all_match({ var msg169 = msg("Disconnected:01", all82); -var part211 = // "Pattern{Constant('Disconnected to Management Server '), Field(hostip,false), Constant('.')}" -match("MESSAGE#687:Disconnected:02", "nwparser.payload", "Disconnected to Management Server %{hostip}.", processor_chain([ +var part211 = match("MESSAGE#687:Disconnected:02", "nwparser.payload", "Disconnected to Management Server %{hostip}.", processor_chain([ dup43, dup12, dup13, @@ -5685,8 +5284,7 @@ var select37 = linear_select([ msg170, ]); -var part212 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#94:Decomposer", "nwparser.payload", "event_description", processor_chain([ +var part212 = match_copy("MESSAGE#94:Decomposer", "nwparser.payload", "event_description", processor_chain([ dup92, dup12, dup13, @@ -5696,8 +5294,7 @@ match_copy("MESSAGE#94:Decomposer", "nwparser.payload", "event_description", pro var msg171 = msg("Decomposer", part212); -var part213 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was added')}" -match("MESSAGE#95:Domain:added", "nwparser.payload", "Domain \"%{domain}\" was added", processor_chain([ +var part213 = match("MESSAGE#95:Domain:added", "nwparser.payload", "Domain \"%{domain}\" was added", processor_chain([ dup95, dup12, dup13, @@ -5712,8 +5309,7 @@ match("MESSAGE#95:Domain:added", "nwparser.payload", "Domain \"%{domain}\" was a var msg172 = msg("Domain:added", part213); -var part214 = // "Pattern{Constant('Domain "'), Field(change_old,false), Constant('" was renamed to "'), Field(change_new,false), Constant('"')}" -match("MESSAGE#96:Domain:renamed", "nwparser.payload", "Domain \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ +var part214 = match("MESSAGE#96:Domain:renamed", "nwparser.payload", "Domain \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ dup136, dup12, dup13, @@ -5729,8 +5325,7 @@ match("MESSAGE#96:Domain:renamed", "nwparser.payload", "Domain \"%{change_old}\" var msg173 = msg("Domain:renamed", part214); -var part215 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was deleted!')}" -match("MESSAGE#97:Domain:deleted", "nwparser.payload", "Domain \"%{domain}\" was deleted!", processor_chain([ +var part215 = match("MESSAGE#97:Domain:deleted", "nwparser.payload", "Domain \"%{domain}\" was deleted!", processor_chain([ dup156, dup12, dup13, @@ -5745,8 +5340,7 @@ match("MESSAGE#97:Domain:deleted", "nwparser.payload", "Domain \"%{domain}\" was var msg174 = msg("Domain:deleted", part215); -var part216 = // "Pattern{Constant('Domain administrator "'), Field(username,false), Constant('" was added')}" -match("MESSAGE#98:Domain:administratoradded", "nwparser.payload", "Domain administrator \"%{username}\" was added", processor_chain([ +var part216 = match("MESSAGE#98:Domain:administratoradded", "nwparser.payload", "Domain administrator \"%{username}\" was added", processor_chain([ dup170, dup12, dup13, @@ -5762,8 +5356,7 @@ match("MESSAGE#98:Domain:administratoradded", "nwparser.payload", "Domain admini var msg175 = msg("Domain:administratoradded", part216); -var part217 = // "Pattern{Constant('Domain administrator "'), Field(username,false), Constant('" was deleted')}" -match("MESSAGE#99:Domain:administratordeleted", "nwparser.payload", "Domain administrator \"%{username}\" was deleted", processor_chain([ +var part217 = match("MESSAGE#99:Domain:administratordeleted", "nwparser.payload", "Domain administrator \"%{username}\" was deleted", processor_chain([ dup171, dup12, dup13, @@ -5779,8 +5372,7 @@ match("MESSAGE#99:Domain:administratordeleted", "nwparser.payload", "Domain admi var msg176 = msg("Domain:administratordeleted", part217); -var part218 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was disabled')}" -match("MESSAGE#100:Domain:disabled", "nwparser.payload", "Domain \"%{domain}\" was disabled", processor_chain([ +var part218 = match("MESSAGE#100:Domain:disabled", "nwparser.payload", "Domain \"%{domain}\" was disabled", processor_chain([ dup136, dup12, dup13, @@ -5795,8 +5387,7 @@ match("MESSAGE#100:Domain:disabled", "nwparser.payload", "Domain \"%{domain}\" w var msg177 = msg("Domain:disabled", part218); -var part219 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was enabled')}" -match("MESSAGE#101:Domain:enabled", "nwparser.payload", "Domain \"%{domain}\" was enabled", processor_chain([ +var part219 = match("MESSAGE#101:Domain:enabled", "nwparser.payload", "Domain \"%{domain}\" was enabled", processor_chain([ dup136, dup12, dup13, @@ -5821,8 +5412,7 @@ var select38 = linear_select([ msg178, ]); -var part220 = // "Pattern{Constant('Failed to connect to the server. '), Field(action,false), Constant('. ErrorCode: '), Field(resultcode,false)}" -match("MESSAGE#102:Failed", "nwparser.payload", "Failed to connect to the server. %{action}. ErrorCode: %{resultcode}", processor_chain([ +var part220 = match("MESSAGE#102:Failed", "nwparser.payload", "Failed to connect to the server. %{action}. ErrorCode: %{resultcode}", processor_chain([ dup168, dup12, dup13, @@ -5833,14 +5423,11 @@ match("MESSAGE#102:Failed", "nwparser.payload", "Failed to connect to the server var msg179 = msg("Failed", part220); -var part221 = // "Pattern{Constant('Failed to contact server for more than '), Field(p0,false)}" -match("MESSAGE#103:Failed:01/0", "nwparser.payload", "Failed to contact server for more than %{p0}"); +var part221 = match("MESSAGE#103:Failed:01/0", "nwparser.payload", "Failed to contact server for more than %{p0}"); -var part222 = // "Pattern{Constant(''), Field(fld1,true), Constant(' times.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#103:Failed:01/1_0", "nwparser.p0", "%{fld1->} times.,Event time:%{fld17->} %{fld18}"); +var part222 = match("MESSAGE#103:Failed:01/1_0", "nwparser.p0", "%{fld1->} times.,Event time:%{fld17->} %{fld18}"); -var part223 = // "Pattern{Field(fld1,true), Constant(' times.')}" -match("MESSAGE#103:Failed:01/1_1", "nwparser.p0", "%{fld1->} times."); +var part223 = match("MESSAGE#103:Failed:01/1_1", "nwparser.p0", "%{fld1->} times."); var select39 = linear_select([ part222, @@ -5865,8 +5452,7 @@ var all83 = all_match({ var msg180 = msg("Failed:01", all83); -var part224 = // "Pattern{Constant('Failed to disable Windows firewall'), Field(,false)}" -match("MESSAGE#104:Failed:02", "nwparser.payload", "Failed to disable Windows firewall%{}", processor_chain([ +var part224 = match("MESSAGE#104:Failed:02", "nwparser.payload", "Failed to disable Windows firewall%{}", processor_chain([ dup168, dup12, dup13, @@ -5877,8 +5463,7 @@ match("MESSAGE#104:Failed:02", "nwparser.payload", "Failed to disable Windows fi var msg181 = msg("Failed:02", part224); -var part225 = // "Pattern{Constant('Failed to install teefer driver'), Field(,false)}" -match("MESSAGE#105:Failed:03", "nwparser.payload", "Failed to install teefer driver%{}", processor_chain([ +var part225 = match("MESSAGE#105:Failed:03", "nwparser.payload", "Failed to install teefer driver%{}", processor_chain([ dup168, dup12, dup13, @@ -5889,8 +5474,7 @@ match("MESSAGE#105:Failed:03", "nwparser.payload", "Failed to install teefer dri var msg182 = msg("Failed:03", part225); -var part226 = // "Pattern{Constant('Failed to connect to '), Field(fld22,false), Constant('. Make sure the server can ping or resolve this domain. ErrorCode: '), Field(resultcode,false)}" -match("MESSAGE#106:Failed:04", "nwparser.payload", "Failed to connect to %{fld22}. Make sure the server can ping or resolve this domain. ErrorCode: %{resultcode}", processor_chain([ +var part226 = match("MESSAGE#106:Failed:04", "nwparser.payload", "Failed to connect to %{fld22}. Make sure the server can ping or resolve this domain. ErrorCode: %{resultcode}", processor_chain([ dup168, dup14, dup15, @@ -5899,8 +5483,7 @@ match("MESSAGE#106:Failed:04", "nwparser.payload", "Failed to connect to %{fld22 var msg183 = msg("Failed:04", part226); -var part227 = // "Pattern{Constant('Failed to download new client upgrade package from the management server. New Version: '), Field(version,true), Constant(' Package size: '), Field(filename_size,true), Constant(' bytes. Package url: '), Field(url,false)}" -match("MESSAGE#107:Failed:05", "nwparser.payload", "Failed to download new client upgrade package from the management server. New Version: %{version->} Package size: %{filename_size->} bytes. Package url: %{url}", processor_chain([ +var part227 = match("MESSAGE#107:Failed:05", "nwparser.payload", "Failed to download new client upgrade package from the management server. New Version: %{version->} Package size: %{filename_size->} bytes. Package url: %{url}", processor_chain([ dup168, dup12, dup13, @@ -5914,8 +5497,7 @@ match("MESSAGE#107:Failed:05", "nwparser.payload", "Failed to download new clien var msg184 = msg("Failed:05", part227); -var part228 = // "Pattern{Constant('Failed to import server policy.'), Field(,false)}" -match("MESSAGE#108:Failed:06", "nwparser.payload", "Failed to import server policy.%{}", processor_chain([ +var part228 = match("MESSAGE#108:Failed:06", "nwparser.payload", "Failed to import server policy.%{}", processor_chain([ dup168, dup12, dup13, @@ -5928,8 +5510,7 @@ match("MESSAGE#108:Failed:06", "nwparser.payload", "Failed to import server poli var msg185 = msg("Failed:06", part228); -var part229 = // "Pattern{Constant('Failed to load plugin:'), Field(filename,false)}" -match("MESSAGE#109:Failed:07", "nwparser.payload", "Failed to load plugin:%{filename}", processor_chain([ +var part229 = match("MESSAGE#109:Failed:07", "nwparser.payload", "Failed to load plugin:%{filename}", processor_chain([ dup168, dup12, dup13, @@ -5942,8 +5523,7 @@ match("MESSAGE#109:Failed:07", "nwparser.payload", "Failed to load plugin:%{file var msg186 = msg("Failed:07", part229); -var part230 = // "Pattern{Constant('Failed to clean up LiveUpdate downloaded content'), Field(,false)}" -match("MESSAGE#110:Failed:08", "nwparser.payload", "Failed to clean up LiveUpdate downloaded content%{}", processor_chain([ +var part230 = match("MESSAGE#110:Failed:08", "nwparser.payload", "Failed to clean up LiveUpdate downloaded content%{}", processor_chain([ dup168, dup12, dup13, @@ -5956,8 +5536,7 @@ match("MESSAGE#110:Failed:08", "nwparser.payload", "Failed to clean up LiveUpdat var msg187 = msg("Failed:08", part230); -var part231 = // "Pattern{Constant('Failed to Login to Remote Site ['), Field(node,false), Constant('] Failed to connect to the server. Make sure that the server is running and your session has not timed out. If you can reach the server but cannot log on, make sure that you provided the correct parameters. If you are experiencing network issues, contact your system administrator.')}" -match("MESSAGE#111:Failed:09", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Failed to connect to the server. Make sure that the server is running and your session has not timed out. If you can reach the server but cannot log on, make sure that you provided the correct parameters. If you are experiencing network issues, contact your system administrator.", processor_chain([ +var part231 = match("MESSAGE#111:Failed:09", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Failed to connect to the server. Make sure that the server is running and your session has not timed out. If you can reach the server but cannot log on, make sure that you provided the correct parameters. If you are experiencing network issues, contact your system administrator.", processor_chain([ dup174, dup12, dup13, @@ -5970,8 +5549,7 @@ match("MESSAGE#111:Failed:09", "nwparser.payload", "Failed to Login to Remote Si var msg188 = msg("Failed:09", part231); -var part232 = // "Pattern{Constant('Failed to Login to Remote Site ['), Field(node,false), Constant('] Replication partnership has been deleted from remote site.')}" -match("MESSAGE#112:Failed:10", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Replication partnership has been deleted from remote site.", processor_chain([ +var part232 = match("MESSAGE#112:Failed:10", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Replication partnership has been deleted from remote site.", processor_chain([ dup174, dup12, dup13, @@ -5984,8 +5562,7 @@ match("MESSAGE#112:Failed:10", "nwparser.payload", "Failed to Login to Remote Si var msg189 = msg("Failed:10", part232); -var part233 = // "Pattern{Constant('Failed to import new policy.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#113:Failed:11", "nwparser.payload", "Failed to import new policy.,Event time: %{event_time_string}", processor_chain([ +var part233 = match("MESSAGE#113:Failed:11", "nwparser.payload", "Failed to import new policy.,Event time: %{event_time_string}", processor_chain([ setc("eventcategory","1601000000"), dup12, dup13, @@ -5995,8 +5572,7 @@ match("MESSAGE#113:Failed:11", "nwparser.payload", "Failed to import new policy. var msg190 = msg("Failed:11", part233); -var part234 = // "Pattern{Constant('Failed to set a custom action for IPS signature '), Field(sigid,true), Constant(' (errcode=0x'), Field(resultcode,false), Constant('). Most probably, this IPS signature was removed from the IPS content.'), Field(p0,false)}" -match("MESSAGE#250:Network:24/0", "nwparser.payload", "Failed to set a custom action for IPS signature %{sigid->} (errcode=0x%{resultcode}). Most probably, this IPS signature was removed from the IPS content.%{p0}"); +var part234 = match("MESSAGE#250:Network:24/0", "nwparser.payload", "Failed to set a custom action for IPS signature %{sigid->} (errcode=0x%{resultcode}). Most probably, this IPS signature was removed from the IPS content.%{p0}"); var select40 = linear_select([ dup176, @@ -6020,8 +5596,7 @@ var all84 = all_match({ var msg191 = msg("Network:24", all84); -var part235 = // "Pattern{Constant('Failed to connect to all GUPs, now trying to connect SEPM"'), Field(,false)}" -match("MESSAGE#696:SYLINK:03", "nwparser.payload", "Failed to connect to all GUPs, now trying to connect SEPM\"%{}", processor_chain([ +var part235 = match("MESSAGE#696:SYLINK:03", "nwparser.payload", "Failed to connect to all GUPs, now trying to connect SEPM\"%{}", processor_chain([ dup74, dup12, dup13, @@ -6049,8 +5624,7 @@ var select41 = linear_select([ msg192, ]); -var part236 = // "Pattern{Constant('Firewall driver failed to '), Field(info,false)}" -match("MESSAGE#114:Firewall", "nwparser.payload", "Firewall driver failed to %{info}", processor_chain([ +var part236 = match("MESSAGE#114:Firewall", "nwparser.payload", "Firewall driver failed to %{info}", processor_chain([ dup168, dup12, dup13, @@ -6061,8 +5635,7 @@ match("MESSAGE#114:Firewall", "nwparser.payload", "Firewall driver failed to %{i var msg193 = msg("Firewall", part236); -var part237 = // "Pattern{Constant('Firewall is enabled,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#115:Firewall:01", "nwparser.payload", "Firewall is enabled,Event time: %{event_time_string}", processor_chain([ +var part237 = match("MESSAGE#115:Firewall:01", "nwparser.payload", "Firewall is enabled,Event time: %{event_time_string}", processor_chain([ dup168, dup12, dup13, @@ -6073,8 +5646,7 @@ match("MESSAGE#115:Firewall:01", "nwparser.payload", "Firewall is enabled,Event var msg194 = msg("Firewall:01", part237); -var part238 = // "Pattern{Constant('Firewall is disabled by policy,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#116:Firewall:02", "nwparser.payload", "Firewall is disabled by policy,Event time: %{event_time_string}", processor_chain([ +var part238 = match("MESSAGE#116:Firewall:02", "nwparser.payload", "Firewall is disabled by policy,Event time: %{event_time_string}", processor_chain([ dup53, dup12, dup13, @@ -6085,8 +5657,7 @@ match("MESSAGE#116:Firewall:02", "nwparser.payload", "Firewall is disabled by po var msg195 = msg("Firewall:02", part238); -var part239 = // "Pattern{Constant('Firewall is disabled,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#117:Firewall:03", "nwparser.payload", "Firewall is disabled,Event time: %{event_time_string}", processor_chain([ +var part239 = match("MESSAGE#117:Firewall:03", "nwparser.payload", "Firewall is disabled,Event time: %{event_time_string}", processor_chain([ dup53, dup12, dup13, @@ -6104,8 +5675,7 @@ var select42 = linear_select([ msg196, ]); -var part240 = // "Pattern{Constant('Group has been created'), Field(,false)}" -match("MESSAGE#118:Group:created", "nwparser.payload", "Group has been created%{}", processor_chain([ +var part240 = match("MESSAGE#118:Group:created", "nwparser.payload", "Group has been created%{}", processor_chain([ dup95, dup12, dup13, @@ -6121,8 +5691,7 @@ match("MESSAGE#118:Group:created", "nwparser.payload", "Group has been created%{ var msg197 = msg("Group:created", part240); -var part241 = // "Pattern{Constant('Group has been deleted'), Field(,false)}" -match("MESSAGE#119:Group:deleted", "nwparser.payload", "Group has been deleted%{}", processor_chain([ +var part241 = match("MESSAGE#119:Group:deleted", "nwparser.payload", "Group has been deleted%{}", processor_chain([ dup156, dup12, dup13, @@ -6138,8 +5707,7 @@ match("MESSAGE#119:Group:deleted", "nwparser.payload", "Group has been deleted%{ var msg198 = msg("Group:deleted", part241); -var part242 = // "Pattern{Constant('Group ''), Field(group,false), Constant('' was deleted')}" -match("MESSAGE#120:Group:deleted_01", "nwparser.payload", "Group '%{group}' was deleted", processor_chain([ +var part242 = match("MESSAGE#120:Group:deleted_01", "nwparser.payload", "Group '%{group}' was deleted", processor_chain([ dup156, dup12, dup13, @@ -6155,8 +5723,7 @@ match("MESSAGE#120:Group:deleted_01", "nwparser.payload", "Group '%{group}' was var msg199 = msg("Group:deleted_01", part242); -var part243 = // "Pattern{Constant('Group has been moved'), Field(,false)}" -match("MESSAGE#121:Group:moved", "nwparser.payload", "Group has been moved%{}", processor_chain([ +var part243 = match("MESSAGE#121:Group:moved", "nwparser.payload", "Group has been moved%{}", processor_chain([ dup136, dup12, dup13, @@ -6172,8 +5739,7 @@ match("MESSAGE#121:Group:moved", "nwparser.payload", "Group has been moved%{}", var msg200 = msg("Group:moved", part243); -var part244 = // "Pattern{Constant('Group has been renamed'), Field(,false)}" -match("MESSAGE#122:Group:renamed", "nwparser.payload", "Group has been renamed%{}", processor_chain([ +var part244 = match("MESSAGE#122:Group:renamed", "nwparser.payload", "Group has been renamed%{}", processor_chain([ dup136, dup12, dup13, @@ -6189,8 +5755,7 @@ match("MESSAGE#122:Group:renamed", "nwparser.payload", "Group has been renamed%{ var msg201 = msg("Group:renamed", part244); -var part245 = // "Pattern{Constant('Group ''), Field(group,false), Constant('' was added')}" -match("MESSAGE#123:Group:added", "nwparser.payload", "Group '%{group}' was added", processor_chain([ +var part245 = match("MESSAGE#123:Group:added", "nwparser.payload", "Group '%{group}' was added", processor_chain([ dup95, dup12, dup13, @@ -6215,8 +5780,7 @@ var select43 = linear_select([ msg202, ]); -var part246 = // "Pattern{Constant('Host Integrity check is disabled. '), Field(info,true), Constant(' by the '), Field(username,false)}" -match("MESSAGE#124:Host", "nwparser.payload", "Host Integrity check is disabled. %{info->} by the %{username}", processor_chain([ +var part246 = match("MESSAGE#124:Host", "nwparser.payload", "Host Integrity check is disabled. %{info->} by the %{username}", processor_chain([ dup179, dup12, dup13, @@ -6230,8 +5794,7 @@ match("MESSAGE#124:Host", "nwparser.payload", "Host Integrity check is disabled. var msg203 = msg("Host", part246); -var part247 = // "Pattern{Field(info,true), Constant(' up-to-date')}" -match("MESSAGE#125:Host:01", "nwparser.payload", "%{info->} up-to-date", processor_chain([ +var part247 = match("MESSAGE#125:Host:01", "nwparser.payload", "%{info->} up-to-date", processor_chain([ dup92, dup12, dup13, @@ -6242,8 +5805,7 @@ match("MESSAGE#125:Host:01", "nwparser.payload", "%{info->} up-to-date", process var msg204 = msg("Host:01", part247); -var part248 = // "Pattern{Constant('Host Integrity check failed Requirement: "'), Field(fld11,false), Constant('" passed Requirement: "'), Field(fld12,false), Constant('" failed Requirement: "'), Field(fld13,false), Constant('" passed Requirement: "'), Field(fld14,false), Constant('" passed '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#126:Host:02", "nwparser.payload", "Host Integrity check failed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" failed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ +var part248 = match("MESSAGE#126:Host:02", "nwparser.payload", "Host Integrity check failed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" failed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ dup179, dup12, dup13, @@ -6255,8 +5817,7 @@ match("MESSAGE#126:Host:02", "nwparser.payload", "Host Integrity check failed Re var msg205 = msg("Host:02", part248); -var part249 = // "Pattern{Constant('Host Integrity failed but reported as pass Requirement: "'), Field(fld11,false), Constant('" passed Requirement: "'), Field(fld12,false), Constant('" passed Requirement: "'), Field(fld13,false), Constant('" passed Requirement: "'), Field(fld14,false), Constant('" failed '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#127:Host:05", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" failed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part249 = match("MESSAGE#127:Host:05", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" failed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6268,8 +5829,7 @@ match("MESSAGE#127:Host:05", "nwparser.payload", "Host Integrity failed but repo var msg206 = msg("Host:05", part249); -var part250 = // "Pattern{Constant('Host Integrity failed but reported as pass Requirement: "'), Field(fld11,false), Constant('" '), Field(fld18,true), Constant(' Requirement: "'), Field(fld12,false), Constant('" '), Field(fld17,true), Constant(' Requirement: "'), Field(fld13,false), Constant('" '), Field(fld16,true), Constant(' Requirement: "'), Field(fld14,false), Constant('" '), Field(fld15,true), Constant(' '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#128:Host:06", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" %{fld18->} Requirement: \"%{fld12}\" %{fld17->} Requirement: \"%{fld13}\" %{fld16->} Requirement: \"%{fld14}\" %{fld15->} %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part250 = match("MESSAGE#128:Host:06", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" %{fld18->} Requirement: \"%{fld12}\" %{fld17->} Requirement: \"%{fld13}\" %{fld16->} Requirement: \"%{fld14}\" %{fld15->} %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6281,8 +5841,7 @@ match("MESSAGE#128:Host:06", "nwparser.payload", "Host Integrity failed but repo var msg207 = msg("Host:06", part250); -var part251 = // "Pattern{Constant('Host Integrity check failed '), Field(result,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#129:Host:04", "nwparser.payload", "Host Integrity check failed %{result},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part251 = match("MESSAGE#129:Host:04", "nwparser.payload", "Host Integrity check failed %{result},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6294,8 +5853,7 @@ match("MESSAGE#129:Host:04", "nwparser.payload", "Host Integrity check failed %{ var msg208 = msg("Host:04", part251); -var part252 = // "Pattern{Constant('Host Integrity check passed Requirement: "'), Field(fld11,false), Constant('" passed Requirement: "'), Field(fld12,false), Constant('" passed Requirement: "'), Field(fld13,false), Constant('" passed Requirement: "'), Field(fld14,false), Constant('" passed '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#130:Host:03", "nwparser.payload", "Host Integrity check passed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part252 = match("MESSAGE#130:Host:03", "nwparser.payload", "Host Integrity check passed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6307,8 +5865,7 @@ match("MESSAGE#130:Host:03", "nwparser.payload", "Host Integrity check passed Re var msg209 = msg("Host:03", part252); -var part253 = // "Pattern{Constant('Host Integrity check passed'), Field(space,false), Constant('Requirement: ''), Field(fld11,false), Constant('' passed '), Field(fld12,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#132:Host:07", "nwparser.payload", "Host Integrity check passed%{space}Requirement: '%{fld11}' passed %{fld12},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part253 = match("MESSAGE#132:Host:07", "nwparser.payload", "Host Integrity check passed%{space}Requirement: '%{fld11}' passed %{fld12},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup87, dup12, @@ -6321,19 +5878,16 @@ match("MESSAGE#132:Host:07", "nwparser.payload", "Host Integrity check passed%{s var msg210 = msg("Host:07", part253); -var part254 = // "Pattern{Field(shost,false), Constant(', Host Integrity check passed '), Field(p0,false)}" -match("MESSAGE#133:Host:08/0_0", "nwparser.payload", "%{shost}, Host Integrity check passed %{p0}"); +var part254 = match("MESSAGE#133:Host:08/0_0", "nwparser.payload", "%{shost}, Host Integrity check passed %{p0}"); -var part255 = // "Pattern{Constant('Host Integrity check passed'), Field(p0,false)}" -match("MESSAGE#133:Host:08/0_1", "nwparser.payload", "Host Integrity check passed%{p0}"); +var part255 = match("MESSAGE#133:Host:08/0_1", "nwparser.payload", "Host Integrity check passed%{p0}"); var select44 = linear_select([ part254, part255, ]); -var part256 = // "Pattern{Field(,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#133:Host:08/1", "nwparser.p0", "%{},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); +var part256 = match("MESSAGE#133:Host:08/1", "nwparser.p0", "%{},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); var all85 = all_match({ processors: [ @@ -6355,16 +5909,14 @@ var all85 = all_match({ var msg211 = msg("Host:08", all85); -var part257 = // "Pattern{Field(shost,false), Constant(', Host Integrity check pass.'), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#134:Host:09/0", "nwparser.payload", "%{shost}, Host Integrity check pass.%{info},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); +var part257 = match("MESSAGE#134:Host:09/0", "nwparser.payload", "%{shost}, Host Integrity check pass.%{info},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); var select45 = linear_select([ dup67, dup182, ]); -var part258 = // "Pattern{Field(,true), Constant(' '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#134:Host:09/2", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); +var part258 = match("MESSAGE#134:Host:09/2", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); var all86 = all_match({ processors: [ @@ -6385,8 +5937,7 @@ var all86 = all_match({ var msg212 = msg("Host:09", all86); -var part259 = // "Pattern{Constant('Host Integrity check is disabled. Only do Host Integrity checking when connected to the Symantec Endpoint Protection Manager is checked.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#702:Smc:06", "nwparser.payload", "Host Integrity check is disabled. Only do Host Integrity checking when connected to the Symantec Endpoint Protection Manager is checked.,Event time: %{fld17->} %{fld18}", processor_chain([ +var part259 = match("MESSAGE#702:Smc:06", "nwparser.payload", "Host Integrity check is disabled. Only do Host Integrity checking when connected to the Symantec Endpoint Protection Manager is checked.,Event time: %{fld17->} %{fld18}", processor_chain([ dup53, dup12, dup13, @@ -6412,8 +5963,7 @@ var select46 = linear_select([ msg213, ]); -var part260 = // "Pattern{Field(fld31,true), Constant(' ??????????????? ??: "'), Field(fld11,false), Constant('"?? ??: "'), Field(fld12,false), Constant('"?? ??: "'), Field(fld13,false), Constant('"?? ??: "'), Field(fld14,false), Constant('"??,??????????? ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#131:??:", "nwparser.payload", "%{fld31->} ??????????????? ??: \"%{fld11}\"?? ??: \"%{fld12}\"?? ??: \"%{fld13}\"?? ??: \"%{fld14}\"??,??????????? ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part260 = match("MESSAGE#131:??:", "nwparser.payload", "%{fld31->} ??????????????? ??: \"%{fld11}\"?? ??: \"%{fld12}\"?? ??: \"%{fld13}\"?? ??: \"%{fld14}\"??,??????????? ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6423,19 +5973,16 @@ match("MESSAGE#131:??:", "nwparser.payload", "%{fld31->} ??????????????? ??: \"% var msg214 = msg("??:", part260); -var part261 = // "Pattern{Field(info,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#135:Intrusion/0", "nwparser.payload", "%{info->} %{p0}"); +var part261 = match("MESSAGE#135:Intrusion/0", "nwparser.payload", "%{info->} %{p0}"); -var part262 = // "Pattern{Constant('was '), Field(p0,false)}" -match("MESSAGE#135:Intrusion/1_1", "nwparser.p0", "was %{p0}"); +var part262 = match("MESSAGE#135:Intrusion/1_1", "nwparser.p0", "was %{p0}"); var select47 = linear_select([ dup183, part262, ]); -var part263 = // "Pattern{Constant(''), Field(action,false)}" -match("MESSAGE#135:Intrusion/2", "nwparser.p0", "%{action}"); +var part263 = match("MESSAGE#135:Intrusion/2", "nwparser.p0", "%{action}"); var all87 = all_match({ processors: [ @@ -6455,8 +6002,7 @@ var all87 = all_match({ var msg215 = msg("Intrusion", all87); -var part264 = // "Pattern{Field(info,true), Constant(' failed to update')}" -match("MESSAGE#136:Intrusion:01", "nwparser.payload", "%{info->} failed to update", processor_chain([ +var part264 = match("MESSAGE#136:Intrusion:01", "nwparser.payload", "%{info->} failed to update", processor_chain([ dup92, dup12, dup13, @@ -6472,8 +6018,7 @@ var select48 = linear_select([ msg216, ]); -var part265 = // "Pattern{Constant('Invalid log record:'), Field(info,false)}" -match("MESSAGE#137:Invalid", "nwparser.payload", "Invalid log record:%{info}", processor_chain([ +var part265 = match("MESSAGE#137:Invalid", "nwparser.payload", "Invalid log record:%{info}", processor_chain([ dup168, dup12, dup13, @@ -6484,8 +6029,7 @@ match("MESSAGE#137:Invalid", "nwparser.payload", "Invalid log record:%{info}", p var msg217 = msg("Invalid", part265); -var part266 = // "Pattern{Constant('Limited Administrator administrator "'), Field(change_old,false), Constant('" was renamed to "'), Field(change_new,false), Constant('"')}" -match("MESSAGE#138:Limited", "nwparser.payload", "Limited Administrator administrator \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ +var part266 = match("MESSAGE#138:Limited", "nwparser.payload", "Limited Administrator administrator \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ setc("eventcategory","1402020300"), dup12, dup13, @@ -6500,8 +6044,7 @@ match("MESSAGE#138:Limited", "nwparser.payload", "Limited Administrator administ var msg218 = msg("Limited", part266); -var part267 = // "Pattern{Constant('LiveUpdate will start next on '), Field(info,true), Constant(' on '), Field(product,false)}" -match("MESSAGE#139:LiveUpdate:08", "nwparser.payload", "LiveUpdate will start next on %{info->} on %{product}", processor_chain([ +var part267 = match("MESSAGE#139:LiveUpdate:08", "nwparser.payload", "LiveUpdate will start next on %{info->} on %{product}", processor_chain([ dup43, dup15, dup184, @@ -6509,8 +6052,7 @@ match("MESSAGE#139:LiveUpdate:08", "nwparser.payload", "LiveUpdate will start ne var msg219 = msg("LiveUpdate:08", part267); -var part268 = // "Pattern{Constant('LiveUpdate '), Field(info,true), Constant(' on '), Field(product,false), Constant('"')}" -match("MESSAGE#140:LiveUpdate:01", "nwparser.payload", "LiveUpdate %{info->} on %{product}\"", processor_chain([ +var part268 = match("MESSAGE#140:LiveUpdate:01", "nwparser.payload", "LiveUpdate %{info->} on %{product}\"", processor_chain([ dup43, dup12, dup13, @@ -6521,8 +6063,7 @@ match("MESSAGE#140:LiveUpdate:01", "nwparser.payload", "LiveUpdate %{info->} on var msg220 = msg("LiveUpdate:01", part268); -var part269 = // "Pattern{Constant('LiveUpdate failed.'), Field(,false)}" -match("MESSAGE#141:LiveUpdate", "nwparser.payload", "LiveUpdate failed.%{}", processor_chain([ +var part269 = match("MESSAGE#141:LiveUpdate", "nwparser.payload", "LiveUpdate failed.%{}", processor_chain([ dup168, dup12, dup13, @@ -6533,8 +6074,7 @@ match("MESSAGE#141:LiveUpdate", "nwparser.payload", "LiveUpdate failed.%{}", pro var msg221 = msg("LiveUpdate", part269); -var part270 = // "Pattern{Constant('LiveUpdate encountered one or more errors. Return code = '), Field(resultcode,false)}" -match("MESSAGE#142:LiveUpdate:04", "nwparser.payload", "LiveUpdate encountered one or more errors. Return code = %{resultcode}", processor_chain([ +var part270 = match("MESSAGE#142:LiveUpdate:04", "nwparser.payload", "LiveUpdate encountered one or more errors. Return code = %{resultcode}", processor_chain([ dup168, dup15, setc("event_description","LiveUpdate encountered one or more errors"), @@ -6542,8 +6082,7 @@ match("MESSAGE#142:LiveUpdate:04", "nwparser.payload", "LiveUpdate encountered o var msg222 = msg("LiveUpdate:04", part270); -var part271 = // "Pattern{Constant('LiveUpdate succeeded'), Field(,false)}" -match("MESSAGE#143:LiveUpdate:02", "nwparser.payload", "LiveUpdate succeeded%{}", processor_chain([ +var part271 = match("MESSAGE#143:LiveUpdate:02", "nwparser.payload", "LiveUpdate succeeded%{}", processor_chain([ dup43, dup12, dup13, @@ -6554,8 +6093,7 @@ match("MESSAGE#143:LiveUpdate:02", "nwparser.payload", "LiveUpdate succeeded%{}" var msg223 = msg("LiveUpdate:02", part271); -var part272 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,[LiveUpdate error submission] Submitting information to Symantec failed.')}" -match("MESSAGE#144:LiveUpdate:09", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Submitting information to Symantec failed.", processor_chain([ +var part272 = match("MESSAGE#144:LiveUpdate:09", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Submitting information to Symantec failed.", processor_chain([ dup43, dup12, dup13, @@ -6566,8 +6104,7 @@ match("MESSAGE#144:LiveUpdate:09", "nwparser.payload", "Category: %{fld22},LiveU var msg224 = msg("LiveUpdate:09", part272); -var part273 = // "Pattern{Constant('LiveUpdate encountered an error: Failed to connect to the LiveUpdate server ('), Field(resultcode,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#145:LiveUpdate:10/0", "nwparser.payload", "LiveUpdate encountered an error: Failed to connect to the LiveUpdate server (%{resultcode})%{p0}"); +var part273 = match("MESSAGE#145:LiveUpdate:10/0", "nwparser.payload", "LiveUpdate encountered an error: Failed to connect to the LiveUpdate server (%{resultcode})%{p0}"); var select49 = linear_select([ dup186, @@ -6592,8 +6129,7 @@ var all88 = all_match({ var msg225 = msg("LiveUpdate:10", all88); -var part274 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,"An update for '), Field(application,true), Constant(' failed to install. Error: '), Field(resultcode,false), Constant(', DuResult:'), Field(fld23,false), Constant('."'), Field(p0,false)}" -match("MESSAGE#146:LiveUpdate:11/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"An update for %{application->} failed to install. Error: %{resultcode}, DuResult:%{fld23}.\"%{p0}"); +var part274 = match("MESSAGE#146:LiveUpdate:11/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"An update for %{application->} failed to install. Error: %{resultcode}, DuResult:%{fld23}.\"%{p0}"); var all89 = all_match({ processors: [ @@ -6613,8 +6149,7 @@ var all89 = all_match({ var msg226 = msg("LiveUpdate:11", all89); -var part275 = // "Pattern{Constant('LiveUpdate re-run triggered by the download of content catalog.'), Field(,false)}" -match("MESSAGE#147:LiveUpdate:12", "nwparser.payload", "LiveUpdate re-run triggered by the download of content catalog.%{}", processor_chain([ +var part275 = match("MESSAGE#147:LiveUpdate:12", "nwparser.payload", "LiveUpdate re-run triggered by the download of content catalog.%{}", processor_chain([ dup43, dup12, dup13, @@ -6625,8 +6160,7 @@ match("MESSAGE#147:LiveUpdate:12", "nwparser.payload", "LiveUpdate re-run trigge var msg227 = msg("LiveUpdate:12", part275); -var part276 = // "Pattern{Constant('LiveUpdate cannot be run because all licenses have expired.'), Field(,false)}" -match("MESSAGE#148:LiveUpdate:13", "nwparser.payload", "LiveUpdate cannot be run because all licenses have expired.%{}", processor_chain([ +var part276 = match("MESSAGE#148:LiveUpdate:13", "nwparser.payload", "LiveUpdate cannot be run because all licenses have expired.%{}", processor_chain([ dup43, dup14, dup15, @@ -6635,8 +6169,7 @@ match("MESSAGE#148:LiveUpdate:13", "nwparser.payload", "LiveUpdate cannot be run var msg228 = msg("LiveUpdate:13", part276); -var part277 = // "Pattern{Constant('LiveUpdate started.'), Field(,false)}" -match("MESSAGE#149:LiveUpdate::05", "nwparser.payload", "LiveUpdate started.%{}", processor_chain([ +var part277 = match("MESSAGE#149:LiveUpdate::05", "nwparser.payload", "LiveUpdate started.%{}", processor_chain([ dup43, dup15, setc("action","LiveUpdate started."), @@ -6644,8 +6177,7 @@ match("MESSAGE#149:LiveUpdate::05", "nwparser.payload", "LiveUpdate started.%{}" var msg229 = msg("LiveUpdate::05", part277); -var part278 = // "Pattern{Constant('LiveUpdate retry started.'), Field(,false)}" -match("MESSAGE#150:LiveUpdate::06", "nwparser.payload", "LiveUpdate retry started.%{}", processor_chain([ +var part278 = match("MESSAGE#150:LiveUpdate::06", "nwparser.payload", "LiveUpdate retry started.%{}", processor_chain([ dup43, dup15, setc("action","LiveUpdate retry started."), @@ -6653,8 +6185,7 @@ match("MESSAGE#150:LiveUpdate::06", "nwparser.payload", "LiveUpdate retry starte var msg230 = msg("LiveUpdate::06", part278); -var part279 = // "Pattern{Constant('LiveUpdate retry succeeded.'), Field(,false)}" -match("MESSAGE#151:LiveUpdate::07", "nwparser.payload", "LiveUpdate retry succeeded.%{}", processor_chain([ +var part279 = match("MESSAGE#151:LiveUpdate::07", "nwparser.payload", "LiveUpdate retry succeeded.%{}", processor_chain([ dup43, dup15, setc("action","LiveUpdate retry succeeded."), @@ -6662,8 +6193,7 @@ match("MESSAGE#151:LiveUpdate::07", "nwparser.payload", "LiveUpdate retry succee var msg231 = msg("LiveUpdate::07", part279); -var part280 = // "Pattern{Constant('LiveUpdate retry failed. Will try again.'), Field(,false)}" -match("MESSAGE#152:LiveUpdate::08", "nwparser.payload", "LiveUpdate retry failed. Will try again.%{}", processor_chain([ +var part280 = match("MESSAGE#152:LiveUpdate::08", "nwparser.payload", "LiveUpdate retry failed. Will try again.%{}", processor_chain([ dup43, dup12, dup13, @@ -6673,8 +6203,7 @@ match("MESSAGE#152:LiveUpdate::08", "nwparser.payload", "LiveUpdate retry failed var msg232 = msg("LiveUpdate::08", part280); -var part281 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Centralized Reputation Settings from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#153:LiveUpdate:14", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Centralized Reputation Settings from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part281 = match("MESSAGE#153:LiveUpdate:14", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Centralized Reputation Settings from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6685,8 +6214,7 @@ match("MESSAGE#153:LiveUpdate:14", "nwparser.payload", "Category: %{fld11},LiveU var msg233 = msg("LiveUpdate:14", part281); -var part282 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Intrusion Prevention Signatures (hub) from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#154:LiveUpdate:15", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part282 = match("MESSAGE#154:LiveUpdate:15", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6700,8 +6228,7 @@ match("MESSAGE#154:LiveUpdate:15", "nwparser.payload", "Category: %{fld11},LiveU var msg234 = msg("LiveUpdate:15", part282); -var part283 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#155:LiveUpdate:16", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part283 = match("MESSAGE#155:LiveUpdate:16", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6715,8 +6242,7 @@ match("MESSAGE#155:LiveUpdate:16", "nwparser.payload", "Category: %{fld11},LiveU var msg235 = msg("LiveUpdate:16", part283); -var part284 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Revocation Data from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#156:LiveUpdate:17", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Revocation Data from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part284 = match("MESSAGE#156:LiveUpdate:17", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Revocation Data from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6727,8 +6253,7 @@ match("MESSAGE#156:LiveUpdate:17", "nwparser.payload", "Category: %{fld11},LiveU var msg236 = msg("LiveUpdate:17", part284); -var part285 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for SONAR Definitions from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#157:LiveUpdate:18/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for SONAR Definitions from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); +var part285 = match("MESSAGE#157:LiveUpdate:18/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for SONAR Definitions from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); var all90 = all_match({ processors: [ @@ -6748,8 +6273,7 @@ var all90 = all_match({ var msg237 = msg("LiveUpdate:18", all90); -var part286 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Symantec Whitelist from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#158:LiveUpdate:19/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Symantec Whitelist from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); +var part286 = match("MESSAGE#158:LiveUpdate:19/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Symantec Whitelist from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); var all91 = all_match({ processors: [ @@ -6769,8 +6293,7 @@ var all91 = all_match({ var msg238 = msg("LiveUpdate:19", all91); -var part287 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#159:LiveUpdate:20", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part287 = match("MESSAGE#159:LiveUpdate:20", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6784,8 +6307,7 @@ match("MESSAGE#159:LiveUpdate:20", "nwparser.payload", "Category: %{fld11},LiveU var msg239 = msg("LiveUpdate:20", part287); -var part288 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#160:LiveUpdate:21", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part288 = match("MESSAGE#160:LiveUpdate:21", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6799,8 +6321,7 @@ match("MESSAGE#160:LiveUpdate:21", "nwparser.payload", "Category: %{fld11},LiveU var msg240 = msg("LiveUpdate:21", part288); -var part289 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 (hub) from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#161:LiveUpdate:22", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part289 = match("MESSAGE#161:LiveUpdate:22", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6814,8 +6335,7 @@ match("MESSAGE#161:LiveUpdate:22", "nwparser.payload", "Category: %{fld11},LiveU var msg241 = msg("LiveUpdate:22", part289); -var part290 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#162:LiveUpdate:23", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part290 = match("MESSAGE#162:LiveUpdate:23", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup94, dup13, @@ -6829,8 +6349,7 @@ match("MESSAGE#162:LiveUpdate:23", "nwparser.payload", "Category: %{fld11},LiveU var msg242 = msg("LiveUpdate:23", part290); -var part291 = // "Pattern{Constant('LiveUpdate encountered an error: '), Field(result,true), Constant(' ('), Field(resultcode,false), Constant(').'), Field(p0,false)}" -match("MESSAGE#163:LiveUpdate:24/0", "nwparser.payload", "LiveUpdate encountered an error: %{result->} (%{resultcode}).%{p0}"); +var part291 = match("MESSAGE#163:LiveUpdate:24/0", "nwparser.payload", "LiveUpdate encountered an error: %{result->} (%{resultcode}).%{p0}"); var all92 = all_match({ processors: [ @@ -6852,8 +6371,7 @@ var all92 = all_match({ var msg243 = msg("LiveUpdate:24", all92); -var part292 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Revocation Data update failed to load. The component has no valid content and will not function correctly until it is updated.')}" -match("MESSAGE#164:LiveUpdate:25", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ +var part292 = match("MESSAGE#164:LiveUpdate:25", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ dup43, dup12, dup13, @@ -6864,8 +6382,7 @@ match("MESSAGE#164:LiveUpdate:25", "nwparser.payload", "Category: %{fld11},LiveU var msg244 = msg("LiveUpdate:25", part292); -var part293 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Symantec Whitelist update failed to load. The component has no valid content and will not function correctly until it is updated.')}" -match("MESSAGE#165:LiveUpdate:26", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Symantec Whitelist update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ +var part293 = match("MESSAGE#165:LiveUpdate:26", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Symantec Whitelist update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ dup43, dup12, dup13, @@ -6876,8 +6393,7 @@ match("MESSAGE#165:LiveUpdate:26", "nwparser.payload", "Category: %{fld11},LiveU var msg245 = msg("LiveUpdate:26", part293); -var part294 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,A LiveUpdate session encountered errors. '), Field(fld1,true), Constant(' update(s) were available. '), Field(fld2,true), Constant(' update(s) installed successfully. '), Field(fld3,true), Constant(' update(s) failed to install.'), Field(p0,false)}" -match("MESSAGE#166:LiveUpdate:27/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,A LiveUpdate session encountered errors. %{fld1->} update(s) were available. %{fld2->} update(s) installed successfully. %{fld3->} update(s) failed to install.%{p0}"); +var part294 = match("MESSAGE#166:LiveUpdate:27/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,A LiveUpdate session encountered errors. %{fld1->} update(s) were available. %{fld2->} update(s) installed successfully. %{fld3->} update(s) failed to install.%{p0}"); var all93 = all_match({ processors: [ @@ -6897,8 +6413,7 @@ var all93 = all_match({ var msg246 = msg("LiveUpdate:27", all93); -var part295 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Revocation Data update failed to load. The component will continue to use its previous content.'), Field(p0,false)}" -match("MESSAGE#167:LiveUpdate:28/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component will continue to use its previous content.%{p0}"); +var part295 = match("MESSAGE#167:LiveUpdate:28/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component will continue to use its previous content.%{p0}"); var all94 = all_match({ processors: [ @@ -6918,8 +6433,7 @@ var all94 = all_match({ var msg247 = msg("LiveUpdate:28", all94); -var part296 = // "Pattern{Field(fld11,false), Constant(': Impossible de se connecter au serveur LiveUpdate '), Field(fld12,false), Constant('.')}" -match("MESSAGE#168:LiveUpdate:29", "nwparser.payload", "%{fld11}: Impossible de se connecter au serveur LiveUpdate %{fld12}.", processor_chain([ +var part296 = match("MESSAGE#168:LiveUpdate:29", "nwparser.payload", "%{fld11}: Impossible de se connecter au serveur LiveUpdate %{fld12}.", processor_chain([ dup43, dup12, dup13, @@ -6930,14 +6444,11 @@ match("MESSAGE#168:LiveUpdate:29", "nwparser.payload", "%{fld11}: Impossible de var msg248 = msg("LiveUpdate:29", part296); -var part297 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,An update for '), Field(application,true), Constant(' was successfully installed.'), Field(space,false), Constant('The new sequence number is '), Field(fld23,false), Constant('.'), Field(p0,false)}" -match("MESSAGE#169:LiveUpdate:30/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} was successfully installed.%{space}The new sequence number is %{fld23}.%{p0}"); +var part297 = match("MESSAGE#169:LiveUpdate:30/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} was successfully installed.%{space}The new sequence number is %{fld23}.%{p0}"); -var part298 = // "Pattern{Field(space,false), Constant('Content was downloaded from '), Field(url,true), Constant(' ('), Field(sport,false), Constant(').,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#169:LiveUpdate:30/1_0", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport}).,Event time:%{fld17->} %{fld18}"); +var part298 = match("MESSAGE#169:LiveUpdate:30/1_0", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport}).,Event time:%{fld17->} %{fld18}"); -var part299 = // "Pattern{Field(space,false), Constant('Content was downloaded from '), Field(url,true), Constant(' ('), Field(sport,false), Constant(').')}" -match("MESSAGE#169:LiveUpdate:30/1_1", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport})."); +var part299 = match("MESSAGE#169:LiveUpdate:30/1_1", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport})."); var select50 = linear_select([ part298, @@ -6964,8 +6475,7 @@ var all95 = all_match({ var msg249 = msg("LiveUpdate:30", all95); -var part300 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest '), Field(application,true), Constant(' update failed to load. The component will continue to use its previous content.'), Field(p0,false)}" -match("MESSAGE#170:LiveUpdate:31/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest %{application->} update failed to load. The component will continue to use its previous content.%{p0}"); +var part300 = match("MESSAGE#170:LiveUpdate:31/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest %{application->} update failed to load. The component will continue to use its previous content.%{p0}"); var all96 = all_match({ processors: [ @@ -6985,8 +6495,7 @@ var all96 = all_match({ var msg250 = msg("LiveUpdate:31", all96); -var part301 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,Scheduled LiveUpdate switched to '), Field(change_new,false), Constant('.')}" -match("MESSAGE#171:LiveUpdate:32", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate switched to %{change_new}.", processor_chain([ +var part301 = match("MESSAGE#171:LiveUpdate:32", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate switched to %{change_new}.", processor_chain([ dup136, dup12, dup13, @@ -7000,8 +6509,7 @@ match("MESSAGE#171:LiveUpdate:32", "nwparser.payload", "Category: %{fld22},LiveU var msg251 = msg("LiveUpdate:32", part301); -var part302 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,An update for '), Field(application,true), Constant(' from LiveUpdate failed to install. Error: '), Field(result,false), Constant('('), Field(resultcode,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#172:LiveUpdate:33/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from LiveUpdate failed to install. Error: %{result}(%{resultcode})%{p0}"); +var part302 = match("MESSAGE#172:LiveUpdate:33/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from LiveUpdate failed to install. Error: %{result}(%{resultcode})%{p0}"); var all97 = all_match({ processors: [ @@ -7021,8 +6529,7 @@ var all97 = all_match({ var msg252 = msg("LiveUpdate:33", all97); -var part303 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,An update for '), Field(application,true), Constant(' from Intelligent Updater was already installed.')}" -match("MESSAGE#173:LiveUpdate:34", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from Intelligent Updater was already installed.", processor_chain([ +var part303 = match("MESSAGE#173:LiveUpdate:34", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from Intelligent Updater was already installed.", processor_chain([ dup43, dup12, dup13, @@ -7033,33 +6540,27 @@ match("MESSAGE#173:LiveUpdate:34", "nwparser.payload", "Category: %{fld22},LiveU var msg253 = msg("LiveUpdate:34", part303); -var part304 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,'), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,%{p0}"); +var part304 = match("MESSAGE#174:LiveUpdate:35/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,%{p0}"); -var part305 = // "Pattern{Constant('A '), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/1_0", "nwparser.p0", "A %{p0}"); +var part305 = match("MESSAGE#174:LiveUpdate:35/1_0", "nwparser.p0", "A %{p0}"); -var part306 = // "Pattern{Constant(' The'), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/1_1", "nwparser.p0", " The%{p0}"); +var part306 = match("MESSAGE#174:LiveUpdate:35/1_1", "nwparser.p0", " The%{p0}"); var select51 = linear_select([ part305, part306, ]); -var part307 = // "Pattern{Field(,false), Constant('LiveUpdate session '), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/2", "nwparser.p0", "%{}LiveUpdate session %{p0}"); +var part307 = match("MESSAGE#174:LiveUpdate:35/2", "nwparser.p0", "%{}LiveUpdate session %{p0}"); -var part308 = // "Pattern{Constant('was'), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/3_1", "nwparser.p0", "was%{p0}"); +var part308 = match("MESSAGE#174:LiveUpdate:35/3_1", "nwparser.p0", "was%{p0}"); var select52 = linear_select([ dup183, part308, ]); -var part309 = // "Pattern{Field(,false), Constant('cancelled.')}" -match("MESSAGE#174:LiveUpdate:35/4", "nwparser.p0", "%{}cancelled."); +var part309 = match("MESSAGE#174:LiveUpdate:35/4", "nwparser.p0", "%{}cancelled."); var all98 = all_match({ processors: [ @@ -7081,8 +6582,7 @@ var all98 = all_match({ var msg254 = msg("LiveUpdate:35", all98); -var part310 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,"A LiveUpdate session is already running, so the scheduled LiveUpdate was skipped."'), Field(p0,false)}" -match("MESSAGE#175:LiveUpdate:36/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"A LiveUpdate session is already running, so the scheduled LiveUpdate was skipped.\"%{p0}"); +var part310 = match("MESSAGE#175:LiveUpdate:36/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"A LiveUpdate session is already running, so the scheduled LiveUpdate was skipped.\"%{p0}"); var all99 = all_match({ processors: [ @@ -7102,8 +6602,7 @@ var all99 = all_match({ var msg255 = msg("LiveUpdate:36", all99); -var part311 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,Scheduled LiveUpdate keep trying to connect to Server for '), Field(fld23,true), Constant(' times.')}" -match("MESSAGE#176:LiveUpdate:37", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate keep trying to connect to Server for %{fld23->} times.", processor_chain([ +var part311 = match("MESSAGE#176:LiveUpdate:37", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate keep trying to connect to Server for %{fld23->} times.", processor_chain([ dup43, dup94, dup13, @@ -7114,14 +6613,11 @@ match("MESSAGE#176:LiveUpdate:37", "nwparser.payload", "Category: %{fld22},LiveU var msg256 = msg("LiveUpdate:37", part311); -var part312 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,A LiveUpdate session ran successfully. '), Field(p0,false)}" -match("MESSAGE#177:LiveUpdate:38/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,A LiveUpdate session ran successfully. %{p0}"); +var part312 = match("MESSAGE#177:LiveUpdate:38/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,A LiveUpdate session ran successfully. %{p0}"); -var part313 = // "Pattern{Constant(''), Field(fld23,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#177:LiveUpdate:38/1_0", "nwparser.p0", "%{fld23},Event time:%{fld17->} %{fld18}"); +var part313 = match("MESSAGE#177:LiveUpdate:38/1_0", "nwparser.p0", "%{fld23},Event time:%{fld17->} %{fld18}"); -var part314 = // "Pattern{Field(fld23,false)}" -match_copy("MESSAGE#177:LiveUpdate:38/1_1", "nwparser.p0", "fld23"); +var part314 = match_copy("MESSAGE#177:LiveUpdate:38/1_1", "nwparser.p0", "fld23"); var select53 = linear_select([ part313, @@ -7146,8 +6642,7 @@ var all100 = all_match({ var msg257 = msg("LiveUpdate:38", all100); -var part315 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,[LiveUpdate error submission] Information submitted to Symantec.'), Field(p0,false)}" -match("MESSAGE#178:LiveUpdate:39/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Information submitted to Symantec.%{p0}"); +var part315 = match("MESSAGE#178:LiveUpdate:39/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Information submitted to Symantec.%{p0}"); var all101 = all_match({ processors: [ @@ -7167,8 +6662,7 @@ var all101 = all_match({ var msg258 = msg("LiveUpdate:39", all101); -var part316 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Submission Control Thresholds update failed to load. The component has no valid content and will not function correctly until it is updated.')}" -match("MESSAGE#180:LiveUpdate:41", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Submission Control Thresholds update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ +var part316 = match("MESSAGE#180:LiveUpdate:41", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Submission Control Thresholds update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ dup43, dup12, dup13, @@ -7179,8 +6673,7 @@ match("MESSAGE#180:LiveUpdate:41", "nwparser.payload", "Category: %{fld11},LiveU var msg259 = msg("LiveUpdate:41", part316); -var part317 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.')}" -match("MESSAGE#181:LiveUpdate:42", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ +var part317 = match("MESSAGE#181:LiveUpdate:42", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ dup43, dup12, dup13, @@ -7191,8 +6684,7 @@ match("MESSAGE#181:LiveUpdate:42", "nwparser.payload", "Category: %{fld11},LiveU var msg260 = msg("LiveUpdate:42", part317); -var part318 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Endpoint Detection and Response update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#182:LiveUpdate:43", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Endpoint Detection and Response update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part318 = match("MESSAGE#182:LiveUpdate:43", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Endpoint Detection and Response update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -7203,8 +6695,7 @@ match("MESSAGE#182:LiveUpdate:43", "nwparser.payload", "Category: %{fld11},LiveU var msg261 = msg("LiveUpdate:43", part318); -var part319 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,"[LiveUpdate error submission] Submitting information to Symantec failed. Network error : ''), Field(result,false), Constant('''), Field(fld23,false), Constant('",Event time: '), Field(event_time_string,false)}" -match("MESSAGE#183:LiveUpdate:44", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"[LiveUpdate error submission] Submitting information to Symantec failed. Network error : '%{result}'%{fld23}\",Event time: %{event_time_string}", processor_chain([ +var part319 = match("MESSAGE#183:LiveUpdate:44", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"[LiveUpdate error submission] Submitting information to Symantec failed. Network error : '%{result}'%{fld23}\",Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7214,8 +6705,7 @@ match("MESSAGE#183:LiveUpdate:44", "nwparser.payload", "Category: %{fld22},LiveU var msg262 = msg("LiveUpdate:44", part319); -var part320 = // "Pattern{Constant('LiveUpdate encountered an error.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#184:LiveUpdate:45", "nwparser.payload", "LiveUpdate encountered an error.,Event time: %{fld17->} %{fld18}", processor_chain([ +var part320 = match("MESSAGE#184:LiveUpdate:45", "nwparser.payload", "LiveUpdate encountered an error.,Event time: %{fld17->} %{fld18}", processor_chain([ dup86, dup12, dup13, @@ -7226,8 +6716,7 @@ match("MESSAGE#184:LiveUpdate:45", "nwparser.payload", "LiveUpdate encountered a var msg263 = msg("LiveUpdate:45", part320); -var part321 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest AP Portal List update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#185:LiveUpdate:46", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest AP Portal List update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part321 = match("MESSAGE#185:LiveUpdate:46", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest AP Portal List update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7237,8 +6726,7 @@ match("MESSAGE#185:LiveUpdate:46", "nwparser.payload", "Category: %{fld22},LiveU var msg264 = msg("LiveUpdate:46", part321); -var part322 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Centralized Reputation Settings update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#186:LiveUpdate:47", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Centralized Reputation Settings update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part322 = match("MESSAGE#186:LiveUpdate:47", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Centralized Reputation Settings update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7248,8 +6736,7 @@ match("MESSAGE#186:LiveUpdate:47", "nwparser.payload", "Category: %{fld22},LiveU var msg265 = msg("LiveUpdate:47", part322); -var part323 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Power Eraser Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#187:LiveUpdate:48", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Power Eraser Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part323 = match("MESSAGE#187:LiveUpdate:48", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Power Eraser Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7259,8 +6746,7 @@ match("MESSAGE#187:LiveUpdate:48", "nwparser.payload", "Category: %{fld22},LiveU var msg266 = msg("LiveUpdate:48", part323); -var part324 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Common Network Transport Library and Configuration update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#188:LiveUpdate:49", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Common Network Transport Library and Configuration update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part324 = match("MESSAGE#188:LiveUpdate:49", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Common Network Transport Library and Configuration update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7270,8 +6756,7 @@ match("MESSAGE#188:LiveUpdate:49", "nwparser.payload", "Category: %{fld22},LiveU var msg267 = msg("LiveUpdate:49", part324); -var part325 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Extended File Attributes and Signatures update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#189:LiveUpdate:50", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Extended File Attributes and Signatures update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part325 = match("MESSAGE#189:LiveUpdate:50", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Extended File Attributes and Signatures update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7334,8 +6819,7 @@ var select54 = linear_select([ msg268, ]); -var part326 = // "Pattern{Constant('Virus and Spyware Definitions were updated recently, so the scheduled LiveUpdate was skipped.'), Field(p0,false)}" -match("MESSAGE#179:LiveUpdate:40/0", "nwparser.payload", "Virus and Spyware Definitions were updated recently, so the scheduled LiveUpdate was skipped.%{p0}"); +var part326 = match("MESSAGE#179:LiveUpdate:40/0", "nwparser.payload", "Virus and Spyware Definitions were updated recently, so the scheduled LiveUpdate was skipped.%{p0}"); var select55 = linear_select([ dup191, @@ -7360,8 +6844,7 @@ var all102 = all_match({ var msg269 = msg("LiveUpdate:40", all102); -var part327 = // "Pattern{Constant('Virus Found..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Virus Name: '), Field(virusname,false), Constant('..Path: '), Field(filename,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#430:Virus", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Virus Name: %{virusname}..Path: %{filename}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part327 = match("MESSAGE#430:Virus", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Virus Name: %{virusname}..Path: %{filename}..Severity: %{severity}..Source: %{product}", processor_chain([ dup110, dup115, dup116, @@ -7374,8 +6857,7 @@ match("MESSAGE#430:Virus", "nwparser.payload", "Virus Found..Computer: %{shost}. var msg270 = msg("Virus", part327); -var part328 = // "Pattern{Constant('Virus Found..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#431:Virus:01", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part328 = match("MESSAGE#431:Virus:01", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Severity: %{severity}..Source: %{product}", processor_chain([ dup110, dup192, dup15, @@ -7384,19 +6866,16 @@ match("MESSAGE#431:Virus:01", "nwparser.payload", "Virus Found..Computer: %{shos var msg271 = msg("Virus:01", part328); -var part329 = // "Pattern{Constant('Virus Definition File Update..'), Field(fld4,false), Constant('..'), Field(fld5,false), Constant('..Update to computer '), Field(shost,true), Constant(' of virus definition file '), Field(fld6,true), Constant(' failed. Status '), Field(fld7,true), Constant(' ..'), Field(p0,false)}" -match("MESSAGE#432:Virus:02/0", "nwparser.payload", "Virus Definition File Update..%{fld4}..%{fld5}..Update to computer %{shost->} of virus definition file %{fld6->} failed. Status %{fld7->} ..%{p0}"); +var part329 = match("MESSAGE#432:Virus:02/0", "nwparser.payload", "Virus Definition File Update..%{fld4}..%{fld5}..Update to computer %{shost->} of virus definition file %{fld6->} failed. Status %{fld7->} ..%{p0}"); -var part330 = // "Pattern{Constant('. '), Field(p0,false)}" -match("MESSAGE#432:Virus:02/1_0", "nwparser.p0", ". %{p0}"); +var part330 = match("MESSAGE#432:Virus:02/1_0", "nwparser.p0", ". %{p0}"); var select56 = linear_select([ part330, dup194, ]); -var part331 = // "Pattern{Constant(''), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld8,false)}" -match("MESSAGE#432:Virus:02/2", "nwparser.p0", "%{severity}..%{product}..%{fld8}"); +var part331 = match("MESSAGE#432:Virus:02/2", "nwparser.p0", "%{severity}..%{product}..%{fld8}"); var all103 = all_match({ processors: [ @@ -7424,8 +6903,7 @@ var all103 = all_match({ var msg272 = msg("Virus:02", all103); -var part332 = // "Pattern{Constant('Virus Definition File Update..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false)}" -match("MESSAGE#433:Virus:03", "nwparser.payload", "Virus Definition File Update..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ +var part332 = match("MESSAGE#433:Virus:03", "nwparser.payload", "Virus Definition File Update..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ dup43, dup44, dup45, @@ -7438,8 +6916,7 @@ match("MESSAGE#433:Virus:03", "nwparser.payload", "Virus Definition File Update. var msg273 = msg("Virus:03", part332); -var part333 = // "Pattern{Constant('Virus Found..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('.....'), Field(info,false), Constant('..'), Field(action,false), Constant('....'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#434:Virus:09", "nwparser.payload", "Virus Found..%{shost}..%{fld5}..%{filename}.....%{info}..%{action}....%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ +var part333 = match("MESSAGE#434:Virus:09", "nwparser.payload", "Virus Found..%{shost}..%{fld5}..%{filename}.....%{info}..%{action}....%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ dup110, dup115, dup116, @@ -7452,8 +6929,7 @@ match("MESSAGE#434:Virus:09", "nwparser.payload", "Virus Found..%{shost}..%{fld5 var msg274 = msg("Virus:09", part333); -var part334 = // "Pattern{Constant('Virus Found..'), Field(fld12,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(action,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#435:Virus:04", "nwparser.payload", "Virus Found..%{fld12}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ +var part334 = match("MESSAGE#435:Virus:04", "nwparser.payload", "Virus Found..%{fld12}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ dup110, dup115, dup116, @@ -7466,8 +6942,7 @@ match("MESSAGE#435:Virus:04", "nwparser.payload", "Virus Found..%{fld12}..%{fld5 var msg275 = msg("Virus:04", part334); -var part335 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(',0,Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" -match("MESSAGE#436:Virus:12/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); +var part335 = match("MESSAGE#436:Virus:12/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); var all104 = all_match({ processors: [ @@ -7493,14 +6968,11 @@ var all104 = all_match({ var msg276 = msg("Virus:12", all104); -var part336 = // "Pattern{Constant('Virus found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#437:Virus:15/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); +var part336 = match("MESSAGE#437:Virus:15/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); -var part337 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#437:Virus:15/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var part337 = match("MESSAGE#437:Virus:15/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var part338 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(url,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(filename,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" -match("MESSAGE#437:Virus:15/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{url},Web domain: %{fld45},Downloaded by: %{filename},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); +var part338 = match("MESSAGE#437:Virus:15/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{url},Web domain: %{fld45},Downloaded by: %{filename},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); var all105 = all_match({ processors: [ @@ -7528,8 +7000,7 @@ var all105 = all_match({ var msg277 = msg("Virus:15", all105); -var part339 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(','), Field(p0,false)}" -match("MESSAGE#438:Virus:13/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},%{p0}"); +var part339 = match("MESSAGE#438:Virus:13/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},%{p0}"); var all106 = all_match({ processors: [ @@ -7558,8 +7029,7 @@ var all106 = all_match({ var msg278 = msg("Virus:13", all106); -var part340 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" -match("MESSAGE#439:Virus:10/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}"); +var part340 = match("MESSAGE#439:Virus:10/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}"); var all107 = all_match({ processors: [ @@ -7585,19 +7055,16 @@ var all107 = all_match({ var msg279 = msg("Virus:10", all107); -var part341 = // "Pattern{Constant('"'), Field(fld22,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#440:Virus:14/1_0", "nwparser.p0", "\"%{fld22}\",Actual action: %{p0}"); +var part341 = match("MESSAGE#440:Virus:14/1_0", "nwparser.p0", "\"%{fld22}\",Actual action: %{p0}"); -var part342 = // "Pattern{Field(fld22,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#440:Virus:14/1_1", "nwparser.p0", "%{fld22},Actual action: %{p0}"); +var part342 = match("MESSAGE#440:Virus:14/1_1", "nwparser.p0", "%{fld22},Actual action: %{p0}"); var select57 = linear_select([ part341, part342, ]); -var part343 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" -match("MESSAGE#440:Virus:14/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); +var part343 = match("MESSAGE#440:Virus:14/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); var all108 = all_match({ processors: [ @@ -7649,8 +7116,7 @@ var all109 = all_match({ var msg281 = msg("Virus:05", all109); -var part344 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',"Group: '), Field(group,false), Constant('",Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#442:Virus:11/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group}\",Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part344 = match("MESSAGE#442:Virus:11/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group}\",Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all110 = all_match({ processors: [ @@ -7677,22 +7143,18 @@ var all110 = all_match({ var msg282 = msg("Virus:11", all110); -var part345 = // "Pattern{Constant('Virus Found..Computer: '), Field(shost,false), Constant('..'), Field(p0,false)}" -match("MESSAGE#443:Virus:06/0", "nwparser.payload", "Virus Found..Computer: %{shost}..%{p0}"); +var part345 = match("MESSAGE#443:Virus:06/0", "nwparser.payload", "Virus Found..Computer: %{shost}..%{p0}"); -var part346 = // "Pattern{Constant('Date: '), Field(fld5,false), Constant('..File Path:'), Field(p0,false)}" -match("MESSAGE#443:Virus:06/1_0", "nwparser.p0", "Date: %{fld5}..File Path:%{p0}"); +var part346 = match("MESSAGE#443:Virus:06/1_0", "nwparser.p0", "Date: %{fld5}..File Path:%{p0}"); -var part347 = // "Pattern{Field(fld5,false), Constant('..File Path:'), Field(p0,false)}" -match("MESSAGE#443:Virus:06/1_1", "nwparser.p0", "%{fld5}..File Path:%{p0}"); +var part347 = match("MESSAGE#443:Virus:06/1_1", "nwparser.p0", "%{fld5}..File Path:%{p0}"); var select58 = linear_select([ part346, part347, ]); -var part348 = // "Pattern{Field(filename,false), Constant('..'), Field(info,false), Constant('..Requested Action:'), Field(action,false), Constant('..Severity:'), Field(severity,false), Constant('..Source:'), Field(product,false), Constant('..Time:'), Field(fld6,false), Constant('..User:'), Field(username,false)}" -match("MESSAGE#443:Virus:06/2", "nwparser.p0", "%{filename}..%{info}..Requested Action:%{action}..Severity:%{severity}..Source:%{product}..Time:%{fld6}..User:%{username}"); +var part348 = match("MESSAGE#443:Virus:06/2", "nwparser.p0", "%{filename}..%{info}..Requested Action:%{action}..Severity:%{severity}..Source:%{product}..Time:%{fld6}..User:%{username}"); var all111 = all_match({ processors: [ @@ -7713,8 +7175,7 @@ var all111 = all_match({ var msg283 = msg("Virus:06", all111); -var part349 = // "Pattern{Field(fld1,true), Constant(' Virus Found '), Field(shost,true), Constant(' '), Field(fld5,true), Constant(' '), Field(filename,true), Constant(' Forward from '), Field(info,true), Constant(' '), Field(action,true), Constant(' '), Field(severity,true), Constant(' '), Field(product,true), Constant(' Edition '), Field(version,true), Constant(' '), Field(virusname,false)}" -match("MESSAGE#444:Virus:07", "nwparser.payload", "%{fld1->} Virus Found %{shost->} %{fld5->} %{filename->} Forward from %{info->} %{action->} %{severity->} %{product->} Edition %{version->} %{virusname}", processor_chain([ +var part349 = match("MESSAGE#444:Virus:07", "nwparser.payload", "%{fld1->} Virus Found %{shost->} %{fld5->} %{filename->} Forward from %{info->} %{action->} %{severity->} %{product->} Edition %{version->} %{virusname}", processor_chain([ dup110, dup115, dup116, @@ -7727,8 +7188,7 @@ match("MESSAGE#444:Virus:07", "nwparser.payload", "%{fld1->} Virus Found %{shost var msg284 = msg("Virus:07", part349); -var part350 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,false)}" -match("MESSAGE#445:Virus:08", "nwparser.payload", "%{product->} definitions %{info}", processor_chain([ +var part350 = match("MESSAGE#445:Virus:08", "nwparser.payload", "%{product->} definitions %{info}", processor_chain([ dup43, dup12, dup13, @@ -7759,8 +7219,7 @@ var select59 = linear_select([ msg285, ]); -var part351 = // "Pattern{Field(shost,false), Constant(', Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#216:Local:01", "nwparser.payload", "%{shost}, Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part351 = match("MESSAGE#216:Local:01", "nwparser.payload", "%{shost}, Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup12, dup15, @@ -7769,8 +7228,7 @@ match("MESSAGE#216:Local:01", "nwparser.payload", "%{shost}, Local Port %{sport} var msg286 = msg("Local:01", part351); -var part352 = // "Pattern{Constant('Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#217:Local:02", "nwparser.payload", "Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part352 = match("MESSAGE#217:Local:02", "nwparser.payload", "Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup12, dup13, @@ -7785,22 +7243,18 @@ var select60 = linear_select([ msg287, ]); -var part353 = // "Pattern{Constant('Location has been '), Field(p0,false)}" -match("MESSAGE#218:Location/0", "nwparser.payload", "Location has been %{p0}"); +var part353 = match("MESSAGE#218:Location/0", "nwparser.payload", "Location has been %{p0}"); -var part354 = // "Pattern{Constant('changed '), Field(p0,false)}" -match("MESSAGE#218:Location/1_0", "nwparser.p0", "changed %{p0}"); +var part354 = match("MESSAGE#218:Location/1_0", "nwparser.p0", "changed %{p0}"); -var part355 = // "Pattern{Constant('switched'), Field(p0,false)}" -match("MESSAGE#218:Location/1_1", "nwparser.p0", "switched%{p0}"); +var part355 = match("MESSAGE#218:Location/1_1", "nwparser.p0", "switched%{p0}"); var select61 = linear_select([ part354, part355, ]); -var part356 = // "Pattern{Field(,false), Constant('to '), Field(p0,false)}" -match("MESSAGE#218:Location/2", "nwparser.p0", "%{}to %{p0}"); +var part356 = match("MESSAGE#218:Location/2", "nwparser.p0", "%{}to %{p0}"); var all112 = all_match({ processors: [ @@ -7825,8 +7279,7 @@ var all112 = all_match({ var msg288 = msg("Location", all112); -var part357 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#219:LUALL", "nwparser.payload", "event_description", processor_chain([ +var part357 = match_copy("MESSAGE#219:LUALL", "nwparser.payload", "event_description", processor_chain([ dup43, dup12, dup13, @@ -7835,8 +7288,7 @@ match_copy("MESSAGE#219:LUALL", "nwparser.payload", "event_description", process var msg289 = msg("LUALL", part357); -var part358 = // "Pattern{Constant('Management server started up successfully'), Field(,false)}" -match("MESSAGE#220:Management", "nwparser.payload", "Management server started up successfully%{}", processor_chain([ +var part358 = match("MESSAGE#220:Management", "nwparser.payload", "Management server started up successfully%{}", processor_chain([ dup43, dup12, dup13, @@ -7847,8 +7299,7 @@ match("MESSAGE#220:Management", "nwparser.payload", "Management server started u var msg290 = msg("Management", part358); -var part359 = // "Pattern{Constant('Management server shut down gracefully'), Field(,false)}" -match("MESSAGE#221:Management:01", "nwparser.payload", "Management server shut down gracefully%{}", processor_chain([ +var part359 = match("MESSAGE#221:Management:01", "nwparser.payload", "Management server shut down gracefully%{}", processor_chain([ dup43, dup12, dup13, @@ -7859,8 +7310,7 @@ match("MESSAGE#221:Management:01", "nwparser.payload", "Management server shut d var msg291 = msg("Management:01", part359); -var part360 = // "Pattern{Constant('Management Server has detected and ignored one or more duplicate entries.Please check the following entries in your directory server:'), Field(fld12,false)}" -match("MESSAGE#222:Management:02", "nwparser.payload", "Management Server has detected and ignored one or more duplicate entries.Please check the following entries in your directory server:%{fld12}", processor_chain([ +var part360 = match("MESSAGE#222:Management:02", "nwparser.payload", "Management Server has detected and ignored one or more duplicate entries.Please check the following entries in your directory server:%{fld12}", processor_chain([ dup43, dup12, dup13, @@ -7877,8 +7327,7 @@ var select62 = linear_select([ msg292, ]); -var part361 = // "Pattern{Constant('management server received the client log successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#223:management", "nwparser.payload", "management server received the client log successfully,%{shost},%{username},%{group}", processor_chain([ +var part361 = match("MESSAGE#223:management", "nwparser.payload", "management server received the client log successfully,%{shost},%{username},%{group}", processor_chain([ dup53, dup12, dup13, @@ -7889,8 +7338,7 @@ match("MESSAGE#223:management", "nwparser.payload", "management server received var msg293 = msg("management", part361); -var part362 = // "Pattern{Constant('management server received a report that the client computer changed its hardware identity,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#224:management:01", "nwparser.payload", "management server received a report that the client computer changed its hardware identity,%{shost},%{username},%{group}", processor_chain([ +var part362 = match("MESSAGE#224:management:01", "nwparser.payload", "management server received a report that the client computer changed its hardware identity,%{shost},%{username},%{group}", processor_chain([ dup53, dup12, dup13, @@ -7906,22 +7354,18 @@ var select63 = linear_select([ msg294, ]); -var part363 = // "Pattern{Constant('Network Threat Protection --'), Field(p0,false)}" -match("MESSAGE#225:Network/0", "nwparser.payload", "Network Threat Protection --%{p0}"); +var part363 = match("MESSAGE#225:Network/0", "nwparser.payload", "Network Threat Protection --%{p0}"); -var part364 = // "Pattern{Constant('-- Engine version'), Field(p0,false)}" -match("MESSAGE#225:Network/1_0", "nwparser.p0", "-- Engine version%{p0}"); +var part364 = match("MESSAGE#225:Network/1_0", "nwparser.p0", "-- Engine version%{p0}"); -var part365 = // "Pattern{Constant(' Engine version'), Field(p0,false)}" -match("MESSAGE#225:Network/1_1", "nwparser.p0", " Engine version%{p0}"); +var part365 = match("MESSAGE#225:Network/1_1", "nwparser.p0", " Engine version%{p0}"); var select64 = linear_select([ part364, part365, ]); -var part366 = // "Pattern{Field(,false), Constant(': '), Field(version,true), Constant(' Windows Version info: Operating System: '), Field(os,true), Constant(' Network info:'), Field(info,false)}" -match("MESSAGE#225:Network/2", "nwparser.p0", "%{}: %{version->} Windows Version info: Operating System: %{os->} Network info:%{info}"); +var part366 = match("MESSAGE#225:Network/2", "nwparser.p0", "%{}: %{version->} Windows Version info: Operating System: %{os->} Network info:%{info}"); var all113 = all_match({ processors: [ @@ -7941,8 +7385,7 @@ var all113 = all_match({ var msg295 = msg("Network", all113); -var part367 = // "Pattern{Constant('Network Threat Protection has been activated'), Field(,false)}" -match("MESSAGE#226:Network:01", "nwparser.payload", "Network Threat Protection has been activated%{}", processor_chain([ +var part367 = match("MESSAGE#226:Network:01", "nwparser.payload", "Network Threat Protection has been activated%{}", processor_chain([ dup213, dup12, dup13, @@ -7956,22 +7399,18 @@ match("MESSAGE#226:Network:01", "nwparser.payload", "Network Threat Protection h var msg296 = msg("Network:01", part367); -var part368 = // "Pattern{Constant('Network Threat Protection applied a new IPS '), Field(p0,false)}" -match("MESSAGE#227:Network:02/0", "nwparser.payload", "Network Threat Protection applied a new IPS %{p0}"); +var part368 = match("MESSAGE#227:Network:02/0", "nwparser.payload", "Network Threat Protection applied a new IPS %{p0}"); -var part369 = // "Pattern{Constant('Library'), Field(p0,false)}" -match("MESSAGE#227:Network:02/1_0", "nwparser.p0", "Library%{p0}"); +var part369 = match("MESSAGE#227:Network:02/1_0", "nwparser.p0", "Library%{p0}"); -var part370 = // "Pattern{Constant('library'), Field(p0,false)}" -match("MESSAGE#227:Network:02/1_1", "nwparser.p0", "library%{p0}"); +var part370 = match("MESSAGE#227:Network:02/1_1", "nwparser.p0", "library%{p0}"); var select65 = linear_select([ part369, part370, ]); -var part371 = // "Pattern{Field(,false), Constant('.')}" -match("MESSAGE#227:Network:02/2", "nwparser.p0", "%{}."); +var part371 = match("MESSAGE#227:Network:02/2", "nwparser.p0", "%{}."); var all114 = all_match({ processors: [ @@ -7991,8 +7430,7 @@ var all114 = all_match({ var msg297 = msg("Network:02", all114); -var part372 = // "Pattern{Constant('The Network Threat Protection already has the newest policy.'), Field(,false)}" -match("MESSAGE#228:Network:03", "nwparser.payload", "The Network Threat Protection already has the newest policy.%{}", processor_chain([ +var part372 = match("MESSAGE#228:Network:03", "nwparser.payload", "The Network Threat Protection already has the newest policy.%{}", processor_chain([ dup92, dup12, dup13, @@ -8003,8 +7441,7 @@ match("MESSAGE#228:Network:03", "nwparser.payload", "The Network Threat Protecti var msg298 = msg("Network:03", part372); -var part373 = // "Pattern{Constant('The Network Threat Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.'), Field(,false)}" -match("MESSAGE#229:Network:04", "nwparser.payload", "The Network Threat Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ +var part373 = match("MESSAGE#229:Network:04", "nwparser.payload", "The Network Threat Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ dup43, dup12, dup13, @@ -8015,8 +7452,7 @@ match("MESSAGE#229:Network:04", "nwparser.payload", "The Network Threat Protecti var msg299 = msg("Network:04", part373); -var part374 = // "Pattern{Constant('Network Threat Protection's firewall and Intrusion Prevention features are disabled'), Field(,false)}" -match("MESSAGE#230:Network:05", "nwparser.payload", "Network Threat Protection's firewall and Intrusion Prevention features are disabled%{}", processor_chain([ +var part374 = match("MESSAGE#230:Network:05", "nwparser.payload", "Network Threat Protection's firewall and Intrusion Prevention features are disabled%{}", processor_chain([ dup92, dup12, dup13, @@ -8027,8 +7463,7 @@ match("MESSAGE#230:Network:05", "nwparser.payload", "Network Threat Protection's var msg300 = msg("Network:05", part374); -var part375 = // "Pattern{Constant('The Network Threat Protection is unable to communicate with the Symantec Endpoint Protection Manager.'), Field(,false)}" -match("MESSAGE#231:Network:06", "nwparser.payload", "The Network Threat Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ +var part375 = match("MESSAGE#231:Network:06", "nwparser.payload", "The Network Threat Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ dup92, dup12, dup13, @@ -8039,8 +7474,7 @@ match("MESSAGE#231:Network:06", "nwparser.payload", "The Network Threat Protecti var msg301 = msg("Network:06", part375); -var part376 = // "Pattern{Constant('Network Audit Search Unagented Hosts Started'), Field(,false)}" -match("MESSAGE#232:Network:07", "nwparser.payload", "Network Audit Search Unagented Hosts Started%{}", processor_chain([ +var part376 = match("MESSAGE#232:Network:07", "nwparser.payload", "Network Audit Search Unagented Hosts Started%{}", processor_chain([ dup92, dup12, dup13, @@ -8051,8 +7485,7 @@ match("MESSAGE#232:Network:07", "nwparser.payload", "Network Audit Search Unagen var msg302 = msg("Network:07", part376); -var part377 = // "Pattern{Constant('Network Audit Search Unagented Hosts From NST Finished Abnormally'), Field(,false)}" -match("MESSAGE#233:Network:08", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Abnormally%{}", processor_chain([ +var part377 = match("MESSAGE#233:Network:08", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Abnormally%{}", processor_chain([ dup92, dup12, dup13, @@ -8063,8 +7496,7 @@ match("MESSAGE#233:Network:08", "nwparser.payload", "Network Audit Search Unagen var msg303 = msg("Network:08", part377); -var part378 = // "Pattern{Constant('Network Audit Search Unagented Hosts From NST Finished Normally'), Field(,false)}" -match("MESSAGE#234:Network:09", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Normally%{}", processor_chain([ +var part378 = match("MESSAGE#234:Network:09", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Normally%{}", processor_chain([ dup92, dup12, dup13, @@ -8075,8 +7507,7 @@ match("MESSAGE#234:Network:09", "nwparser.payload", "Network Audit Search Unagen var msg304 = msg("Network:09", part378); -var part379 = // "Pattern{Constant('Network Audit Client Remote Pushing Install Started'), Field(,false)}" -match("MESSAGE#235:Network:10", "nwparser.payload", "Network Audit Client Remote Pushing Install Started%{}", processor_chain([ +var part379 = match("MESSAGE#235:Network:10", "nwparser.payload", "Network Audit Client Remote Pushing Install Started%{}", processor_chain([ dup92, dup12, dup13, @@ -8087,8 +7518,7 @@ match("MESSAGE#235:Network:10", "nwparser.payload", "Network Audit Client Remote var msg305 = msg("Network:10", part379); -var part380 = // "Pattern{Constant('Network Audit Client Remote Pushing Install Finished Normally'), Field(,false)}" -match("MESSAGE#236:Network:11", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Normally%{}", processor_chain([ +var part380 = match("MESSAGE#236:Network:11", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Normally%{}", processor_chain([ dup92, dup12, dup13, @@ -8099,8 +7529,7 @@ match("MESSAGE#236:Network:11", "nwparser.payload", "Network Audit Client Remote var msg306 = msg("Network:11", part380); -var part381 = // "Pattern{Constant('Network Intrusion Prevention is malfunctioning, '), Field(result,false), Constant('"')}" -match("MESSAGE#237:Network:12", "nwparser.payload", "Network Intrusion Prevention is malfunctioning, %{result}\"", processor_chain([ +var part381 = match("MESSAGE#237:Network:12", "nwparser.payload", "Network Intrusion Prevention is malfunctioning, %{result}\"", processor_chain([ dup92, dup12, dup13, @@ -8112,8 +7541,7 @@ match("MESSAGE#237:Network:12", "nwparser.payload", "Network Intrusion Preventio var msg307 = msg("Network:12", part381); -var part382 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',Network Intrusion Protection Sys,Browser Intrusion Prevention is malfunctioning. Browser type: '), Field(obj_name,false), Constant('.Try to update the signatures Browser path: '), Field(filename,false)}" -match("MESSAGE#238:Network:13", "nwparser.payload", "Category: %{fld11},Network Intrusion Protection Sys,Browser Intrusion Prevention is malfunctioning. Browser type: %{obj_name}.Try to update the signatures Browser path: %{filename}", processor_chain([ +var part382 = match("MESSAGE#238:Network:13", "nwparser.payload", "Category: %{fld11},Network Intrusion Protection Sys,Browser Intrusion Prevention is malfunctioning. Browser type: %{obj_name}.Try to update the signatures Browser path: %{filename}", processor_chain([ dup92, dup12, dup13, @@ -8125,8 +7553,7 @@ match("MESSAGE#238:Network:13", "nwparser.payload", "Category: %{fld11},Network var msg308 = msg("Network:13", part382); -var part383 = // "Pattern{Constant('Network Intrusion Prevention and Browser Intrusion Prevention are malfunctioning because their content is not installed. The IPS content is going to be installed automatically'), Field(,false)}" -match("MESSAGE#241:Network:16", "nwparser.payload", "Network Intrusion Prevention and Browser Intrusion Prevention are malfunctioning because their content is not installed. The IPS content is going to be installed automatically%{}", processor_chain([ +var part383 = match("MESSAGE#241:Network:16", "nwparser.payload", "Network Intrusion Prevention and Browser Intrusion Prevention are malfunctioning because their content is not installed. The IPS content is going to be installed automatically%{}", processor_chain([ dup92, dup12, dup13, @@ -8138,8 +7565,7 @@ match("MESSAGE#241:Network:16", "nwparser.payload", "Network Intrusion Preventio var msg309 = msg("Network:16", part383); -var part384 = // "Pattern{Constant('Network Intrusion Prevention is malfunctioning'), Field(,false)}" -match("MESSAGE#242:Network:17", "nwparser.payload", "Network Intrusion Prevention is malfunctioning%{}", processor_chain([ +var part384 = match("MESSAGE#242:Network:17", "nwparser.payload", "Network Intrusion Prevention is malfunctioning%{}", processor_chain([ dup92, dup12, dup13, @@ -8151,8 +7577,7 @@ match("MESSAGE#242:Network:17", "nwparser.payload", "Network Intrusion Preventio var msg310 = msg("Network:17", part384); -var part385 = // "Pattern{Constant('Network Intrusion Prevention is not protecting machine because its driver was unloaded'), Field(,false)}" -match("MESSAGE#243:Network:18", "nwparser.payload", "Network Intrusion Prevention is not protecting machine because its driver was unloaded%{}", processor_chain([ +var part385 = match("MESSAGE#243:Network:18", "nwparser.payload", "Network Intrusion Prevention is not protecting machine because its driver was unloaded%{}", processor_chain([ dup92, dup12, dup13, @@ -8163,8 +7588,7 @@ match("MESSAGE#243:Network:18", "nwparser.payload", "Network Intrusion Preventio var msg311 = msg("Network:18", part385); -var part386 = // "Pattern{Constant('Network Threat Protection's firewall is disabled by policy'), Field(,false)}" -match("MESSAGE#244:Network:19", "nwparser.payload", "Network Threat Protection's firewall is disabled by policy%{}", processor_chain([ +var part386 = match("MESSAGE#244:Network:19", "nwparser.payload", "Network Threat Protection's firewall is disabled by policy%{}", processor_chain([ dup92, dup12, dup13, @@ -8175,8 +7599,7 @@ match("MESSAGE#244:Network:19", "nwparser.payload", "Network Threat Protection's var msg312 = msg("Network:19", part386); -var part387 = // "Pattern{Field(service,true), Constant(' has been restored and '), Field(result,false)}" -match("MESSAGE#246:Network:21", "nwparser.payload", "%{service->} has been restored and %{result}", processor_chain([ +var part387 = match("MESSAGE#246:Network:21", "nwparser.payload", "%{service->} has been restored and %{result}", processor_chain([ dup92, dup12, dup13, @@ -8187,8 +7610,7 @@ match("MESSAGE#246:Network:21", "nwparser.payload", "%{service->} has been resto var msg313 = msg("Network:21", part387); -var part388 = // "Pattern{Field(service,true), Constant(' is not protecting machine because its driver was disabled,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#247:Network:33", "nwparser.payload", "%{service->} is not protecting machine because its driver was disabled,Event time: %{event_time_string}", processor_chain([ +var part388 = match("MESSAGE#247:Network:33", "nwparser.payload", "%{service->} is not protecting machine because its driver was disabled,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -8198,8 +7620,7 @@ match("MESSAGE#247:Network:33", "nwparser.payload", "%{service->} is not protect var msg314 = msg("Network:33", part388); -var part389 = // "Pattern{Constant('Network Threat Protection's firewall is enabled'), Field(p0,false)}" -match("MESSAGE#251:Network:25/0", "nwparser.payload", "Network Threat Protection's firewall is enabled%{p0}"); +var part389 = match("MESSAGE#251:Network:25/0", "nwparser.payload", "Network Threat Protection's firewall is enabled%{p0}"); var all115 = all_match({ processors: [ @@ -8219,8 +7640,7 @@ var all115 = all_match({ var msg315 = msg("Network:25", all115); -var part390 = // "Pattern{Constant('Network Intrusion Prevention disabled'), Field(p0,false)}" -match("MESSAGE#253:Network:27/0", "nwparser.payload", "Network Intrusion Prevention disabled%{p0}"); +var part390 = match("MESSAGE#253:Network:27/0", "nwparser.payload", "Network Intrusion Prevention disabled%{p0}"); var all116 = all_match({ processors: [ @@ -8239,8 +7659,7 @@ var all116 = all_match({ var msg316 = msg("Network:27", all116); -var part391 = // "Pattern{Constant('Network Intrusion Prevention enabled'), Field(p0,false)}" -match("MESSAGE#254:Network:28/0", "nwparser.payload", "Network Intrusion Prevention enabled%{p0}"); +var part391 = match("MESSAGE#254:Network:28/0", "nwparser.payload", "Network Intrusion Prevention enabled%{p0}"); var all117 = all_match({ processors: [ @@ -8260,8 +7679,7 @@ var all117 = all_match({ var msg317 = msg("Network:28", all117); -var part392 = // "Pattern{Constant('Network Audit Client Remote Pushing Install Finished Abnormally in Pusing Stage'), Field(,false)}" -match("MESSAGE#257:Network:30", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Abnormally in Pusing Stage%{}", processor_chain([ +var part392 = match("MESSAGE#257:Network:30", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Abnormally in Pusing Stage%{}", processor_chain([ dup92, dup12, dup13, @@ -8299,8 +7717,7 @@ var select66 = linear_select([ msg318, ]); -var part393 = // "Pattern{Constant('Firefox Browser Intrusion Prevention is malfunctioning'), Field(,false)}" -match("MESSAGE#239:Network:14", "nwparser.payload", "Firefox Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ +var part393 = match("MESSAGE#239:Network:14", "nwparser.payload", "Firefox Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ dup92, dup12, dup13, @@ -8312,8 +7729,7 @@ match("MESSAGE#239:Network:14", "nwparser.payload", "Firefox Browser Intrusion P var msg319 = msg("Network:14", part393); -var part394 = // "Pattern{Constant('Firefox Browser Intrusion Prevention disabled'), Field(p0,false)}" -match("MESSAGE#245:Network:20/0", "nwparser.payload", "Firefox Browser Intrusion Prevention disabled%{p0}"); +var part394 = match("MESSAGE#245:Network:20/0", "nwparser.payload", "Firefox Browser Intrusion Prevention disabled%{p0}"); var all118 = all_match({ processors: [ @@ -8332,8 +7748,7 @@ var all118 = all_match({ var msg320 = msg("Network:20", all118); -var part395 = // "Pattern{Constant('Firefox Browser Intrusion Prevention enabled'), Field(p0,false)}" -match("MESSAGE#252:Network:26/0", "nwparser.payload", "Firefox Browser Intrusion Prevention enabled%{p0}"); +var part395 = match("MESSAGE#252:Network:26/0", "nwparser.payload", "Firefox Browser Intrusion Prevention enabled%{p0}"); var all119 = all_match({ processors: [ @@ -8359,8 +7774,7 @@ var select67 = linear_select([ msg321, ]); -var part396 = // "Pattern{Constant('Internet Explorer Browser Intrusion Prevention is malfunctioning'), Field(,false)}" -match("MESSAGE#240:Network:15", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ +var part396 = match("MESSAGE#240:Network:15", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ dup92, dup12, dup13, @@ -8372,8 +7786,7 @@ match("MESSAGE#240:Network:15", "nwparser.payload", "Internet Explorer Browser I var msg322 = msg("Network:15", part396); -var part397 = // "Pattern{Constant('Internet Explorer Browser Intrusion Prevention enabled'), Field(p0,false)}" -match("MESSAGE#248:Network:22/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention enabled%{p0}"); +var part397 = match("MESSAGE#248:Network:22/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention enabled%{p0}"); var all120 = all_match({ processors: [ @@ -8393,8 +7806,7 @@ var all120 = all_match({ var msg323 = msg("Network:22", all120); -var part398 = // "Pattern{Constant('Internet Explorer Browser Intrusion Prevention disabled'), Field(p0,false)}" -match("MESSAGE#249:Network:23/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention disabled%{p0}"); +var part398 = match("MESSAGE#249:Network:23/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention disabled%{p0}"); var all121 = all_match({ processors: [ @@ -8419,17 +7831,13 @@ var select68 = linear_select([ msg324, ]); -var part399 = // "Pattern{Constant('Generic Exploit Mitigation '), Field(p0,false)}" -match("MESSAGE#255:Network:29/0", "nwparser.payload", "Generic Exploit Mitigation %{p0}"); +var part399 = match("MESSAGE#255:Network:29/0", "nwparser.payload", "Generic Exploit Mitigation %{p0}"); -var part400 = // "Pattern{Constant('enabled'), Field(p0,false)}" -match("MESSAGE#255:Network:29/1_0", "nwparser.p0", "enabled%{p0}"); +var part400 = match("MESSAGE#255:Network:29/1_0", "nwparser.p0", "enabled%{p0}"); -var part401 = // "Pattern{Constant('disabled'), Field(p0,false)}" -match("MESSAGE#255:Network:29/1_1", "nwparser.p0", "disabled%{p0}"); +var part401 = match("MESSAGE#255:Network:29/1_1", "nwparser.p0", "disabled%{p0}"); -var part402 = // "Pattern{Constant('is malfunctioning'), Field(p0,false)}" -match("MESSAGE#255:Network:29/1_2", "nwparser.p0", "is malfunctioning%{p0}"); +var part402 = match("MESSAGE#255:Network:29/1_2", "nwparser.p0", "is malfunctioning%{p0}"); var select69 = linear_select([ part400, @@ -8437,8 +7845,7 @@ var select69 = linear_select([ part402, ]); -var part403 = // "Pattern{Constant(',Event time: '), Field(event_time_string,false)}" -match("MESSAGE#255:Network:29/2", "nwparser.p0", ",Event time: %{event_time_string}"); +var part403 = match("MESSAGE#255:Network:29/2", "nwparser.p0", ",Event time: %{event_time_string}"); var all122 = all_match({ processors: [ @@ -8458,8 +7865,7 @@ var all122 = all_match({ var msg325 = msg("Network:29", all122); -var part404 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Generic Exploit Mitigation Syste,Already running process (PID:'), Field(process_id,false), Constant(') ''), Field(process,false), Constant('' is affected by a change to the application rules.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#256:Network:31", "nwparser.payload", "Category: %{fld22},Generic Exploit Mitigation Syste,Already running process (PID:%{process_id}) '%{process}' is affected by a change to the application rules.,Event time: %{event_time_string}", processor_chain([ +var part404 = match("MESSAGE#256:Network:31", "nwparser.payload", "Category: %{fld22},Generic Exploit Mitigation Syste,Already running process (PID:%{process_id}) '%{process}' is affected by a change to the application rules.,Event time: %{event_time_string}", processor_chain([ dup92, dup12, dup13, @@ -8475,8 +7881,7 @@ var select70 = linear_select([ msg326, ]); -var part405 = // "Pattern{Field(event_description,false), Constant(',Event time: '), Field(event_time_string,false)}" -match("MESSAGE#258:Network:32", "nwparser.payload", "%{event_description},Event time: %{event_time_string}", processor_chain([ +var part405 = match("MESSAGE#258:Network:32", "nwparser.payload", "%{event_description},Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -8486,14 +7891,11 @@ match("MESSAGE#258:Network:32", "nwparser.payload", "%{event_description},Event var msg327 = msg("Network:32", part405); -var part406 = // "Pattern{Constant('New virus definition file loaded. Version: '), Field(p0,false)}" -match("MESSAGE#259:New/0", "nwparser.payload", "New virus definition file loaded. Version: %{p0}"); +var part406 = match("MESSAGE#259:New/0", "nwparser.payload", "New virus definition file loaded. Version: %{p0}"); -var part407 = // "Pattern{Field(version,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#259:New/1_0", "nwparser.p0", "%{version},Event time:%{fld17->} %{fld18}"); +var part407 = match("MESSAGE#259:New/1_0", "nwparser.p0", "%{version},Event time:%{fld17->} %{fld18}"); -var part408 = // "Pattern{Field(version,false)}" -match_copy("MESSAGE#259:New/1_1", "nwparser.p0", "version"); +var part408 = match_copy("MESSAGE#259:New/1_1", "nwparser.p0", "version"); var select71 = linear_select([ part407, @@ -8522,8 +7924,7 @@ var all123 = all_match({ var msg328 = msg("New", all123); -var part409 = // "Pattern{Constant('New Value ''), Field(change_attribute,false), Constant('' = ''), Field(change_new,false), Constant('''), Field(p0,false)}" -match("MESSAGE#260:New:01/0", "nwparser.payload", "New Value '%{change_attribute}' = '%{change_new}'%{p0}"); +var part409 = match("MESSAGE#260:New:01/0", "nwparser.payload", "New Value '%{change_attribute}' = '%{change_new}'%{p0}"); var all124 = all_match({ processors: [ @@ -8547,8 +7948,7 @@ var all124 = all_match({ var msg329 = msg("New:01", all124); -var part410 = // "Pattern{Constant('New AgentGUID = '), Field(fld22,false)}" -match("MESSAGE#261:New:02", "nwparser.payload", "New AgentGUID = %{fld22}", processor_chain([ +var part410 = match("MESSAGE#261:New:02", "nwparser.payload", "New AgentGUID = %{fld22}", processor_chain([ dup43, dup12, dup13, @@ -8560,8 +7960,7 @@ match("MESSAGE#261:New:02", "nwparser.payload", "New AgentGUID = %{fld22}", proc var msg330 = msg("New:02", part410); -var part411 = // "Pattern{Constant('New policy has been imported.'), Field(,false)}" -match("MESSAGE#262:New:03", "nwparser.payload", "New policy has been imported.%{}", processor_chain([ +var part411 = match("MESSAGE#262:New:03", "nwparser.payload", "New policy has been imported.%{}", processor_chain([ dup43, dup12, dup13, @@ -8573,11 +7972,9 @@ match("MESSAGE#262:New:03", "nwparser.payload", "New policy has been imported.%{ var msg331 = msg("New:03", part411); -var part412 = // "Pattern{Constant('New content update failed to download from the management server. Remote file path: '), Field(p0,false)}" -match("MESSAGE#263:New:04/0", "nwparser.payload", "New content update failed to download from the management server. Remote file path: %{p0}"); +var part412 = match("MESSAGE#263:New:04/0", "nwparser.payload", "New content update failed to download from the management server. Remote file path: %{p0}"); -var part413 = // "Pattern{Field(url,false), Constant(',Event time: '), Field(event_time_string,false)}" -match("MESSAGE#263:New:04/1_0", "nwparser.p0", "%{url},Event time: %{event_time_string}"); +var part413 = match("MESSAGE#263:New:04/1_0", "nwparser.p0", "%{url},Event time: %{event_time_string}"); var select72 = linear_select([ part413, @@ -8602,8 +7999,7 @@ var all125 = all_match({ var msg332 = msg("New:04", all125); -var part414 = // "Pattern{Constant('New content update failed to download from Group Update Provider. Remote file path: '), Field(url,false)}" -match("MESSAGE#264:New:05", "nwparser.payload", "New content update failed to download from Group Update Provider. Remote file path: %{url}", processor_chain([ +var part414 = match("MESSAGE#264:New:05", "nwparser.payload", "New content update failed to download from Group Update Provider. Remote file path: %{url}", processor_chain([ dup43, dup12, dup13, @@ -8624,8 +8020,7 @@ var select73 = linear_select([ msg333, ]); -var part415 = // "Pattern{Constant('No '), Field(virusname,true), Constant(' virus found events got swept.')}" -match("MESSAGE#265:No", "nwparser.payload", "No %{virusname->} virus found events got swept.", processor_chain([ +var part415 = match("MESSAGE#265:No", "nwparser.payload", "No %{virusname->} virus found events got swept.", processor_chain([ dup43, dup12, dup13, @@ -8637,8 +8032,7 @@ match("MESSAGE#265:No", "nwparser.payload", "No %{virusname->} virus found event var msg334 = msg("No", part415); -var part416 = // "Pattern{Constant('No clients got swept.'), Field(,false)}" -match("MESSAGE#266:No:01", "nwparser.payload", "No clients got swept.%{}", processor_chain([ +var part416 = match("MESSAGE#266:No:01", "nwparser.payload", "No clients got swept.%{}", processor_chain([ dup43, dup15, setc("event_description","No clients got swept."), @@ -8646,8 +8040,7 @@ match("MESSAGE#266:No:01", "nwparser.payload", "No clients got swept.%{}", proce var msg335 = msg("No:01", part416); -var part417 = // "Pattern{Constant('No objects got swept.'), Field(,false)}" -match("MESSAGE#267:No:02", "nwparser.payload", "No objects got swept.%{}", processor_chain([ +var part417 = match("MESSAGE#267:No:02", "nwparser.payload", "No objects got swept.%{}", processor_chain([ dup43, dup15, dup218, @@ -8655,8 +8048,7 @@ match("MESSAGE#267:No:02", "nwparser.payload", "No objects got swept.%{}", proce var msg336 = msg("No:02", part417); -var part418 = // "Pattern{Constant('No clients got swept [Domain: '), Field(sdomain,false), Constant('].')}" -match("MESSAGE#268:No:06", "nwparser.payload", "No clients got swept [Domain: %{sdomain}].", processor_chain([ +var part418 = match("MESSAGE#268:No:06", "nwparser.payload", "No clients got swept [Domain: %{sdomain}].", processor_chain([ dup43, dup12, dup13, @@ -8666,8 +8058,7 @@ match("MESSAGE#268:No:06", "nwparser.payload", "No clients got swept [Domain: %{ var msg337 = msg("No:06", part418); -var part419 = // "Pattern{Constant('No old risk events got swept.'), Field(,false)}" -match("MESSAGE#269:No:03", "nwparser.payload", "No old risk events got swept.%{}", processor_chain([ +var part419 = match("MESSAGE#269:No:03", "nwparser.payload", "No old risk events got swept.%{}", processor_chain([ dup43, dup15, setc("event_description","No old risk events got swept."), @@ -8675,8 +8066,7 @@ match("MESSAGE#269:No:03", "nwparser.payload", "No old risk events got swept.%{} var msg338 = msg("No:03", part419); -var part420 = // "Pattern{Constant('No physical files got swept.'), Field(,false)}" -match("MESSAGE#270:No:04", "nwparser.payload", "No physical files got swept.%{}", processor_chain([ +var part420 = match("MESSAGE#270:No:04", "nwparser.payload", "No physical files got swept.%{}", processor_chain([ dup43, dup15, setc("event_description","No physical files got swept."), @@ -8684,8 +8074,7 @@ match("MESSAGE#270:No:04", "nwparser.payload", "No physical files got swept.%{}" var msg339 = msg("No:04", part420); -var part421 = // "Pattern{Constant('No risk events from deleted clients got swept.'), Field(,false)}" -match("MESSAGE#271:No:05", "nwparser.payload", "No risk events from deleted clients got swept.%{}", processor_chain([ +var part421 = match("MESSAGE#271:No:05", "nwparser.payload", "No risk events from deleted clients got swept.%{}", processor_chain([ dup43, dup15, setc("event_description","No risk events from deleted clients got swept."), @@ -8693,8 +8082,7 @@ match("MESSAGE#271:No:05", "nwparser.payload", "No risk events from deleted clie var msg340 = msg("No:05", part421); -var part422 = // "Pattern{Constant('No updates found for '), Field(application,false), Constant('.')}" -match("MESSAGE#272:No:07", "nwparser.payload", "No updates found for %{application}.", processor_chain([ +var part422 = match("MESSAGE#272:No:07", "nwparser.payload", "No updates found for %{application}.", processor_chain([ dup43, dup12, dup13, @@ -8715,8 +8103,7 @@ var select74 = linear_select([ msg341, ]); -var part423 = // "Pattern{Constant('Organization Unit or Container importing finished successfully'), Field(,false)}" -match("MESSAGE#273:Organization:03", "nwparser.payload", "Organization Unit or Container importing finished successfully%{}", processor_chain([ +var part423 = match("MESSAGE#273:Organization:03", "nwparser.payload", "Organization Unit or Container importing finished successfully%{}", processor_chain([ dup53, dup12, dup13, @@ -8727,8 +8114,7 @@ match("MESSAGE#273:Organization:03", "nwparser.payload", "Organization Unit or C var msg342 = msg("Organization:03", part423); -var part424 = // "Pattern{Constant('Organization Unit or Container importing started'), Field(,false)}" -match("MESSAGE#274:Organization:02", "nwparser.payload", "Organization Unit or Container importing started%{}", processor_chain([ +var part424 = match("MESSAGE#274:Organization:02", "nwparser.payload", "Organization Unit or Container importing started%{}", processor_chain([ dup53, dup12, dup13, @@ -8739,8 +8125,7 @@ match("MESSAGE#274:Organization:02", "nwparser.payload", "Organization Unit or C var msg343 = msg("Organization:02", part424); -var part425 = // "Pattern{Constant('Organization importing finished successfully'), Field(,false)}" -match("MESSAGE#275:Organization:01", "nwparser.payload", "Organization importing finished successfully%{}", processor_chain([ +var part425 = match("MESSAGE#275:Organization:01", "nwparser.payload", "Organization importing finished successfully%{}", processor_chain([ dup53, dup12, dup13, @@ -8751,8 +8136,7 @@ match("MESSAGE#275:Organization:01", "nwparser.payload", "Organization importing var msg344 = msg("Organization:01", part425); -var part426 = // "Pattern{Constant('Organization importing started'), Field(,false)}" -match("MESSAGE#276:Organization", "nwparser.payload", "Organization importing started%{}", processor_chain([ +var part426 = match("MESSAGE#276:Organization", "nwparser.payload", "Organization importing started%{}", processor_chain([ dup53, dup12, dup13, @@ -8770,8 +8154,7 @@ var select75 = linear_select([ msg345, ]); -var part427 = // "Pattern{Constant('Number of '), Field(virusname,true), Constant(' virus found events swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#277:Number:01", "nwparser.payload", "Number of %{virusname->} virus found events swept: %{dclass_counter1}", processor_chain([ +var part427 = match("MESSAGE#277:Number:01", "nwparser.payload", "Number of %{virusname->} virus found events swept: %{dclass_counter1}", processor_chain([ dup43, dup152, dup15, @@ -8781,8 +8164,7 @@ match("MESSAGE#277:Number:01", "nwparser.payload", "Number of %{virusname->} vir var msg346 = msg("Number:01", part427); -var part428 = // "Pattern{Constant('Number of virus definition records swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#278:Number", "nwparser.payload", "Number of virus definition records swept: %{dclass_counter1}", processor_chain([ +var part428 = match("MESSAGE#278:Number", "nwparser.payload", "Number of virus definition records swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8794,8 +8176,7 @@ match("MESSAGE#278:Number", "nwparser.payload", "Number of virus definition reco var msg347 = msg("Number", part428); -var part429 = // "Pattern{Constant('Number of scan events swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#279:Number:02", "nwparser.payload", "Number of scan events swept: %{dclass_counter1}", processor_chain([ +var part429 = match("MESSAGE#279:Number:02", "nwparser.payload", "Number of scan events swept: %{dclass_counter1}", processor_chain([ dup43, dup15, setc("event_description","Number of scan events swept."), @@ -8804,8 +8185,7 @@ match("MESSAGE#279:Number:02", "nwparser.payload", "Number of scan events swept: var msg348 = msg("Number:02", part429); -var part430 = // "Pattern{Constant('Number of clients swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#280:Number:04", "nwparser.payload", "Number of clients swept: %{dclass_counter1}", processor_chain([ +var part430 = match("MESSAGE#280:Number:04", "nwparser.payload", "Number of clients swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8816,8 +8196,7 @@ match("MESSAGE#280:Number:04", "nwparser.payload", "Number of clients swept: %{d var msg349 = msg("Number:04", part430); -var part431 = // "Pattern{Constant('Number of old risk events swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#281:Number:05", "nwparser.payload", "Number of old risk events swept: %{dclass_counter1}", processor_chain([ +var part431 = match("MESSAGE#281:Number:05", "nwparser.payload", "Number of old risk events swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8828,8 +8207,7 @@ match("MESSAGE#281:Number:05", "nwparser.payload", "Number of old risk events sw var msg350 = msg("Number:05", part431); -var part432 = // "Pattern{Constant('Number of unacknowledged notifications swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#282:Number:06", "nwparser.payload", "Number of unacknowledged notifications swept: %{dclass_counter1}", processor_chain([ +var part432 = match("MESSAGE#282:Number:06", "nwparser.payload", "Number of unacknowledged notifications swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8840,8 +8218,7 @@ match("MESSAGE#282:Number:06", "nwparser.payload", "Number of unacknowledged not var msg351 = msg("Number:06", part432); -var part433 = // "Pattern{Constant('Number of objects swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#283:Number:07", "nwparser.payload", "Number of objects swept: %{dclass_counter1}", processor_chain([ +var part433 = match("MESSAGE#283:Number:07", "nwparser.payload", "Number of objects swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8852,8 +8229,7 @@ match("MESSAGE#283:Number:07", "nwparser.payload", "Number of objects swept: %{d var msg352 = msg("Number:07", part433); -var part434 = // "Pattern{Constant('Number of risk events from deleted clients swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#284:Number:08", "nwparser.payload", "Number of risk events from deleted clients swept: %{dclass_counter1}", processor_chain([ +var part434 = match("MESSAGE#284:Number:08", "nwparser.payload", "Number of risk events from deleted clients swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8864,8 +8240,7 @@ match("MESSAGE#284:Number:08", "nwparser.payload", "Number of risk events from d var msg353 = msg("Number:08", part434); -var part435 = // "Pattern{Constant('Number of old risk events compressed: '), Field(dclass_counter1,false)}" -match("MESSAGE#285:Number:09", "nwparser.payload", "Number of old risk events compressed: %{dclass_counter1}", processor_chain([ +var part435 = match("MESSAGE#285:Number:09", "nwparser.payload", "Number of old risk events compressed: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8876,8 +8251,7 @@ match("MESSAGE#285:Number:09", "nwparser.payload", "Number of old risk events co var msg354 = msg("Number:09", part435); -var part436 = // "Pattern{Constant('Number of compressed risk events swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#286:Number:10", "nwparser.payload", "Number of compressed risk events swept: %{dclass_counter1}", processor_chain([ +var part436 = match("MESSAGE#286:Number:10", "nwparser.payload", "Number of compressed risk events swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8888,14 +8262,11 @@ match("MESSAGE#286:Number:10", "nwparser.payload", "Number of compressed risk ev var msg355 = msg("Number:10", part436); -var part437 = // "Pattern{Constant('Number of '), Field(info,true), Constant(' in the policy: '), Field(p0,false)}" -match("MESSAGE#287:Number:11/0", "nwparser.payload", "Number of %{info->} in the policy: %{p0}"); +var part437 = match("MESSAGE#287:Number:11/0", "nwparser.payload", "Number of %{info->} in the policy: %{p0}"); -var part438 = // "Pattern{Field(dclass_counter1,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#287:Number:11/1_0", "nwparser.p0", "%{dclass_counter1},Event time:%{fld17->} %{fld18}"); +var part438 = match("MESSAGE#287:Number:11/1_0", "nwparser.p0", "%{dclass_counter1},Event time:%{fld17->} %{fld18}"); -var part439 = // "Pattern{Field(dclass_counter1,false)}" -match_copy("MESSAGE#287:Number:11/1_1", "nwparser.p0", "dclass_counter1"); +var part439 = match_copy("MESSAGE#287:Number:11/1_1", "nwparser.p0", "dclass_counter1"); var select76 = linear_select([ part438, @@ -8920,8 +8291,7 @@ var all126 = all_match({ var msg356 = msg("Number:11", all126); -var part440 = // "Pattern{Constant('Number of physical files swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#288:Number:12", "nwparser.payload", "Number of physical files swept: %{dclass_counter1}", processor_chain([ +var part440 = match("MESSAGE#288:Number:12", "nwparser.payload", "Number of physical files swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8932,8 +8302,7 @@ match("MESSAGE#288:Number:12", "nwparser.payload", "Number of physical files swe var msg357 = msg("Number:12", part440); -var part441 = // "Pattern{Constant('Number of '), Field(fld1,true), Constant(' swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#289:Number:13", "nwparser.payload", "Number of %{fld1->} swept: %{dclass_counter1}", processor_chain([ +var part441 = match("MESSAGE#289:Number:13", "nwparser.payload", "Number of %{fld1->} swept: %{dclass_counter1}", processor_chain([ dup43, dup15, dup12, @@ -8978,8 +8347,7 @@ var select77 = linear_select([ msg358, ]); -var part442 = // "Pattern{Constant('Policy has been added,'), Field(info,false)}" -match("MESSAGE#292:Policy:added", "nwparser.payload", "Policy has been added,%{info}", processor_chain([ +var part442 = match("MESSAGE#292:Policy:added", "nwparser.payload", "Policy has been added,%{info}", processor_chain([ dup95, dup12, dup13, @@ -8994,8 +8362,7 @@ match("MESSAGE#292:Policy:added", "nwparser.payload", "Policy has been added,%{i var msg359 = msg("Policy:added", part442); -var part443 = // "Pattern{Constant('Policy has been added:'), Field(info,false)}" -match("MESSAGE#293:Policy:added_01", "nwparser.payload", "Policy has been added:%{info}", processor_chain([ +var part443 = match("MESSAGE#293:Policy:added_01", "nwparser.payload", "Policy has been added:%{info}", processor_chain([ dup95, dup12, dup13, @@ -9010,8 +8377,7 @@ match("MESSAGE#293:Policy:added_01", "nwparser.payload", "Policy has been added: var msg360 = msg("Policy:added_01", part443); -var part444 = // "Pattern{Constant('Policy has been edited,'), Field(info,false)}" -match("MESSAGE#294:Policy:edited", "nwparser.payload", "Policy has been edited,%{info}", processor_chain([ +var part444 = match("MESSAGE#294:Policy:edited", "nwparser.payload", "Policy has been edited,%{info}", processor_chain([ dup136, dup12, dup13, @@ -9026,8 +8392,7 @@ match("MESSAGE#294:Policy:edited", "nwparser.payload", "Policy has been edited,% var msg361 = msg("Policy:edited", part444); -var part445 = // "Pattern{Constant('Policy has been edited:'), Field(info,false), Constant(','), Field(fld1,false)}" -match("MESSAGE#295:Policy:edited_01", "nwparser.payload", "Policy has been edited:%{info},%{fld1}", processor_chain([ +var part445 = match("MESSAGE#295:Policy:edited_01", "nwparser.payload", "Policy has been edited:%{info},%{fld1}", processor_chain([ dup136, dup12, dup13, @@ -9042,8 +8407,7 @@ match("MESSAGE#295:Policy:edited_01", "nwparser.payload", "Policy has been edite var msg362 = msg("Policy:edited_01", part445); -var part446 = // "Pattern{Constant('Policy has been deleted'), Field(p0,false)}" -match("MESSAGE#296:Policy:deleted/0", "nwparser.payload", "Policy has been deleted%{p0}"); +var part446 = match("MESSAGE#296:Policy:deleted/0", "nwparser.payload", "Policy has been deleted%{p0}"); var select78 = linear_select([ dup226, @@ -9080,8 +8444,7 @@ var select79 = linear_select([ msg363, ]); -var part447 = // "Pattern{Constant('Potential risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld1,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld53,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld100,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(vendor_event_cat,false), Constant(',Location:'), Field(fld55,false)}" -match("MESSAGE#297:Potential:03", "nwparser.payload", "Potential risk found,IP Address: %{saddr},Computer name: %{shost},Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld53},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld100},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{vendor_event_cat},Location:%{fld55}", processor_chain([ +var part447 = match("MESSAGE#297:Potential:03", "nwparser.payload", "Potential risk found,IP Address: %{saddr},Computer name: %{shost},Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld53},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld100},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{vendor_event_cat},Location:%{fld55}", processor_chain([ dup110, dup12, dup152, @@ -9096,11 +8459,9 @@ match("MESSAGE#297:Potential:03", "nwparser.payload", "Potential risk found,IP A var msg364 = msg("Potential:03", part447); -var part448 = // "Pattern{Field(severity,false), Constant(',First Seen:'), Field(fld55,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(',Detection Submissions No,Permitted application reason: '), Field(fld42,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#298:Potential:02/2", "nwparser.p0", "%{severity},First Seen:%{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); +var part448 = match("MESSAGE#298:Potential:02/2", "nwparser.p0", "%{severity},First Seen:%{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); -var part449 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#298:Potential:02/4", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part449 = match("MESSAGE#298:Potential:02/4", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all128 = all_match({ processors: [ @@ -9126,8 +8487,7 @@ var all128 = all_match({ var msg365 = msg("Potential:02", all128); -var part450 = // "Pattern{Field(fld23,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#299:Potential/2", "nwparser.p0", "%{fld23},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part450 = match("MESSAGE#299:Potential/2", "nwparser.p0", "%{fld23},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); var all129 = all_match({ processors: [ @@ -9156,8 +8516,7 @@ var all129 = all_match({ var msg366 = msg("Potential", all129); -var part451 = // "Pattern{Constant('Potential risk found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#300:Potential:01/0", "nwparser.payload", "Potential risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part451 = match("MESSAGE#300:Potential:01/0", "nwparser.payload", "Potential risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); var all130 = all_match({ processors: [ @@ -9191,8 +8550,7 @@ var select80 = linear_select([ msg367, ]); -var part452 = // "Pattern{Constant('Previous virus definition file loaded. Version: '), Field(version,false)}" -match("MESSAGE#301:Previous", "nwparser.payload", "Previous virus definition file loaded. Version: %{version}", processor_chain([ +var part452 = match("MESSAGE#301:Previous", "nwparser.payload", "Previous virus definition file loaded. Version: %{version}", processor_chain([ dup92, dup12, dup13, @@ -9203,8 +8561,7 @@ match("MESSAGE#301:Previous", "nwparser.payload", "Previous virus definition fil var msg368 = msg("Previous", part452); -var part453 = // "Pattern{Constant('Proactive Threat Scan '), Field(info,true), Constant(' failed to update.')}" -match("MESSAGE#302:Proactive", "nwparser.payload", "Proactive Threat Scan %{info->} failed to update.", processor_chain([ +var part453 = match("MESSAGE#302:Proactive", "nwparser.payload", "Proactive Threat Scan %{info->} failed to update.", processor_chain([ setc("eventcategory","1703020000"), dup12, dup13, @@ -9215,8 +8572,7 @@ match("MESSAGE#302:Proactive", "nwparser.payload", "Proactive Threat Scan %{info var msg369 = msg("Proactive", part453); -var part454 = // "Pattern{Constant('Proactive Threat Scan whitelist '), Field(info,true), Constant(' is up-to-date.')}" -match("MESSAGE#303:Proactive:01", "nwparser.payload", "Proactive Threat Scan whitelist %{info->} is up-to-date.", processor_chain([ +var part454 = match("MESSAGE#303:Proactive:01", "nwparser.payload", "Proactive Threat Scan whitelist %{info->} is up-to-date.", processor_chain([ dup92, dup12, dup13, @@ -9227,8 +8583,7 @@ match("MESSAGE#303:Proactive:01", "nwparser.payload", "Proactive Threat Scan whi var msg370 = msg("Proactive:01", part454); -var part455 = // "Pattern{Constant('Proactive Threat Protection has been enabled'), Field(p0,false)}" -match("MESSAGE#399:Symantec:38/0", "nwparser.payload", "Proactive Threat Protection has been enabled%{p0}"); +var part455 = match("MESSAGE#399:Symantec:38/0", "nwparser.payload", "Proactive Threat Protection has been enabled%{p0}"); var all131 = all_match({ processors: [ @@ -9247,8 +8602,7 @@ var all131 = all_match({ var msg371 = msg("Symantec:38", all131); -var part456 = // "Pattern{Constant('Proactive Threat Protection has been disabled'), Field(,false)}" -match("MESSAGE#400:Symantec:42", "nwparser.payload", "Proactive Threat Protection has been disabled%{}", processor_chain([ +var part456 = match("MESSAGE#400:Symantec:42", "nwparser.payload", "Proactive Threat Protection has been disabled%{}", processor_chain([ dup43, dup56, dup12, @@ -9266,8 +8620,7 @@ var select81 = linear_select([ msg372, ]); -var part457 = // "Pattern{Constant('process '), Field(process,true), Constant(' can not lock the process status table. The process status has been locked by the server '), Field(info,true), Constant(' since '), Field(fld50,false), Constant('.')}" -match("MESSAGE#304:process", "nwparser.payload", "process %{process->} can not lock the process status table. The process status has been locked by the server %{info->} since %{fld50}.", processor_chain([ +var part457 = match("MESSAGE#304:process", "nwparser.payload", "process %{process->} can not lock the process status table. The process status has been locked by the server %{info->} since %{fld50}.", processor_chain([ dup168, dup12, dup13, @@ -9278,8 +8631,7 @@ match("MESSAGE#304:process", "nwparser.payload", "process %{process->} can not l var msg373 = msg("process", part457); -var part458 = // "Pattern{Constant('"Application has changed since the last time you opened it, process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was allowed by profile.",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#305:process:01", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ +var part458 = match("MESSAGE#305:process:01", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ dup168, dup12, dup13, @@ -9294,8 +8646,7 @@ match("MESSAGE#305:process:01", "nwparser.payload", "\"Application has changed s var msg374 = msg("process:01", part458); -var part459 = // "Pattern{Constant('"Application has changed since the last time you opened it, process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was allowed by profile.",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#306:process:11", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ +var part459 = match("MESSAGE#306:process:11", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ dup168, dup12, dup13, @@ -9310,11 +8661,9 @@ match("MESSAGE#306:process:11", "nwparser.payload", "\"Application has changed s var msg375 = msg("process:11", part459); -var part460 = // "Pattern{Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#308:process:03/2", "nwparser.p0", ",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{p0}"); +var part460 = match("MESSAGE#308:process:03/2", "nwparser.p0", ",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{p0}"); -var part461 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#308:process:03/4", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part461 = match("MESSAGE#308:process:03/4", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all132 = all_match({ processors: [ @@ -9372,22 +8721,18 @@ var select82 = linear_select([ msg377, ]); -var part462 = // "Pattern{Constant('properties of domain '), Field(p0,false)}" -match("MESSAGE#310:properties/0", "nwparser.payload", "properties of domain %{p0}"); +var part462 = match("MESSAGE#310:properties/0", "nwparser.payload", "properties of domain %{p0}"); -var part463 = // "Pattern{Constant('"'), Field(domain,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#310:properties/1_0", "nwparser.p0", "\"%{domain}\"%{p0}"); +var part463 = match("MESSAGE#310:properties/1_0", "nwparser.p0", "\"%{domain}\"%{p0}"); -var part464 = // "Pattern{Constant('''), Field(domain,false), Constant('''), Field(p0,false)}" -match("MESSAGE#310:properties/1_1", "nwparser.p0", "'%{domain}'%{p0}"); +var part464 = match("MESSAGE#310:properties/1_1", "nwparser.p0", "'%{domain}'%{p0}"); var select83 = linear_select([ part463, part464, ]); -var part465 = // "Pattern{Field(,false), Constant('were changed')}" -match("MESSAGE#310:properties/2", "nwparser.p0", "%{}were changed"); +var part465 = match("MESSAGE#310:properties/2", "nwparser.p0", "%{}were changed"); var all134 = all_match({ processors: [ @@ -9410,22 +8755,18 @@ var all134 = all_match({ var msg378 = msg("properties", all134); -var part466 = // "Pattern{Constant('properties for system administrator '), Field(p0,false)}" -match("MESSAGE#311:properties:01/0", "nwparser.payload", "properties for system administrator %{p0}"); +var part466 = match("MESSAGE#311:properties:01/0", "nwparser.payload", "properties for system administrator %{p0}"); -var part467 = // "Pattern{Constant('"'), Field(c_username,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#311:properties:01/1_0", "nwparser.p0", "\"%{c_username}\"%{p0}"); +var part467 = match("MESSAGE#311:properties:01/1_0", "nwparser.p0", "\"%{c_username}\"%{p0}"); -var part468 = // "Pattern{Constant('''), Field(c_username,false), Constant('''), Field(p0,false)}" -match("MESSAGE#311:properties:01/1_1", "nwparser.p0", "'%{c_username}'%{p0}"); +var part468 = match("MESSAGE#311:properties:01/1_1", "nwparser.p0", "'%{c_username}'%{p0}"); var select84 = linear_select([ part467, part468, ]); -var part469 = // "Pattern{Field(,false), Constant('have been changed')}" -match("MESSAGE#311:properties:01/2", "nwparser.p0", "%{}have been changed"); +var part469 = match("MESSAGE#311:properties:01/2", "nwparser.p0", "%{}have been changed"); var all135 = all_match({ processors: [ @@ -9453,8 +8794,7 @@ var select85 = linear_select([ msg379, ]); -var part470 = // "Pattern{Constant('PTS has generated an error: code '), Field(resultcode,false), Constant(': description: '), Field(info,false)}" -match("MESSAGE#312:PTS", "nwparser.payload", "PTS has generated an error: code %{resultcode}: description: %{info}", processor_chain([ +var part470 = match("MESSAGE#312:PTS", "nwparser.payload", "PTS has generated an error: code %{resultcode}: description: %{info}", processor_chain([ dup168, dup12, dup13, @@ -9465,11 +8805,9 @@ match("MESSAGE#312:PTS", "nwparser.payload", "PTS has generated an error: code % var msg380 = msg("PTS", part470); -var part471 = // "Pattern{Constant('Received a new policy with '), Field(p0,false)}" -match("MESSAGE#313:Received/0", "nwparser.payload", "Received a new policy with %{p0}"); +var part471 = match("MESSAGE#313:Received/0", "nwparser.payload", "Received a new policy with %{p0}"); -var part472 = // "Pattern{Field(info,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#313:Received/1_0", "nwparser.p0", "%{info},Event time: %{fld17->} %{fld18}"); +var part472 = match("MESSAGE#313:Received/1_0", "nwparser.p0", "%{info},Event time: %{fld17->} %{fld18}"); var select86 = linear_select([ part472, @@ -9494,8 +8832,7 @@ var all136 = all_match({ var msg381 = msg("Received", all136); -var part473 = // "Pattern{Constant('Received a new profile with serial number '), Field(fld23,true), Constant(' from Symantec Endpoint Protection Manager.')}" -match("MESSAGE#699:Smc:03", "nwparser.payload", "Received a new profile with serial number %{fld23->} from Symantec Endpoint Protection Manager.", processor_chain([ +var part473 = match("MESSAGE#699:Smc:03", "nwparser.payload", "Received a new profile with serial number %{fld23->} from Symantec Endpoint Protection Manager.", processor_chain([ dup53, dup94, dup13, @@ -9511,8 +8848,7 @@ var select87 = linear_select([ msg382, ]); -var part474 = // "Pattern{Constant('Reconfiguring Symantec Management Client....'), Field(,false)}" -match("MESSAGE#314:Reconfiguring", "nwparser.payload", "Reconfiguring Symantec Management Client....%{}", processor_chain([ +var part474 = match("MESSAGE#314:Reconfiguring", "nwparser.payload", "Reconfiguring Symantec Management Client....%{}", processor_chain([ dup136, dup12, dup13, @@ -9526,8 +8862,7 @@ match("MESSAGE#314:Reconfiguring", "nwparser.payload", "Reconfiguring Symantec M var msg383 = msg("Reconfiguring", part474); -var part475 = // "Pattern{Constant('Reconnected to server after server was unreacheable.'), Field(p0,false)}" -match("MESSAGE#315:Reconnected/0", "nwparser.payload", "Reconnected to server after server was unreacheable.%{p0}"); +var part475 = match("MESSAGE#315:Reconnected/0", "nwparser.payload", "Reconnected to server after server was unreacheable.%{p0}"); var all137 = all_match({ processors: [ @@ -9547,8 +8882,7 @@ var all137 = all_match({ var msg384 = msg("Reconnected", all137); -var part476 = // "Pattern{Constant('Please restart your computer to enable '), Field(info,true), Constant(' changes.'), Field(p0,false)}" -match("MESSAGE#316:restart/0", "nwparser.payload", "Please restart your computer to enable %{info->} changes.%{p0}"); +var part476 = match("MESSAGE#316:restart/0", "nwparser.payload", "Please restart your computer to enable %{info->} changes.%{p0}"); var all138 = all_match({ processors: [ @@ -9568,8 +8902,7 @@ var all138 = all_match({ var msg385 = msg("restart", all138); -var part477 = // "Pattern{Constant('Retry '), Field(info,false), Constant('"')}" -match("MESSAGE#317:Retry", "nwparser.payload", "Retry %{info}\"", processor_chain([ +var part477 = match("MESSAGE#317:Retry", "nwparser.payload", "Retry %{info}\"", processor_chain([ dup43, dup12, dup13, @@ -9580,8 +8913,7 @@ match("MESSAGE#317:Retry", "nwparser.payload", "Retry %{info}\"", processor_chai var msg386 = msg("Retry", part477); -var part478 = // "Pattern{Constant('Retry timestamp is equal or over the next schedule time, switching to regular schedule run.'), Field(,false)}" -match("MESSAGE#318:Retry:01", "nwparser.payload", "Retry timestamp is equal or over the next schedule time, switching to regular schedule run.%{}", processor_chain([ +var part478 = match("MESSAGE#318:Retry:01", "nwparser.payload", "Retry timestamp is equal or over the next schedule time, switching to regular schedule run.%{}", processor_chain([ dup43, dup15, setc("action","Retry timestamp is equal or over the next schedule time, switching to regular schedule run."), @@ -9589,8 +8921,7 @@ match("MESSAGE#318:Retry:01", "nwparser.payload", "Retry timestamp is equal or o var msg387 = msg("Retry:01", part478); -var part479 = // "Pattern{Constant('Retry timestamp is over the maximum retry window, switching to regular schedule run.'), Field(,false)}" -match("MESSAGE#319:Retry:02", "nwparser.payload", "Retry timestamp is over the maximum retry window, switching to regular schedule run.%{}", processor_chain([ +var part479 = match("MESSAGE#319:Retry:02", "nwparser.payload", "Retry timestamp is over the maximum retry window, switching to regular schedule run.%{}", processor_chain([ dup43, dup233, dup15, @@ -9604,8 +8935,7 @@ var select88 = linear_select([ msg388, ]); -var part480 = // "Pattern{Constant('Successfully downloaded the '), Field(application,true), Constant(' security definitions from LiveUpdate. The security definitions are now available for deployment.')}" -match("MESSAGE#320:Successfully", "nwparser.payload", "Successfully downloaded the %{application->} security definitions from LiveUpdate. The security definitions are now available for deployment.", processor_chain([ +var part480 = match("MESSAGE#320:Successfully", "nwparser.payload", "Successfully downloaded the %{application->} security definitions from LiveUpdate. The security definitions are now available for deployment.", processor_chain([ dup43, setc("event_description","Successfully Downloaded."), dup15, @@ -9613,8 +8943,7 @@ match("MESSAGE#320:Successfully", "nwparser.payload", "Successfully downloaded t var msg389 = msg("Successfully", part480); -var part481 = // "Pattern{Constant('Successfully deleted the client install package ''), Field(info,false), Constant(''.')}" -match("MESSAGE#321:Successfully:01", "nwparser.payload", "Successfully deleted the client install package '%{info}'.", processor_chain([ +var part481 = match("MESSAGE#321:Successfully:01", "nwparser.payload", "Successfully deleted the client install package '%{info}'.", processor_chain([ dup43, dup234, dup15, @@ -9622,8 +8951,7 @@ match("MESSAGE#321:Successfully:01", "nwparser.payload", "Successfully deleted t var msg390 = msg("Successfully:01", part481); -var part482 = // "Pattern{Constant('Successfully imported the Symantec Endpoint Protection version '), Field(version,true), Constant(' for '), Field(fld3,true), Constant(' package during the server upgrade. This package is now available for deployment.')}" -match("MESSAGE#322:Successfully:02", "nwparser.payload", "Successfully imported the Symantec Endpoint Protection version %{version->} for %{fld3->} package during the server upgrade. This package is now available for deployment.", processor_chain([ +var part482 = match("MESSAGE#322:Successfully:02", "nwparser.payload", "Successfully imported the Symantec Endpoint Protection version %{version->} for %{fld3->} package during the server upgrade. This package is now available for deployment.", processor_chain([ dup43, dup234, dup15, @@ -9637,8 +8965,7 @@ var select89 = linear_select([ msg391, ]); -var part483 = // "Pattern{Constant('Risk Repair Failed..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld7,true), Constant(' ..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#323:Risk:01", "nwparser.payload", "Risk Repair Failed..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7->} ..Severity: %{severity}..Source: %{product}", processor_chain([ +var part483 = match("MESSAGE#323:Risk:01", "nwparser.payload", "Risk Repair Failed..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7->} ..Severity: %{severity}..Source: %{product}", processor_chain([ dup110, dup166, dup15, @@ -9647,8 +8974,7 @@ match("MESSAGE#323:Risk:01", "nwparser.payload", "Risk Repair Failed..Computer: var msg392 = msg("Risk:01", part483); -var part484 = // "Pattern{Constant('Risk Repair Failed..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(action,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#324:Risk:02", "nwparser.payload", "Risk Repair Failed..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ +var part484 = match("MESSAGE#324:Risk:02", "nwparser.payload", "Risk Repair Failed..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ dup110, dup152, dup166, @@ -9658,8 +8984,7 @@ match("MESSAGE#324:Risk:02", "nwparser.payload", "Risk Repair Failed..%{shost}.. var msg393 = msg("Risk:02", part484); -var part485 = // "Pattern{Constant('Risk Repaired..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#325:Risk:03", "nwparser.payload", "Risk Repaired..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part485 = match("MESSAGE#325:Risk:03", "nwparser.payload", "Risk Repaired..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ dup110, dup166, dup15, @@ -9668,8 +8993,7 @@ match("MESSAGE#325:Risk:03", "nwparser.payload", "Risk Repaired..Computer: %{sho var msg394 = msg("Risk:03", part485); -var part486 = // "Pattern{Constant('Risk Repaired..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(action,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#326:Risk:04", "nwparser.payload", "Risk Repaired..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ +var part486 = match("MESSAGE#326:Risk:04", "nwparser.payload", "Risk Repaired..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ dup110, dup152, dup166, @@ -9679,14 +9003,11 @@ match("MESSAGE#326:Risk:04", "nwparser.payload", "Risk Repaired..%{shost}..%{fld var msg395 = msg("Risk:04", part486); -var part487 = // "Pattern{Constant('Risk sample submitted to Symantec,Computer name: '), Field(p0,false)}" -match("MESSAGE#327:Risk:05/0", "nwparser.payload", "Risk sample submitted to Symantec,Computer name: %{p0}"); +var part487 = match("MESSAGE#327:Risk:05/0", "nwparser.payload", "Risk sample submitted to Symantec,Computer name: %{p0}"); -var part488 = // "Pattern{Field(event_type,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#327:Risk:05/2", "nwparser.p0", "%{event_type},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part488 = match("MESSAGE#327:Risk:05/2", "nwparser.p0", "%{event_type},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); -var part489 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld16,true), Constant(' '), Field(fld17,false), Constant(',Inserted: '), Field(fld20,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#327:Risk:05/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld16->} %{fld17},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part489 = match("MESSAGE#327:Risk:05/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld16->} %{fld17},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all139 = all_match({ processors: [ @@ -9726,8 +9047,7 @@ var select90 = linear_select([ msg396, ]); -var part490 = // "Pattern{Constant('Scan Start/Stop..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(fld22,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#328:Scan", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{filename}..%{info}..%{fld22}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ +var part490 = match("MESSAGE#328:Scan", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{filename}..%{info}..%{fld22}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ dup43, dup152, dup166, @@ -9737,8 +9057,7 @@ match("MESSAGE#328:Scan", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5 var msg397 = msg("Scan", part490); -var part491 = // "Pattern{Constant('Scan Start/Stop..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(info,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false)}" -match("MESSAGE#329:Scan:01", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{info}..%{severity}..%{product}..%{fld6}..%{username}", processor_chain([ +var part491 = match("MESSAGE#329:Scan:01", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{info}..%{severity}..%{product}..%{fld6}..%{username}", processor_chain([ dup43, dup166, dup15, @@ -9747,8 +9066,7 @@ match("MESSAGE#329:Scan:01", "nwparser.payload", "Scan Start/Stop..%{shost}..%{f var msg398 = msg("Scan:01", part491); -var part492 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(',"'), Field(info,false), Constant('","'), Field(context,false), Constant('",Command: Not a command scan (),Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant('Domain: '), Field(domain,false), Constant('Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#330:Scan:02", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},\"%{info}\",\"%{context}\",Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr}Domain: %{domain}Group: %{group},Server: %{hostid}", processor_chain([ +var part492 = match("MESSAGE#330:Scan:02", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},\"%{info}\",\"%{context}\",Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr}Domain: %{domain}Group: %{group},Server: %{hostid}", processor_chain([ dup43, dup12, dup14, @@ -9762,8 +9080,7 @@ match("MESSAGE#330:Scan:02", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld var msg399 = msg("Scan:02", part492); -var part493 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld1,false), Constant(',End: '), Field(fld2,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(','), Field(fld22,false), Constant(',,Command: '), Field(fld4,false), Constant(',Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(fld5,false), Constant(',Omitted: '), Field(fld21,false), Constant(',Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',"Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#331:Scan:09", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{fld22},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},\"Group: %{group},Server: %{hostid}", processor_chain([ +var part493 = match("MESSAGE#331:Scan:09", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{fld22},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},\"Group: %{group},Server: %{hostid}", processor_chain([ dup43, dup12, dup14, @@ -9777,11 +9094,9 @@ match("MESSAGE#331:Scan:09", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld var msg400 = msg("Scan:09", part493); -var part494 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld22,false), Constant(','), Field(info,false), Constant(',Command: Not a command scan (),Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld21,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(','), Field(p0,false)}" -match("MESSAGE#332:Scan:03/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld22},%{info},Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld21}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},%{p0}"); +var part494 = match("MESSAGE#332:Scan:03/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld22},%{info},Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld21}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},%{p0}"); -var part495 = // "Pattern{Field(hostid,false)}" -match_copy("MESSAGE#332:Scan:03/2", "nwparser.p0", "hostid"); +var part495 = match_copy("MESSAGE#332:Scan:03/2", "nwparser.p0", "hostid"); var all140 = all_match({ processors: [ @@ -9804,8 +9119,7 @@ var all140 = all_match({ var msg401 = msg("Scan:03", all140); -var part496 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld1,false), Constant(',End: '), Field(fld2,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(',Files scanned: '), Field(dclass_counter2,false), Constant(',,Command: '), Field(fld4,false), Constant(',Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(fld5,false), Constant(',Omitted: '), Field(fld21,false), Constant(',Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#333:Scan:08", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},Files scanned: %{dclass_counter2},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}", processor_chain([ +var part496 = match("MESSAGE#333:Scan:08", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},Files scanned: %{dclass_counter2},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}", processor_chain([ dup43, dup12, dup14, @@ -9819,14 +9133,11 @@ match("MESSAGE#333:Scan:08", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld var msg402 = msg("Scan:08", part496); -var part497 = // "Pattern{Constant('Scan Delayed: Risks: '), Field(dclass_counter1,true), Constant(' Scanned: '), Field(dclass_counter2,true), Constant(' Files/Folders/Drives Omitted: '), Field(p0,false)}" -match("MESSAGE#334:Scan:04/0", "nwparser.payload", "Scan Delayed: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{p0}"); +var part497 = match("MESSAGE#334:Scan:04/0", "nwparser.payload", "Scan Delayed: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{p0}"); -var part498 = // "Pattern{Field(dclass_counter3,true), Constant(' Trusted Files Skipped: '), Field(fld1,false)}" -match("MESSAGE#334:Scan:04/1_0", "nwparser.p0", "%{dclass_counter3->} Trusted Files Skipped: %{fld1}"); +var part498 = match("MESSAGE#334:Scan:04/1_0", "nwparser.p0", "%{dclass_counter3->} Trusted Files Skipped: %{fld1}"); -var part499 = // "Pattern{Field(dclass_counter3,false)}" -match_copy("MESSAGE#334:Scan:04/1_1", "nwparser.p0", "dclass_counter3"); +var part499 = match_copy("MESSAGE#334:Scan:04/1_1", "nwparser.p0", "dclass_counter3"); var select91 = linear_select([ part498, @@ -9855,8 +9166,7 @@ var all141 = all_match({ var msg403 = msg("Scan:04", all141); -var part500 = // "Pattern{Field(action,false), Constant('..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Description: '), Field(event_description,false), Constant(': Risks: '), Field(dclass_counter1,true), Constant(' Scanned: '), Field(dclass_counter2,true), Constant(' Files/Folders/Drives Omitted: '), Field(dclass_counter3,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld4,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#335:Scan:05", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{dclass_counter3}..Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part500 = match("MESSAGE#335:Scan:05", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{dclass_counter3}..Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ dup43, dup166, dup15, @@ -9867,8 +9177,7 @@ match("MESSAGE#335:Scan:05", "nwparser.payload", "%{action}..Computer: %{shost}. var msg404 = msg("Scan:05", part500); -var part501 = // "Pattern{Field(action,false), Constant('..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Description: '), Field(event_description,false), Constant('...Time: '), Field(fld6,true), Constant(' '), Field(fld4,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#336:Scan:06", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}...Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part501 = match("MESSAGE#336:Scan:06", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}...Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ dup43, dup166, dup15, @@ -9876,8 +9185,7 @@ match("MESSAGE#336:Scan:06", "nwparser.payload", "%{action}..Computer: %{shost}. var msg405 = msg("Scan:06", part501); -var part502 = // "Pattern{Constant('Scan started on all drives and all extensions.'), Field(,false)}" -match("MESSAGE#337:Scan:07", "nwparser.payload", "Scan started on all drives and all extensions.%{}", processor_chain([ +var part502 = match("MESSAGE#337:Scan:07", "nwparser.payload", "Scan started on all drives and all extensions.%{}", processor_chain([ dup43, dup12, dup13, @@ -9888,8 +9196,7 @@ match("MESSAGE#337:Scan:07", "nwparser.payload", "Scan started on all drives and var msg406 = msg("Scan:07", part502); -var part503 = // "Pattern{Constant('Scan Suspended: '), Field(info,false)}" -match("MESSAGE#338:Scan:11", "nwparser.payload", "Scan Suspended: %{info}", processor_chain([ +var part503 = match("MESSAGE#338:Scan:11", "nwparser.payload", "Scan Suspended: %{info}", processor_chain([ dup43, dup12, dup13, @@ -9900,8 +9207,7 @@ match("MESSAGE#338:Scan:11", "nwparser.payload", "Scan Suspended: %{info}", proc var msg407 = msg("Scan:11", part503); -var part504 = // "Pattern{Constant('Scan resumed on all drives and all extensions.'), Field(,false)}" -match("MESSAGE#339:Scan:10", "nwparser.payload", "Scan resumed on all drives and all extensions.%{}", processor_chain([ +var part504 = match("MESSAGE#339:Scan:10", "nwparser.payload", "Scan resumed on all drives and all extensions.%{}", processor_chain([ dup43, dup12, dup13, @@ -9912,11 +9218,9 @@ match("MESSAGE#339:Scan:10", "nwparser.payload", "Scan resumed on all drives and var msg408 = msg("Scan:10", part504); -var part505 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(uid,false), Constant(',User2: '), Field(fld3,false), Constant(',''), Field(info,false), Constant('','), Field(p0,false)}" -match("MESSAGE#340:Scan:12/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2: %{fld3},'%{info}',%{p0}"); +var part505 = match("MESSAGE#340:Scan:12/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2: %{fld3},'%{info}',%{p0}"); -var part506 = // "Pattern{Constant('Command: Update Content and Scan Active,Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#340:Scan:12/2", "nwparser.p0", "Command: Update Content and Scan Active,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); +var part506 = match("MESSAGE#340:Scan:12/2", "nwparser.p0", "Command: Update Content and Scan Active,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); var all142 = all_match({ processors: [ @@ -9939,11 +9243,9 @@ var all142 = all_match({ var msg409 = msg("Scan:12", all142); -var part507 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End:'), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(uid,false), Constant(',User2:'), Field(fld3,false), Constant(',''), Field(info,false), Constant('','), Field(p0,false)}" -match("MESSAGE#341:Scan:13/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End:%{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2:%{fld3},'%{info}',%{p0}"); +var part507 = match("MESSAGE#341:Scan:13/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End:%{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2:%{fld3},'%{info}',%{p0}"); -var part508 = // "Pattern{Constant('Command: Full Scan,Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#341:Scan:13/2", "nwparser.p0", "Command: Full Scan,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); +var part508 = match("MESSAGE#341:Scan:13/2", "nwparser.p0", "Command: Full Scan,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); var all143 = all_match({ processors: [ @@ -9966,33 +9268,27 @@ var all143 = all_match({ var msg410 = msg("Scan:13", all143); -var part509 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(','), Field(p0,false)}" -match("MESSAGE#342:Scan:14/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{p0}"); +var part509 = match("MESSAGE#342:Scan:14/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{p0}"); -var part510 = // "Pattern{Field(info,false), Constant('","'), Field(p0,false)}" -match("MESSAGE#342:Scan:14/2_0", "nwparser.p0", "%{info}\",\"%{p0}"); +var part510 = match("MESSAGE#342:Scan:14/2_0", "nwparser.p0", "%{info}\",\"%{p0}"); -var part511 = // "Pattern{Field(info,false), Constant(','), Field(p0,false)}" -match("MESSAGE#342:Scan:14/2_1", "nwparser.p0", "%{info},%{p0}"); +var part511 = match("MESSAGE#342:Scan:14/2_1", "nwparser.p0", "%{info},%{p0}"); var select92 = linear_select([ part510, part511, ]); -var part512 = // "Pattern{Field(context,false), Constant('",'), Field(p0,false)}" -match("MESSAGE#342:Scan:14/3_0", "nwparser.p0", "%{context}\",%{p0}"); +var part512 = match("MESSAGE#342:Scan:14/3_0", "nwparser.p0", "%{context}\",%{p0}"); -var part513 = // "Pattern{Field(context,false), Constant(','), Field(p0,false)}" -match("MESSAGE#342:Scan:14/3_1", "nwparser.p0", "%{context},%{p0}"); +var part513 = match("MESSAGE#342:Scan:14/3_1", "nwparser.p0", "%{context},%{p0}"); var select93 = linear_select([ part512, part513, ]); -var part514 = // "Pattern{Constant('Command: '), Field(fld10,false), Constant(',Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant(',Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#342:Scan:14/4", "nwparser.p0", "Command: %{fld10},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); +var part514 = match("MESSAGE#342:Scan:14/4", "nwparser.p0", "Command: %{fld10},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); var all144 = all_match({ processors: [ @@ -10035,8 +9331,7 @@ var select94 = linear_select([ msg411, ]); -var part515 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld13,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#343:Security:03/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part515 = match("MESSAGE#343:Security:03/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all145 = all_match({ processors: [ @@ -10088,33 +9383,27 @@ var all146 = all_match({ var msg413 = msg("Security:06", all146); -var part516 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Cookie:'), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Last update time: '), Field(fld57,false), Constant(',Domain: '), Field(domain,true), Constant(' ,'), Field(p0,false)}" -match("MESSAGE#345:Security:05/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie:%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain->} ,%{p0}"); +var part516 = match("MESSAGE#345:Security:05/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie:%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain->} ,%{p0}"); -var part517 = // "Pattern{Constant('" '), Field(p0,false)}" -match("MESSAGE#345:Security:05/3_0", "nwparser.p0", "\" %{p0}"); +var part517 = match("MESSAGE#345:Security:05/3_0", "nwparser.p0", "\" %{p0}"); var select95 = linear_select([ part517, dup194, ]); -var part518 = // "Pattern{Constant('Group: '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#345:Security:05/4", "nwparser.p0", "Group: %{group->} %{p0}"); +var part518 = match("MESSAGE#345:Security:05/4", "nwparser.p0", "Group: %{group->} %{p0}"); -var part519 = // "Pattern{Constant('", '), Field(p0,false)}" -match("MESSAGE#345:Security:05/5_0", "nwparser.p0", "\", %{p0}"); +var part519 = match("MESSAGE#345:Security:05/5_0", "nwparser.p0", "\", %{p0}"); -var part520 = // "Pattern{Constant(', '), Field(p0,false)}" -match("MESSAGE#345:Security:05/5_1", "nwparser.p0", ", %{p0}"); +var part520 = match("MESSAGE#345:Security:05/5_1", "nwparser.p0", ", %{p0}"); var select96 = linear_select([ part519, part520, ]); -var part521 = // "Pattern{Constant('Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(', File size (bytes): '), Field(p0,false)}" -match("MESSAGE#345:Security:05/6", "nwparser.p0", "Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); +var part521 = match("MESSAGE#345:Security:05/6", "nwparser.p0", "Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); var all147 = all_match({ processors: [ @@ -10146,8 +9435,7 @@ var all147 = all_match({ var msg414 = msg("Security:05", all147); -var part522 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(',0,Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" -match("MESSAGE#346:Security:04", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}", processor_chain([ +var part522 = match("MESSAGE#346:Security:04", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}", processor_chain([ dup110, dup12, dup115, @@ -10165,8 +9453,7 @@ match("MESSAGE#346:Security:04", "nwparser.payload", "Security risk found,IP Add var msg415 = msg("Security:04", part522); -var part523 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Last update time: '), Field(fld57,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(', File size (bytes): '), Field(p0,false)}" -match("MESSAGE#347:Security:07/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); +var part523 = match("MESSAGE#347:Security:07/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); var all148 = all_match({ processors: [ @@ -10194,19 +9481,16 @@ var all148 = all_match({ var msg416 = msg("Security:07", all148); -var part524 = // "Pattern{Constant('Security risk found,Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#348:Security:13/0", "nwparser.payload", "Security risk found,Computer name: %{shost},%{p0}"); +var part524 = match("MESSAGE#348:Security:13/0", "nwparser.payload", "Security risk found,Computer name: %{shost},%{p0}"); -var part525 = // "Pattern{Constant('Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(','), Field(p0,false)}" -match("MESSAGE#348:Security:13/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},%{p0}"); +var part525 = match("MESSAGE#348:Security:13/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},%{p0}"); var select97 = linear_select([ part525, dup77, ]); -var part526 = // "Pattern{Constant('IP Address: '), Field(saddr,false), Constant(',Detection type: '), Field(severity,false), Constant(',First Seen: '), Field(fld1,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,true), Constant(' ,Hash type: '), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld3,true), Constant(' ,File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld4,false), Constant(',Detection score: '), Field(fld5,false), Constant(',COH Engine Version: '), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',Permitted application reason: '), Field(fld8,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld10,false), Constant(',Web domain:'), Field(fld11,true), Constant(' ,Downloaded by: '), Field(fld12,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld15,false), Constant(',Risk Level: '), Field(fld16,false), Constant(',Risk type: '), Field(fld17,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name:'), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld18,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld19,true), Constant(' '), Field(fld20,false), Constant(',Inserted: '), Field(fld21,false), Constant(',End: '), Field(fld22,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld23,false), Constant(',Source IP: '), Field(fld24,false)}" -match("MESSAGE#348:Security:13/2", "nwparser.p0", "IP Address: %{saddr},Detection type: %{severity},First Seen: %{fld1},Application name: %{application},Application type: %{obj_type},Application version:%{version->} ,Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld3->} ,File size (bytes): %{filename_size},Sensitivity: %{fld4},Detection score: %{fld5},COH Engine Version: %{fld6},%{fld7},Permitted application reason: %{fld8},Disposition: %{result},Download site: %{fld10},Web domain:%{fld11->} ,Downloaded by: %{fld12},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld15},Risk Level: %{fld16},Risk type: %{fld17},Source: %{event_source},Risk name:%{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld18},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld19->} %{fld20},Inserted: %{fld21},End: %{fld22},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld23},Source IP: %{fld24}"); +var part526 = match("MESSAGE#348:Security:13/2", "nwparser.p0", "IP Address: %{saddr},Detection type: %{severity},First Seen: %{fld1},Application name: %{application},Application type: %{obj_type},Application version:%{version->} ,Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld3->} ,File size (bytes): %{filename_size},Sensitivity: %{fld4},Detection score: %{fld5},COH Engine Version: %{fld6},%{fld7},Permitted application reason: %{fld8},Disposition: %{result},Download site: %{fld10},Web domain:%{fld11->} ,Downloaded by: %{fld12},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld15},Risk Level: %{fld16},Risk type: %{fld17},Source: %{event_source},Risk name:%{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld18},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld19->} %{fld20},Inserted: %{fld21},End: %{fld22},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld23},Source IP: %{fld24}"); var all149 = all_match({ processors: [ @@ -10249,8 +9533,7 @@ var all149 = all_match({ var msg417 = msg("Security:13", all149); -var part527 = // "Pattern{Constant('Security risk found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#349:Security", "nwparser.payload", "Security risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ +var part527 = match("MESSAGE#349:Security", "nwparser.payload", "Security risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ dup110, dup12, dup115, @@ -10268,8 +9551,7 @@ match("MESSAGE#349:Security", "nwparser.payload", "Security risk found,Computer var msg418 = msg("Security", part527); -var part528 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Cookie: '), Field(fld1,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" -match("MESSAGE#350:Security:01", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie: %{fld1},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ +var part528 = match("MESSAGE#350:Security:01", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie: %{fld1},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ dup110, dup12, dup115, @@ -10286,8 +9568,7 @@ match("MESSAGE#350:Security:01", "nwparser.payload", "Security risk found,IP Add var msg419 = msg("Security:01", part528); -var part529 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" -match("MESSAGE#351:Security:02", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ +var part529 = match("MESSAGE#351:Security:02", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ dup110, dup12, dup115, @@ -10317,8 +9598,7 @@ var select98 = linear_select([ msg420, ]); -var part530 = // "Pattern{Constant('Compressed File,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#352:Compressed", "nwparser.payload", "Compressed File,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ +var part530 = match("MESSAGE#352:Compressed", "nwparser.payload", "Compressed File,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ dup110, dup12, dup152, @@ -10333,11 +9613,9 @@ match("MESSAGE#352:Compressed", "nwparser.payload", "Compressed File,Computer na var msg421 = msg("Compressed", part530); -var part531 = // "Pattern{Constant('Compressed File,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#353:Compressed:02/0", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},%{p0}"); +var part531 = match("MESSAGE#353:Compressed:02/0", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},%{p0}"); -var part532 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(','), Field(p0,false)}" -match("MESSAGE#353:Compressed:02/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},%{p0}"); +var part532 = match("MESSAGE#353:Compressed:02/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},%{p0}"); var all150 = all_match({ processors: [ @@ -10364,8 +9642,7 @@ var all150 = all_match({ var msg422 = msg("Compressed:02", all150); -var part533 = // "Pattern{Constant('Compressed File,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" -match("MESSAGE#354:Compressed:01", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ +var part533 = match("MESSAGE#354:Compressed:01", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ dup110, dup12, dup152, @@ -10386,8 +9663,7 @@ var select99 = linear_select([ msg423, ]); -var part534 = // "Pattern{Constant('Stop serving as the Group Update Provider (proxy server)'), Field(,false)}" -match("MESSAGE#355:Stop", "nwparser.payload", "Stop serving as the Group Update Provider (proxy server)%{}", processor_chain([ +var part534 = match("MESSAGE#355:Stop", "nwparser.payload", "Stop serving as the Group Update Provider (proxy server)%{}", processor_chain([ dup43, dup12, dup13, @@ -10398,8 +9674,7 @@ match("MESSAGE#355:Stop", "nwparser.payload", "Stop serving as the Group Update var msg424 = msg("Stop", part534); -var part535 = // "Pattern{Constant('Stop Symantec Network Access Control client.'), Field(,false)}" -match("MESSAGE#356:Stop:01", "nwparser.payload", "Stop Symantec Network Access Control client.%{}", processor_chain([ +var part535 = match("MESSAGE#356:Stop:01", "nwparser.payload", "Stop Symantec Network Access Control client.%{}", processor_chain([ dup43, dup12, dup13, @@ -10410,8 +9685,7 @@ match("MESSAGE#356:Stop:01", "nwparser.payload", "Stop Symantec Network Access C var msg425 = msg("Stop:01", part535); -var part536 = // "Pattern{Constant('Stop using Group Update Provider (proxy server) @ '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('.')}" -match("MESSAGE#357:Stop:02", "nwparser.payload", "Stop using Group Update Provider (proxy server) @ %{saddr}:%{sport}.", processor_chain([ +var part536 = match("MESSAGE#357:Stop:02", "nwparser.payload", "Stop using Group Update Provider (proxy server) @ %{saddr}:%{sport}.", processor_chain([ dup43, dup12, dup13, @@ -10428,8 +9702,7 @@ var select100 = linear_select([ msg426, ]); -var part537 = // "Pattern{Constant('Stopping Symantec Management Client....'), Field(p0,false)}" -match("MESSAGE#358:Stopping/0", "nwparser.payload", "Stopping Symantec Management Client....%{p0}"); +var part537 = match("MESSAGE#358:Stopping/0", "nwparser.payload", "Stopping Symantec Management Client....%{p0}"); var all151 = all_match({ processors: [ @@ -10452,8 +9725,7 @@ var all151 = all_match({ var msg427 = msg("Stopping", all151); -var part538 = // "Pattern{Constant('Submission Control signatures '), Field(version,true), Constant(' is up-to-date.')}" -match("MESSAGE#359:Submission", "nwparser.payload", "Submission Control signatures %{version->} is up-to-date.", processor_chain([ +var part538 = match("MESSAGE#359:Submission", "nwparser.payload", "Submission Control signatures %{version->} is up-to-date.", processor_chain([ dup92, dup12, dup13, @@ -10464,8 +9736,7 @@ match("MESSAGE#359:Submission", "nwparser.payload", "Submission Control signatur var msg428 = msg("Submission", part538); -var part539 = // "Pattern{Constant('Switched to server control.'), Field(,false)}" -match("MESSAGE#360:Switched", "nwparser.payload", "Switched to server control.%{}", processor_chain([ +var part539 = match("MESSAGE#360:Switched", "nwparser.payload", "Switched to server control.%{}", processor_chain([ dup136, dup12, dup13, @@ -10479,8 +9750,7 @@ match("MESSAGE#360:Switched", "nwparser.payload", "Switched to server control.%{ var msg429 = msg("Switched", part539); -var part540 = // "Pattern{Constant('Symantec Endpoint Protection Manager Content Catalog '), Field(version,true), Constant(' is up-to-date.')}" -match("MESSAGE#361:Symantec:18", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} is up-to-date.", processor_chain([ +var part540 = match("MESSAGE#361:Symantec:18", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} is up-to-date.", processor_chain([ dup86, dup15, setc("event_description","Symantec Endpoint Protection Manager Content Catalog is up to date."), @@ -10488,8 +9758,7 @@ match("MESSAGE#361:Symantec:18", "nwparser.payload", "Symantec Endpoint Protecti var msg430 = msg("Symantec:18", part540); -var part541 = // "Pattern{Constant('Symantec Endpoint Protection Manager could not update TruScan proactive threat scan commercial application list '), Field(application,false), Constant('.')}" -match("MESSAGE#362:Symantec:33", "nwparser.payload", "Symantec Endpoint Protection Manager could not update TruScan proactive threat scan commercial application list %{application}.", processor_chain([ +var part541 = match("MESSAGE#362:Symantec:33", "nwparser.payload", "Symantec Endpoint Protection Manager could not update TruScan proactive threat scan commercial application list %{application}.", processor_chain([ dup43, dup15, setc("event_description","Symantec Endpoint Protection Manager could not update TruScan proactive threat scan."), @@ -10497,8 +9766,7 @@ match("MESSAGE#362:Symantec:33", "nwparser.payload", "Symantec Endpoint Protecti var msg431 = msg("Symantec:33", part541); -var part542 = // "Pattern{Constant('Symantec Endpoint Protection '), Field(application,true), Constant(' '), Field(version,true), Constant(' ('), Field(info,false), Constant(') is up-to-date.')}" -match("MESSAGE#363:Symantec:17", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) is up-to-date.", processor_chain([ +var part542 = match("MESSAGE#363:Symantec:17", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) is up-to-date.", processor_chain([ dup86, dup15, setc("event_description","Symantec Endpoint Protection is up to date."), @@ -10506,8 +9774,7 @@ match("MESSAGE#363:Symantec:17", "nwparser.payload", "Symantec Endpoint Protecti var msg432 = msg("Symantec:17", part542); -var part543 = // "Pattern{Constant('Symantec Endpoint Protection '), Field(application,true), Constant(' '), Field(version,true), Constant(' ('), Field(info,false), Constant(') failed to update.')}" -match("MESSAGE#364:Symantec:20", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) failed to update.", processor_chain([ +var part543 = match("MESSAGE#364:Symantec:20", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) failed to update.", processor_chain([ dup86, dup12, dup13, @@ -10517,8 +9784,7 @@ match("MESSAGE#364:Symantec:20", "nwparser.payload", "Symantec Endpoint Protecti var msg433 = msg("Symantec:20", part543); -var part544 = // "Pattern{Constant('Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled'), Field(p0,false)}" -match("MESSAGE#365:Symantec:16/0", "nwparser.payload", "Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled%{p0}"); +var part544 = match("MESSAGE#365:Symantec:16/0", "nwparser.payload", "Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled%{p0}"); var all152 = all_match({ processors: [ @@ -10537,8 +9803,7 @@ var all152 = all_match({ var msg434 = msg("Symantec:16", all152); -var part545 = // "Pattern{Constant('Symantec Network Access Control client started.'), Field(,false)}" -match("MESSAGE#366:Symantec:15", "nwparser.payload", "Symantec Network Access Control client started.%{}", processor_chain([ +var part545 = match("MESSAGE#366:Symantec:15", "nwparser.payload", "Symantec Network Access Control client started.%{}", processor_chain([ dup43, dup12, dup13, @@ -10548,8 +9813,7 @@ match("MESSAGE#366:Symantec:15", "nwparser.payload", "Symantec Network Access Co var msg435 = msg("Symantec:15", part545); -var part546 = // "Pattern{Constant('Symantec Endpoint Protection Tamper Protection Disabled'), Field(,false)}" -match("MESSAGE#367:Symantec:11", "nwparser.payload", "Symantec Endpoint Protection Tamper Protection Disabled%{}", processor_chain([ +var part546 = match("MESSAGE#367:Symantec:11", "nwparser.payload", "Symantec Endpoint Protection Tamper Protection Disabled%{}", processor_chain([ dup168, dup12, dup13, @@ -10560,8 +9824,7 @@ match("MESSAGE#367:Symantec:11", "nwparser.payload", "Symantec Endpoint Protecti var msg436 = msg("Symantec:11", part546); -var part547 = // "Pattern{Constant('Symantec AntiVirus Startup/Shutdown..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Description: '), Field(info,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#368:Symantec", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{info}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part547 = match("MESSAGE#368:Symantec", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{info}..Severity: %{severity}..Source: %{product}", processor_chain([ dup43, dup166, dup15, @@ -10570,8 +9833,7 @@ match("MESSAGE#368:Symantec", "nwparser.payload", "Symantec AntiVirus Startup/Sh var msg437 = msg("Symantec", part547); -var part548 = // "Pattern{Constant('Symantec AntiVirus Startup/Shutdown..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('........'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false)}" -match("MESSAGE#369:Symantec:01", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6}", processor_chain([ +var part548 = match("MESSAGE#369:Symantec:01", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6}", processor_chain([ dup43, dup166, dup15, @@ -10580,8 +9842,7 @@ match("MESSAGE#369:Symantec:01", "nwparser.payload", "Symantec AntiVirus Startup var msg438 = msg("Symantec:01", part548); -var part549 = // "Pattern{Constant('Symantec AntiVirus Startup/Shutdown..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false)}" -match("MESSAGE#370:Symantec:02", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ +var part549 = match("MESSAGE#370:Symantec:02", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ dup43, dup166, dup15, @@ -10590,22 +9851,18 @@ match("MESSAGE#370:Symantec:02", "nwparser.payload", "Symantec AntiVirus Startup var msg439 = msg("Symantec:02", part549); -var part550 = // "Pattern{Constant('Symantec Endpoint Protection Manager Content Catalog '), Field(version,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#371:Symantec:03/0", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} %{p0}"); +var part550 = match("MESSAGE#371:Symantec:03/0", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} %{p0}"); -var part551 = // "Pattern{Constant('is up-to-date '), Field(p0,false)}" -match("MESSAGE#371:Symantec:03/1_0", "nwparser.p0", "is up-to-date %{p0}"); +var part551 = match("MESSAGE#371:Symantec:03/1_0", "nwparser.p0", "is up-to-date %{p0}"); -var part552 = // "Pattern{Constant('was successfully updated '), Field(p0,false)}" -match("MESSAGE#371:Symantec:03/1_1", "nwparser.p0", "was successfully updated %{p0}"); +var part552 = match("MESSAGE#371:Symantec:03/1_1", "nwparser.p0", "was successfully updated %{p0}"); var select101 = linear_select([ part551, part552, ]); -var part553 = // "Pattern{Constant('.'), Field(,false)}" -match("MESSAGE#371:Symantec:03/2", "nwparser.p0", ".%{}"); +var part553 = match("MESSAGE#371:Symantec:03/2", "nwparser.p0", ".%{}"); var all153 = all_match({ processors: [ @@ -10625,8 +9882,7 @@ var all153 = all_match({ var msg440 = msg("Symantec:03", all153); -var part554 = // "Pattern{Constant('Symantec Endpoint Protection services shutdown was successful.'), Field(p0,false)}" -match("MESSAGE#372:Symantec:04/0", "nwparser.payload", "Symantec Endpoint Protection services shutdown was successful.%{p0}"); +var part554 = match("MESSAGE#372:Symantec:04/0", "nwparser.payload", "Symantec Endpoint Protection services shutdown was successful.%{p0}"); var all154 = all_match({ processors: [ @@ -10646,8 +9902,7 @@ var all154 = all_match({ var msg441 = msg("Symantec:04", all154); -var part555 = // "Pattern{Constant('Symantec Endpoint Protection services startup was successful.'), Field(p0,false)}" -match("MESSAGE#373:Symantec:05/0", "nwparser.payload", "Symantec Endpoint Protection services startup was successful.%{p0}"); +var part555 = match("MESSAGE#373:Symantec:05/0", "nwparser.payload", "Symantec Endpoint Protection services startup was successful.%{p0}"); var all155 = all_match({ processors: [ @@ -10667,8 +9922,7 @@ var all155 = all_match({ var msg442 = msg("Symantec:05", all155); -var part556 = // "Pattern{Constant('Symantec Management Client is stopped.'), Field(p0,false)}" -match("MESSAGE#374:Symantec:06/0", "nwparser.payload", "Symantec Management Client is stopped.%{p0}"); +var part556 = match("MESSAGE#374:Symantec:06/0", "nwparser.payload", "Symantec Management Client is stopped.%{p0}"); var all156 = all_match({ processors: [ @@ -10688,22 +9942,18 @@ var all156 = all_match({ var msg443 = msg("Symantec:06", all156); -var part557 = // "Pattern{Constant('Symantec Management Client has been '), Field(p0,false)}" -match("MESSAGE#375:Symantec:07/0", "nwparser.payload", "Symantec Management Client has been %{p0}"); +var part557 = match("MESSAGE#375:Symantec:07/0", "nwparser.payload", "Symantec Management Client has been %{p0}"); -var part558 = // "Pattern{Constant('started'), Field(p0,false)}" -match("MESSAGE#375:Symantec:07/1_0", "nwparser.p0", "started%{p0}"); +var part558 = match("MESSAGE#375:Symantec:07/1_0", "nwparser.p0", "started%{p0}"); -var part559 = // "Pattern{Constant('activated'), Field(p0,false)}" -match("MESSAGE#375:Symantec:07/1_1", "nwparser.p0", "activated%{p0}"); +var part559 = match("MESSAGE#375:Symantec:07/1_1", "nwparser.p0", "activated%{p0}"); var select102 = linear_select([ part558, part559, ]); -var part560 = // "Pattern{Constant(' .'), Field(,false)}" -match("MESSAGE#375:Symantec:07/2_1", "nwparser.p0", " .%{}"); +var part560 = match("MESSAGE#375:Symantec:07/2_1", "nwparser.p0", " .%{}"); var select103 = linear_select([ dup186, @@ -10729,8 +9979,7 @@ var all157 = all_match({ var msg444 = msg("Symantec:07", all157); -var part561 = // "Pattern{Constant('Symantec Management Client has been '), Field(info,false)}" -match("MESSAGE#376:Symantec:08", "nwparser.payload", "Symantec Management Client has been %{info}", processor_chain([ +var part561 = match("MESSAGE#376:Symantec:08", "nwparser.payload", "Symantec Management Client has been %{info}", processor_chain([ dup257, dup12, dup13, @@ -10741,8 +9990,7 @@ match("MESSAGE#376:Symantec:08", "nwparser.payload", "Symantec Management Client var msg445 = msg("Symantec:08", part561); -var part562 = // "Pattern{Constant('Symantec Endpoint Protection Auto-Protect failed to load.'), Field(,false)}" -match("MESSAGE#377:Symantec:09", "nwparser.payload", "Symantec Endpoint Protection Auto-Protect failed to load.%{}", processor_chain([ +var part562 = match("MESSAGE#377:Symantec:09", "nwparser.payload", "Symantec Endpoint Protection Auto-Protect failed to load.%{}", processor_chain([ dup43, dup12, dup13, @@ -10753,8 +10001,7 @@ match("MESSAGE#377:Symantec:09", "nwparser.payload", "Symantec Endpoint Protecti var msg446 = msg("Symantec:09", part562); -var part563 = // "Pattern{Constant('Symantec Endpoint Protection has determined that the virus definitions are missing on this computer. '), Field(p0,false)}" -match("MESSAGE#378:Symantec:10/0", "nwparser.payload", "Symantec Endpoint Protection has determined that the virus definitions are missing on this computer. %{p0}"); +var part563 = match("MESSAGE#378:Symantec:10/0", "nwparser.payload", "Symantec Endpoint Protection has determined that the virus definitions are missing on this computer. %{p0}"); var all158 = all_match({ processors: [ @@ -10774,8 +10021,7 @@ var all158 = all_match({ var msg447 = msg("Symantec:10", all158); -var part564 = // "Pattern{Constant('Symantec AntiVirus services startup was successful'), Field(,false)}" -match("MESSAGE#379:Symantec:12", "nwparser.payload", "Symantec AntiVirus services startup was successful%{}", processor_chain([ +var part564 = match("MESSAGE#379:Symantec:12", "nwparser.payload", "Symantec AntiVirus services startup was successful%{}", processor_chain([ dup53, dup12, dup13, @@ -10786,8 +10032,7 @@ match("MESSAGE#379:Symantec:12", "nwparser.payload", "Symantec AntiVirus service var msg448 = msg("Symantec:12", part564); -var part565 = // "Pattern{Constant('Symantec AntiVirus services shutdown was successful'), Field(,false)}" -match("MESSAGE#380:Symantec:13", "nwparser.payload", "Symantec AntiVirus services shutdown was successful%{}", processor_chain([ +var part565 = match("MESSAGE#380:Symantec:13", "nwparser.payload", "Symantec AntiVirus services shutdown was successful%{}", processor_chain([ dup53, dup12, dup13, @@ -10798,8 +10043,7 @@ match("MESSAGE#380:Symantec:13", "nwparser.payload", "Symantec AntiVirus service var msg449 = msg("Symantec:13", part565); -var part566 = // "Pattern{Constant('Symantec AntiVirus services failed to start. '), Field(space,true), Constant(' ('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#381:Symantec:14", "nwparser.payload", "Symantec AntiVirus services failed to start. %{space->} (%{resultcode})", processor_chain([ +var part566 = match("MESSAGE#381:Symantec:14", "nwparser.payload", "Symantec AntiVirus services failed to start. %{space->} (%{resultcode})", processor_chain([ dup86, dup12, dup13, @@ -10810,8 +10054,7 @@ match("MESSAGE#381:Symantec:14", "nwparser.payload", "Symantec AntiVirus service var msg450 = msg("Symantec:14", part566); -var part567 = // "Pattern{Constant('Symantec Endpoint Protection services failed to start. '), Field(space,true), Constant(' ('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#382:Symantec:19", "nwparser.payload", "Symantec Endpoint Protection services failed to start. %{space->} (%{resultcode})", processor_chain([ +var part567 = match("MESSAGE#382:Symantec:19", "nwparser.payload", "Symantec Endpoint Protection services failed to start. %{space->} (%{resultcode})", processor_chain([ dup86, dup12, dup13, @@ -10822,8 +10065,7 @@ match("MESSAGE#382:Symantec:19", "nwparser.payload", "Symantec Endpoint Protecti var msg451 = msg("Symantec:19", part567); -var part568 = // "Pattern{Constant('Symantec Endpoint Protection Manager server started with trial license.'), Field(,false)}" -match("MESSAGE#383:Symantec:21", "nwparser.payload", "Symantec Endpoint Protection Manager server started with trial license.%{}", processor_chain([ +var part568 = match("MESSAGE#383:Symantec:21", "nwparser.payload", "Symantec Endpoint Protection Manager server started with trial license.%{}", processor_chain([ dup43, dup15, setc("event_description","Symantec Endpoint Protection Manager server started with trial license."), @@ -10831,8 +10073,7 @@ match("MESSAGE#383:Symantec:21", "nwparser.payload", "Symantec Endpoint Protecti var msg452 = msg("Symantec:21", part568); -var part569 = // "Pattern{Constant('Symantec trial license has expired.'), Field(,false)}" -match("MESSAGE#384:Symantec:22", "nwparser.payload", "Symantec trial license has expired.%{}", processor_chain([ +var part569 = match("MESSAGE#384:Symantec:22", "nwparser.payload", "Symantec trial license has expired.%{}", processor_chain([ dup259, dup15, setc("event_description","Symantec trial license has expired."), @@ -10840,8 +10081,7 @@ match("MESSAGE#384:Symantec:22", "nwparser.payload", "Symantec trial license has var msg453 = msg("Symantec:22", part569); -var part570 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec Endpoint Protection,"Reputation check timed out during unproven file evaluation, likely due to network delays."')}" -match("MESSAGE#385:Symantec:23", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,\"Reputation check timed out during unproven file evaluation, likely due to network delays.\"", processor_chain([ +var part570 = match("MESSAGE#385:Symantec:23", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,\"Reputation check timed out during unproven file evaluation, likely due to network delays.\"", processor_chain([ dup259, dup12, dup13, @@ -10851,8 +10091,7 @@ match("MESSAGE#385:Symantec:23", "nwparser.payload", "Category: %{fld22},Symante var msg454 = msg("Symantec:23", part570); -var part571 = // "Pattern{Constant('Symantec Endpoint Protection Lotus Notes E-mail Auto-Protect Disabled'), Field(,false)}" -match("MESSAGE#386:Symantec:24", "nwparser.payload", "Symantec Endpoint Protection Lotus Notes E-mail Auto-Protect Disabled%{}", processor_chain([ +var part571 = match("MESSAGE#386:Symantec:24", "nwparser.payload", "Symantec Endpoint Protection Lotus Notes E-mail Auto-Protect Disabled%{}", processor_chain([ dup43, dup12, dup13, @@ -10862,8 +10101,7 @@ match("MESSAGE#386:Symantec:24", "nwparser.payload", "Symantec Endpoint Protecti var msg455 = msg("Symantec:24", part571); -var part572 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec AntiVirus,[Antivirus advanced heuristic detection submission] Submitting file to Symantec failed. File : ''), Field(filename,false), Constant(''.')}" -match("MESSAGE#387:Symantec:25", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,[Antivirus advanced heuristic detection submission] Submitting file to Symantec failed. File : '%{filename}'.", processor_chain([ +var part572 = match("MESSAGE#387:Symantec:25", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,[Antivirus advanced heuristic detection submission] Submitting file to Symantec failed. File : '%{filename}'.", processor_chain([ dup43, dup12, dup13, @@ -10878,11 +10116,9 @@ var select104 = linear_select([ dup262, ]); -var part573 = // "Pattern{Field(,false), Constant('advanced heuristic detection submission] Submitting information to Symantec about file failed. File : ''), Field(filename,false), Constant(''.'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/2", "nwparser.p0", "%{}advanced heuristic detection submission] Submitting information to Symantec about file failed. File : '%{filename}'.%{p0}"); +var part573 = match("MESSAGE#388:Symantec:26/2", "nwparser.p0", "%{}advanced heuristic detection submission] Submitting information to Symantec about file failed. File : '%{filename}'.%{p0}"); -var part574 = // "Pattern{Constant(' Network error : ''), Field(fld56,false), Constant(''.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#388:Symantec:26/3_0", "nwparser.p0", " Network error : '%{fld56}'.,Event time: %{fld17->} %{fld18}"); +var part574 = match("MESSAGE#388:Symantec:26/3_0", "nwparser.p0", " Network error : '%{fld56}'.,Event time: %{fld17->} %{fld18}"); var select105 = linear_select([ part574, @@ -10909,8 +10145,7 @@ var all159 = all_match({ var msg457 = msg("Symantec:26", all159); -var part575 = // "Pattern{Field(,false), Constant('submission] Information submitted to Symantec about file. File : ''), Field(filename,false), Constant('','), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/4", "nwparser.p0", "%{}submission] Information submitted to Symantec about file. File : '%{filename}',%{p0}"); +var part575 = match("MESSAGE#389:Symantec:39/4", "nwparser.p0", "%{}submission] Information submitted to Symantec about file. File : '%{filename}',%{p0}"); var all160 = all_match({ processors: [ @@ -10933,8 +10168,7 @@ var all160 = all_match({ var msg458 = msg("Symantec:39", all160); -var part576 = // "Pattern{Field(,false), Constant('submission] File submitted to Symantec for analysis. File : ''), Field(filename,false), Constant('','), Field(p0,false)}" -match("MESSAGE#390:Symantec:40/4", "nwparser.p0", "%{}submission] File submitted to Symantec for analysis. File : '%{filename}',%{p0}"); +var part576 = match("MESSAGE#390:Symantec:40/4", "nwparser.p0", "%{}submission] File submitted to Symantec for analysis. File : '%{filename}',%{p0}"); var all161 = all_match({ processors: [ @@ -10957,8 +10191,7 @@ var all161 = all_match({ var msg459 = msg("Symantec:40", all161); -var part577 = // "Pattern{Constant('Symantec Endpoint Protection Manager server started with paid license.'), Field(,false)}" -match("MESSAGE#391:Symantec:27", "nwparser.payload", "Symantec Endpoint Protection Manager server started with paid license.%{}", processor_chain([ +var part577 = match("MESSAGE#391:Symantec:27", "nwparser.payload", "Symantec Endpoint Protection Manager server started with paid license.%{}", processor_chain([ dup43, dup12, dup13, @@ -10968,8 +10201,7 @@ match("MESSAGE#391:Symantec:27", "nwparser.payload", "Symantec Endpoint Protecti var msg460 = msg("Symantec:27", part577); -var part578 = // "Pattern{Constant('Uninstalling Symantec Management Client....'), Field(,false)}" -match("MESSAGE#392:Symantec:28", "nwparser.payload", "Uninstalling Symantec Management Client....%{}", processor_chain([ +var part578 = match("MESSAGE#392:Symantec:28", "nwparser.payload", "Uninstalling Symantec Management Client....%{}", processor_chain([ dup43, dup12, dup13, @@ -10979,8 +10211,7 @@ match("MESSAGE#392:Symantec:28", "nwparser.payload", "Uninstalling Symantec Mana var msg461 = msg("Symantec:28", part578); -var part579 = // "Pattern{Constant('Category: 2,Symantec Endpoint Protection,SONAR has generated an error: code '), Field(resultcode,false), Constant(': description: '), Field(result,false)}" -match("MESSAGE#393:Symantec:29", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has generated an error: code %{resultcode}: description: %{result}", processor_chain([ +var part579 = match("MESSAGE#393:Symantec:29", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has generated an error: code %{resultcode}: description: %{result}", processor_chain([ dup43, dup12, dup13, @@ -10991,8 +10222,7 @@ match("MESSAGE#393:Symantec:29", "nwparser.payload", "Category: 2,Symantec Endpo var msg462 = msg("Symantec:29", part579); -var part580 = // "Pattern{Constant('Symantec Endpoint Protection cannot connect to Symantec Endpoint Protection Manager. '), Field(result,false), Constant('.')}" -match("MESSAGE#394:Symantec:30", "nwparser.payload", "Symantec Endpoint Protection cannot connect to Symantec Endpoint Protection Manager. %{result}.", processor_chain([ +var part580 = match("MESSAGE#394:Symantec:30", "nwparser.payload", "Symantec Endpoint Protection cannot connect to Symantec Endpoint Protection Manager. %{result}.", processor_chain([ dup43, dup12, dup13, @@ -11004,8 +10234,7 @@ match("MESSAGE#394:Symantec:30", "nwparser.payload", "Symantec Endpoint Protecti var msg463 = msg("Symantec:30", part580); -var part581 = // "Pattern{Constant('The Symantec Endpoint Protection is unable to communicate with the Symantec Endpoint Protection Manager.'), Field(,false)}" -match("MESSAGE#395:Symantec:31", "nwparser.payload", "The Symantec Endpoint Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ +var part581 = match("MESSAGE#395:Symantec:31", "nwparser.payload", "The Symantec Endpoint Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ dup43, dup12, dup13, @@ -11017,8 +10246,7 @@ match("MESSAGE#395:Symantec:31", "nwparser.payload", "The Symantec Endpoint Prot var msg464 = msg("Symantec:31", part581); -var part582 = // "Pattern{Constant('The Symantec Endpoint Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.'), Field(,false)}" -match("MESSAGE#396:Symantec:32", "nwparser.payload", "The Symantec Endpoint Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ +var part582 = match("MESSAGE#396:Symantec:32", "nwparser.payload", "The Symantec Endpoint Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ dup43, dup12, dup13, @@ -11028,8 +10256,7 @@ match("MESSAGE#396:Symantec:32", "nwparser.payload", "The Symantec Endpoint Prot var msg465 = msg("Symantec:32", part582); -var part583 = // "Pattern{Constant('Category: 2,Symantec Endpoint Protection,SymELAM Protection has been enabled'), Field(p0,false)}" -match("MESSAGE#397:Symantec:36/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SymELAM Protection has been enabled%{p0}"); +var part583 = match("MESSAGE#397:Symantec:36/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SymELAM Protection has been enabled%{p0}"); var all162 = all_match({ processors: [ @@ -11048,8 +10275,7 @@ var all162 = all_match({ var msg466 = msg("Symantec:36", all162); -var part584 = // "Pattern{Constant('Category: 2,Symantec Endpoint Protection,SONAR has been enabled'), Field(p0,false)}" -match("MESSAGE#398:Symantec:37/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has been enabled%{p0}"); +var part584 = match("MESSAGE#398:Symantec:37/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has been enabled%{p0}"); var all163 = all_match({ processors: [ @@ -11068,8 +10294,7 @@ var all163 = all_match({ var msg467 = msg("Symantec:37", all163); -var part585 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec Endpoint Protection,SONAR has been disabled')}" -match("MESSAGE#401:Symantec:41", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,SONAR has been disabled", processor_chain([ +var part585 = match("MESSAGE#401:Symantec:41", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,SONAR has been disabled", processor_chain([ dup43, dup56, dup12, @@ -11080,8 +10305,7 @@ match("MESSAGE#401:Symantec:41", "nwparser.payload", "Category: %{fld22},Symante var msg468 = msg("Symantec:41", part585); -var part586 = // "Pattern{Constant('Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#403:Symantec:44", "nwparser.payload", "Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled,Event time: %{event_time_string}", processor_chain([ +var part586 = match("MESSAGE#403:Symantec:44", "nwparser.payload", "Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled,Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -11091,8 +10315,7 @@ match("MESSAGE#403:Symantec:44", "nwparser.payload", "Symantec Endpoint Protecti var msg469 = msg("Symantec:44", part586); -var part587 = // "Pattern{Constant('Symantec Network Access Control is overdeployed'), Field(,false)}" -match("MESSAGE#511:Server:02", "nwparser.payload", "Symantec Network Access Control is overdeployed%{}", processor_chain([ +var part587 = match("MESSAGE#511:Server:02", "nwparser.payload", "Symantec Network Access Control is overdeployed%{}", processor_chain([ dup86, dup12, dup222, @@ -11102,8 +10325,7 @@ match("MESSAGE#511:Server:02", "nwparser.payload", "Symantec Network Access Cont var msg470 = msg("Server:02", part587); -var part588 = // "Pattern{Constant('Symantec Endpoint Protection is overdeployed'), Field(,false)}" -match("MESSAGE#513:Server:04", "nwparser.payload", "Symantec Endpoint Protection is overdeployed%{}", processor_chain([ +var part588 = match("MESSAGE#513:Server:04", "nwparser.payload", "Symantec Endpoint Protection is overdeployed%{}", processor_chain([ dup86, dup12, dup222, @@ -11114,8 +10336,7 @@ match("MESSAGE#513:Server:04", "nwparser.payload", "Symantec Endpoint Protection var msg471 = msg("Server:04", part588); -var part589 = // "Pattern{Constant('Symantec Endpoint Protection Manager could not update '), Field(application,false), Constant('.')}" -match("MESSAGE#688:Symantec:34", "nwparser.payload", "Symantec Endpoint Protection Manager could not update %{application}.", processor_chain([ +var part589 = match("MESSAGE#688:Symantec:34", "nwparser.payload", "Symantec Endpoint Protection Manager could not update %{application}.", processor_chain([ dup43, dup14, dup15, @@ -11124,20 +10345,15 @@ match("MESSAGE#688:Symantec:34", "nwparser.payload", "Symantec Endpoint Protecti var msg472 = msg("Symantec:34", part589); -var part590 = // "Pattern{Field(event_description,false), Constant('. File : '), Field(filename,false), Constant(', Size (bytes): '), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#689:Symantec:35/0_0", "nwparser.payload", "%{event_description}. File : %{filename}, Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var part590 = match("MESSAGE#689:Symantec:35/0_0", "nwparser.payload", "%{event_description}. File : %{filename}, Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var part591 = // "Pattern{Field(event_description,false), Constant('. File : '), Field(filename,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#689:Symantec:35/0_1", "nwparser.payload", "%{event_description}. File : %{filename},Event time:%{fld17->} %{fld18}"); +var part591 = match("MESSAGE#689:Symantec:35/0_1", "nwparser.payload", "%{event_description}. File : %{filename},Event time:%{fld17->} %{fld18}"); -var part592 = // "Pattern{Field(event_description,false), Constant('.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#689:Symantec:35/0_2", "nwparser.payload", "%{event_description}.,Event time:%{fld17->} %{fld18}"); +var part592 = match("MESSAGE#689:Symantec:35/0_2", "nwparser.payload", "%{event_description}.,Event time:%{fld17->} %{fld18}"); -var part593 = // "Pattern{Field(event_description,false), Constant('Operating System: '), Field(os,false), Constant('Network info:'), Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#689:Symantec:35/0_3", "nwparser.payload", "%{event_description}Operating System: %{os}Network info:%{info},Event time:%{fld17->} %{fld18}"); +var part593 = match("MESSAGE#689:Symantec:35/0_3", "nwparser.payload", "%{event_description}Operating System: %{os}Network info:%{info},Event time:%{fld17->} %{fld18}"); -var part594 = // "Pattern{Field(event_description,false), Constant('.')}" -match("MESSAGE#689:Symantec:35/0_4", "nwparser.payload", "%{event_description}."); +var part594 = match("MESSAGE#689:Symantec:35/0_4", "nwparser.payload", "%{event_description}."); var select106 = linear_select([ part590, @@ -11163,8 +10379,7 @@ var all164 = all_match({ var msg473 = msg("Symantec:35", all164); -var part595 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec Endpoint Protection,'), Field(event_description,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#690:Symantec:45", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,%{event_description},Event time:%{fld17->} %{fld18}", processor_chain([ +var part595 = match("MESSAGE#690:Symantec:45", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,%{event_description},Event time:%{fld17->} %{fld18}", processor_chain([ dup43, dup12, dup13, @@ -11174,8 +10389,7 @@ match("MESSAGE#690:Symantec:45", "nwparser.payload", "Category: %{fld22},Symante var msg474 = msg("Symantec:45", part595); -var part596 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#691:Server:05", "nwparser.payload", "event_description", processor_chain([ +var part596 = match_copy("MESSAGE#691:Server:05", "nwparser.payload", "event_description", processor_chain([ dup53, dup12, dup222, @@ -11234,8 +10448,7 @@ var select107 = linear_select([ msg475, ]); -var part597 = // "Pattern{Constant('Suspicious Behavior Detection has been '), Field(fld2,false), Constant(',Event time: '), Field(event_time_string,false)}" -match("MESSAGE#402:Symantec:43", "nwparser.payload", "Suspicious Behavior Detection has been %{fld2},Event time: %{event_time_string}", processor_chain([ +var part597 = match("MESSAGE#402:Symantec:43", "nwparser.payload", "Suspicious Behavior Detection has been %{fld2},Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -11253,8 +10466,7 @@ match("MESSAGE#402:Symantec:43", "nwparser.payload", "Suspicious Behavior Detect var msg476 = msg("Symantec:43", part597); -var part598 = // "Pattern{Constant('System has been restarted '), Field(info,false), Constant('.')}" -match("MESSAGE#404:System", "nwparser.payload", "System has been restarted %{info}.", processor_chain([ +var part598 = match("MESSAGE#404:System", "nwparser.payload", "System has been restarted %{info}.", processor_chain([ dup53, dup12, dup13, @@ -11265,8 +10477,7 @@ match("MESSAGE#404:System", "nwparser.payload", "System has been restarted %{inf var msg477 = msg("System", part598); -var part599 = // "Pattern{Constant('System client-server activity logs have been swept.'), Field(,false)}" -match("MESSAGE#405:System:01", "nwparser.payload", "System client-server activity logs have been swept.%{}", processor_chain([ +var part599 = match("MESSAGE#405:System:01", "nwparser.payload", "System client-server activity logs have been swept.%{}", processor_chain([ dup53, dup12, dup13, @@ -11277,8 +10488,7 @@ match("MESSAGE#405:System:01", "nwparser.payload", "System client-server activit var msg478 = msg("System:01", part599); -var part600 = // "Pattern{Constant('System server activity logs have been swept.'), Field(,false)}" -match("MESSAGE#406:System:02", "nwparser.payload", "System server activity logs have been swept.%{}", processor_chain([ +var part600 = match("MESSAGE#406:System:02", "nwparser.payload", "System server activity logs have been swept.%{}", processor_chain([ dup53, dup12, dup13, @@ -11289,8 +10499,7 @@ match("MESSAGE#406:System:02", "nwparser.payload", "System server activity logs var msg479 = msg("System:02", part600); -var part601 = // "Pattern{Constant('System administrative logs have been swept.'), Field(,false)}" -match("MESSAGE#407:System:03", "nwparser.payload", "System administrative logs have been swept.%{}", processor_chain([ +var part601 = match("MESSAGE#407:System:03", "nwparser.payload", "System administrative logs have been swept.%{}", processor_chain([ dup53, dup12, dup13, @@ -11301,8 +10510,7 @@ match("MESSAGE#407:System:03", "nwparser.payload", "System administrative logs h var msg480 = msg("System:03", part601); -var part602 = // "Pattern{Constant('System enforcer activity logs have been swept.'), Field(,false)}" -match("MESSAGE#408:System:04", "nwparser.payload", "System enforcer activity logs have been swept.%{}", processor_chain([ +var part602 = match("MESSAGE#408:System:04", "nwparser.payload", "System enforcer activity logs have been swept.%{}", processor_chain([ dup53, dup14, dup15, @@ -11311,8 +10519,7 @@ match("MESSAGE#408:System:04", "nwparser.payload", "System enforcer activity log var msg481 = msg("System:04", part602); -var part603 = // "Pattern{Constant('System administrator "'), Field(username,false), Constant('" was added')}" -match("MESSAGE#409:System:05", "nwparser.payload", "System administrator \"%{username}\" was added", processor_chain([ +var part603 = match("MESSAGE#409:System:05", "nwparser.payload", "System administrator \"%{username}\" was added", processor_chain([ dup53, dup12, dup13, @@ -11331,16 +10538,14 @@ var select108 = linear_select([ msg482, ]); -var part604 = // "Pattern{Constant('- Caller MD5='), Field(fld6,false), Constant(','), Field(p0,false)}" -match("MESSAGE#410:Terminated/0_0", "nwparser.payload", "- Caller MD5=%{fld6},%{p0}"); +var part604 = match("MESSAGE#410:Terminated/0_0", "nwparser.payload", "- Caller MD5=%{fld6},%{p0}"); var select109 = linear_select([ part604, dup269, ]); -var part605 = // "Pattern{Field(action,false), Constant(',Begin:'), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End:'), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule:'), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User:'), Field(username,false), Constant(',Domain:'), Field(domain,false), Constant(',Action Type:'), Field(fld45,false), Constant(',File size (bytes):'), Field(filename_size,false), Constant(',Device ID:'), Field(device,false)}" -match("MESSAGE#410:Terminated/1", "nwparser.p0", "%{action},Begin:%{fld50->} %{fld52},End:%{fld51->} %{fld53},Rule:%{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User:%{username},Domain:%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); +var part605 = match("MESSAGE#410:Terminated/1", "nwparser.p0", "%{action},Begin:%{fld50->} %{fld52},End:%{fld51->} %{fld53},Rule:%{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User:%{username},Domain:%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); var all165 = all_match({ processors: [ @@ -11363,20 +10568,15 @@ var all165 = all_match({ var msg483 = msg("Terminated", all165); -var part606 = // "Pattern{Constant('Compliance '), Field(p0,false)}" -match("MESSAGE#411:Compliance/0", "nwparser.payload", "Compliance %{p0}"); +var part606 = match("MESSAGE#411:Compliance/0", "nwparser.payload", "Compliance %{p0}"); -var part607 = // "Pattern{Constant('server '), Field(p0,false)}" -match("MESSAGE#411:Compliance/1_0", "nwparser.p0", "server %{p0}"); +var part607 = match("MESSAGE#411:Compliance/1_0", "nwparser.p0", "server %{p0}"); -var part608 = // "Pattern{Constant('client '), Field(p0,false)}" -match("MESSAGE#411:Compliance/1_1", "nwparser.p0", "client %{p0}"); +var part608 = match("MESSAGE#411:Compliance/1_1", "nwparser.p0", "client %{p0}"); -var part609 = // "Pattern{Constant('traffic '), Field(p0,false)}" -match("MESSAGE#411:Compliance/1_2", "nwparser.p0", "traffic %{p0}"); +var part609 = match("MESSAGE#411:Compliance/1_2", "nwparser.p0", "traffic %{p0}"); -var part610 = // "Pattern{Constant('criteria '), Field(p0,false)}" -match("MESSAGE#411:Compliance/1_3", "nwparser.p0", "criteria %{p0}"); +var part610 = match("MESSAGE#411:Compliance/1_3", "nwparser.p0", "criteria %{p0}"); var select110 = linear_select([ part607, @@ -11385,8 +10585,7 @@ var select110 = linear_select([ part610, ]); -var part611 = // "Pattern{Constant('logs have been swept.'), Field(,false)}" -match("MESSAGE#411:Compliance/2", "nwparser.p0", "logs have been swept.%{}"); +var part611 = match("MESSAGE#411:Compliance/2", "nwparser.p0", "logs have been swept.%{}"); var all166 = all_match({ processors: [ @@ -11404,8 +10603,7 @@ var all166 = all_match({ var msg484 = msg("Compliance", all166); -var part612 = // "Pattern{Constant('Download started.'), Field(,false)}" -match("MESSAGE#412:Download", "nwparser.payload", "Download started.%{}", processor_chain([ +var part612 = match("MESSAGE#412:Download", "nwparser.payload", "Download started.%{}", processor_chain([ dup43, dup14, dup15, @@ -11414,8 +10612,7 @@ match("MESSAGE#412:Download", "nwparser.payload", "Download started.%{}", proces var msg485 = msg("Download", part612); -var part613 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld14,true), Constant(' to '), Field(fld15,false), Constant('.,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Inbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld10,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#413:Traffic", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ +var part613 = match("MESSAGE#413:Traffic", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11430,8 +10627,7 @@ match("MESSAGE#413:Traffic", "nwparser.payload", "Traffic from IP address %{host var msg486 = msg("Traffic", part613); -var part614 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld14,true), Constant(' to '), Field(fld15,false), Constant('.,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Outbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld10,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#414:Traffic:11", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ +var part614 = match("MESSAGE#414:Traffic:11", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11446,8 +10642,7 @@ match("MESSAGE#414:Traffic:11", "nwparser.payload", "Traffic from IP address %{h var msg487 = msg("Traffic:11", part614); -var part615 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld1,true), Constant(' to '), Field(fld2,false), Constant('. ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',1,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#415:Traffic:01", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},1,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ +var part615 = match("MESSAGE#415:Traffic:01", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},1,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11461,8 +10656,7 @@ match("MESSAGE#415:Traffic:01", "nwparser.payload", "Traffic from IP address %{h var msg488 = msg("Traffic:01", part615); -var part616 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld1,true), Constant(' to '), Field(fld2,false), Constant('. ,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Inbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#416:Traffic:02/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{daddr},Local: %{fld3},Remote: %{fld4},Remote: %{saddr},Remote: %{fld5},Inbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part616 = match("MESSAGE#416:Traffic:02/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{daddr},Local: %{fld3},Remote: %{fld4},Remote: %{saddr},Remote: %{fld5},Inbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); var all167 = all_match({ processors: [ @@ -11486,8 +10680,7 @@ var all167 = all_match({ var msg489 = msg("Traffic:02", all167); -var part617 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld1,true), Constant(' to '), Field(fld2,false), Constant('. ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Outbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#417:Traffic:12/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Outbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part617 = match("MESSAGE#417:Traffic:12/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Outbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); var all168 = all_match({ processors: [ @@ -11511,8 +10704,7 @@ var all168 = all_match({ var msg490 = msg("Traffic:12", all168); -var part618 = // "Pattern{Field(fld1,true), Constant(' Traffic Redirection disabled.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#717:Traffic:13", "nwparser.payload", "%{fld1->} Traffic Redirection disabled.,Event time: %{fld17->} %{fld18}", processor_chain([ +var part618 = match("MESSAGE#717:Traffic:13", "nwparser.payload", "%{fld1->} Traffic Redirection disabled.,Event time: %{fld17->} %{fld18}", processor_chain([ dup86, dup12, dup13, @@ -11523,8 +10715,7 @@ match("MESSAGE#717:Traffic:13", "nwparser.payload", "%{fld1->} Traffic Redirecti var msg491 = msg("Traffic:13", part618); -var part619 = // "Pattern{Field(fld1,true), Constant(' Traffic Redirection is malfunctioning.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#718:Traffic:14", "nwparser.payload", "%{fld1->} Traffic Redirection is malfunctioning.,Event time: %{fld17->} %{fld18}", processor_chain([ +var part619 = match("MESSAGE#718:Traffic:14", "nwparser.payload", "%{fld1->} Traffic Redirection is malfunctioning.,Event time: %{fld17->} %{fld18}", processor_chain([ dup86, dup12, dup13, @@ -11545,8 +10736,7 @@ var select111 = linear_select([ msg492, ]); -var part620 = // "Pattern{Constant('TruScan has generated an error: code '), Field(resultcode,false), Constant(': description: '), Field(info,false)}" -match("MESSAGE#418:TruScan", "nwparser.payload", "TruScan has generated an error: code %{resultcode}: description: %{info}", processor_chain([ +var part620 = match("MESSAGE#418:TruScan", "nwparser.payload", "TruScan has generated an error: code %{resultcode}: description: %{info}", processor_chain([ dup168, dup12, dup13, @@ -11557,11 +10747,9 @@ match("MESSAGE#418:TruScan", "nwparser.payload", "TruScan has generated an error var msg493 = msg("TruScan", part620); -var part621 = // "Pattern{Constant('Forced TruScan proactive threat detected,Computer name: '), Field(p0,false)}" -match("MESSAGE#419:TruScan:01/0", "nwparser.payload", "Forced TruScan proactive threat detected,Computer name: %{p0}"); +var part621 = match("MESSAGE#419:TruScan:01/0", "nwparser.payload", "Forced TruScan proactive threat detected,Computer name: %{p0}"); -var part622 = // "Pattern{Field(fld1,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version: '), Field(version,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld13,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score: '), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(',"'), Field(fld12,false), Constant('",Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld15,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#419:TruScan:01/2", "nwparser.p0", "%{fld1},Application name: %{application},Application type: %{obj_type},Application version: %{version},Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld13},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score: %{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},\"%{fld12}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld15},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part622 = match("MESSAGE#419:TruScan:01/2", "nwparser.p0", "%{fld1},Application name: %{application},Application type: %{obj_type},Application version: %{version},Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld13},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score: %{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},\"%{fld12}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld15},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all169 = all_match({ processors: [ @@ -11591,14 +10779,11 @@ var all169 = all_match({ var msg494 = msg("TruScan:01", all169); -var part623 = // "Pattern{Constant('TruScan '), Field(info,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#420:TruScan:update/0", "nwparser.payload", "TruScan %{info->} %{p0}"); +var part623 = match("MESSAGE#420:TruScan:update/0", "nwparser.payload", "TruScan %{info->} %{p0}"); -var part624 = // "Pattern{Constant('was successfully updated'), Field(,false)}" -match("MESSAGE#420:TruScan:update/1_0", "nwparser.p0", "was successfully updated%{}"); +var part624 = match("MESSAGE#420:TruScan:update/1_0", "nwparser.p0", "was successfully updated%{}"); -var part625 = // "Pattern{Constant('is up-to-date'), Field(,false)}" -match("MESSAGE#420:TruScan:update/1_1", "nwparser.p0", "is up-to-date%{}"); +var part625 = match("MESSAGE#420:TruScan:update/1_1", "nwparser.p0", "is up-to-date%{}"); var select112 = linear_select([ part624, @@ -11622,8 +10807,7 @@ var all170 = all_match({ var msg495 = msg("TruScan:update", all170); -var part626 = // "Pattern{Constant('TruScan '), Field(info,true), Constant(' failed to update.')}" -match("MESSAGE#421:TruScan:updatefailed", "nwparser.payload", "TruScan %{info->} failed to update.", processor_chain([ +var part626 = match("MESSAGE#421:TruScan:updatefailed", "nwparser.payload", "TruScan %{info->} failed to update.", processor_chain([ dup168, dup12, dup13, @@ -11641,8 +10825,7 @@ var select113 = linear_select([ msg496, ]); -var part627 = // "Pattern{Constant('Unexpected server error. ErrorCode: '), Field(resultcode,false)}" -match("MESSAGE#422:Unexpected", "nwparser.payload", "Unexpected server error. ErrorCode: %{resultcode}", processor_chain([ +var part627 = match("MESSAGE#422:Unexpected", "nwparser.payload", "Unexpected server error. ErrorCode: %{resultcode}", processor_chain([ dup43, dup12, dup13, @@ -11653,8 +10836,7 @@ match("MESSAGE#422:Unexpected", "nwparser.payload", "Unexpected server error. Er var msg497 = msg("Unexpected", part627); -var part628 = // "Pattern{Constant('Unexpected server error.'), Field(,false)}" -match("MESSAGE#423:Unexpected:01", "nwparser.payload", "Unexpected server error.%{}", processor_chain([ +var part628 = match("MESSAGE#423:Unexpected:01", "nwparser.payload", "Unexpected server error.%{}", processor_chain([ dup43, dup12, dup13, @@ -11670,8 +10852,7 @@ var select114 = linear_select([ msg498, ]); -var part629 = // "Pattern{Constant('Unsolicited incoming ARP reply detected,'), Field(info,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Inbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld20,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#424:Unsolicited", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ +var part629 = match("MESSAGE#424:Unsolicited", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11686,8 +10867,7 @@ match("MESSAGE#424:Unsolicited", "nwparser.payload", "Unsolicited incoming ARP r var msg499 = msg("Unsolicited", part629); -var part630 = // "Pattern{Constant('Unsolicited incoming ARP reply detected,'), Field(info,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Outbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld20,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#425:Unsolicited:01", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ +var part630 = match("MESSAGE#425:Unsolicited:01", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11707,11 +10887,9 @@ var select115 = linear_select([ msg500, ]); -var part631 = // "Pattern{Constant('User is attempting to terminate Symantec Management Client'), Field(p0,false)}" -match("MESSAGE#426:User/0", "nwparser.payload", "User is attempting to terminate Symantec Management Client%{p0}"); +var part631 = match("MESSAGE#426:User/0", "nwparser.payload", "User is attempting to terminate Symantec Management Client%{p0}"); -var part632 = // "Pattern{Constant('....,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#426:User/1_0", "nwparser.p0", "....,Event time:%{fld17->} %{fld18}"); +var part632 = match("MESSAGE#426:User/1_0", "nwparser.p0", "....,Event time:%{fld17->} %{fld18}"); var select116 = linear_select([ part632, @@ -11736,8 +10914,7 @@ var all171 = all_match({ var msg501 = msg("User", all171); -var part633 = // "Pattern{Field(fld44,false), Constant(',User - Kernel Hook Error,'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#427:User:01", "nwparser.payload", "%{fld44},User - Kernel Hook Error,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ +var part633 = match("MESSAGE#427:User:01", "nwparser.payload", "%{fld44},User - Kernel Hook Error,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ dup171, dup12, dup13, @@ -11753,8 +10930,7 @@ match("MESSAGE#427:User:01", "nwparser.payload", "%{fld44},User - Kernel Hook Er var msg502 = msg("User:01", part633); -var part634 = // "Pattern{Constant('User has been created'), Field(,false)}" -match("MESSAGE#428:User:created", "nwparser.payload", "User has been created%{}", processor_chain([ +var part634 = match("MESSAGE#428:User:created", "nwparser.payload", "User has been created%{}", processor_chain([ dup170, dup12, dup13, @@ -11770,8 +10946,7 @@ match("MESSAGE#428:User:created", "nwparser.payload", "User has been created%{}" var msg503 = msg("User:created", part634); -var part635 = // "Pattern{Constant('User has been deleted'), Field(,false)}" -match("MESSAGE#429:User:deleted", "nwparser.payload", "User has been deleted%{}", processor_chain([ +var part635 = match("MESSAGE#429:User:deleted", "nwparser.payload", "User has been deleted%{}", processor_chain([ dup171, dup12, dup13, @@ -11794,11 +10969,9 @@ var select117 = linear_select([ msg504, ]); -var part636 = // "Pattern{Constant('Windows Version info: Operating System: '), Field(os,true), Constant(' Network info:'), Field(p0,false)}" -match("MESSAGE#446:Windows/0", "nwparser.payload", "Windows Version info: Operating System: %{os->} Network info:%{p0}"); +var part636 = match("MESSAGE#446:Windows/0", "nwparser.payload", "Windows Version info: Operating System: %{os->} Network info:%{p0}"); -var part637 = // "Pattern{Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#446:Windows/1_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); +var part637 = match("MESSAGE#446:Windows/1_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); var select118 = linear_select([ part637, @@ -11823,8 +10996,7 @@ var all172 = all_match({ var msg505 = msg("Windows", all172); -var part638 = // "Pattern{Constant('Windows Host Integrity Content '), Field(version,true), Constant(' was successfully updated.')}" -match("MESSAGE#447:Windows:01", "nwparser.payload", "Windows Host Integrity Content %{version->} was successfully updated.", processor_chain([ +var part638 = match("MESSAGE#447:Windows:01", "nwparser.payload", "Windows Host Integrity Content %{version->} was successfully updated.", processor_chain([ dup92, dup12, dup13, @@ -11840,8 +11012,7 @@ var select119 = linear_select([ msg506, ]); -var part639 = // "Pattern{Constant('"=======EXCEPTION:'), Field(event_description,false), Constant('"')}" -match("MESSAGE#448:\"=======EXCEPTION:", "nwparser.payload", "\"=======EXCEPTION:%{event_description}\"", processor_chain([ +var part639 = match("MESSAGE#448:\"=======EXCEPTION:", "nwparser.payload", "\"=======EXCEPTION:%{event_description}\"", processor_chain([ dup168, dup12, dup13, @@ -11851,8 +11022,7 @@ match("MESSAGE#448:\"=======EXCEPTION:", "nwparser.payload", "\"=======EXCEPTION var msg507 = msg("\"=======EXCEPTION:", part639); -var part640 = // "Pattern{Constant('Sysfer exception: '), Field(info,false), Constant(',Sysfer exception,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(','), Field(event_description,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#449:Allowed:08", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part640 = match("MESSAGE#449:Allowed:08", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -11865,8 +11035,7 @@ match("MESSAGE#449:Allowed:08", "nwparser.payload", "Sysfer exception: %{info},S var msg508 = msg("Allowed:08", part640); -var part641 = // "Pattern{Constant('Sysfer exception: '), Field(info,false), Constant(',Sysfer exception,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(','), Field(event_description,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#450:Allowed", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain}", processor_chain([ +var part641 = match("MESSAGE#450:Allowed", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -11879,8 +11048,7 @@ match("MESSAGE#450:Allowed", "nwparser.payload", "Sysfer exception: %{info},Sysf var msg509 = msg("Allowed", part641); -var part642 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" -match("MESSAGE#451:Allowed:05", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ +var part642 = match("MESSAGE#451:Allowed:05", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ dup121, dup12, dup13, @@ -11893,8 +11061,7 @@ match("MESSAGE#451:Allowed:05", "nwparser.payload", "\"%{filename}\",%{fld1},Beg var msg510 = msg("Allowed:05", part642); -var part643 = // "Pattern{Constant('"'), Field(filename,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" -match("MESSAGE#452:Allowed:06", "nwparser.payload", "\"%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ +var part643 = match("MESSAGE#452:Allowed:06", "nwparser.payload", "\"%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ dup121, dup12, dup13, @@ -11907,8 +11074,7 @@ match("MESSAGE#452:Allowed:06", "nwparser.payload", "\"%{filename},%{fld1},Begin var msg511 = msg("Allowed:06", part643); -var part644 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#453:Allowed:01", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain}", processor_chain([ +var part644 = match("MESSAGE#453:Allowed:01", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -11921,11 +11087,9 @@ match("MESSAGE#453:Allowed:01", "nwparser.payload", "\"%{filename}\",%{fld1},Beg var msg512 = msg("Allowed:01", part644); -var part645 = // "Pattern{Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(directory,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(p0,false)}" -match("MESSAGE#454:Allowed:02/0", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{p0}"); +var part645 = match("MESSAGE#454:Allowed:02/0", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{p0}"); -var part646 = // "Pattern{Field(domain,false), Constant(',Action Type:'), Field(fld45,false), Constant(',File size (bytes):'), Field(filename_size,false), Constant(',Device ID:'), Field(device,false)}" -match("MESSAGE#454:Allowed:02/1_0", "nwparser.p0", "%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); +var part646 = match("MESSAGE#454:Allowed:02/1_0", "nwparser.p0", "%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); var select120 = linear_select([ part646, @@ -11954,22 +11118,18 @@ var all173 = all_match({ var msg513 = msg("Allowed:02", all173); -var part647 = // "Pattern{Constant('- Caller MD5='), Field(checksum,false), Constant(',File Write,Begin: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/0_0", "nwparser.payload", "- Caller MD5=%{checksum},File Write,Begin: %{p0}"); +var part647 = match("MESSAGE#455:Allowed:09/0_0", "nwparser.payload", "- Caller MD5=%{checksum},File Write,Begin: %{p0}"); -var part648 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/0_1", "nwparser.payload", "%{fld1},File Write,Begin: %{p0}"); +var part648 = match("MESSAGE#455:Allowed:09/0_1", "nwparser.payload", "%{fld1},File Write,Begin: %{p0}"); var select121 = linear_select([ part647, part648, ]); -var part649 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); +var part649 = match("MESSAGE#455:Allowed:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); -var part650 = // "Pattern{Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#455:Allowed:09/3", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var part650 = match("MESSAGE#455:Allowed:09/3", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); var all174 = all_match({ processors: [ @@ -11994,8 +11154,7 @@ var all174 = all_match({ var msg514 = msg("Allowed:09", all174); -var part651 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(directory,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false)}" -match("MESSAGE#456:Allowed:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ +var part651 = match("MESSAGE#456:Allowed:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ dup121, dup12, dup13, @@ -12011,14 +11170,11 @@ match("MESSAGE#456:Allowed:03", "nwparser.payload", "%{fld1},File Write,Begin: % var msg515 = msg("Allowed:03", part651); -var part652 = // "Pattern{Constant('- Caller MD5='), Field(checksum,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" -match("MESSAGE#457:Allowed:10/0", "nwparser.payload", "- Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); +var part652 = match("MESSAGE#457:Allowed:10/0", "nwparser.payload", "- Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); -var part653 = // "Pattern{Constant('User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(p0,false)}" -match("MESSAGE#457:Allowed:10/2", "nwparser.p0", "User: %{username},Domain: %{domain},Action Type:%{p0}"); +var part653 = match("MESSAGE#457:Allowed:10/2", "nwparser.p0", "User: %{username},Domain: %{domain},Action Type:%{p0}"); -var part654 = // "Pattern{Field(fld46,false)}" -match_copy("MESSAGE#457:Allowed:10/3_1", "nwparser.p0", "fld46"); +var part654 = match_copy("MESSAGE#457:Allowed:10/3_1", "nwparser.p0", "fld46"); var select122 = linear_select([ dup278, @@ -12049,8 +11205,7 @@ var all175 = all_match({ var msg516 = msg("Allowed:10", all175); -var part655 = // "Pattern{Field(fld1,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(directory,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false)}" -match("MESSAGE#458:Allowed:04", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ +var part655 = match("MESSAGE#458:Allowed:04", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ dup121, dup12, dup13, @@ -12067,8 +11222,7 @@ match("MESSAGE#458:Allowed:04", "nwparser.payload", "%{fld1},File Delete,Begin: var msg517 = msg("Allowed:04", part655); -var part656 = // "Pattern{Field(filename,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" -match("MESSAGE#459:Allowed:07", "nwparser.payload", "%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ +var part656 = match("MESSAGE#459:Allowed:07", "nwparser.payload", "%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ dup121, dup12, dup13, @@ -12095,8 +11249,7 @@ var select123 = linear_select([ msg518, ]); -var part657 = // "Pattern{Constant('Audit logs have been swept.'), Field(,false)}" -match("MESSAGE#460:Audit", "nwparser.payload", "Audit logs have been swept.%{}", processor_chain([ +var part657 = match("MESSAGE#460:Audit", "nwparser.payload", "Audit logs have been swept.%{}", processor_chain([ dup43, dup12, dup13, @@ -12107,8 +11260,7 @@ match("MESSAGE#460:Audit", "nwparser.payload", "Audit logs have been swept.%{}", var msg519 = msg("Audit", part657); -var part658 = // "Pattern{Field(fld24,false), Constant(','), Field(fld1,false), Constant(',FATAL: '), Field(event_description,false)}" -match("MESSAGE#465:Category", "nwparser.payload", "%{fld24},%{fld1},FATAL: %{event_description}", processor_chain([ +var part658 = match("MESSAGE#465:Category", "nwparser.payload", "%{fld24},%{fld1},FATAL: %{event_description}", processor_chain([ dup53, dup12, dup13, @@ -12118,11 +11270,9 @@ match("MESSAGE#465:Category", "nwparser.payload", "%{fld24},%{fld1},FATAL: %{eve var msg520 = msg("Category", part658); -var part659 = // "Pattern{Field(fld1,false), Constant(','), Field(fld2,false), Constant(','), Field(event_description,true), Constant(' Remote file path:'), Field(p0,false)}" -match("MESSAGE#466:Category:03/0", "nwparser.payload", "%{fld1},%{fld2},%{event_description->} Remote file path:%{p0}"); +var part659 = match("MESSAGE#466:Category:03/0", "nwparser.payload", "%{fld1},%{fld2},%{event_description->} Remote file path:%{p0}"); -var part660 = // "Pattern{Field(url,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#466:Category:03/1_0", "nwparser.p0", "%{url},Event time:%{fld17->} %{fld18}"); +var part660 = match("MESSAGE#466:Category:03/1_0", "nwparser.p0", "%{url},Event time:%{fld17->} %{fld18}"); var select124 = linear_select([ part660, @@ -12148,14 +11298,11 @@ var all176 = all_match({ var msg521 = msg("Category:03", all176); -var part661 = // "Pattern{Field(fld1,false), Constant(','), Field(fld2,false), Constant(',Downloaded content from GUP '), Field(daddr,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#467:Category:02/0", "nwparser.payload", "%{fld1},%{fld2},Downloaded content from GUP %{daddr}: %{p0}"); +var part661 = match("MESSAGE#467:Category:02/0", "nwparser.payload", "%{fld1},%{fld2},Downloaded content from GUP %{daddr}: %{p0}"); -var part662 = // "Pattern{Field(dport,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#467:Category:02/1_0", "nwparser.p0", "%{dport},Event time:%{fld17->} %{fld18}"); +var part662 = match("MESSAGE#467:Category:02/1_0", "nwparser.p0", "%{dport},Event time:%{fld17->} %{fld18}"); -var part663 = // "Pattern{Field(dport,false)}" -match_copy("MESSAGE#467:Category:02/1_1", "nwparser.p0", "dport"); +var part663 = match_copy("MESSAGE#467:Category:02/1_1", "nwparser.p0", "dport"); var select125 = linear_select([ part662, @@ -12180,29 +11327,21 @@ var all177 = all_match({ var msg522 = msg("Category:02", all177); -var part664 = // "Pattern{Field(fld1,false), Constant(','), Field(fld2,false), Constant(','), Field(p0,false)}" -match("MESSAGE#468:Category:01/0", "nwparser.payload", "%{fld1},%{fld2},%{p0}"); +var part664 = match("MESSAGE#468:Category:01/0", "nwparser.payload", "%{fld1},%{fld2},%{p0}"); -var part665 = // "Pattern{Field(event_description,false), Constant('. File : ''), Field(filename,false), Constant('',",Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#468:Category:01/1_0", "nwparser.p0", "%{event_description}. File : '%{filename}',\",Event time: %{fld17->} %{fld18}"); +var part665 = match("MESSAGE#468:Category:01/1_0", "nwparser.p0", "%{event_description}. File : '%{filename}',\",Event time: %{fld17->} %{fld18}"); -var part666 = // "Pattern{Field(event_description,false), Constant('Size (bytes): '), Field(filename_size,false), Constant('.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#468:Category:01/1_1", "nwparser.p0", "%{event_description}Size (bytes): %{filename_size}.,Event time: %{fld17->} %{fld18}"); +var part666 = match("MESSAGE#468:Category:01/1_1", "nwparser.p0", "%{event_description}Size (bytes): %{filename_size}.,Event time: %{fld17->} %{fld18}"); -var part667 = // "Pattern{Field(event_description,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#468:Category:01/1_2", "nwparser.p0", "%{event_description},Event time: %{fld17->} %{fld18}"); +var part667 = match("MESSAGE#468:Category:01/1_2", "nwparser.p0", "%{event_description},Event time: %{fld17->} %{fld18}"); -var part668 = // "Pattern{Field(event_description,false), Constant('. Size (bytes):'), Field(filename_size,false), Constant('.')}" -match("MESSAGE#468:Category:01/1_3", "nwparser.p0", "%{event_description}. Size (bytes):%{filename_size}."); +var part668 = match("MESSAGE#468:Category:01/1_3", "nwparser.p0", "%{event_description}. Size (bytes):%{filename_size}."); -var part669 = // "Pattern{Field(event_description,false), Constant('. '), Field(space,true), Constant(' File : ''), Field(filename,false), Constant('',"')}" -match("MESSAGE#468:Category:01/1_4", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}',\""); +var part669 = match("MESSAGE#468:Category:01/1_4", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}',\""); -var part670 = // "Pattern{Field(event_description,false), Constant('. '), Field(space,true), Constant(' File : ''), Field(filename,false), Constant(''')}" -match("MESSAGE#468:Category:01/1_5", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}'"); +var part670 = match("MESSAGE#468:Category:01/1_5", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}'"); -var part671 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#468:Category:01/1_6", "nwparser.p0", "event_description"); +var part671 = match_copy("MESSAGE#468:Category:01/1_6", "nwparser.p0", "event_description"); var select126 = linear_select([ part665, @@ -12238,8 +11377,7 @@ var select127 = linear_select([ msg523, ]); -var part672 = // "Pattern{Constant('Default '), Field(info,false), Constant('..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld2,false), Constant('..Failed Alert Name: '), Field(action,false), Constant('..Time: '), Field(fld3,true), Constant(' '), Field(fld1,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#469:Default", "nwparser.payload", "Default %{info}..Computer: %{shost}..Date: %{fld2}..Failed Alert Name: %{action}..Time: %{fld3->} %{fld1}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part672 = match("MESSAGE#469:Default", "nwparser.payload", "Default %{info}..Computer: %{shost}..Date: %{fld2}..Failed Alert Name: %{action}..Time: %{fld3->} %{fld1}..Severity: %{severity}..Source: %{product}", processor_chain([ dup43, date_time({ dest: "event_time", @@ -12254,8 +11392,7 @@ match("MESSAGE#469:Default", "nwparser.payload", "Default %{info}..Computer: %{s var msg524 = msg("Default", part672); -var part673 = // "Pattern{Constant('Default Group blocks new clients. The client cannot register with the Default Group.'), Field(,false)}" -match("MESSAGE#470:Default:01", "nwparser.payload", "Default Group blocks new clients. The client cannot register with the Default Group.%{}", processor_chain([ +var part673 = match("MESSAGE#470:Default:01", "nwparser.payload", "Default Group blocks new clients. The client cannot register with the Default Group.%{}", processor_chain([ dup43, dup12, dup13, @@ -12270,8 +11407,7 @@ var select128 = linear_select([ msg525, ]); -var part674 = // "Pattern{Field(action,false), Constant('. '), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(','), Field(direction,false), Constant(','), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#471:Device:01", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ +var part674 = match("MESSAGE#471:Device:01", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ dup43, dup12, dup13, @@ -12285,14 +11421,11 @@ match("MESSAGE#471:Device:01", "nwparser.payload", "%{action}. %{info},Local: %{ var msg526 = msg("Device:01", part674); -var part675 = // "Pattern{Field(action,false), Constant('. '), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(','), Field(direction,false), Constant(','), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(','), Field(p0,false)}" -match("MESSAGE#472:Device/0", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},%{p0}"); +var part675 = match("MESSAGE#472:Device/0", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},%{p0}"); -var part676 = // "Pattern{Constant('"User:'), Field(username,false), Constant('",Domain:'), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld26,false)}" -match("MESSAGE#472:Device/1_0", "nwparser.p0", "\"User:%{username}\",Domain:%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld26}"); +var part676 = match("MESSAGE#472:Device/1_0", "nwparser.p0", "\"User:%{username}\",Domain:%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld26}"); -var part677 = // "Pattern{Constant(' User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#472:Device/1_1", "nwparser.p0", " User: %{username},Domain: %{domain}"); +var part677 = match("MESSAGE#472:Device/1_1", "nwparser.p0", " User: %{username},Domain: %{domain}"); var select129 = linear_select([ part676, @@ -12324,8 +11457,7 @@ var select130 = linear_select([ msg527, ]); -var part678 = // "Pattern{Constant('Email sending failed'), Field(,false)}" -match("MESSAGE#473:Email", "nwparser.payload", "Email sending failed%{}", processor_chain([ +var part678 = match("MESSAGE#473:Email", "nwparser.payload", "Email sending failed%{}", processor_chain([ dup53, dup12, dup13, @@ -12336,14 +11468,11 @@ match("MESSAGE#473:Email", "nwparser.payload", "Email sending failed%{}", proces var msg528 = msg("Email", part678); -var part679 = // "Pattern{Field(fld5,true), Constant(' - Caller MD5='), Field(checksum,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" -match("MESSAGE#474:FileWrite:02/0", "nwparser.payload", "%{fld5->} - Caller MD5=%{checksum},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); +var part679 = match("MESSAGE#474:FileWrite:02/0", "nwparser.payload", "%{fld5->} - Caller MD5=%{checksum},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); -var part680 = // "Pattern{Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(p0,false)}" -match("MESSAGE#474:FileWrite:02/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{p0}"); +var part680 = match("MESSAGE#474:FileWrite:02/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{p0}"); -var part681 = // "Pattern{Field(fld44,false)}" -match_copy("MESSAGE#474:FileWrite:02/3_1", "nwparser.p0", "fld44"); +var part681 = match_copy("MESSAGE#474:FileWrite:02/3_1", "nwparser.p0", "fld44"); var select131 = linear_select([ dup278, @@ -12373,8 +11502,7 @@ var all180 = all_match({ var msg529 = msg("FileWrite:02", all180); -var part682 = // "Pattern{Constant('[AC5-1.1] Log files written to Removable Media,File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#475:FileWrite:01", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part682 = match("MESSAGE#475:FileWrite:01", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12389,8 +11517,7 @@ match("MESSAGE#475:FileWrite:01", "nwparser.payload", "[AC5-1.1] Log files writt var msg530 = msg("FileWrite:01", part682); -var part683 = // "Pattern{Field(fld5,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#476:FileWrite:03", "nwparser.payload", "%{fld5},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part683 = match("MESSAGE#476:FileWrite:03", "nwparser.payload", "%{fld5},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12405,8 +11532,7 @@ match("MESSAGE#476:FileWrite:03", "nwparser.payload", "%{fld5},File Write,Begin: var msg531 = msg("FileWrite:03", part683); -var part684 = // "Pattern{Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#477:FileWrite", "nwparser.payload", ",File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part684 = match("MESSAGE#477:FileWrite", "nwparser.payload", ",File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -12421,8 +11547,7 @@ match("MESSAGE#477:FileWrite", "nwparser.payload", ",File Write,Begin: %{fld50-> var msg532 = msg("FileWrite", part684); -var part685 = // "Pattern{Constant('[AC5-1.1] Log files written to Removable Media,File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#478:FileDelete", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part685 = match("MESSAGE#478:FileDelete", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12437,11 +11562,9 @@ match("MESSAGE#478:FileDelete", "nwparser.payload", "[AC5-1.1] Log files written var msg533 = msg("FileDelete", part685); -var part686 = // "Pattern{Field(info,true), Constant(' - Caller MD5='), Field(checksum,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" -match("MESSAGE#479:Continue/0", "nwparser.payload", "%{info->} - Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); +var part686 = match("MESSAGE#479:Continue/0", "nwparser.payload", "%{info->} - Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); -var part687 = // "Pattern{Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#479:Continue/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld44},File size (bytes): %{filename_size},Device ID: %{device}"); +var part687 = match("MESSAGE#479:Continue/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld44},File size (bytes): %{filename_size},Device ID: %{device}"); var all181 = all_match({ processors: [ @@ -12466,8 +11589,7 @@ var all181 = all_match({ var msg534 = msg("Continue", all181); -var part688 = // "Pattern{Field(fld5,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#480:FileDelete:01", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part688 = match("MESSAGE#480:FileDelete:01", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12482,8 +11604,7 @@ match("MESSAGE#480:FileDelete:01", "nwparser.payload", "%{fld5->} - Caller MD5=% var msg535 = msg("FileDelete:01", part688); -var part689 = // "Pattern{Field(fld5,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#481:FileDelete:02", "nwparser.payload", "%{fld5},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part689 = match("MESSAGE#481:FileDelete:02", "nwparser.payload", "%{fld5},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12498,8 +11619,7 @@ match("MESSAGE#481:FileDelete:02", "nwparser.payload", "%{fld5},File Delete,Begi var msg536 = msg("FileDelete:02", part689); -var part690 = // "Pattern{Field(fld5,false), Constant(',System,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld6,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#482:System:06", "nwparser.payload", "%{fld5},System,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld6},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part690 = match("MESSAGE#482:System:06", "nwparser.payload", "%{fld5},System,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld6},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12511,8 +11631,7 @@ match("MESSAGE#482:System:06", "nwparser.payload", "%{fld5},System,Begin: %{fld5 var msg537 = msg("System:06", part690); -var part691 = // "Pattern{Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#495:File:10", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part691 = match("MESSAGE#495:File:10", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -12527,16 +11646,14 @@ match("MESSAGE#495:File:10", "nwparser.payload", "%{fld1},File Read,Begin: %{fld var msg538 = msg("File:10", part691); -var part692 = // "Pattern{Field(fld11,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(','), Field(p0,false)}" -match("MESSAGE#503:Blocked:08/0_0", "nwparser.payload", "%{fld11->} - Caller MD5=%{fld6},%{p0}"); +var part692 = match("MESSAGE#503:Blocked:08/0_0", "nwparser.payload", "%{fld11->} - Caller MD5=%{fld6},%{p0}"); var select132 = linear_select([ part692, dup269, ]); -var part693 = // "Pattern{Field(action,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#503:Blocked:08/1", "nwparser.p0", "%{action},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var part693 = match("MESSAGE#503:Blocked:08/1", "nwparser.p0", "%{action},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}"); var all182 = all_match({ processors: [ @@ -12570,8 +11687,7 @@ var select133 = linear_select([ msg539, ]); -var part694 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld9,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(fld7,false)}" -match("MESSAGE#505:Ping/1", "nwparser.p0", "%{event_description}\",Local: %{daddr},Local: %{fld1},Remote: %{fld9},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); +var part694 = match("MESSAGE#505:Ping/1", "nwparser.p0", "%{event_description}\",Local: %{daddr},Local: %{fld1},Remote: %{fld9},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); var all183 = all_match({ processors: [ @@ -12594,8 +11710,7 @@ var all183 = all_match({ var msg540 = msg("Ping", all183); -var part695 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld9,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(fld7,false)}" -match("MESSAGE#506:Ping:01/1", "nwparser.p0", "%{event_description}\",Local: %{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); +var part695 = match("MESSAGE#506:Ping:01/1", "nwparser.p0", "%{event_description}\",Local: %{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); var all184 = all_match({ processors: [ @@ -12623,8 +11738,7 @@ var select134 = linear_select([ msg541, ]); -var part696 = // "Pattern{Field(fld1,false), Constant(': Site: '), Field(fld2,false), Constant(',Server: '), Field(hostid,false), Constant(','), Field(directory,true), Constant(' '), Field(event_description,false)}" -match("MESSAGE#509:Server", "nwparser.payload", "%{fld1}: Site: %{fld2},Server: %{hostid},%{directory->} %{event_description}", processor_chain([ +var part696 = match("MESSAGE#509:Server", "nwparser.payload", "%{fld1}: Site: %{fld2},Server: %{hostid},%{directory->} %{event_description}", processor_chain([ dup53, dup12, dup13, @@ -12634,8 +11748,7 @@ match("MESSAGE#509:Server", "nwparser.payload", "%{fld1}: Site: %{fld2},Server: var msg542 = msg("Server", part696); -var part697 = // "Pattern{Constant('Server returned HTTP response code: '), Field(resultcode,true), Constant(' for URL: '), Field(url,false)}" -match("MESSAGE#510:Server:01", "nwparser.payload", "Server returned HTTP response code: %{resultcode->} for URL: %{url}", processor_chain([ +var part697 = match("MESSAGE#510:Server:01", "nwparser.payload", "Server returned HTTP response code: %{resultcode->} for URL: %{url}", processor_chain([ dup53, dup12, dup13, @@ -12645,8 +11758,7 @@ match("MESSAGE#510:Server:01", "nwparser.payload", "Server returned HTTP respons var msg543 = msg("Server:01", part697); -var part698 = // "Pattern{Constant('Server security validation failed.'), Field(,false)}" -match("MESSAGE#512:Server:03", "nwparser.payload", "Server security validation failed.%{}", processor_chain([ +var part698 = match("MESSAGE#512:Server:03", "nwparser.payload", "Server security validation failed.%{}", processor_chain([ dup174, dup94, setf("saddr","hhostid"), @@ -12662,8 +11774,7 @@ var select135 = linear_select([ msg544, ]); -var part699 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#514:1", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part699 = match("MESSAGE#514:1", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12676,8 +11787,7 @@ match("MESSAGE#514:1", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg545 = msg("1", part699); -var part700 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#515:2", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part700 = match("MESSAGE#515:2", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12690,8 +11800,7 @@ match("MESSAGE#515:2", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg546 = msg("2", part700); -var part701 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#516:3", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part701 = match("MESSAGE#516:3", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12704,8 +11813,7 @@ match("MESSAGE#516:3", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg547 = msg("3", part701); -var part702 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#517:4", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part702 = match("MESSAGE#517:4", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12718,8 +11826,7 @@ match("MESSAGE#517:4", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg548 = msg("4", part702); -var part703 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#518:5", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part703 = match("MESSAGE#518:5", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12732,8 +11839,7 @@ match("MESSAGE#518:5", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg549 = msg("5", part703); -var part704 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#519:6", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part704 = match("MESSAGE#519:6", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12746,8 +11852,7 @@ match("MESSAGE#519:6", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg550 = msg("6", part704); -var part705 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#520:7", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part705 = match("MESSAGE#520:7", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12760,8 +11865,7 @@ match("MESSAGE#520:7", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg551 = msg("7", part705); -var part706 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#521:8", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part706 = match("MESSAGE#521:8", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12774,8 +11878,7 @@ match("MESSAGE#521:8", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg552 = msg("8", part706); -var part707 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#522:9", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part707 = match("MESSAGE#522:9", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12788,8 +11891,7 @@ match("MESSAGE#522:9", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg553 = msg("9", part707); -var part708 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#523:10", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part708 = match("MESSAGE#523:10", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12808,8 +11910,7 @@ var msg556 = msg("257", dup342); var msg557 = msg("259", dup342); -var part709 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Organization importing started')}" -match("MESSAGE#527:264", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing started", processor_chain([ +var part709 = match("MESSAGE#527:264", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing started", processor_chain([ dup53, dup284, dup15, @@ -12818,8 +11919,7 @@ match("MESSAGE#527:264", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3- var msg558 = msg("264", part709); -var part710 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Organization importing finished successfully')}" -match("MESSAGE#528:265", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing finished successfully", processor_chain([ +var part710 = match("MESSAGE#528:265", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing finished successfully", processor_chain([ dup53, dup284, dup15, @@ -12830,8 +11930,7 @@ var msg559 = msg("265", part710); var msg560 = msg("273", dup342); -var part711 = // "Pattern{Field(id,false), Constant('^^The process '), Field(process,true), Constant(' can not lock the process status table. The process status has been locked by the server '), Field(shost,true), Constant(' ('), Field(fld22,false), Constant(') since '), Field(recorded_time,false), Constant('.')}" -match("MESSAGE#530:275", "nwparser.payload", "%{id}^^The process %{process->} can not lock the process status table. The process status has been locked by the server %{shost->} (%{fld22}) since %{recorded_time}.", processor_chain([ +var part711 = match("MESSAGE#530:275", "nwparser.payload", "%{id}^^The process %{process->} can not lock the process status table. The process status has been locked by the server %{shost->} (%{fld22}) since %{recorded_time}.", processor_chain([ dup53, dup15, setc("event_description","The process can not lock the process status table"), @@ -12851,8 +11950,7 @@ var msg566 = msg("779", dup342); var msg567 = msg("782", dup342); -var part712 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Backup succeeded and finished at '), Field(fld4,true), Constant(' '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant('. The backup file resides at the following location on the server '), Field(shost,false), Constant(': '), Field(directory,false)}" -match("MESSAGE#537:1029", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup succeeded and finished at %{fld4->} %{fld5->} %{fld6}. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ +var part712 = match("MESSAGE#537:1029", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup succeeded and finished at %{fld4->} %{fld5->} %{fld6}. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ dup53, dup284, date_time({ @@ -12868,8 +11966,7 @@ match("MESSAGE#537:1029", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3 var msg568 = msg("1029", part712); -var part713 = // "Pattern{Field(id,false), Constant('^^Backup succeeded and finished. The backup file resides at the following location on the server '), Field(shost,false), Constant(': '), Field(directory,false)}" -match("MESSAGE#538:1029:01", "nwparser.payload", "%{id}^^Backup succeeded and finished. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ +var part713 = match("MESSAGE#538:1029:01", "nwparser.payload", "%{id}^^Backup succeeded and finished. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ dup53, dup15, dup285, @@ -12882,8 +11979,7 @@ var select136 = linear_select([ msg569, ]); -var part714 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Backup started')}" -match("MESSAGE#539:1030", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup started", processor_chain([ +var part714 = match("MESSAGE#539:1030", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup started", processor_chain([ dup53, dup284, dup15, @@ -12892,8 +11988,7 @@ match("MESSAGE#539:1030", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3 var msg570 = msg("1030", part714); -var part715 = // "Pattern{Field(id,false), Constant('^^Backup started')}" -match("MESSAGE#540:1030:01", "nwparser.payload", "%{id}^^Backup started", processor_chain([ +var part715 = match("MESSAGE#540:1030:01", "nwparser.payload", "%{id}^^Backup started", processor_chain([ dup53, dup15, dup286, @@ -12914,8 +12009,7 @@ var msg574 = msg("5121", dup342); var msg575 = msg("5122", dup342); -var part716 = // "Pattern{Field(id,false), Constant('^^Sending Email Failed for following email address ['), Field(user_address,false), Constant('].')}" -match("MESSAGE#545:4609", "nwparser.payload", "%{id}^^Sending Email Failed for following email address [%{user_address}].", processor_chain([ +var part716 = match("MESSAGE#545:4609", "nwparser.payload", "%{id}^^Sending Email Failed for following email address [%{user_address}].", processor_chain([ setc("eventcategory","1207010200"), setc("event_description","Sending Email Failed"), dup15, @@ -12974,8 +12068,7 @@ var select142 = linear_select([ msg589, ]); -var part717 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#559:302449166", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part717 = match("MESSAGE#559:302449166", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup165, dup15, dup287, @@ -12983,8 +12076,7 @@ match("MESSAGE#559:302449166", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg590 = msg("302449166", part717); -var part718 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#560:302449166:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part718 = match("MESSAGE#560:302449166:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup165, dup15, dup287, @@ -12997,8 +12089,7 @@ var select143 = linear_select([ msg591, ]); -var part719 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#561:302449168", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part719 = match("MESSAGE#561:302449168", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup136, dup288, dup56, @@ -13009,8 +12100,7 @@ match("MESSAGE#561:302449168", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg592 = msg("302449168", part719); -var part720 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#562:302449168:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part720 = match("MESSAGE#562:302449168:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup136, dup288, dup56, @@ -13035,8 +12125,7 @@ var select145 = linear_select([ msg595, ]); -var part721 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#565:302449176", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part721 = match("MESSAGE#565:302449176", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup213, dup288, dup172, @@ -13047,8 +12136,7 @@ match("MESSAGE#565:302449176", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg596 = msg("302449176", part721); -var part722 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#566:302449176:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part722 = match("MESSAGE#566:302449176:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup213, dup288, dup172, @@ -13064,8 +12152,7 @@ var select146 = linear_select([ msg597, ]); -var part723 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#567:302449178", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part723 = match("MESSAGE#567:302449178", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup256, dup15, dup287, @@ -13073,8 +12160,7 @@ match("MESSAGE#567:302449178", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg598 = msg("302449178", part723); -var part724 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#568:302449178:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part724 = match("MESSAGE#568:302449178:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup256, dup15, dup287, @@ -13105,8 +12191,7 @@ var select149 = linear_select([ msg603, ]); -var part725 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#573:302449412", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part725 = match("MESSAGE#573:302449412", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup289, dup15, dup287, @@ -13114,8 +12199,7 @@ match("MESSAGE#573:302449412", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg604 = msg("302449412", part725); -var part726 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#574:302449412:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part726 = match("MESSAGE#574:302449412:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup289, dup15, dup287, @@ -13128,8 +12212,7 @@ var select150 = linear_select([ msg605, ]); -var part727 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#575:302449413", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part727 = match("MESSAGE#575:302449413", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup232, dup15, dup287, @@ -13137,8 +12220,7 @@ match("MESSAGE#575:302449413", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg606 = msg("302449413", part727); -var part728 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#576:302449413:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part728 = match("MESSAGE#576:302449413:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup232, dup15, dup287, @@ -13430,8 +12512,7 @@ var select182 = linear_select([ msg669, ]); -var part729 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); +var part729 = match("MESSAGE#639:303235080/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); var all185 = all_match({ processors: [ @@ -13448,8 +12529,7 @@ var all185 = all_match({ var msg670 = msg("303235080", all185); -var part730 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#640:303235080:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); +var part730 = match("MESSAGE#640:303235080:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); var all186 = all_match({ processors: [ @@ -13511,8 +12591,7 @@ var select187 = linear_select([ var msg681 = msg("302448900", dup345); -var part731 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#651:301", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part731 = match("MESSAGE#651:301", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup351, @@ -13530,8 +12609,7 @@ match("MESSAGE#651:301", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg682 = msg("301", part731); -var part732 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#652:301:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part732 = match("MESSAGE#652:301:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup351, @@ -13549,8 +12627,7 @@ match("MESSAGE#652:301:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ var msg683 = msg("301:01", part732); -var part733 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#653:301:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part733 = match("MESSAGE#653:301:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup120, dup295, dup268, @@ -13572,8 +12649,7 @@ var select188 = linear_select([ msg684, ]); -var part734 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#654:302", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part734 = match("MESSAGE#654:302", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13590,8 +12666,7 @@ match("MESSAGE#654:302", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg685 = msg("302", part734); -var part735 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#655:302:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part735 = match("MESSAGE#655:302:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13613,8 +12688,7 @@ var select189 = linear_select([ msg686, ]); -var part736 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#656:306", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part736 = match("MESSAGE#656:306", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13631,8 +12705,7 @@ match("MESSAGE#656:306", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg687 = msg("306", part736); -var part737 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#657:306:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part737 = match("MESSAGE#657:306:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13654,8 +12727,7 @@ var select190 = linear_select([ msg688, ]); -var part738 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#658:307", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part738 = match("MESSAGE#658:307", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13672,8 +12744,7 @@ match("MESSAGE#658:307", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg689 = msg("307", part738); -var part739 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#659:307:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part739 = match("MESSAGE#659:307:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13695,8 +12766,7 @@ var select191 = linear_select([ msg690, ]); -var part740 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#660:308", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part740 = match("MESSAGE#660:308", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13714,8 +12784,7 @@ match("MESSAGE#660:308", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg691 = msg("308", part740); -var part741 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#661:308:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part741 = match("MESSAGE#661:308:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13733,8 +12802,7 @@ match("MESSAGE#661:308:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ var msg692 = msg("308:01", part741); -var part742 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#662:308:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part742 = match("MESSAGE#662:308:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup120, dup295, dup351, @@ -13756,8 +12824,7 @@ var select192 = linear_select([ msg693, ]); -var part743 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#663:202", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part743 = match("MESSAGE#663:202", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup36, dup295, setc("ec_activity","Scan"), @@ -13791,8 +12858,7 @@ var select194 = linear_select([ msg698, ]); -var part744 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#668:208", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part744 = match("MESSAGE#668:208", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup36, dup295, dup268, @@ -13809,8 +12875,7 @@ var msg699 = msg("208", part744); var msg700 = msg("210", dup359); -var part745 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#670:210:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part745 = match("MESSAGE#670:210:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup353, @@ -13839,8 +12904,7 @@ var select196 = linear_select([ var msg704 = msg("221", dup359); -var part746 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#674:238/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); +var part746 = match("MESSAGE#674:238/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); var all187 = all_match({ processors: [ @@ -13862,11 +12926,9 @@ var all187 = all_match({ var msg705 = msg("238", all187); -var part747 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#675:238:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); +var part747 = match("MESSAGE#675:238:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); -var part748 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#675:238:01/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); +var part748 = match("MESSAGE#675:238:01/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); var all188 = all_match({ processors: [ @@ -13902,8 +12964,7 @@ var select198 = linear_select([ msg708, ]); -var part749 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(fld31,false), Constant('^^'), Field(filename_size,false), Constant('^^'), Field(fld32,false), Constant('^^'), Field(fld33,false)}" -match("MESSAGE#678:502", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ +var part749 = match("MESSAGE#678:502", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ dup43, dup15, dup356, @@ -13917,8 +12978,7 @@ match("MESSAGE#678:502", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id} var msg709 = msg("502", part749); -var part750 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false)}" -match("MESSAGE#679:502:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ +var part750 = match("MESSAGE#679:502:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ dup43, dup15, dup356, @@ -13946,8 +13006,7 @@ var select200 = linear_select([ msg712, ]); -var part751 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,SYSTEM,Information,'), Field(shost,false), Constant(','), Field(event_description,false), Constant('. string-data=[ Scan type: '), Field(event_type,true), Constant(' Event: '), Field(result,true), Constant(' Security risk detected: '), Field(directory,true), Constant(' File: '), Field(filename,true), Constant(' Location: '), Field(fld7,true), Constant(' Computer: '), Field(fld8,true), Constant(' User: '), Field(username,true), Constant(' Action taken:'), Field(action,true), Constant(' Date found: '), Field(fld9,false), Constant(']')}" -match("MESSAGE#682:Application_45", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,SYSTEM,Information,%{shost},%{event_description}. string-data=[ Scan type: %{event_type->} Event: %{result->} Security risk detected: %{directory->} File: %{filename->} Location: %{fld7->} Computer: %{fld8->} User: %{username->} Action taken:%{action->} Date found: %{fld9}]", processor_chain([ +var part751 = match("MESSAGE#682:Application_45", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,SYSTEM,Information,%{shost},%{event_description}. string-data=[ Scan type: %{event_type->} Event: %{result->} Security risk detected: %{directory->} File: %{filename->} Location: %{fld7->} Computer: %{fld8->} User: %{username->} Action taken:%{action->} Date found: %{fld9}]", processor_chain([ dup43, dup15, dup55, @@ -13955,26 +13014,19 @@ match("MESSAGE#682:Application_45", "nwparser.payload", "Application,rn=%{fld1-> var msg713 = msg("Application_45", part751); -var part752 = // "Pattern{Constant('Using Group Update Provider type: '), Field(p0,false)}" -match("MESSAGE#692:SYLINK/0", "nwparser.payload", "Using Group Update Provider type: %{p0}"); +var part752 = match("MESSAGE#692:SYLINK/0", "nwparser.payload", "Using Group Update Provider type: %{p0}"); -var part753 = // "Pattern{Constant('Single Group Update Provider,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#692:SYLINK/1_0", "nwparser.p0", "Single Group Update Provider,Event time:%{fld17->} %{fld18}"); +var part753 = match("MESSAGE#692:SYLINK/1_0", "nwparser.p0", "Single Group Update Provider,Event time:%{fld17->} %{fld18}"); -var part754 = // "Pattern{Constant('Multiple Group Update Providers,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#692:SYLINK/1_1", "nwparser.p0", "Multiple Group Update Providers,Event time:%{fld17->} %{fld18}"); +var part754 = match("MESSAGE#692:SYLINK/1_1", "nwparser.p0", "Multiple Group Update Providers,Event time:%{fld17->} %{fld18}"); -var part755 = // "Pattern{Constant('Mapped Group Update Providers,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#692:SYLINK/1_2", "nwparser.p0", "Mapped Group Update Providers,Event time:%{fld17->} %{fld18}"); +var part755 = match("MESSAGE#692:SYLINK/1_2", "nwparser.p0", "Mapped Group Update Providers,Event time:%{fld17->} %{fld18}"); -var part756 = // "Pattern{Constant('Single Group Update Provider'), Field(,false)}" -match("MESSAGE#692:SYLINK/1_3", "nwparser.p0", "Single Group Update Provider%{}"); +var part756 = match("MESSAGE#692:SYLINK/1_3", "nwparser.p0", "Single Group Update Provider%{}"); -var part757 = // "Pattern{Constant('Multiple Group Update Providers'), Field(,false)}" -match("MESSAGE#692:SYLINK/1_4", "nwparser.p0", "Multiple Group Update Providers%{}"); +var part757 = match("MESSAGE#692:SYLINK/1_4", "nwparser.p0", "Multiple Group Update Providers%{}"); -var part758 = // "Pattern{Constant('Mapped Group Update Providers'), Field(,false)}" -match("MESSAGE#692:SYLINK/1_5", "nwparser.p0", "Mapped Group Update Providers%{}"); +var part758 = match("MESSAGE#692:SYLINK/1_5", "nwparser.p0", "Mapped Group Update Providers%{}"); var select201 = linear_select([ part753, @@ -14003,8 +13055,7 @@ var all189 = all_match({ var msg714 = msg("SYLINK", all189); -var part759 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,true), Constant(' [name]:'), Field(obj_name,true), Constant(' [class]:'), Field(obj_type,true), Constant(' [guid]:'), Field(hardware_id,true), Constant(' [deviceID]:'), Field(info,false), Constant('^^'), Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#703:242", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part759 = match("MESSAGE#703:242", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup53, dup15, dup353, @@ -14017,22 +13068,18 @@ match("MESSAGE#703:242", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg715 = msg("242", part759); -var part760 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,true), Constant(' ['), Field(p0,false)}" -match("MESSAGE#704:242:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [%{p0}"); +var part760 = match("MESSAGE#704:242:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [%{p0}"); -var part761 = // "Pattern{Constant('Device]: '), Field(device,true), Constant(' [guid]: '), Field(hardware_id,true), Constant(' [Volume]:'), Field(p0,false)}" -match("MESSAGE#704:242:01/1_0", "nwparser.p0", "Device]: %{device->} [guid]: %{hardware_id->} [Volume]:%{p0}"); +var part761 = match("MESSAGE#704:242:01/1_0", "nwparser.p0", "Device]: %{device->} [guid]: %{hardware_id->} [Volume]:%{p0}"); -var part762 = // "Pattern{Constant('Volume]:'), Field(p0,false)}" -match("MESSAGE#704:242:01/1_1", "nwparser.p0", "Volume]:%{p0}"); +var part762 = match("MESSAGE#704:242:01/1_1", "nwparser.p0", "Volume]:%{p0}"); var select202 = linear_select([ part761, part762, ]); -var part763 = // "Pattern{Field(,true), Constant(' '), Field(disk_volume,true), Constant(' [Vendor]:'), Field(devvendor,true), Constant(' [Model]: '), Field(product,true), Constant(' [Access]: '), Field(accesses,false), Constant('^^'), Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#704:242:01/2", "nwparser.p0", "%{} %{disk_volume->} [Vendor]:%{devvendor->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); +var part763 = match("MESSAGE#704:242:01/2", "nwparser.p0", "%{} %{disk_volume->} [Vendor]:%{devvendor->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); var all190 = all_match({ processors: [ @@ -14054,8 +13101,7 @@ var all190 = all_match({ var msg716 = msg("242:01", all190); -var part764 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,true), Constant(' [Volume]: '), Field(disk_volume,true), Constant(' [Model]: '), Field(product,true), Constant(' [Access]: '), Field(accesses,false), Constant('^^'), Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#705:242:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part764 = match("MESSAGE#705:242:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup53, dup15, dup353, @@ -14068,14 +13114,11 @@ match("MESSAGE#705:242:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ var msg717 = msg("242:02", part764); -var part765 = // "Pattern{Field(event_description,false), Constant('. '), Field(info,true), Constant(' [Access]: '), Field(accesses,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#706:242:03/1_0", "nwparser.p0", "%{event_description}. %{info->} [Access]: %{accesses}^^%{p0}"); +var part765 = match("MESSAGE#706:242:03/1_0", "nwparser.p0", "%{event_description}. %{info->} [Access]: %{accesses}^^%{p0}"); -var part766 = // "Pattern{Constant(' '), Field(event_description,false), Constant('. '), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#706:242:03/1_1", "nwparser.p0", " %{event_description}. %{info}^^%{p0}"); +var part766 = match("MESSAGE#706:242:03/1_1", "nwparser.p0", " %{event_description}. %{info}^^%{p0}"); -var part767 = // "Pattern{Constant(' '), Field(event_description,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#706:242:03/1_2", "nwparser.p0", " %{event_description}^^%{p0}"); +var part767 = match("MESSAGE#706:242:03/1_2", "nwparser.p0", " %{event_description}^^%{p0}"); var select203 = linear_select([ part765, @@ -14083,8 +13126,7 @@ var select203 = linear_select([ part767, ]); -var part768 = // "Pattern{Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#706:242:03/2", "nwparser.p0", "%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); +var part768 = match("MESSAGE#706:242:03/2", "nwparser.p0", "%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); var all191 = all_match({ processors: [ @@ -14113,8 +13155,7 @@ var select204 = linear_select([ msg718, ]); -var part769 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#707:303169540", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part769 = match("MESSAGE#707:303169540", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ setc("eventcategory","1801010000"), dup15, dup287, @@ -14122,8 +13163,7 @@ match("MESSAGE#707:303169540", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg719 = msg("303169540", part769); -var part770 = // "Pattern{Field(shost,false), Constant(', Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#708:Remote::01", "nwparser.payload", "%{shost}, Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part770 = match("MESSAGE#708:Remote::01", "nwparser.payload", "%{shost}, Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup12, dup15, @@ -14135,27 +13175,23 @@ match("MESSAGE#708:Remote::01", "nwparser.payload", "%{shost}, Remote: %{fld4},R var msg720 = msg("Remote::01", part770); -var part771 = // "Pattern{Constant('"'), Field(info,false), Constant('",Local: '), Field(p0,false)}" -match("MESSAGE#709:Notification::01/0_0", "nwparser.payload", "\"%{info}\",Local: %{p0}"); +var part771 = match("MESSAGE#709:Notification::01/0_0", "nwparser.payload", "\"%{info}\",Local: %{p0}"); -var part772 = // "Pattern{Field(info,false), Constant(',Local: '), Field(p0,false)}" -match("MESSAGE#709:Notification::01/0_1", "nwparser.payload", "%{info},Local: %{p0}"); +var part772 = match("MESSAGE#709:Notification::01/0_1", "nwparser.payload", "%{info},Local: %{p0}"); var select205 = linear_select([ part771, part772, ]); -var part773 = // "Pattern{Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld9,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#709:Notification::01/1", "nwparser.p0", "%{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); +var part773 = match("MESSAGE#709:Notification::01/1", "nwparser.p0", "%{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); var select206 = linear_select([ dup182, dup67, ]); -var part774 = // "Pattern{Field(,true), Constant(' '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#709:Notification::01/3", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part774 = match("MESSAGE#709:Notification::01/3", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all192 = all_match({ processors: [ @@ -14388,299 +13424,201 @@ var chain1 = processor_chain([ }), ]); -var part775 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#0:Active/1_0", "nwparser.p0", "%{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part775 = match("MESSAGE#0:Active/1_0", "nwparser.p0", "%{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var part776 = // "Pattern{Field(domain,false)}" -match_copy("MESSAGE#0:Active/1_1", "nwparser.p0", "domain"); +var part776 = match_copy("MESSAGE#0:Active/1_1", "nwparser.p0", "domain"); -var part777 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#15:Somebody:01/1_0", "nwparser.p0", "%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part777 = match("MESSAGE#15:Somebody:01/1_0", "nwparser.p0", "%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var part778 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#27:Application:06/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); +var part778 = match("MESSAGE#27:Application:06/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); -var part779 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#27:Application:06/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part779 = match("MESSAGE#27:Application:06/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var part780 = // "Pattern{Constant('Intrusion URL: '), Field(url,false)}" -match("MESSAGE#27:Application:06/1_2", "nwparser.p0", "Intrusion URL: %{url}"); +var part780 = match("MESSAGE#27:Application:06/1_2", "nwparser.p0", "Intrusion URL: %{url}"); -var part781 = // "Pattern{Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#31:scanning:01/1_0", "nwparser.p0", "%{url},Intrusion Payload URL:%{fld25}"); +var part781 = match("MESSAGE#31:scanning:01/1_0", "nwparser.p0", "%{url},Intrusion Payload URL:%{fld25}"); -var part782 = // "Pattern{Field(url,false)}" -match_copy("MESSAGE#31:scanning:01/1_1", "nwparser.p0", "url"); +var part782 = match_copy("MESSAGE#31:scanning:01/1_1", "nwparser.p0", "url"); -var part783 = // "Pattern{Constant('Domain:'), Field(p0,false)}" -match("MESSAGE#33:Informational/1_1", "nwparser.p0", "Domain:%{p0}"); +var part783 = match("MESSAGE#33:Informational/1_1", "nwparser.p0", "Domain:%{p0}"); -var part784 = // "Pattern{Constant(':'), Field(p0,false)}" -match("MESSAGE#38:Web_Attack:16/1_1", "nwparser.p0", ":%{p0}"); +var part784 = match("MESSAGE#38:Web_Attack:16/1_1", "nwparser.p0", ":%{p0}"); -var part785 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#307:process:12/1_0", "nwparser.p0", "\"%{p0}"); +var part785 = match("MESSAGE#307:process:12/1_0", "nwparser.p0", "\"%{p0}"); -var part786 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#307:process:12/1_1", "nwparser.p0", "p0"); +var part786 = match_copy("MESSAGE#307:process:12/1_1", "nwparser.p0", "p0"); -var part787 = // "Pattern{Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#307:process:12/4", "nwparser.p0", ",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{p0}"); +var part787 = match("MESSAGE#307:process:12/4", "nwparser.p0", ",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{p0}"); -var part788 = // "Pattern{Constant('Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#307:process:12/5_0", "nwparser.p0", "Intrusion ID: %{fld33},Begin: %{p0}"); +var part788 = match("MESSAGE#307:process:12/5_0", "nwparser.p0", "Intrusion ID: %{fld33},Begin: %{p0}"); -var part789 = // "Pattern{Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#307:process:12/5_1", "nwparser.p0", "%{fld33},Begin: %{p0}"); +var part789 = match("MESSAGE#307:process:12/5_1", "nwparser.p0", "%{fld33},Begin: %{p0}"); -var part790 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#307:process:12/6", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part790 = match("MESSAGE#307:process:12/6", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); -var part791 = // "Pattern{Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); +var part791 = match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); -var part792 = // "Pattern{}" -match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); +var part792 = match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); -var part793 = // "Pattern{Constant('"Location: '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); +var part793 = match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); -var part794 = // "Pattern{Constant('Location: '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); +var part794 = match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); -var part795 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); +var part795 = match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); -var part796 = // "Pattern{Field(fld4,false), Constant(',MD-5:'), Field(fld5,false), Constant(',Local:'), Field(p0,false)}" -match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); +var part796 = match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); -var part797 = // "Pattern{Constant('Local:'), Field(p0,false)}" -match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); +var part797 = match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); -var part798 = // "Pattern{Constant('Rule: '), Field(rulename,false), Constant(',Location: '), Field(p0,false)}" -match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); +var part798 = match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); -var part799 = // "Pattern{Constant(' "Rule: '), Field(rulename,false), Constant('",Location: '), Field(p0,false)}" -match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); +var part799 = match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); -var part800 = // "Pattern{Field(fld11,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); +var part800 = match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); -var part801 = // "Pattern{Constant('Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); +var part801 = match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); -var part802 = // "Pattern{Constant(' Domain: '), Field(domain,false)}" -match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); +var part802 = match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); -var part803 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(p0,false)}" -match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); +var part803 = match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); -var part804 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(p0,false)}" -match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); +var part804 = match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); -var part805 = // "Pattern{Field(fld25,false)}" -match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); +var part805 = match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); -var part806 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part806 = match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part807 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part807 = match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part808 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); +var part808 = match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); -var part809 = // "Pattern{Constant('The client will block traffic from IP address '), Field(fld14,true), Constant(' for the next '), Field(duration_string,true), Constant(' (from '), Field(fld13,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); +var part809 = match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); -var part810 = // "Pattern{Constant('.,'), Field(p0,false)}" -match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); +var part810 = match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); -var part811 = // "Pattern{Constant(' . ,'), Field(p0,false)}" -match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); +var part811 = match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); -var part812 = // "Pattern{Constant('Commercial application detected,Computer name: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); +var part812 = match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); -var part813 = // "Pattern{Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Detection type: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); +var part813 = match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); -var part814 = // "Pattern{Field(shost,false), Constant(',Detection type: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); +var part814 = match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); -var part815 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part815 = match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); -var part816 = // "Pattern{Constant('"'), Field(filename,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); +var part816 = match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); -var part817 = // "Pattern{Field(filename,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); +var part817 = match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); -var part818 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part818 = match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); -var part819 = // "Pattern{Constant('IP Address: '), Field(hostip,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); +var part819 = match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); -var part820 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(p0,false)}" -match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); +var part820 = match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); -var part821 = // "Pattern{Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); +var part821 = match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); -var part822 = // "Pattern{Field(severity,false), Constant(',First Seen: '), Field(fld55,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld13,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(','), Field(fld53,false), Constant(',Permitted application reason: '), Field(fld54,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part822 = match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); -var part823 = // "Pattern{Constant('"'), Field(,false)}" -match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); +var part823 = match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); -var part824 = // "Pattern{Constant(' Domain:'), Field(p0,false)}" -match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); +var part824 = match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); -var part825 = // "Pattern{Constant('is '), Field(p0,false)}" -match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); +var part825 = match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); -var part826 = // "Pattern{Constant('.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); +var part826 = match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); -var part827 = // "Pattern{Constant('",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); +var part827 = match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); -var part828 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); +var part828 = match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); -var part829 = // "Pattern{Constant('Virus found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var part829 = match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var part830 = // "Pattern{Constant('"'), Field(fld1,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); +var part830 = match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); -var part831 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); +var part831 = match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); -var part832 = // "Pattern{Constant('Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(',Source: '), Field(p0,false)}" -match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); +var part832 = match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); -var part833 = // "Pattern{Constant('Source: '), Field(p0,false)}" -match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); +var part833 = match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); -var part834 = // "Pattern{Constant('"Group: '), Field(group,false), Constant('",Server: '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); +var part834 = match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); -var part835 = // "Pattern{Constant('Group: '), Field(group,false), Constant(',Server: '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); +var part835 = match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); -var part836 = // "Pattern{Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); +var part836 = match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); -var part837 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" -match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); +var part837 = match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); -var part838 = // "Pattern{Field(filename_size,false)}" -match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); +var part838 = match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); -var part839 = // "Pattern{Constant('Virus found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var part839 = match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var part840 = // "Pattern{Constant('"'), Field(info,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); +var part840 = match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); -var part841 = // "Pattern{Field(info,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); +var part841 = match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); -var part842 = // "Pattern{Constant(''), Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); +var part842 = match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); -var part843 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); +var part843 = match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); -var part844 = // "Pattern{Constant(' by policy'), Field(,false)}" -match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); +var part844 = match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); -var part845 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); +var part845 = match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); -var part846 = // "Pattern{Constant('Potential risk found,Computer name: '), Field(p0,false)}" -match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); +var part846 = match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); -var part847 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld20,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part847 = match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); -var part848 = // "Pattern{Field(event_description,false), Constant(', process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was denied by user'), Field(fld6,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); +var part848 = match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); -var part849 = // "Pattern{Constant('''), Field(context,false), Constant('','), Field(p0,false)}" -match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); +var part849 = match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); -var part850 = // "Pattern{Constant('Security risk found,Computer name: '), Field(p0,false)}" -match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); +var part850 = match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); -var part851 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); +var part851 = match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); -var part852 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(vendor_event_cat,false)}" -match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); +var part852 = match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); -var part853 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec AntiVirus,'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); +var part853 = match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); -var part854 = // "Pattern{Constant('[Antivirus'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); +var part854 = match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); -var part855 = // "Pattern{Constant('"[Antivirus'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); +var part855 = match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); -var part856 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); +var part856 = match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); -var part857 = // "Pattern{Constant('detection'), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); +var part857 = match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); -var part858 = // "Pattern{Constant('advanced heuristic detection'), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); +var part858 = match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); -var part859 = // "Pattern{Constant(' Size (bytes): '), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var part859 = match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var part860 = // "Pattern{Constant('Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); +var part860 = match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); -var part861 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); +var part861 = match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); -var part862 = // "Pattern{Constant(''), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); +var part862 = match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); -var part863 = // "Pattern{Constant('"'), Field(filename,false), Constant('",User: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); +var part863 = match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); -var part864 = // "Pattern{Field(filename,false), Constant(',User: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); +var part864 = match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); -var part865 = // "Pattern{Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var part865 = match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); -var part866 = // "Pattern{Constant('""'), Field(action,true), Constant(' . Description: '), Field(p0,false)}" -match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); +var part866 = match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); -var part867 = // "Pattern{Field(action,true), Constant(' . Description: '), Field(p0,false)}" -match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); +var part867 = match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); -var part868 = // "Pattern{Field(event_description,true), Constant(' [name]:'), Field(obj_name,true), Constant(' [class]:'), Field(obj_type,true), Constant(' [guid]:'), Field(hardware_id,true), Constant(' [deviceID]:'), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); +var part868 = match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); -var part869 = // "Pattern{Field(event_description,false), Constant('. '), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); +var part869 = match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); -var part870 = // "Pattern{Field(event_description,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); +var part870 = match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); -var part871 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); +var part871 = match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); -var part872 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); +var part872 = match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); var select207 = linear_select([ dup9, @@ -14836,55 +13774,47 @@ var select236 = linear_select([ dup282, ]); -var part873 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" -match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ +var part873 = match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ dup53, dup15, ])); -var part874 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" -match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ +var part874 = match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ dup43, dup15, ])); -var part875 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part875 = match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup287, ])); -var part876 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part876 = match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup287, ])); -var part877 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part877 = match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup74, dup15, dup287, ])); -var part878 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part878 = match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup74, dup15, dup287, ])); -var part879 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part879 = match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup168, dup15, dup287, ])); -var part880 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part880 = match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup168, dup15, dup287, @@ -14896,8 +13826,7 @@ var select237 = linear_select([ dup292, ]); -var part881 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part881 = match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup294, dup295, dup37, @@ -14911,8 +13840,7 @@ match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos dup302, ])); -var part882 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part882 = match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -14926,8 +13854,7 @@ match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ dup302, ])); -var part883 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part883 = match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup43, dup15, dup353, @@ -14938,8 +13865,7 @@ match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos dup302, ])); -var part884 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(fld31,false), Constant('^^'), Field(filename_size,false), Constant('^^'), Field(fld32,false), Constant('^^'), Field(fld33,false)}" -match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ +var part884 = match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ dup43, dup15, dup355, @@ -14950,8 +13876,7 @@ match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id} dup308, ])); -var part885 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false)}" -match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ +var part885 = match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ dup43, dup15, dup355, diff --git a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json index 9b9183fe35a..0c6eccf2dcc 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json +++ b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json @@ -704,8 +704,8 @@ "bore5546.www.local" ], "related.ip": [ - "10.7.164.113", "10.175.83.138", + "10.7.164.113", "10.207.125.114" ], "related.user": [ @@ -2263,8 +2263,8 @@ "edi6108.internal.domain" ], "related.ip": [ - "10.72.200.11", - "10.132.171.142" + "10.132.171.142", + "10.72.200.11" ], "related.user": [ "ero" @@ -2579,8 +2579,8 @@ "dita2048.www5.home" ], "related.ip": [ - "10.171.13.85", - "10.40.133.90" + "10.40.133.90", + "10.171.13.85" ], "related.user": [ "bor" @@ -2795,8 +2795,8 @@ "urExcep6087.www5.localhost" ], "related.ip": [ - "10.155.163.6", - "10.31.231.57" + "10.31.231.57", + "10.155.163.6" ], "related.user": [ "norumetM" diff --git a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml index 6b6fcf216f2..5794bd0ca6f 100644 --- a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml +++ b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml index 8a79295724f..f6caa143689 100644 --- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml @@ -102,4 +102,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json index ccb28ef2f92..b7c0e0bc8cb 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json @@ -59,6 +59,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -116,6 +117,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -154,6 +156,7 @@ "source.bytes": 103, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "4.4.2.2", diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index 45010e08973..7d7f0c87353 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -58,4 +58,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index f1a2f0ced3a..b049d571c14 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml @@ -120,4 +120,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index 7730d2b6d85..67033a42cf2 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml +++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -68,4 +68,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index 86a2022d695..9e0f7e952e2 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -203,4 +203,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml index acc6defd4df..67565ef21ab 100644 --- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml +++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml @@ -57,4 +57,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/files/config/files.yml b/x-pack/filebeat/module/zeek/files/config/files.yml index 65c067609c9..0e0ce22e2bf 100644 --- a/x-pack/filebeat/module/zeek/files/config/files.yml +++ b/x-pack/filebeat/module/zeek/files/config/files.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml index 51a3c053576..671a1162c66 100644 --- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml +++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml @@ -86,4 +86,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml index 4c7c812d0cc..8a43f07f0dd 100644 --- a/x-pack/filebeat/module/zeek/http/config/http.yml +++ b/x-pack/filebeat/module/zeek/http/config/http.yml @@ -93,4 +93,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json index c4364d77426..200950e922a 100644 --- a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json @@ -7,6 +7,7 @@ "destination.geo.city_name": "San Jose", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3388, "destination.geo.location.lon": -121.8914, "destination.geo.region_iso_code": "US-CA", diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml index 5b73833ea35..80d565745f1 100644 --- a/x-pack/filebeat/module/zeek/intel/config/intel.yml +++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml index 54aaa9d4f4b..7e09f9fe376 100644 --- a/x-pack/filebeat/module/zeek/irc/config/irc.yml +++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml @@ -72,4 +72,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json index 245d1154e86..06d833b6a42 100644 --- a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Team Cymru Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "38.229.70.20", @@ -52,6 +53,7 @@ "destination.as.organization.name": "Team Cymru Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "38.229.70.20", @@ -103,6 +105,7 @@ "destination.as.organization.name": "Team Cymru Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "38.229.70.20", diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml index d656ad0ab6a..a65bb88c0d0 100644 --- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml +++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml @@ -73,4 +73,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml index 4c6e70d9f1c..963c8469fe1 100644 --- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml +++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml @@ -72,4 +72,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml index 649d3f3ba97..07ccbfb76b4 100644 --- a/x-pack/filebeat/module/zeek/notice/config/notice.yml +++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml @@ -104,4 +104,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json index a5838e9f3f1..90bb5e3145e 100644 --- a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json @@ -40,6 +40,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -71,6 +72,7 @@ "source.geo.city_name": "Longmont", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.1559, "source.geo.location.lon": -105.1624, "source.geo.region_iso_code": "US-CO", diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml index c67f66b54b9..135086e19f9 100644 --- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml +++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml @@ -86,4 +86,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml index 874a0fde6d9..933f829b747 100644 --- a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml +++ b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml @@ -64,4 +64,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/pe/config/pe.yml b/x-pack/filebeat/module/zeek/pe/config/pe.yml index 3df430d7dc9..cfb8ea8c4b0 100644 --- a/x-pack/filebeat/module/zeek/pe/config/pe.yml +++ b/x-pack/filebeat/module/zeek/pe/config/pe.yml @@ -33,4 +33,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml index 66fccaa3f5c..471275d5ece 100644 --- a/x-pack/filebeat/module/zeek/radius/config/radius.yml +++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml @@ -58,4 +58,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml index de71448fb1b..071cc59fab9 100644 --- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml +++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml @@ -88,4 +88,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml index 3adb14c55bf..417e9ab4dcd 100644 --- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml +++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml @@ -73,4 +73,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml index 7aa30034de2..97885a1e2dc 100644 --- a/x-pack/filebeat/module/zeek/sip/config/sip.yml +++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml @@ -95,4 +95,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json index 79b38a0717d..71061cd293b 100644 --- a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Internap Corporation", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "74.63.41.218", @@ -72,6 +73,7 @@ "destination.geo.city_name": "Mexico City", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "MX", + "destination.geo.country_name": "Mexico", "destination.geo.location.lat": 19.4357, "destination.geo.location.lon": -99.1438, "destination.geo.region_iso_code": "MX-CMX", @@ -108,6 +110,7 @@ "source.geo.city_name": "Mexico City", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "MX", + "source.geo.country_name": "Mexico", "source.geo.location.lat": 19.4357, "source.geo.location.lon": -99.1438, "source.geo.region_iso_code": "MX-CMX", @@ -151,6 +154,7 @@ "destination.geo.city_name": "Mexico City", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "MX", + "destination.geo.country_name": "Mexico", "destination.geo.location.lat": 19.4357, "destination.geo.location.lon": -99.1438, "destination.geo.region_iso_code": "MX-CMX", @@ -187,6 +191,7 @@ "source.geo.city_name": "Mexico City", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "MX", + "source.geo.country_name": "Mexico", "source.geo.location.lat": 19.4357, "source.geo.location.lon": -99.1438, "source.geo.region_iso_code": "MX-CMX", diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml index 763379a7d88..885669e4c9c 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml @@ -101,4 +101,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml index c5f7c2e53e7..a3f02a7558f 100644 --- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml +++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml @@ -61,4 +61,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml index 624454ed171..59a68e2054b 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml @@ -57,4 +57,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml index 5b2f6595df2..0af383a7187 100644 --- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml +++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml index 0c7e05ce6db..1fa024742be 100644 --- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml +++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml @@ -69,4 +69,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml index f834e5d1bcc..99613e4bfe3 100644 --- a/x-pack/filebeat/module/zeek/socks/config/socks.yml +++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml index c855d49dff2..45f160cd99d 100644 --- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml +++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml @@ -76,4 +76,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json index 805d20d2a54..67817ff0a42 100644 --- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json @@ -8,6 +8,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -88,6 +89,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", diff --git a/x-pack/filebeat/module/zeek/stats/config/stats.yml b/x-pack/filebeat/module/zeek/stats/config/stats.yml index cdf243f7a45..45c22b6b3d2 100644 --- a/x-pack/filebeat/module/zeek/stats/config/stats.yml +++ b/x-pack/filebeat/module/zeek/stats/config/stats.yml @@ -97,4 +97,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml index a89601cb717..0d1b8fc05e5 100644 --- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml +++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml @@ -57,4 +57,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml index 13a2a37cc69..741a0d7e454 100644 --- a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml +++ b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml @@ -45,4 +45,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json index 8fdfd983c94..34d600174ac 100644 --- a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml index ac636e9e7c0..243f83de760 100644 --- a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml +++ b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml @@ -56,4 +56,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json index 1e00e616e36..3ef709508a3 100644 --- a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Air Force Systems Networking", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "132.16.110.133", @@ -33,6 +34,7 @@ "source.as.organization.name": "Air Force Systems Networking", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "132.16.146.79", diff --git a/x-pack/filebeat/module/zeek/weird/config/weird.yml b/x-pack/filebeat/module/zeek/weird/config/weird.yml index 5807f95927b..4a4bab4dc33 100644 --- a/x-pack/filebeat/module/zeek/weird/config/weird.yml +++ b/x-pack/filebeat/module/zeek/weird/config/weird.yml @@ -56,4 +56,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml index 207da5447e1..ac04136779c 100644 --- a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml +++ b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml @@ -33,4 +33,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index b7bd436496b..1fbe44131f5 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -26,8 +26,8 @@ "rci737.www5.example" ], "related.ip": [ - "10.176.10.114", - "10.206.191.17" + "10.206.191.17", + "10.176.10.114" ], "related.user": [ "sumdo" @@ -115,8 +115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "luptat", "rsa.misc.action": [ - "Allowed", - "tur" + "tur", + "Allowed" ], "rsa.misc.category": "eius", "rsa.misc.filter": "ameaqu", @@ -176,8 +176,8 @@ "orsitame3262.domain" ], "related.ip": [ - "10.254.146.57", - "10.204.86.149" + "10.204.86.149", + "10.254.146.57" ], "related.user": [ "tenima" @@ -191,8 +191,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "giatq", - "Blocked" + "Blocked", + "giatq" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -252,8 +252,8 @@ "tempor4496.www.localdomain" ], "related.ip": [ - "10.252.125.53", - "10.103.246.190" + "10.103.246.190", + "10.252.125.53" ], "related.user": [ "equun" @@ -267,8 +267,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ima", "rsa.misc.action": [ - "llam", - "Allowed" + "Allowed", + "llam" ], "rsa.misc.category": "aboris", "rsa.misc.filter": "atatnonp", @@ -328,8 +328,8 @@ "ore2933.www.test" ], "related.ip": [ - "10.61.78.108", - "10.136.153.149" + "10.136.153.149", + "10.61.78.108" ], "related.user": [ "ercit" @@ -343,8 +343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "reetdolo", - "Blocked" + "Blocked", + "reetdolo" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -480,8 +480,8 @@ "cup1793.local" ], "related.ip": [ - "10.243.224.205", - "10.123.104.59" + "10.123.104.59", + "10.243.224.205" ], "related.user": [ "xercitat" @@ -495,8 +495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lupt", "rsa.misc.action": [ - "Blocked", - "dun" + "dun", + "Blocked" ], "rsa.misc.category": "rsitamet", "rsa.misc.filter": "usmod", @@ -632,8 +632,8 @@ "aperia4409.www5.invalid" ], "related.ip": [ - "10.78.151.178", - "10.25.192.202" + "10.25.192.202", + "10.78.151.178" ], "related.user": [ "quip" @@ -647,8 +647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "amvolup", - "Allowed" + "Allowed", + "amvolup" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -723,8 +723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "Allowed", - "psaquae" + "psaquae", + "Allowed" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -784,8 +784,8 @@ "ite2026.www.invalid" ], "related.ip": [ - "10.19.145.131", - "10.223.247.86" + "10.223.247.86", + "10.19.145.131" ], "related.user": [ "tNequepo" @@ -860,8 +860,8 @@ "radipisc7020.home" ], "related.ip": [ - "10.2.53.125", - "10.181.80.139" + "10.181.80.139", + "10.2.53.125" ], "related.user": [ "ihilmo" @@ -936,8 +936,8 @@ "uamei2493.www.test" ], "related.ip": [ - "10.31.240.6", - "10.167.98.76" + "10.167.98.76", + "10.31.240.6" ], "related.user": [ "ratvolu" @@ -951,8 +951,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "Allowed", - "veni" + "veni", + "Allowed" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", @@ -1027,8 +1027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "ionevo", - "Allowed" + "Allowed", + "ionevo" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1088,8 +1088,8 @@ "spi3544.www.host" ], "related.ip": [ - "10.63.250.128", - "10.111.187.12" + "10.111.187.12", + "10.63.250.128" ], "related.user": [ "saute" @@ -1164,8 +1164,8 @@ "tlab5981.www.host" ], "related.ip": [ - "10.5.126.127", - "10.252.124.150" + "10.252.124.150", + "10.5.126.127" ], "related.user": [ "inibusB" @@ -1179,8 +1179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "Allowed", - "xeacomm" + "xeacomm", + "Allowed" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1331,8 +1331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "itecto", - "Allowed" + "Allowed", + "itecto" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1392,8 +1392,8 @@ "uamei2389.internal.example" ], "related.ip": [ - "10.215.205.216", - "10.31.198.58" + "10.31.198.58", + "10.215.205.216" ], "related.user": [ "aturve" @@ -1468,8 +1468,8 @@ "eacommod1930.internal.lan" ], "related.ip": [ - "10.229.83.165", - "10.29.155.171" + "10.29.155.171", + "10.229.83.165" ], "related.user": [ "ulapar" @@ -1483,8 +1483,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "llitanim", - "Allowed" + "Allowed", + "llitanim" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1544,8 +1544,8 @@ "tem6984.www5.domain" ], "related.ip": [ - "10.161.148.64", - "10.129.192.145" + "10.129.192.145", + "10.161.148.64" ], "related.user": [ "lor" @@ -1620,8 +1620,8 @@ "lapariat7287.internal.host" ], "related.ip": [ - "10.203.65.161", - "10.7.200.140" + "10.7.200.140", + "10.203.65.161" ], "related.user": [ "snost" @@ -1711,8 +1711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "atcupi", - "Blocked" + "Blocked", + "atcupi" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1772,8 +1772,8 @@ "stenatu4844.www.invalid" ], "related.ip": [ - "10.39.31.115", - "10.24.111.229" + "10.24.111.229", + "10.39.31.115" ], "related.user": [ "fugi" @@ -1848,8 +1848,8 @@ "sitam5077.internal.host" ], "related.ip": [ - "10.32.39.220", - "10.179.210.218" + "10.179.210.218", + "10.32.39.220" ], "related.user": [ "boreetdo" @@ -2000,8 +2000,8 @@ "lloin4019.www.localhost" ], "related.ip": [ - "10.130.241.232", - "10.238.224.49" + "10.238.224.49", + "10.130.241.232" ], "related.user": [ "onse" @@ -2015,8 +2015,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "mod", - "Allowed" + "Allowed", + "mod" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -2076,8 +2076,8 @@ "tamet6317.www.host" ], "related.ip": [ - "10.2.67.127", - "10.115.53.31" + "10.115.53.31", + "10.2.67.127" ], "related.user": [ "Cic" @@ -2091,8 +2091,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "tatem", - "Allowed" + "Allowed", + "tatem" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2167,8 +2167,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tasun", "rsa.misc.action": [ - "quasiarc", - "Allowed" + "Allowed", + "quasiarc" ], "rsa.misc.category": "autfugi", "rsa.misc.filter": "ritqu", @@ -2228,8 +2228,8 @@ "utaliqu4248.www.localhost" ], "related.ip": [ - "10.18.226.72", - "10.101.85.169" + "10.101.85.169", + "10.18.226.72" ], "related.user": [ "rroqu" @@ -2319,8 +2319,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mag", "rsa.misc.action": [ - "tali", - "Allowed" + "Allowed", + "tali" ], "rsa.misc.category": "oconse", "rsa.misc.filter": "npr", @@ -2380,8 +2380,8 @@ "tatio6513.www.invalid" ], "related.ip": [ - "10.80.57.247", - "10.229.242.223" + "10.229.242.223", + "10.80.57.247" ], "related.user": [ "itasp" @@ -2471,8 +2471,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Allowed", - "Section" + "Section", + "Allowed" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2532,8 +2532,8 @@ "aquioff3853.www.localdomain" ], "related.ip": [ - "10.54.159.1", - "10.236.230.136" + "10.236.230.136", + "10.54.159.1" ], "related.user": [ "mUteni" @@ -2547,8 +2547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "tatema", - "Allowed" + "Allowed", + "tatema" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2623,8 +2623,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "utemvel", - "Allowed" + "Allowed", + "utemvel" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2684,8 +2684,8 @@ "iamea478.www5.host" ], "related.ip": [ - "10.142.120.198", - "10.166.10.42" + "10.166.10.42", + "10.142.120.198" ], "related.user": [ "olori" @@ -2699,8 +2699,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "doconse", - "Blocked" + "Blocked", + "doconse" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2775,8 +2775,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issu", "rsa.misc.action": [ - "Allowed", - "sed" + "sed", + "Allowed" ], "rsa.misc.category": "atur", "rsa.misc.filter": "iciadese", @@ -2851,8 +2851,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "Allowed", - "litanim" + "litanim", + "Allowed" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2927,8 +2927,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "Blocked", - "lestia" + "lestia", + "Blocked" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2988,8 +2988,8 @@ "pariatur7238.www5.invalid" ], "related.ip": [ - "10.202.224.79", - "10.33.144.10" + "10.33.144.10", + "10.202.224.79" ], "related.user": [ "rios" @@ -3079,8 +3079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "quid", - "Allowed" + "Allowed", + "quid" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", @@ -3140,8 +3140,8 @@ "mquisnos7453.home" ], "related.ip": [ - "10.134.128.27", - "10.118.177.136" + "10.118.177.136", + "10.134.128.27" ], "related.user": [ "Utenima" @@ -3155,8 +3155,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "Allowed", - "olor" + "olor", + "Allowed" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3307,8 +3307,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "mwrit", - "Blocked" + "Blocked", + "mwrit" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3368,8 +3368,8 @@ "etdolore4227.internal.corp" ], "related.ip": [ - "10.30.87.51", - "10.156.177.53" + "10.156.177.53", + "10.30.87.51" ], "related.user": [ "psaquaea" @@ -3383,8 +3383,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "ptatev", - "Blocked" + "Blocked", + "ptatev" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", @@ -3444,8 +3444,8 @@ "rors1935.api.domain" ], "related.ip": [ - "10.83.138.34", - "10.111.249.184" + "10.111.249.184", + "10.83.138.34" ], "related.user": [ "dentsunt" @@ -3459,8 +3459,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "Blocked", - "upta" + "upta", + "Blocked" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3520,8 +3520,8 @@ "idexeac1655.internal.test" ], "related.ip": [ - "10.141.195.13", - "10.180.150.47" + "10.180.150.47", + "10.141.195.13" ], "related.user": [ "taliq" @@ -3535,8 +3535,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "Allowed", - "uip" + "uip", + "Allowed" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3670,8 +3670,8 @@ "tecto708.www5.example" ], "related.ip": [ - "10.22.122.43", - "10.100.143.226" + "10.100.143.226", + "10.22.122.43" ], "related.user": [ "ute" @@ -3685,8 +3685,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Bonoru", - "Blocked" + "Blocked", + "Bonoru" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3746,8 +3746,8 @@ "ine3181.www.invalid" ], "related.ip": [ - "10.119.53.68", - "10.121.9.5" + "10.121.9.5", + "10.119.53.68" ], "related.user": [ "ssec" @@ -3822,8 +3822,8 @@ "tsunt3403.www5.test" ], "related.ip": [ - "10.31.153.177", - "10.237.0.173" + "10.237.0.173", + "10.31.153.177" ], "related.user": [ "sci" @@ -3837,8 +3837,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "dolor", - "Blocked" + "Blocked", + "dolor" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3911,8 +3911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "etquasia", - "Allowed" + "Allowed", + "etquasia" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3983,8 +3983,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "exer", - "Blocked" + "Blocked", + "exer" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", @@ -4044,8 +4044,8 @@ "tamr1693.api.home" ], "related.ip": [ - "10.53.191.49", - "10.133.102.57" + "10.133.102.57", + "10.53.191.49" ], "related.user": [ "onsec" @@ -4059,8 +4059,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "Blocked", - "emp" + "emp", + "Blocked" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -4135,8 +4135,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iuntN", "rsa.misc.action": [ - "nim", - "Allowed" + "Allowed", + "nim" ], "rsa.misc.category": "etco", "rsa.misc.filter": "autodita", @@ -4272,8 +4272,8 @@ "pici1525.www5.corp" ], "related.ip": [ - "10.155.252.123", - "10.178.148.188" + "10.178.148.188", + "10.155.252.123" ], "related.user": [ "inrepreh" @@ -4348,8 +4348,8 @@ "dolo6418.internal.host" ], "related.ip": [ - "10.190.42.245", - "10.220.1.249" + "10.220.1.249", + "10.190.42.245" ], "related.user": [ "olup" @@ -4363,8 +4363,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "Blocked", - "aerat" + "aerat", + "Blocked" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4422,8 +4422,8 @@ "imveni193.www5.host" ], "related.ip": [ - "10.55.38.153", - "10.112.190.154" + "10.112.190.154", + "10.55.38.153" ], "related.user": [ "oremeu" @@ -4498,8 +4498,8 @@ "ionu3320.api.localhost" ], "related.ip": [ - "10.250.48.82", - "10.195.153.42" + "10.195.153.42", + "10.250.48.82" ], "related.user": [ "tsedquia" @@ -4574,8 +4574,8 @@ "remips1499.www.local" ], "related.ip": [ - "10.252.164.230", - "10.60.52.219" + "10.60.52.219", + "10.252.164.230" ], "related.user": [ "gnamali" @@ -4589,8 +4589,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "fdeFin", - "Blocked" + "Blocked", + "fdeFin" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4646,8 +4646,8 @@ "mdoloree96.domain" ], "related.ip": [ - "10.187.16.73", - "10.122.102.156" + "10.122.102.156", + "10.187.16.73" ], "related.user": [ "emoen" @@ -4796,8 +4796,8 @@ "sBonoru1929.example" ], "related.ip": [ - "10.51.161.245", - "10.15.254.181" + "10.15.254.181", + "10.51.161.245" ], "related.user": [ "abo" @@ -4872,8 +4872,8 @@ "onorumet4871.lan" ], "related.ip": [ - "10.7.152.238", - "10.129.66.196" + "10.129.66.196", + "10.7.152.238" ], "related.user": [ "equamn" @@ -4887,8 +4887,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vento", "rsa.misc.action": [ - "Blocked", - "reh" + "reh", + "Blocked" ], "rsa.misc.category": "atev", "rsa.misc.filter": "umq", @@ -4948,8 +4948,8 @@ "onproi4354.www5.invalid" ], "related.ip": [ - "10.185.107.27", - "10.29.162.157" + "10.29.162.157", + "10.185.107.27" ], "related.user": [ "evelite" @@ -4963,8 +4963,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "Blocked", - "squirat" + "squirat", + "Blocked" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -5024,8 +5024,8 @@ "beataevi7552.api.test" ], "related.ip": [ - "10.215.63.248", - "10.138.0.214" + "10.138.0.214", + "10.215.63.248" ], "related.user": [ "eavolupt" @@ -5039,8 +5039,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "dqu", - "Blocked" + "Blocked", + "dqu" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -5115,8 +5115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "Allowed", - "rmagnido" + "rmagnido", + "Allowed" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -5191,8 +5191,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "Blocked", - "umq" + "umq", + "Blocked" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -5267,8 +5267,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "Allowed", - "userro" + "userro", + "Allowed" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5328,8 +5328,8 @@ "olo7317.www5.localhost" ], "related.ip": [ - "10.249.1.143", - "10.124.177.226" + "10.124.177.226", + "10.249.1.143" ], "related.user": [ "isciveli" @@ -5343,8 +5343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "onevo", - "Allowed" + "Allowed", + "onevo" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5419,8 +5419,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ect", "rsa.misc.action": [ - "Blocked", - "maccu" + "maccu", + "Blocked" ], "rsa.misc.category": "iaecon", "rsa.misc.filter": "eni", @@ -5480,8 +5480,8 @@ "agna5654.www.corp" ], "related.ip": [ - "10.203.47.23", - "10.200.74.101" + "10.200.74.101", + "10.203.47.23" ], "related.user": [ "litesse" @@ -5495,8 +5495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "Allowed", - "iqu" + "iqu", + "Allowed" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5556,8 +5556,8 @@ "ites5711.internal.host" ], "related.ip": [ - "10.162.78.48", - "10.24.23.209" + "10.24.23.209", + "10.162.78.48" ], "related.user": [ "ntore" @@ -5571,8 +5571,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "Blocked", - "tutl" + "tutl", + "Blocked" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -5632,8 +5632,8 @@ "oluptat2848.api.home" ], "related.ip": [ - "10.211.66.68", - "10.55.151.53" + "10.55.151.53", + "10.211.66.68" ], "related.user": [ "squir" @@ -5647,8 +5647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "diconseq", "rsa.misc.action": [ - "Allowed", - "umet" + "umet", + "Allowed" ], "rsa.misc.category": "ciad", "rsa.misc.filter": "oeiusmod", @@ -5708,8 +5708,8 @@ "ngelitse7535.internal.lan" ], "related.ip": [ - "10.110.16.169", - "10.209.203.156" + "10.209.203.156", + "10.110.16.169" ], "related.user": [ "mes" @@ -5723,8 +5723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "Blocked", - "lupta" + "lupta", + "Blocked" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5784,8 +5784,8 @@ "tiumtot3611.internal.localdomain" ], "related.ip": [ - "10.107.68.114", - "10.84.9.150" + "10.84.9.150", + "10.107.68.114" ], "related.user": [ "sequatDu" @@ -5799,8 +5799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "uianonnu", - "Allowed" + "Allowed", + "uianonnu" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5875,8 +5875,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "ici", - "Blocked" + "Blocked", + "ici" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5936,8 +5936,8 @@ "psaqu6066.www5.localhost" ], "related.ip": [ - "10.164.190.2", - "10.223.11.164" + "10.223.11.164", + "10.164.190.2" ], "related.user": [ "ten" @@ -6012,8 +6012,8 @@ "iavol5202.api.example" ], "related.ip": [ - "10.121.181.243", - "10.14.37.8" + "10.14.37.8", + "10.121.181.243" ], "related.user": [ "umwr" @@ -6027,8 +6027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "Blocked", - "rinc" + "rinc", + "Blocked" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -6103,8 +6103,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tat", "rsa.misc.action": [ - "nia", - "Blocked" + "Blocked", + "nia" ], "rsa.misc.category": "turQuis", "rsa.misc.filter": "nonp", @@ -6164,8 +6164,8 @@ "rsitame4049.internal.corp" ], "related.ip": [ - "10.77.102.206", - "10.34.98.144" + "10.34.98.144", + "10.77.102.206" ], "related.user": [ "tectobe" @@ -6179,8 +6179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Exce", "rsa.misc.action": [ - "Allowed", - "ulapa" + "ulapa", + "Allowed" ], "rsa.misc.category": "reprehen", "rsa.misc.filter": "itsedqui", @@ -6240,8 +6240,8 @@ "elit912.www5.test" ], "related.ip": [ - "10.176.233.249", - "10.75.144.118" + "10.75.144.118", + "10.176.233.249" ], "related.user": [ "isnos" @@ -6255,8 +6255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "Blocked", - "odic" + "odic", + "Blocked" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", @@ -6331,8 +6331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "Allowed", - "mvele" + "mvele", + "Allowed" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6620,8 +6620,8 @@ "archite4407.mail.invalid" ], "related.ip": [ - "10.247.255.107", - "10.234.34.40" + "10.234.34.40", + "10.247.255.107" ], "related.user": [ "aeabillo" @@ -6696,8 +6696,8 @@ "aria1424.mail.home" ], "related.ip": [ - "10.250.102.42", - "10.124.81.20" + "10.124.81.20", + "10.250.102.42" ], "related.user": [ "tNequ" @@ -6711,8 +6711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "tatisetq", - "Blocked" + "Blocked", + "tatisetq" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6772,8 +6772,8 @@ "Bonoru7444.www5.example" ], "related.ip": [ - "10.166.205.159", - "10.154.188.132" + "10.154.188.132", + "10.166.205.159" ], "related.user": [ "uptat" @@ -6787,8 +6787,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "Allowed", - "onevolu" + "onevolu", + "Allowed" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", @@ -6916,8 +6916,8 @@ "oloremeu5047.www5.invalid" ], "related.ip": [ - "10.172.159.251", - "10.254.119.31" + "10.254.119.31", + "10.172.159.251" ], "related.user": [ "usm" @@ -6931,8 +6931,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "tatemacc", - "Blocked" + "Blocked", + "tatemacc" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6992,8 +6992,8 @@ "edutpe1255.internal.lan" ], "related.ip": [ - "10.195.62.230", - "10.98.126.206" + "10.98.126.206", + "10.195.62.230" ], "related.user": [ "ptassit" @@ -7007,8 +7007,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "Allowed", - "oriosa" + "oriosa", + "Allowed" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -7068,8 +7068,8 @@ "nderit1171.www5.domain" ], "related.ip": [ - "10.144.93.186", - "10.84.140.5" + "10.84.140.5", + "10.144.93.186" ], "related.user": [ "eroi" @@ -7220,8 +7220,8 @@ "oremeum4231.internal.host" ], "related.ip": [ - "10.139.90.218", - "10.131.81.172" + "10.131.81.172", + "10.139.90.218" ], "related.user": [ "hende" @@ -7235,8 +7235,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "Allowed", - "exe" + "exe", + "Allowed" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7296,8 +7296,8 @@ "ueip6097.api.host" ], "related.ip": [ - "10.152.217.174", - "10.128.43.71" + "10.128.43.71", + "10.152.217.174" ], "related.user": [ "mquiado" @@ -7387,8 +7387,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "Blocked", - "rehe" + "rehe", + "Blocked" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7448,8 +7448,8 @@ "onsequ3168.www.corp" ], "related.ip": [ - "10.172.17.6", - "10.109.192.53" + "10.109.192.53", + "10.172.17.6" ], "related.user": [ "eprehen" @@ -7463,8 +7463,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "Blocked", - "tassit" + "tassit", + "Blocked" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", @@ -7524,8 +7524,8 @@ "oremquel3120.internal.localhost" ], "related.ip": [ - "10.135.38.213", - "10.119.106.108" + "10.119.106.108", + "10.135.38.213" ], "related.user": [ "ore" @@ -7539,8 +7539,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "Blocked", - "volup" + "volup", + "Blocked" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index bdf9957b55d..d2e89ea6140 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -31,8 +31,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "", diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index e3359756d90..6ffe87834a4 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -39,3 +39,16 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + srx: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006 diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled index 09c7211e179..63bcc20897a 100644 --- a/x-pack/filebeat/modules.d/microsoft.yml.disabled +++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled @@ -13,7 +13,20 @@ # Oauth Client Secret #var.oauth2.client.secret: "" - + + # Oauth Token URL, should include the tenant ID + #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" + m365_defender: + enabled: true + # How often the API should be polled + #var.interval: 5m + + # Oauth Client ID + #var.oauth2.client.id: "" + + # Oauth Client Secret + #var.oauth2.client.secret: "" + # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" dhcp: diff --git a/x-pack/functionbeat/Jenkinsfile.yml b/x-pack/functionbeat/Jenkinsfile.yml index 37a70d06d3e..a8d42ce5fb9 100644 --- a/x-pack/functionbeat/Jenkinsfile.yml +++ b/x-pack/functionbeat/Jenkinsfile.yml @@ -19,15 +19,27 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test x-pack/functionbeat for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test x-pack/functionbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 73c93e39a61..7f4aa3d5aaf 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc @@ -216,8 +216,15 @@ type: object [[exported-fields-ecs]] == ECS fields -ECS Fields. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. *`@timestamp`*:: + diff --git a/x-pack/libbeat/common/cloudfoundry/cache.go b/x-pack/libbeat/common/cloudfoundry/cache.go index 22f41f3b23c..0f19818666e 100644 --- a/x-pack/libbeat/common/cloudfoundry/cache.go +++ b/x-pack/libbeat/common/cloudfoundry/cache.go @@ -5,13 +5,16 @@ package cloudfoundry import ( + "crypto/sha1" + "encoding/base64" "fmt" "time" "github.com/cloudfoundry-community/go-cfclient" + "github.com/pkg/errors" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/x-pack/libbeat/persistentcache" ) // cfClient interface is provided so unit tests can mock the actual client. @@ -22,65 +25,113 @@ type cfClient interface { // clientCacheWrap wraps the cloudfoundry client to add a cache in front of GetAppByGuid. type clientCacheWrap struct { - cache *common.Cache + cache *persistentcache.PersistentCache client cfClient log *logp.Logger errorTTL time.Duration } // newClientCacheWrap creates a new cache for application data. -func newClientCacheWrap(client cfClient, ttl time.Duration, errorTTL time.Duration, log *logp.Logger) *clientCacheWrap { +func newClientCacheWrap(client cfClient, cacheName string, ttl time.Duration, errorTTL time.Duration, log *logp.Logger) (*clientCacheWrap, error) { + options := persistentcache.Options{ + Timeout: ttl, + } + + name := "cloudfoundry" + if cacheName != "" { + name = name + "-" + sanitizeCacheName(cacheName) + } + + cache, err := persistentcache.New(name, options) + if err != nil { + return nil, fmt.Errorf("creating metadata cache: %w", err) + } + return &clientCacheWrap{ - cache: common.NewCacheWithExpireOnAdd(ttl, 100), + cache: cache, client: client, errorTTL: errorTTL, log: log, - } + }, nil } type appResponse struct { - app *cfclient.App - err error + App AppMeta `json:"a"` + Error cfclient.CloudFoundryError `json:"e,omitempty"` + ErrorMessage string `json:"em,omitempty"` +} + +func (r *appResponse) fromStructs(app cfclient.App, err error) { + if err != nil { + cause := errors.Cause(err) + if cferr, ok := cause.(cfclient.CloudFoundryError); ok { + r.Error = cferr + } + r.ErrorMessage = err.Error() + return + } + r.App = AppMeta{ + Name: app.Name, + Guid: app.Guid, + SpaceName: app.SpaceData.Entity.Name, + SpaceGuid: app.SpaceData.Meta.Guid, + OrgName: app.SpaceData.Entity.OrgData.Entity.Name, + OrgGuid: app.SpaceData.Entity.OrgData.Meta.Guid, + } +} + +func (r *appResponse) toStructs() (*AppMeta, error) { + var empty cfclient.CloudFoundryError + if r.Error != empty { + // Wrapping the error so cfclient.IsAppNotFoundError can identify it + return nil, errors.Wrap(r.Error, r.ErrorMessage) + } + if len(r.ErrorMessage) > 0 { + return nil, errors.New(r.ErrorMessage) + } + return &r.App, nil } // fetchApp uses the cfClient to retrieve an App entity and // stores it in the internal cache -func (c *clientCacheWrap) fetchAppByGuid(guid string) (*cfclient.App, error) { +func (c *clientCacheWrap) fetchAppByGuid(guid string) (*AppMeta, error) { app, err := c.client.GetAppByGuid(guid) - resp := appResponse{ - app: &app, - err: err, - } + var resp appResponse + resp.fromStructs(app, err) timeout := time.Duration(0) if err != nil { // Cache nil, because is what we want to return when there was an error - resp.app = nil timeout = c.errorTTL } - c.cache.PutWithTimeout(guid, &resp, timeout) - return resp.app, resp.err + err = c.cache.PutWithTimeout(guid, resp, timeout) + if err != nil { + return nil, fmt.Errorf("storing app response in cache: %w", err) + } + return resp.toStructs() } // GetApp returns CF Application info, either from the cache or // using the CF client. -func (c *clientCacheWrap) GetAppByGuid(guid string) (*cfclient.App, error) { - cachedResp := c.cache.Get(guid) - if cachedResp == nil { +func (c *clientCacheWrap) GetAppByGuid(guid string) (*AppMeta, error) { + var resp appResponse + err := c.cache.Get(guid, &resp) + if err != nil { return c.fetchAppByGuid(guid) } - resp, ok := cachedResp.(*appResponse) - if !ok { - return nil, fmt.Errorf("error converting cached app response (of type %T), this is likely a bug", cachedResp) - } - return resp.app, resp.err + return resp.toStructs() } -// StartJanitor starts a goroutine that will periodically clean the applications cache. -func (c *clientCacheWrap) StartJanitor(interval time.Duration) { - c.cache.StartJanitor(interval) +// Close release resources associated with this client +func (c *clientCacheWrap) Close() error { + err := c.cache.Close() + if err != nil { + return fmt.Errorf("closing cache: %w", err) + } + return nil } -// StopJanitor stops the goroutine that periodically clean the applications cache. -func (c *clientCacheWrap) StopJanitor() { - c.cache.StopJanitor() +// sanitizeCacheName returns a unique string that can be used safely as part of a file name +func sanitizeCacheName(name string) string { + hash := sha1.Sum([]byte(name)) + return base64.RawURLEncoding.EncodeToString(hash[:]) } diff --git a/x-pack/libbeat/common/cloudfoundry/cache_integration_test.go b/x-pack/libbeat/common/cloudfoundry/cache_integration_test.go index f6af11787c9..f799cc0615f 100644 --- a/x-pack/libbeat/common/cloudfoundry/cache_integration_test.go +++ b/x-pack/libbeat/common/cloudfoundry/cache_integration_test.go @@ -31,7 +31,7 @@ func TestGetApps(t *testing.T) { client, err := hub.Client() require.NoError(t, err) - apps, err := client.(*clientCacheWrap).client.(*cfclient.Client).ListApps() + apps, err := client.ListApps() require.NoError(t, err) t.Logf("%d applications available", len(apps)) @@ -40,8 +40,9 @@ func TestGetApps(t *testing.T) { if len(apps) == 0 { t.Skip("no apps in account?") } - client, err := hub.Client() + client, err := hub.ClientWithCache() require.NoError(t, err) + defer client.Close() guid := apps[0].Guid app, err := client.GetAppByGuid(guid) @@ -50,13 +51,15 @@ func TestGetApps(t *testing.T) { }) t.Run("handle error when application is not available", func(t *testing.T) { - client, err := hub.Client() + client, err := hub.ClientWithCache() require.NoError(t, err) + defer client.Close() testNotExists := func(t *testing.T) { app, err := client.GetAppByGuid("notexists") assert.Nil(t, app) - assert.True(t, cfclient.IsAppNotFoundError(err)) + assert.Error(t, err) + assert.True(t, cfclient.IsAppNotFoundError(err), "Error found: %v", err) } var firstTimeDuration time.Duration diff --git a/x-pack/libbeat/common/cloudfoundry/cache_test.go b/x-pack/libbeat/common/cloudfoundry/cache_test.go index 9e18a5ac86e..b345beff226 100644 --- a/x-pack/libbeat/common/cloudfoundry/cache_test.go +++ b/x-pack/libbeat/common/cloudfoundry/cache_test.go @@ -13,19 +13,25 @@ import ( "github.com/cloudfoundry-community/go-cfclient" "github.com/gofrs/uuid" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/logp" ) func TestClientCacheWrap(t *testing.T) { - ttl := 500 * time.Millisecond + if testing.Short() { + t.Skip("skipping in short mode") + } + + ttl := 2 * time.Second guid := mustCreateFakeGuid() app := cfclient.App{ - Guid: guid, - Memory: 1, // use this field to track if from cache or from client + Guid: guid, + Name: "Foo", // use this field to track if from cache or from client } fakeClient := &fakeCFClient{app, 0} - cache := newClientCacheWrap(fakeClient, ttl, ttl, logp.NewLogger("cloudfoundry")) + cache, err := newClientCacheWrap(fakeClient, "test", ttl, ttl, logp.NewLogger("cloudfoundry")) + require.NoError(t, err) missingAppGuid := mustCreateFakeGuid() @@ -44,25 +50,28 @@ func TestClientCacheWrap(t *testing.T) { // fetched from client for the first time one, err = cache.GetAppByGuid(guid) assert.NoError(t, err) - assert.Equal(t, app, *one) + assert.Equal(t, app.Guid, one.Guid) + assert.Equal(t, app.Name, one.Name) assert.Equal(t, 2, fakeClient.callCount) // updated app in fake client, new fetch should not have updated app updatedApp := cfclient.App{ - Guid: guid, - Memory: 2, + Guid: guid, + Name: "Bar", } fakeClient.app = updatedApp two, err := cache.GetAppByGuid(guid) assert.NoError(t, err) - assert.Equal(t, app, *two) + assert.Equal(t, app.Guid, two.Guid) + assert.Equal(t, app.Name, two.Name) assert.Equal(t, 2, fakeClient.callCount) // wait the ttl, then it should have updated app time.Sleep(ttl) three, err := cache.GetAppByGuid(guid) assert.NoError(t, err) - assert.Equal(t, updatedApp, *three) + assert.Equal(t, updatedApp.Guid, three.Guid) + assert.Equal(t, updatedApp.Name, three.Name) assert.Equal(t, 3, fakeClient.callCount) } diff --git a/x-pack/libbeat/common/cloudfoundry/hub.go b/x-pack/libbeat/common/cloudfoundry/hub.go index 4bb7fce1eec..4cf9757c278 100644 --- a/x-pack/libbeat/common/cloudfoundry/hub.go +++ b/x-pack/libbeat/common/cloudfoundry/hub.go @@ -5,10 +5,8 @@ package cloudfoundry import ( - "fmt" "net/http" "strings" - "time" "github.com/cloudfoundry-community/go-cfclient" "github.com/pkg/errors" @@ -19,11 +17,20 @@ import ( // Client interface exposed by Hub.Client. type Client interface { // GetAppByGuid returns the application from cloudfoundry. - GetAppByGuid(guid string) (*cfclient.App, error) - // StartJanitor keeps the cache of applications clean. - StartJanitor(interval time.Duration) - // StopJanitor stops the running janitor. - StopJanitor() + GetAppByGuid(guid string) (*AppMeta, error) + + // Close releases resources associated with this client. + Close() error +} + +// AppMeta is the metadata associated with a cloudfoundry application +type AppMeta struct { + Guid string `json:"guid"` + Name string `json:"name"` + SpaceGuid string `json:"space_guid"` + SpaceName string `json:"space_name"` + OrgGuid string `json:"org_guid"` + OrgName string `json:"org_name"` } // Hub is central place to get all the required clients to communicate with cloudfoundry. @@ -39,7 +46,7 @@ func NewHub(cfg *Config, userAgent string, log *logp.Logger) *Hub { } // Client returns the cloudfoundry client. -func (h *Hub) Client() (Client, error) { +func (h *Hub) Client() (*cfclient.Client, error) { httpClient, insecure, err := h.httpClient() if err != nil { return nil, err @@ -67,7 +74,15 @@ func (h *Hub) Client() (Client, error) { if h.cfg.UaaAddress != "" { cf.Endpoint.AuthEndpoint = h.cfg.UaaAddress } - return newClientCacheWrap(cf, h.cfg.CacheDuration, h.cfg.CacheRetryDelay, h.log), nil + return cf, nil +} + +func (h *Hub) ClientWithCache() (Client, error) { + c, err := h.Client() + if err != nil { + return nil, err + } + return newClientCacheWrap(c, h.cfg.APIAddress, h.cfg.CacheDuration, h.cfg.CacheRetryDelay, h.log) } // RlpListener returns a listener client that calls the passed callback when the provided events are streamed through @@ -85,7 +100,7 @@ func (h *Hub) RlpListener(callbacks RlpListenerCallbacks) (*RlpListener, error) // // In the case that the cloudfoundry client was already needed by the code path, call this method // as not to create a intermediate client that will not be used. -func (h *Hub) RlpListenerFromClient(client Client, callbacks RlpListenerCallbacks) (*RlpListener, error) { +func (h *Hub) RlpListenerFromClient(client *cfclient.Client, callbacks RlpListenerCallbacks) (*RlpListener, error) { var rlpAddress string if h.cfg.RlpAddress != "" { rlpAddress = h.cfg.RlpAddress @@ -107,47 +122,29 @@ func (h *Hub) DopplerConsumer(callbacks DopplerCallbacks) (*DopplerConsumer, err return h.DopplerConsumerFromClient(client, callbacks) } -func (h *Hub) DopplerConsumerFromClient(client Client, callbacks DopplerCallbacks) (*DopplerConsumer, error) { +func (h *Hub) DopplerConsumerFromClient(client *cfclient.Client, callbacks DopplerCallbacks) (*DopplerConsumer, error) { dopplerAddress := h.cfg.DopplerAddress if dopplerAddress == "" { - endpoint, err := cfEndpoint(client) - if err != nil { - return nil, errors.Wrap(err, "getting endpoints from client") - } - dopplerAddress = endpoint.DopplerEndpoint + dopplerAddress = client.Endpoint.DopplerEndpoint } httpClient, _, err := h.httpClient() if err != nil { return nil, errors.Wrap(err, "getting http client") } - // TODO: Refactor Client so it is easier to access the cfclient - ccw, ok := client.(*clientCacheWrap) - if !ok { - return nil, fmt.Errorf("client without cache wrap") - } - cfc, ok := ccw.client.(*cfclient.Client) - if !ok { - return nil, fmt.Errorf("client is not a cloud foundry client") - } - - tr := TokenRefresherFromCfClient(cfc) + tr := TokenRefresherFromCfClient(client) return newDopplerConsumer(dopplerAddress, h.cfg.ShardID, h.log, httpClient, tr, callbacks) } // doerFromClient returns an auth token doer using uaa. -func (h *Hub) doerFromClient(client Client) (*authTokenDoer, error) { +func (h *Hub) doerFromClient(client *cfclient.Client) (*authTokenDoer, error) { httpClient, _, err := h.httpClient() if err != nil { return nil, err } url := h.cfg.UaaAddress if url == "" { - endpoint, err := cfEndpoint(client) - if err != nil { - return nil, errors.Wrap(err, "getting endpoints from client") - } - url = endpoint.AuthEndpoint + url = client.Endpoint.AuthEndpoint } return newAuthTokenDoer(url, h.cfg.ClientID, h.cfg.ClientSecret, httpClient, h.log), nil } @@ -165,18 +162,6 @@ func (h *Hub) httpClient() (*http.Client, bool, error) { return httpClient, tls.InsecureSkipVerify, nil } -func cfEndpoint(client Client) (cfclient.Endpoint, error) { - ccw, ok := client.(*clientCacheWrap) - if !ok { - return cfclient.Endpoint{}, fmt.Errorf("client without cache wrap") - } - cfc, ok := ccw.client.(*cfclient.Client) - if !ok { - return cfclient.Endpoint{}, fmt.Errorf("client is not a cloud foundry client") - } - return cfc.Endpoint, nil -} - // defaultTransport returns a new http.Transport for http.Client func defaultTransport() *http.Transport { defaultTransport := http.DefaultTransport.(*http.Transport) diff --git a/x-pack/libbeat/common/cloudfoundry/main_test.go b/x-pack/libbeat/common/cloudfoundry/main_test.go new file mode 100644 index 00000000000..ec352def825 --- /dev/null +++ b/x-pack/libbeat/common/cloudfoundry/main_test.go @@ -0,0 +1,29 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package cloudfoundry + +import ( + "fmt" + "io/ioutil" + "os" + "testing" + + "github.com/elastic/beats/v7/libbeat/paths" +) + +func TestMain(m *testing.M) { + // Override global beats data dir to avoid creating directories in the working copy. + tmpdir, err := ioutil.TempDir("", "beats-data-dir") + if err != nil { + fmt.Printf("Failed to create temporal data directory: %v\n", err) + os.Exit(1) + } + paths.Paths.Data = tmpdir + + result := m.Run() + os.RemoveAll(tmpdir) + + os.Exit(result) +} diff --git a/x-pack/libbeat/persistentcache/encoding.go b/x-pack/libbeat/persistentcache/encoding.go new file mode 100644 index 00000000000..60b2058ebf4 --- /dev/null +++ b/x-pack/libbeat/persistentcache/encoding.go @@ -0,0 +1,55 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package persistentcache + +import ( + "bytes" + "encoding/json" + + ugorjicodec "github.com/ugorji/go/codec" +) + +type codec interface { + Decode([]byte, interface{}) error + Encode(interface{}) ([]byte, error) +} + +type jsonCodec struct{} + +func newJSONCodec() *jsonCodec { + return &jsonCodec{} +} + +// Encode encodes an object in json format. +func (*jsonCodec) Encode(v interface{}) ([]byte, error) { + return json.Marshal(v) +} + +// Decode decodes an object from its json representation. +func (*jsonCodec) Decode(d []byte, v interface{}) error { + return json.Unmarshal(d, v) +} + +type cborCodec struct { + handle ugorjicodec.CborHandle +} + +func newCBORCodec() *cborCodec { + return &cborCodec{} +} + +// Encode encodes an object in cbor format. +func (c *cborCodec) Encode(v interface{}) ([]byte, error) { + var buf bytes.Buffer + enc := ugorjicodec.NewEncoder(&buf, &c.handle) + err := enc.Encode(v) + return buf.Bytes(), err +} + +// Decode decodes an object from its cbor representation. +func (c *cborCodec) Decode(d []byte, v interface{}) error { + dec := ugorjicodec.NewDecoder(bytes.NewReader(d), &c.handle) + return dec.Decode(v) +} diff --git a/x-pack/libbeat/persistentcache/persistentcache.go b/x-pack/libbeat/persistentcache/persistentcache.go new file mode 100644 index 00000000000..39721095b86 --- /dev/null +++ b/x-pack/libbeat/persistentcache/persistentcache.go @@ -0,0 +1,112 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package persistentcache + +import ( + "fmt" + "time" + + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/paths" +) + +const ( + cacheFile = "cache" + gcPeriod = 5 * time.Minute +) + +// PersistentCache is a persistent map of keys to values. Elements added to the +// cache are stored until they are explicitly deleted or are expired due to time-based +// eviction based on last access or add time. +type PersistentCache struct { + log *logp.Logger + + store *Store + codec codec + + refreshOnAccess bool + timeout time.Duration +} + +// Options are the options that can be used to customize persistent caches +type Options struct { + // Length of time before cache elements expire + Timeout time.Duration + + // If set to true, expiration time of an entry is updated + // when the object is accessed. + RefreshOnAccess bool + + // If empty, beats data path is used. + RootPath string +} + +// New creates and returns a new persistent cache. +// Cache returned by this method must be closed with Close() when +// not needed anymore. +func New(name string, opts Options) (*PersistentCache, error) { + logger := logp.NewLogger("persistentcache") + + rootPath := opts.RootPath + if rootPath == "" { + rootPath = paths.Resolve(paths.Data, cacheFile) + } + store, err := newStore(logger, rootPath, name) + if err != nil { + return nil, err + } + + return &PersistentCache{ + log: logger, + store: store, + codec: newCBORCodec(), + + refreshOnAccess: opts.RefreshOnAccess, + timeout: opts.Timeout, + }, nil +} + +// Put writes the given key and value to the map replacing any +// existing value if it exists. +func (c *PersistentCache) Put(k string, v interface{}) error { + return c.PutWithTimeout(k, v, 0) +} + +// PutWithTimeout writes the given key and value to the map replacing any +// existing value if it exists. +// The cache expiration time will be overwritten by timeout of the key being +// inserted. +func (c *PersistentCache) PutWithTimeout(k string, v interface{}, timeout time.Duration) error { + d, err := c.codec.Encode(v) + if err != nil { + return fmt.Errorf("encoding item to store in cache: %w", err) + } + if timeout == 0 { + timeout = c.timeout + } + return c.store.Set([]byte(k), d, timeout) +} + +// Get the current value associated with a key or nil if the key is not +// present. The last access time of the element is updated. +func (c *PersistentCache) Get(k string, v interface{}) error { + d, err := c.store.Get([]byte(k)) + if err != nil { + return err + } + if c.refreshOnAccess && c.timeout > 0 { + c.store.Set([]byte(k), d, c.timeout) + } + err = c.codec.Decode(d, v) + if err != nil { + return fmt.Errorf("decoding item stored in cache: %w", err) + } + return nil +} + +// Close releases all resources associated with this cache. +func (c *PersistentCache) Close() error { + return c.store.Close() +} diff --git a/x-pack/libbeat/persistentcache/persistentcache_test.go b/x-pack/libbeat/persistentcache/persistentcache_test.go new file mode 100644 index 00000000000..f6f28d73b75 --- /dev/null +++ b/x-pack/libbeat/persistentcache/persistentcache_test.go @@ -0,0 +1,436 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package persistentcache + +import ( + "fmt" + "io/ioutil" + "math/rand" + "os" + "path/filepath" + "strconv" + "testing" + "time" + + "github.com/gofrs/uuid" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +func TestPutGet(t *testing.T) { + logp.TestingSetup() + t.Parallel() + + cache, err := New("test", testOptions(t)) + require.NoError(t, err) + defer cache.Close() + + type valueType struct { + Something string + } + + var key = "somekey" + var value = valueType{Something: "foo"} + + err = cache.Put(key, value) + assert.NoError(t, err) + + var result valueType + err = cache.Get(key, &result) + assert.NoError(t, err) + assert.Equal(t, value, result) + + err = cache.Get("notexist", &result) + assert.Error(t, err) +} + +func TestPersist(t *testing.T) { + logp.TestingSetup() + t.Parallel() + + options := testOptions(t) + + cache, err := New("test", options) + require.NoError(t, err) + + type valueType struct { + Something string + } + + var key = "somekey" + var value = valueType{Something: "foo"} + + err = cache.Put(key, value) + assert.NoError(t, err) + + err = cache.Close() + assert.NoError(t, err) + + cache, err = New("test", options) + require.NoError(t, err) + defer cache.Close() + + var result valueType + err = cache.Get(key, &result) + assert.NoError(t, err) + assert.Equal(t, value, result) +} + +func TestExpired(t *testing.T) { + if testing.Short() { + t.Skip("skipping in short mode") + } + logp.TestingSetup() + t.Parallel() + + options := testOptions(t) + cache, err := New("test", options) + require.NoError(t, err) + defer cache.Close() + + type valueType struct { + Something string + } + + var key = "somekey" + var value = valueType{Something: "foo"} + + // Badger TTL is not reliable on sub-second durations. + err = cache.PutWithTimeout(key, value, 2*time.Second) + assert.NoError(t, err) + + var result valueType + err = cache.Get(key, &result) + assert.NoError(t, err) + assert.Equal(t, value, result) + + time.Sleep(2 * time.Second) + err = cache.Get(key, &result) + assert.Error(t, err) +} + +func TestRefreshOnAccess(t *testing.T) { + t.Skip("flaky test") + + if testing.Short() { + t.Skip("skipping in short mode") + } + + logp.TestingSetup() + t.Parallel() + + // Badger TTL is not reliable on sub-second durations. + options := testOptions(t) + options.Timeout = 2 * time.Second + options.RefreshOnAccess = true + + cache, err := New("test", options) + require.NoError(t, err) + defer cache.Close() + + type valueType struct { + Something string + } + + var key1 = "somekey" + var value1 = valueType{Something: "foo"} + var key2 = "otherkey" + var value2 = valueType{Something: "bar"} + + err = cache.Put(key1, value1) + assert.NoError(t, err) + err = cache.Put(key2, value2) + assert.NoError(t, err) + + time.Sleep(1 * time.Second) + + var result valueType + err = cache.Get(key1, &result) + assert.NoError(t, err) + assert.Equal(t, value1, result) + + time.Sleep(1 * time.Second) + + err = cache.Get(key1, &result) + assert.NoError(t, err) + assert.Equal(t, value1, result) + err = cache.Get(key2, &result) + assert.Error(t, err) +} + +var benchmarkCacheSizes = []int{10, 100, 1000, 10000, 100000} + +func BenchmarkPut(b *testing.B) { + type cache interface { + Put(key string, value interface{}) error + Close() error + } + + options := testOptions(b) + newPersistentCache := func(tb testing.TB, name string) cache { + cache, err := New(name, options) + require.NoError(tb, err) + return cache + } + + caches := []struct { + name string + factory func(t testing.TB, name string) cache + }{ + {name: "badger", factory: newPersistentCache}, + } + + b.Run("random strings", func(b *testing.B) { + for _, c := range caches { + b.Run(c.name, func(b *testing.B) { + b.ReportAllocs() + + cache := c.factory(b, b.Name()) + defer cache.Close() + + value := uuid.Must(uuid.NewV4()).String() + + b.ResetTimer() + for i := 0; i < b.N; i++ { + err := cache.Put(strconv.Itoa(i), value) + if err != nil { + b.Fatal(err) + } + } + b.StopTimer() + }) + } + }) + + b.Run("objects", func(b *testing.B) { + for _, c := range caches { + type entry struct { + ID string + Data [128]byte + } + + b.Run(c.name, func(b *testing.B) { + b.ReportAllocs() + + cache := c.factory(b, b.Name()) + defer cache.Close() + + value := entry{ID: uuid.Must(uuid.NewV4()).String()} + + b.ResetTimer() + for i := 0; i < b.N; i++ { + err := cache.Put(strconv.Itoa(i), value) + if err != nil { + b.Fatal(err) + } + } + b.StopTimer() + }) + } + }) + + b.Run("maps", func(b *testing.B) { + for _, c := range caches { + b.Run(c.name, func(b *testing.B) { + b.ReportAllocs() + + cache := c.factory(b, b.Name()) + defer cache.Close() + + value := map[string]string{ + "id": uuid.Must(uuid.NewV4()).String(), + } + + b.ResetTimer() + for i := 0; i < b.N; i++ { + err := cache.Put(strconv.Itoa(i), value) + if err != nil { + b.Fatal(err) + } + } + b.StopTimer() + }) + } + }) + + for _, size := range benchmarkCacheSizes { + b.Run(fmt.Sprintf("%d objects", size), func(b *testing.B) { + type entry struct { + ID string + Data [128]byte + } + objects := make([]entry, size) + for i := 0; i < size; i++ { + objects[i] = entry{ + ID: uuid.Must(uuid.NewV4()).String(), + } + } + + for _, c := range caches { + b.Run(c.name, func(b *testing.B) { + b.ReportAllocs() + + for i := 0; i < b.N; i++ { + cache := c.factory(b, b.Name()) + for _, object := range objects { + cache.Put(object.ID, object) + } + cache.Close() + } + }) + } + }) + } +} + +func BenchmarkOpen(b *testing.B) { + type cache interface { + Put(key string, value interface{}) error + Close() error + } + + options := testOptions(b) + newPersistentCache := func(tb testing.TB, name string) cache { + cache, err := New(name, options) + require.NoError(tb, err) + return cache + } + + caches := []struct { + name string + factory func(t testing.TB, name string) cache + }{ + {name: "badger", factory: newPersistentCache}, + } + + for _, size := range benchmarkCacheSizes { + b.Run(fmt.Sprintf("%d objects", size), func(b *testing.B) { + type entry struct { + ID string + Data [128]byte + } + + for _, c := range caches { + cacheName := b.Name() + cache := c.factory(b, cacheName) + for i := 0; i < size; i++ { + e := entry{ + ID: uuid.Must(uuid.NewV4()).String(), + } + err := cache.Put(e.ID, e) + require.NoError(b, err) + } + cache.Close() + + b.Run(c.name, func(b *testing.B) { + b.ReportAllocs() + + for i := 0; i < b.N; i++ { + cache := c.factory(b, cacheName) + cache.Close() + } + }) + } + }) + } +} + +func BenchmarkGet(b *testing.B) { + type cache interface { + Put(key string, value interface{}) error + Get(key string, value interface{}) error + Close() error + } + + options := testOptions(b) + newPersistentCache := func(tb testing.TB, name string) cache { + cache, err := New(name, options) + require.NoError(tb, err) + return cache + } + + caches := []struct { + name string + factory func(t testing.TB, name string) cache + }{ + {name: "badger", factory: newPersistentCache}, + } + + for _, size := range benchmarkCacheSizes { + b.Run(fmt.Sprintf("%d objects", size), func(b *testing.B) { + for _, c := range caches { + type entry struct { + ID string + Data [128]byte + } + + cacheName := b.Name() + + objects := make([]entry, size) + cache := c.factory(b, cacheName) + for i := 0; i < size; i++ { + e := entry{ + ID: uuid.Must(uuid.NewV4()).String(), + } + objects[i] = e + err := cache.Put(e.ID, e) + require.NoError(b, err) + } + cache.Close() + + b.Run(c.name, func(b *testing.B) { + b.ReportAllocs() + + cache := c.factory(b, cacheName) + + var result entry + + b.ResetTimer() + for i := 0; i < b.N; i++ { + expected := objects[rand.Intn(size)] + cache.Get(expected.ID, &result) + if expected.ID != result.ID { + b.Fatalf("%s != %s", expected.ID, result.ID) + } + } + b.StopTimer() + cache.Close() + }) + } + }) + } +} + +func testOptions(t testing.TB) Options { + t.Helper() + + tempDir, err := ioutil.TempDir("", "beat-data-dir-") + require.NoError(t, err) + + t.Cleanup(func() { os.RemoveAll(tempDir) }) + + return Options{ + RootPath: filepath.Join(tempDir, cacheFile), + } +} + +func dirSize(tb testing.TB, path string) int64 { + var size int64 + + err := filepath.Walk(path, func(_ string, info os.FileInfo, err error) error { + if err != nil { + return err + } + if !info.IsDir() { + size += info.Size() + } + return nil + }) + require.NoError(tb, err) + + return size +} diff --git a/x-pack/libbeat/persistentcache/store.go b/x-pack/libbeat/persistentcache/store.go new file mode 100644 index 00000000000..589fc724e01 --- /dev/null +++ b/x-pack/libbeat/persistentcache/store.go @@ -0,0 +1,141 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package persistentcache + +import ( + "fmt" + "os" + "path/filepath" + "time" + + badger "github.com/dgraph-io/badger/v2" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// Store is a store for a persistent cache. It can be shared between consumers. +type Store struct { + logger *logp.Logger + name string + + gcQuit chan struct{} + db *badger.DB +} + +// newStore opens a store persisted on the specified directory, with the specified name. +// If succeeds, returned store must be closed. +func newStore(logger *logp.Logger, dir, name string) (*Store, error) { + dbPath := filepath.Join(dir, name) + err := os.MkdirAll(dbPath, 0750) + if err != nil { + return nil, fmt.Errorf("creating directory for cache store: %w", err) + } + + // Opinionated options for the use of badger as a store for metadata caches in Beats. + options := badger.DefaultOptions(dbPath) + options.Logger = badgerLogger{logger.Named("badger")} + // TODO: Disabling sync writes gives better performance, and data loss wouldn't + // be a problem for caches. But we are not properly closing processors yet, so let + // sync on writes by now. + // options.SyncWrites = false + + db, err := badger.Open(options) + if err != nil { + return nil, fmt.Errorf("opening database for cache store: %w", err) + } + + store := Store{ + db: db, + logger: logger, + name: name, + gcQuit: make(chan struct{}), + } + go store.runGC(gcPeriod) + return &store, nil +} + +// Close closes the store. +func (s *Store) Close() error { + s.stopGC() + err := s.db.Close() + if err != nil { + return fmt.Errorf("closing database of cache store: %w", err) + } + return nil +} + +// Set sets a value with a ttl in the store. If ttl is zero, it is ignored. +func (s *Store) Set(k, v []byte, ttl time.Duration) error { + entry := badger.Entry{ + Key: []byte(k), + Value: v, + } + if ttl > 0 { + entry.WithTTL(ttl) + } + err := s.db.Update(func(txn *badger.Txn) error { + return txn.SetEntry(&entry) + }) + if err != nil { + return fmt.Errorf("setting value in cache store: %w", err) + } + return err +} + +// Get gets a value from the store. +func (s *Store) Get(k []byte) ([]byte, error) { + var result []byte + err := s.db.View(func(txn *badger.Txn) error { + item, err := txn.Get(k) + if err != nil { + return err + } + result, err = item.ValueCopy(nil) + if err != nil { + return err + } + return nil + }) + if err != nil { + return nil, fmt.Errorf("getting value from cache store: %w", err) + } + return result, nil +} + +// runGC starts garbage collection in the store. +func (s *Store) runGC(period time.Duration) { + ticker := time.NewTicker(period) + defer ticker.Stop() + for { + select { + case <-ticker.C: + var err error + count := 0 + for err == nil { + err = s.db.RunValueLogGC(0.5) + count++ + } + s.logger.Debugf("Result of garbage collector after running %d times: %s", count, err) + case <-s.gcQuit: + return + } + } + +} + +// stopGC stops garbage collection in the store. +func (s *Store) stopGC() { + close(s.gcQuit) +} + +// badgerLogger is an adapter between a logp logger and the loggers expected by badger. +type badgerLogger struct { + *logp.Logger +} + +// Warningf logs a message at the warning level. +func (l badgerLogger) Warningf(format string, args ...interface{}) { + l.Warnf(format, args...) +} diff --git a/x-pack/libbeat/persistentcache/store_test.go b/x-pack/libbeat/persistentcache/store_test.go new file mode 100644 index 00000000000..efa51f24b7f --- /dev/null +++ b/x-pack/libbeat/persistentcache/store_test.go @@ -0,0 +1,43 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package persistentcache + +import ( + "io/ioutil" + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +func TestStandaloneStore(t *testing.T) { + type valueType struct { + Something string + } + + var key = []byte("somekey") + var value = []byte("somevalue") + + tempDir, err := ioutil.TempDir("", "beat-data-dir-") + require.NoError(t, err) + t.Cleanup(func() { os.RemoveAll(tempDir) }) + + store, err := newStore(logp.NewLogger("test"), tempDir, "store-cache") + require.NoError(t, err) + + err = store.Set(key, value, 0) + assert.NoError(t, err) + + result, err := store.Get(key) + if assert.NoError(t, err) { + assert.Equal(t, value, result) + } + + err = store.Close() + assert.NoError(t, err) +} diff --git a/x-pack/libbeat/processors/add_cloudfoundry_metadata/add_cloudfoundry_metadata.go b/x-pack/libbeat/processors/add_cloudfoundry_metadata/add_cloudfoundry_metadata.go index d18a04ca979..c178ea04325 100644 --- a/x-pack/libbeat/processors/add_cloudfoundry_metadata/add_cloudfoundry_metadata.go +++ b/x-pack/libbeat/processors/add_cloudfoundry_metadata/add_cloudfoundry_metadata.go @@ -5,8 +5,6 @@ package add_cloudfoundry_metadata import ( - "time" - "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/beat" @@ -40,14 +38,11 @@ func New(cfg *common.Config) (processors.Processor, error) { log := logp.NewLogger(selector) hub := cloudfoundry.NewHub(&config, "add_cloudfoundry_metadata", log) - client, err := hub.Client() + client, err := hub.ClientWithCache() if err != nil { - log.Debugf("%s: failed to created cloudfoundry client: %+v", processorName, err) + return nil, errors.Wrapf(err, "%s: creating cloudfoundry client", processorName) } - // Janitor run every 5 minutes to clean up the client cache. - client.StartJanitor(5 * time.Minute) - return &addCloudFoundryMetadata{ log: log, client: client, @@ -79,18 +74,31 @@ func (d *addCloudFoundryMetadata) Run(event *beat.Event) (*beat.Event, error) { "name": app.Name, }, "space": common.MapStr{ - "id": app.SpaceData.Meta.Guid, - "name": app.SpaceData.Entity.Name, + "id": app.SpaceGuid, + "name": app.SpaceName, }, "org": common.MapStr{ - "id": app.SpaceData.Entity.OrgData.Meta.Guid, - "name": app.SpaceData.Entity.OrgData.Entity.Name, + "id": app.OrgGuid, + "name": app.OrgName, }, }, }) return event, nil } +// String returns this processor name. func (d *addCloudFoundryMetadata) String() string { return processorName } + +// Close closes the underlying client and releases its resources. +func (d *addCloudFoundryMetadata) Close() error { + if d.client == nil { + return nil + } + err := d.client.Close() + if err != nil { + return errors.Wrap(err, "closing client") + } + return nil +} diff --git a/x-pack/libbeat/processors/add_cloudfoundry_metadata/add_cloudfoundry_metadata_test.go b/x-pack/libbeat/processors/add_cloudfoundry_metadata/add_cloudfoundry_metadata_test.go index 1aff4cb2df8..95a7073321e 100644 --- a/x-pack/libbeat/processors/add_cloudfoundry_metadata/add_cloudfoundry_metadata_test.go +++ b/x-pack/libbeat/processors/add_cloudfoundry_metadata/add_cloudfoundry_metadata_test.go @@ -6,7 +6,6 @@ package add_cloudfoundry_metadata import ( "testing" - "time" "github.com/cloudfoundry-community/go-cfclient" "github.com/gofrs/uuid" @@ -15,6 +14,7 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/x-pack/libbeat/common/cloudfoundry" ) func TestNoClient(t *testing.T) { @@ -84,25 +84,13 @@ func TestCFAppNotFound(t *testing.T) { func TestCFAppUpdated(t *testing.T) { guid := mustCreateFakeGuid() - app := cfclient.App{ - Guid: guid, - Name: "My Fake App", - SpaceData: cfclient.SpaceResource{ - Meta: cfclient.Meta{ - Guid: mustCreateFakeGuid(), - }, - Entity: cfclient.Space{ - Name: "My Fake Space", - OrgData: cfclient.OrgResource{ - Meta: cfclient.Meta{ - Guid: mustCreateFakeGuid(), - }, - Entity: cfclient.Org{ - Name: "My Fake Org", - }, - }, - }, - }, + app := cloudfoundry.AppMeta{ + Guid: guid, + Name: "My Fake App", + SpaceGuid: mustCreateFakeGuid(), + SpaceName: "My Fake Space", + OrgGuid: mustCreateFakeGuid(), + OrgName: "My Fake Org", } p := addCloudFoundryMetadata{ log: logp.NewLogger("add_cloudfoundry_metadata"), @@ -126,12 +114,12 @@ func TestCFAppUpdated(t *testing.T) { "name": app.Name, }, "space": common.MapStr{ - "id": app.SpaceData.Meta.Guid, - "name": app.SpaceData.Entity.Name, + "id": app.SpaceGuid, + "name": app.SpaceName, }, "org": common.MapStr{ - "id": app.SpaceData.Entity.OrgData.Meta.Guid, - "name": app.SpaceData.Entity.OrgData.Entity.Name, + "id": app.OrgGuid, + "name": app.OrgName, }, }, }, @@ -142,20 +130,18 @@ func TestCFAppUpdated(t *testing.T) { } type fakeClient struct { - app cfclient.App + app cloudfoundry.AppMeta } -func (c *fakeClient) GetAppByGuid(guid string) (*cfclient.App, error) { +func (c *fakeClient) GetAppByGuid(guid string) (*cloudfoundry.AppMeta, error) { if c.app.Guid != guid { return nil, cfclient.CloudFoundryError{Code: 100004} } return &c.app, nil } -func (c *fakeClient) StartJanitor(_ time.Duration) { -} - -func (c *fakeClient) StopJanitor() { +func (c *fakeClient) Close() error { + return nil } func mustCreateFakeGuid() string { diff --git a/x-pack/libbeat/processors/add_cloudfoundry_metadata/docs/add_cloudfoundry_metadata.asciidoc b/x-pack/libbeat/processors/add_cloudfoundry_metadata/docs/add_cloudfoundry_metadata.asciidoc index 558b5a1031b..67e89c8173b 100644 --- a/x-pack/libbeat/processors/add_cloudfoundry_metadata/docs/add_cloudfoundry_metadata.asciidoc +++ b/x-pack/libbeat/processors/add_cloudfoundry_metadata/docs/add_cloudfoundry_metadata.asciidoc @@ -6,8 +6,6 @@ add_cloudfoundry_metadata ++++ -beta[] - The `add_cloudfoundry_metadata` processor annotates each event with relevant metadata from Cloud Foundry applications. The events are annotated with Cloud Foundry metadata, only if the event contains a reference to a Cloud Foundry application (using field diff --git a/x-pack/metricbeat/Jenkinsfile.yml b/x-pack/metricbeat/Jenkinsfile.yml index bf155746dd5..d02dc5e16aa 100644 --- a/x-pack/metricbeat/Jenkinsfile.yml +++ b/x-pack/metricbeat/Jenkinsfile.yml @@ -22,15 +22,27 @@ stages: mage: "mage build unitTest" platforms: ## override default label in this specific stage. - "macosx" - when: ## Aggregate when with the top-level one. + when: ## Override the top-level when. comments: - "/test x-pack/metricbeat for macos" labels: - "macOS" parameters: - "macosTest" + branches: true ## for all the branches + tags: true ## for all the tags windows: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test x-pack/metricbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index ff9bffda33e..b7b62643353 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -343,6 +343,14 @@ metricbeat.modules: metrics: - id: ["requests/count", "requests/duration"] +- module: azure + metricsets: + - app_state + enabled: true + period: 300s + application_id: '' + api_key: '' + #--------------------------------- Beat Module --------------------------------- - module: beat metricsets: @@ -685,6 +693,13 @@ metricbeat.modules: # use istio-pilot.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset hosts: ["localhost:15014"] +# Istio istiod to monitor the Istio Daemon for versions after 1.5 of Istio. +- module: istio + metricsets: ['istiod'] + period: 10s + # use istiod.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset + hosts: ['localhost:15014'] + #------------------------------- Jolokia Module ------------------------------- - module: jolokia #metricsets: ["jmx"] @@ -894,8 +909,10 @@ metricbeat.modules: period: 10s metricsets: - "pageinfo" + - "memory" # - ksm # - conntrack + # - iostat enabled: true #hostfs: /hostfs diff --git a/x-pack/metricbeat/module/aws/_meta/config.yml b/x-pack/metricbeat/module/aws/_meta/config.yml index 618ed4cd854..6f604138505 100644 --- a/x-pack/metricbeat/module/aws/_meta/config.yml +++ b/x-pack/metricbeat/module/aws/_meta/config.yml @@ -44,4 +44,8 @@ period: 24h metricsets: - s3_daily_storage +- module: aws + period: 1m + latency: 5m + metricsets: - s3_request diff --git a/x-pack/metricbeat/module/aws/_meta/docs.asciidoc b/x-pack/metricbeat/module/aws/_meta/docs.asciidoc index fe9aeea007f..e4e55e82136 100644 --- a/x-pack/metricbeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/aws/_meta/docs.asciidoc @@ -11,16 +11,27 @@ module. Please see <> for more details. [float] == Module-specific configuration notes +* *AWS Credentials* + The `aws` module requires AWS credentials configuration in order to make AWS API calls. Users can either use `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN`, or use shared AWS credentials file. Please see <> for more details. +* *regions* + This module also accepts optional configuration `regions` to specify which AWS regions to query metrics from. If the `regions` parameter is not set in the config file, then by default, the `aws` module will query metrics from all available AWS regions. +* *latency* + +Some AWS services send monitoring metrics to CloudWatch with a latency to +process larger than Metricbeat collection period. This case, please specify a +`latency` parameter so collection start time and end time will be shifted by the +given latency amount. + The aws module comes with a predefined dashboard. For example: image::./images/metricbeat-aws-overview.png[] diff --git a/x-pack/metricbeat/module/aws/aws.go b/x-pack/metricbeat/module/aws/aws.go index f7b744c27cb..167e6a088a0 100644 --- a/x-pack/metricbeat/module/aws/aws.go +++ b/x-pack/metricbeat/module/aws/aws.go @@ -27,6 +27,7 @@ import ( type Config struct { Period time.Duration `config:"period" validate:"nonzero,required"` Regions []string `config:"regions"` + Latency time.Duration `config:"latency"` AWSConfig awscommon.ConfigAWS `config:",inline"` TagsFilter []Tag `config:"tags_filter"` } @@ -37,6 +38,7 @@ type MetricSet struct { RegionsList []string Endpoint string Period time.Duration + Latency time.Duration AwsConfig *awssdk.Config AccountName string AccountID string @@ -87,6 +89,7 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { metricSet := MetricSet{ BaseMetricSet: base, Period: config.Period, + Latency: config.Latency, AwsConfig: &awsConfig, TagsFilter: config.TagsFilter, } @@ -193,11 +196,14 @@ func StringInSlice(str string, list []string) (bool, int) { } // InitEvent initialize mb.Event with basic information like service.name, cloud.provider -func InitEvent(regionName string, accountName string, accountID string) mb.Event { - event := mb.Event{} - event.MetricSetFields = common.MapStr{} - event.ModuleFields = common.MapStr{} - event.RootFields = common.MapStr{} +func InitEvent(regionName string, accountName string, accountID string, timestamp time.Time) mb.Event { + event := mb.Event{ + Timestamp: timestamp, + MetricSetFields: common.MapStr{}, + ModuleFields: common.MapStr{}, + RootFields: common.MapStr{}, + } + event.RootFields.Put("cloud.provider", "aws") if regionName != "" { event.RootFields.Put("cloud.region", regionName) diff --git a/x-pack/metricbeat/module/aws/billing/billing.go b/x-pack/metricbeat/module/aws/billing/billing.go index 2eb2bd2854a..39d600983d0 100644 --- a/x-pack/metricbeat/module/aws/billing/billing.go +++ b/x-pack/metricbeat/module/aws/billing/billing.go @@ -116,7 +116,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { startDate, endDate := getStartDateEndDate(m.Period) // Get startTime and endTime - startTime, endTime := aws.GetStartTimeEndTime(m.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.Period, m.Latency) // get cost metrics from cost explorer awsConfig := m.MetricSet.AwsConfig.Copy() @@ -178,26 +178,28 @@ func (m *MetricSet) getCloudWatchBillingMetrics( // Find a timestamp for all metrics in output timestamp := aws.FindTimestamp(metricDataOutput) - if !timestamp.IsZero() { - for _, output := range metricDataOutput { - if len(output.Values) == 0 { - continue - } - exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) - if exists { - labels := strings.Split(*output.Label, labelSeparator) + if timestamp.IsZero() { + return nil + } + + for _, output := range metricDataOutput { + if len(output.Values) == 0 { + continue + } + exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) + if exists { + labels := strings.Split(*output.Label, labelSeparator) - event := aws.InitEvent("", m.AccountName, m.AccountID) - event.MetricSetFields.Put(labels[0], output.Values[timestampIdx]) + event := aws.InitEvent("", m.AccountName, m.AccountID, timestamp) + event.MetricSetFields.Put(labels[0], output.Values[timestampIdx]) - i := 1 - for i < len(labels)-1 { - event.MetricSetFields.Put(labels[i], labels[i+1]) - i += 2 - } - event.Timestamp = endTime - events = append(events, event) + i := 1 + for i < len(labels)-1 { + event.MetricSetFields.Put(labels[i], labels[i+1]) + i += 2 } + event.Timestamp = endTime + events = append(events, event) } } return events @@ -278,7 +280,7 @@ func (m *MetricSet) getCostGroupBy(svcCostExplorer costexploreriface.ClientAPI, } func (m *MetricSet) addCostMetrics(metrics map[string]costexplorer.MetricValue, groupDefinition costexplorer.GroupDefinition, startDate string, endDate string) mb.Event { - event := aws.InitEvent("", m.AccountName, m.AccountID) + event := aws.InitEvent("", m.AccountName, m.AccountID, time.Now()) // add group definition event.MetricSetFields.Put("group_definition", common.MapStr{ diff --git a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go index 42d68acb3af..af04508a111 100644 --- a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go +++ b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go @@ -141,7 +141,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(report mb.ReporterV2) error { // Get startTime and endTime - startTime, endTime := aws.GetStartTimeEndTime(m.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.Period, m.Latency) + m.Logger().Debugf("startTime = %s, endTime = %s", startTime, endTime) // Check statistic method in config err := m.checkStatistics() @@ -498,34 +499,35 @@ func (m *MetricSet) createEvents(svcCloudwatch cloudwatchiface.ClientAPI, svcRes // Find a timestamp for all metrics in output timestamp := aws.FindTimestamp(metricDataResults) + if timestamp.IsZero() { + return nil, nil + } // Create events when there is no tags_filter or resource_type specified. if len(resourceTypeTagFilters) == 0 { - if !timestamp.IsZero() { - for _, output := range metricDataResults { - if len(output.Values) == 0 { - continue - } + for _, output := range metricDataResults { + if len(output.Values) == 0 { + continue + } - exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) - if exists { - labels := strings.Split(*output.Label, labelSeparator) - if len(labels) != 5 { - // when there is no identifier value in label, use region+accountID+namespace instead - identifier := regionName + m.AccountID + labels[namespaceIdx] - if _, ok := events[identifier]; !ok { - events[identifier] = aws.InitEvent(regionName, m.AccountName, m.AccountID) - } - events[identifier] = insertRootFields(events[identifier], output.Values[timestampIdx], labels) - continue + exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) + if exists { + labels := strings.Split(*output.Label, labelSeparator) + if len(labels) != 5 { + // when there is no identifier value in label, use region+accountID+namespace instead + identifier := regionName + m.AccountID + labels[namespaceIdx] + if _, ok := events[identifier]; !ok { + events[identifier] = aws.InitEvent(regionName, m.AccountName, m.AccountID, timestamp) } + events[identifier] = insertRootFields(events[identifier], output.Values[timestampIdx], labels) + continue + } - identifierValue := labels[identifierValueIdx] - if _, ok := events[identifierValue]; !ok { - events[identifierValue] = aws.InitEvent(regionName, m.AccountName, m.AccountID) - } - events[identifierValue] = insertRootFields(events[identifierValue], output.Values[timestampIdx], labels) + identifierValue := labels[identifierValueIdx] + if _, ok := events[identifierValue]; !ok { + events[identifierValue] = aws.InitEvent(regionName, m.AccountName, m.AccountID, timestamp) } + events[identifierValue] = insertRootFields(events[identifierValue], output.Values[timestampIdx], labels) } } return events, nil @@ -555,45 +557,43 @@ func (m *MetricSet) createEvents(svcCloudwatch cloudwatchiface.ClientAPI, svcRes m.logger.Debugf("In region %s, service %s tags match tags_filter", regionName, identifier) } - if !timestamp.IsZero() { - for _, output := range metricDataResults { - if len(output.Values) == 0 { - continue - } + for _, output := range metricDataResults { + if len(output.Values) == 0 { + continue + } - exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) - if exists { - labels := strings.Split(*output.Label, labelSeparator) - if len(labels) != 5 { - // if there is no tag in labels but there is a tagsFilter, then no event should be reported. - if len(tagsFilter) != 0 { - continue - } - - // when there is no identifier value in label, use region+accountID+namespace instead - identifier := regionName + m.AccountID + labels[namespaceIdx] - if _, ok := events[identifier]; !ok { - events[identifier] = aws.InitEvent(regionName, m.AccountName, m.AccountID) - } - events[identifier] = insertRootFields(events[identifier], output.Values[timestampIdx], labels) + exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) + if exists { + labels := strings.Split(*output.Label, labelSeparator) + if len(labels) != 5 { + // if there is no tag in labels but there is a tagsFilter, then no event should be reported. + if len(tagsFilter) != 0 { continue } - identifierValue := labels[identifierValueIdx] - if _, ok := events[identifierValue]; !ok { - // when tagsFilter is not empty but no entry in - // resourceTagMap for this identifier, do not initialize - // an event for this identifier. - if len(tagsFilter) != 0 && resourceTagMap[identifierValue] == nil { - continue - } - events[identifierValue] = aws.InitEvent(regionName, m.AccountName, m.AccountID) + // when there is no identifier value in label, use region+accountID+namespace instead + identifier := regionName + m.AccountID + labels[namespaceIdx] + if _, ok := events[identifier]; !ok { + events[identifier] = aws.InitEvent(regionName, m.AccountName, m.AccountID, timestamp) } - events[identifierValue] = insertRootFields(events[identifierValue], output.Values[timestampIdx], labels) + events[identifier] = insertRootFields(events[identifier], output.Values[timestampIdx], labels) + continue + } - // add tags to event based on identifierValue - insertTags(events, identifierValue, resourceTagMap) + identifierValue := labels[identifierValueIdx] + if _, ok := events[identifierValue]; !ok { + // when tagsFilter is not empty but no entry in + // resourceTagMap for this identifier, do not initialize + // an event for this identifier. + if len(tagsFilter) != 0 && resourceTagMap[identifierValue] == nil { + continue + } + events[identifierValue] = aws.InitEvent(regionName, m.AccountName, m.AccountID, timestamp) } + events[identifierValue] = insertRootFields(events[identifierValue], output.Values[timestampIdx], labels) + + // add tags to event based on identifierValue + insertTags(events, identifierValue, resourceTagMap) } } } diff --git a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch_test.go b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch_test.go index 353ffd0e236..ecd4bb2f9d1 100644 --- a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch_test.go +++ b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch_test.go @@ -11,9 +11,6 @@ import ( "testing" "time" - "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/metricbeat/mb" - awssdk "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudwatch" "github.com/aws/aws-sdk-go-v2/service/cloudwatch/cloudwatchiface" @@ -22,12 +19,14 @@ import ( "github.com/pkg/errors" "github.com/stretchr/testify/assert" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" ) var ( regionName = "us-west-1" - timestamp = time.Now() + timestamp = time.Date(2020, 10, 06, 00, 00, 00, 0, time.UTC) accountID = "123456789012" accountName = "test" @@ -1357,7 +1356,7 @@ func TestCreateEventsWithIdentifier(t *testing.T) { Value: "test-ec2", }, } - startTime, endTime := aws.GetStartTimeEndTime(m.MetricSet.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.MetricSet.Period, m.MetricSet.Latency) events, err := m.createEvents(mockCloudwatchSvc, mockTaggingSvc, listMetricWithStatsTotal, resourceTypeTagFilters, regionName, startTime, endTime) assert.NoError(t, err) @@ -1399,7 +1398,7 @@ func TestCreateEventsWithoutIdentifier(t *testing.T) { } resourceTypeTagFilters := map[string][]aws.Tag{} - startTime, endTime := aws.GetStartTimeEndTime(m.MetricSet.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.MetricSet.Period, m.MetricSet.Latency) events, err := m.createEvents(mockCloudwatchSvc, mockTaggingSvc, listMetricWithStatsTotal, resourceTypeTagFilters, regionName, startTime, endTime) assert.NoError(t, err) @@ -1447,7 +1446,7 @@ func TestCreateEventsWithTagsFilter(t *testing.T) { Value: "foo", }, } - startTime, endTime := aws.GetStartTimeEndTime(m.MetricSet.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.MetricSet.Period, m.MetricSet.Latency) events, err := m.createEvents(mockCloudwatchSvc, mockTaggingSvc, listMetricWithStatsTotal, resourceTypeTagFilters, regionName, startTime, endTime) assert.NoError(t, err) @@ -1466,9 +1465,9 @@ func TestInsertTags(t *testing.T) { tagValue3 := "dev" events := map[string]mb.Event{} - events[identifier1] = aws.InitEvent(regionName, accountName, accountID) - events[identifier2] = aws.InitEvent(regionName, accountName, accountID) - events[identifierContainsArn] = aws.InitEvent(regionName, accountName, accountID) + events[identifier1] = aws.InitEvent(regionName, accountName, accountID, timestamp) + events[identifier2] = aws.InitEvent(regionName, accountName, accountID, timestamp) + events[identifierContainsArn] = aws.InitEvent(regionName, accountName, accountID, timestamp) resourceTagMap := map[string][]resourcegroupstaggingapi.Tag{} resourceTagMap["test-s3-1"] = []resourcegroupstaggingapi.Tag{ @@ -1569,3 +1568,29 @@ func TestConfigDimensionValueContainsWildcard(t *testing.T) { }) } } + +func TestCreateEventsTimestamp(t *testing.T) { + m := MetricSet{ + logger: logp.NewLogger("test"), + CloudwatchConfigs: []Config{{Statistic: []string{"Average"}}}, + MetricSet: &aws.MetricSet{Period: 5, AccountID: accountID}, + } + + listMetricWithStatsTotal := []metricsWithStatistics{ + { + cloudwatch.Metric{ + MetricName: awssdk.String("CPUUtilization"), + Namespace: awssdk.String("AWS/EC2"), + }, + []string{"Average"}, + nil, + }, + } + + resourceTypeTagFilters := map[string][]aws.Tag{} + startTime, endTime := aws.GetStartTimeEndTime(m.MetricSet.Period, m.MetricSet.Latency) + + events, err := m.createEvents(&MockCloudWatchClientWithoutDim{}, &MockResourceGroupsTaggingClient{}, listMetricWithStatsTotal, resourceTypeTagFilters, regionName, startTime, endTime) + assert.NoError(t, err) + assert.Equal(t, timestamp, events[regionName+accountID+namespace].Timestamp) +} diff --git a/x-pack/metricbeat/module/aws/ec2/ec2.go b/x-pack/metricbeat/module/aws/ec2/ec2.go index 36ad9a1ca02..7cb69623a00 100644 --- a/x-pack/metricbeat/module/aws/ec2/ec2.go +++ b/x-pack/metricbeat/module/aws/ec2/ec2.go @@ -88,7 +88,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(report mb.ReporterV2) error { // Get startTime and endTime - startTime, endTime := aws.GetStartTimeEndTime(m.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.Period, m.Latency) + m.Logger().Debugf("startTime = %s, endTime = %s", startTime, endTime) for _, regionName := range m.MetricSet.RegionsList { awsConfig := m.MetricSet.AwsConfig.Copy() @@ -174,115 +175,117 @@ func constructMetricQueries(listMetricsOutput []cloudwatch.Metric, instanceID st } func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.MetricDataResult, instanceOutput map[string]ec2.Instance, regionName string) (map[string]mb.Event, error) { + // monitoring state for each instance + monitoringStates := map[string]string{} + + // Find a timestamp for all metrics in output + timestamp := aws.FindTimestamp(getMetricDataResults) + if timestamp.IsZero() { + return nil, nil + } + // Initialize events and metricSetFieldResults per instanceID events := map[string]mb.Event{} metricSetFieldResults := map[idStat]map[string]interface{}{} for instanceID := range instanceOutput { for _, statistic := range statistics { - events[instanceID] = aws.InitEvent(regionName, m.AccountName, m.AccountID) + events[instanceID] = aws.InitEvent(regionName, m.AccountName, m.AccountID, timestamp) metricSetFieldResults[idStat{instanceID: instanceID, statistic: statistic}] = map[string]interface{}{} } } - // monitoring state for each instance - monitoringStates := map[string]string{} + for _, output := range getMetricDataResults { + if len(output.Values) == 0 { + continue + } - // Find a timestamp for all metrics in output - timestamp := aws.FindTimestamp(getMetricDataResults) - if !timestamp.IsZero() { - for _, output := range getMetricDataResults { - if len(output.Values) == 0 { + exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) + if exists { + label, err := newLabelFromJSON(*output.Label) + if err != nil { + m.logger.Errorf("convert cloudwatch MetricDataResult label failed for label = %s: %w", *output.Label, err) continue } - exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) - if exists { - label, err := newLabelFromJSON(*output.Label) - if err != nil { - m.logger.Errorf("convert cloudwatch MetricDataResult label failed for label = %s: %w", *output.Label, err) + instanceID := label.InstanceID + statistic := label.Statistic + + // Add tags + tags := instanceOutput[instanceID].Tags + if m.TagsFilter != nil { + // Check with each tag filter + // If tag filter doesn't exist in tagKeys/tagValues, + // then do not report this event/instance. + if exists := aws.CheckTagFiltersExist(m.TagsFilter, tags); !exists { + // if tag filter doesn't exist, remove this event initial + // entry to avoid report an empty event. + delete(events, instanceID) continue } + } - instanceID := label.InstanceID - statistic := label.Statistic - - // Add tags - tags := instanceOutput[instanceID].Tags - if m.TagsFilter != nil { - // Check with each tag filter - // If tag filter doesn't exist in tagKeys/tagValues, - // then do not report this event/instance. - if exists := aws.CheckTagFiltersExist(m.TagsFilter, tags); !exists { - // if tag filter doesn't exist, remove this event initial - // entry to avoid report an empty event. - delete(events, instanceID) - continue - } - } - - // By default, replace dot "." using underscore "_" for tag keys. - // Note: tag values are not dedotted. - for _, tag := range tags { - events[instanceID].ModuleFields.Put("tags."+common.DeDot(*tag.Key), *tag.Value) - // add cloud.instance.name and host.name into ec2 events - if *tag.Key == "Name" { - events[instanceID].RootFields.Put("cloud.instance.name", *tag.Value) - events[instanceID].RootFields.Put("host.name", *tag.Value) - } - } - - machineType, err := instanceOutput[instanceID].InstanceType.MarshalValue() - if err != nil { - return events, errors.Wrap(err, "instance.InstanceType.MarshalValue failed") + // By default, replace dot "." using underscore "_" for tag keys. + // Note: tag values are not dedotted. + for _, tag := range tags { + events[instanceID].ModuleFields.Put("tags."+common.DeDot(*tag.Key), *tag.Value) + // add cloud.instance.name and host.name into ec2 events + if *tag.Key == "Name" { + events[instanceID].RootFields.Put("cloud.instance.name", *tag.Value) + events[instanceID].RootFields.Put("host.name", *tag.Value) } + } - events[instanceID].RootFields.Put("cloud.instance.id", instanceID) - events[instanceID].RootFields.Put("cloud.machine.type", machineType) + machineType, err := instanceOutput[instanceID].InstanceType.MarshalValue() + if err != nil { + return events, errors.Wrap(err, "instance.InstanceType.MarshalValue failed") + } - placement := instanceOutput[instanceID].Placement - if placement != nil { - events[instanceID].RootFields.Put("cloud.availability_zone", *placement.AvailabilityZone) - } + events[instanceID].RootFields.Put("cloud.instance.id", instanceID) + events[instanceID].RootFields.Put("cloud.machine.type", machineType) - if len(output.Values) > timestampIdx { - metricSetFieldResults[idStat{instanceID: instanceID, statistic: statistic}][label.MetricName] = fmt.Sprint(output.Values[timestampIdx]) - } + placement := instanceOutput[instanceID].Placement + if placement != nil { + events[instanceID].RootFields.Put("cloud.availability_zone", *placement.AvailabilityZone) + } - instanceStateName, err := instanceOutput[instanceID].State.Name.MarshalValue() - if err != nil { - return events, errors.Wrap(err, "instance.State.Name.MarshalValue failed") - } + if len(output.Values) > timestampIdx { + metricSetFieldResults[idStat{instanceID: instanceID, statistic: statistic}][label.MetricName] = fmt.Sprint(output.Values[timestampIdx]) + } - monitoringState, err := instanceOutput[instanceID].Monitoring.State.MarshalValue() - if err != nil { - return events, errors.Wrap(err, "instance.Monitoring.State.MarshalValue failed") - } + instanceStateName, err := instanceOutput[instanceID].State.Name.MarshalValue() + if err != nil { + return events, errors.Wrap(err, "instance.State.Name.MarshalValue failed") + } - monitoringStates[instanceID] = monitoringState + monitoringState, err := instanceOutput[instanceID].Monitoring.State.MarshalValue() + if err != nil { + return events, errors.Wrap(err, "instance.Monitoring.State.MarshalValue failed") + } - cpuOptions := instanceOutput[instanceID].CpuOptions - if cpuOptions != nil { - events[instanceID].MetricSetFields.Put("instance.core.count", *cpuOptions.CoreCount) - events[instanceID].MetricSetFields.Put("instance.threads_per_core", *cpuOptions.ThreadsPerCore) - } + monitoringStates[instanceID] = monitoringState - publicIP := instanceOutput[instanceID].PublicIpAddress - if publicIP != nil { - events[instanceID].MetricSetFields.Put("instance.public.ip", *publicIP) - } + cpuOptions := instanceOutput[instanceID].CpuOptions + if cpuOptions != nil { + events[instanceID].MetricSetFields.Put("instance.core.count", *cpuOptions.CoreCount) + events[instanceID].MetricSetFields.Put("instance.threads_per_core", *cpuOptions.ThreadsPerCore) + } - privateIP := instanceOutput[instanceID].PrivateIpAddress - if privateIP != nil { - events[instanceID].MetricSetFields.Put("instance.private.ip", *privateIP) - } + publicIP := instanceOutput[instanceID].PublicIpAddress + if publicIP != nil { + events[instanceID].MetricSetFields.Put("instance.public.ip", *publicIP) + } - events[instanceID].MetricSetFields.Put("instance.image.id", *instanceOutput[instanceID].ImageId) - events[instanceID].MetricSetFields.Put("instance.state.name", instanceStateName) - events[instanceID].MetricSetFields.Put("instance.state.code", *instanceOutput[instanceID].State.Code) - events[instanceID].MetricSetFields.Put("instance.monitoring.state", monitoringState) - events[instanceID].MetricSetFields.Put("instance.public.dns_name", *instanceOutput[instanceID].PublicDnsName) - events[instanceID].MetricSetFields.Put("instance.private.dns_name", *instanceOutput[instanceID].PrivateDnsName) + privateIP := instanceOutput[instanceID].PrivateIpAddress + if privateIP != nil { + events[instanceID].MetricSetFields.Put("instance.private.ip", *privateIP) } + + events[instanceID].MetricSetFields.Put("instance.image.id", *instanceOutput[instanceID].ImageId) + events[instanceID].MetricSetFields.Put("instance.state.name", instanceStateName) + events[instanceID].MetricSetFields.Put("instance.state.code", *instanceOutput[instanceID].State.Code) + events[instanceID].MetricSetFields.Put("instance.monitoring.state", monitoringState) + events[instanceID].MetricSetFields.Put("instance.public.dns_name", *instanceOutput[instanceID].PublicDnsName) + events[instanceID].MetricSetFields.Put("instance.private.dns_name", *instanceOutput[instanceID].PrivateDnsName) } } diff --git a/x-pack/metricbeat/module/aws/rds/rds.go b/x-pack/metricbeat/module/aws/rds/rds.go index f8bd907b3f6..3bb14f28de8 100644 --- a/x-pack/metricbeat/module/aws/rds/rds.go +++ b/x-pack/metricbeat/module/aws/rds/rds.go @@ -79,7 +79,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(report mb.ReporterV2) error { // Get startTime and endTime - startTime, endTime := aws.GetStartTimeEndTime(m.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.Period, m.Latency) + m.Logger().Debugf("startTime = %s, endTime = %s", startTime, endTime) for _, regionName := range m.MetricSet.RegionsList { awsConfig := m.MetricSet.AwsConfig.Copy() @@ -273,70 +274,72 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met // Find a timestamp for all metrics in output timestamp := aws.FindTimestamp(getMetricDataResults) - if !timestamp.IsZero() { - for _, output := range getMetricDataResults { - if len(output.Values) == 0 { - continue + if timestamp.IsZero() { + return nil, nil + } + + for _, output := range getMetricDataResults { + if len(output.Values) == 0 { + continue + } + exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) + if exists { + labels := strings.Split(*output.Label, " ") + // Collect dimension values from the labels and initialize events and metricSetFieldResults with dimValues + var dimValues string + for i := 1; i < len(labels); i += 2 { + dimValues = dimValues + labels[i+1] } - exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) - if exists { - labels := strings.Split(*output.Label, " ") - // Collect dimension values from the labels and initialize events and metricSetFieldResults with dimValues - var dimValues string - for i := 1; i < len(labels); i += 2 { - dimValues = dimValues + labels[i+1] - } - if _, ok := events[dimValues]; !ok { - events[dimValues] = aws.InitEvent(regionName, m.AccountName, m.AccountID) - } + if _, ok := events[dimValues]; !ok { + events[dimValues] = aws.InitEvent(regionName, m.AccountName, m.AccountID, timestamp) + } - if _, ok := metricSetFieldResults[dimValues]; !ok { - metricSetFieldResults[dimValues] = map[string]interface{}{} - } + if _, ok := metricSetFieldResults[dimValues]; !ok { + metricSetFieldResults[dimValues] = map[string]interface{}{} + } - if len(output.Values) > timestampIdx && len(labels) > 0 { - if labels[metricNameIdx] == "CPUUtilization" { - metricSetFieldResults[dimValues][labels[metricNameIdx]] = fmt.Sprint(output.Values[timestampIdx] / 100) - } else { - metricSetFieldResults[dimValues][labels[metricNameIdx]] = fmt.Sprint(output.Values[timestampIdx]) - } + if len(output.Values) > timestampIdx && len(labels) > 0 { + if labels[metricNameIdx] == "CPUUtilization" { + metricSetFieldResults[dimValues][labels[metricNameIdx]] = fmt.Sprint(output.Values[timestampIdx] / 100) + } else { + metricSetFieldResults[dimValues][labels[metricNameIdx]] = fmt.Sprint(output.Values[timestampIdx]) + } - for i := 1; i < len(labels); i += 2 { - if labels[i] == "DBInstanceIdentifier" { - dbIdentifier := labels[i+1] - if _, found := events[dbIdentifier]; found { - if _, found := dbInstanceMap[dbIdentifier]; !found { - delete(metricSetFieldResults, dimValues) - continue - } - events[dbIdentifier].RootFields.Put("cloud.availability_zone", dbInstanceMap[dbIdentifier].dbAvailabilityZone) - events[dbIdentifier].MetricSetFields.Put("db_instance.arn", dbInstanceMap[dbIdentifier].dbArn) - events[dbIdentifier].MetricSetFields.Put("db_instance.class", dbInstanceMap[dbIdentifier].dbClass) - events[dbIdentifier].MetricSetFields.Put("db_instance.identifier", dbInstanceMap[dbIdentifier].dbIdentifier) - events[dbIdentifier].MetricSetFields.Put("db_instance.status", dbInstanceMap[dbIdentifier].dbStatus) - - for _, tag := range dbInstanceMap[dbIdentifier].tags { - events[dbIdentifier].ModuleFields.Put("tags."+tag.Key, tag.Value) - } + for i := 1; i < len(labels); i += 2 { + if labels[i] == "DBInstanceIdentifier" { + dbIdentifier := labels[i+1] + if _, found := events[dbIdentifier]; found { + if _, found := dbInstanceMap[dbIdentifier]; !found { + delete(metricSetFieldResults, dimValues) + continue + } + events[dbIdentifier].RootFields.Put("cloud.availability_zone", dbInstanceMap[dbIdentifier].dbAvailabilityZone) + events[dbIdentifier].MetricSetFields.Put("db_instance.arn", dbInstanceMap[dbIdentifier].dbArn) + events[dbIdentifier].MetricSetFields.Put("db_instance.class", dbInstanceMap[dbIdentifier].dbClass) + events[dbIdentifier].MetricSetFields.Put("db_instance.identifier", dbInstanceMap[dbIdentifier].dbIdentifier) + events[dbIdentifier].MetricSetFields.Put("db_instance.status", dbInstanceMap[dbIdentifier].dbStatus) + + for _, tag := range dbInstanceMap[dbIdentifier].tags { + events[dbIdentifier].ModuleFields.Put("tags."+tag.Key, tag.Value) } } - metricSetFieldResults[dimValues][labels[i]] = fmt.Sprint(labels[(i + 1)]) + } + metricSetFieldResults[dimValues][labels[i]] = fmt.Sprint(labels[(i + 1)]) + } + + // if tags_filter is given, then only return metrics with DBInstanceIdentifier as dimension + if m.TagsFilter != nil { + if len(labels) == 1 { + delete(events, dimValues) + delete(metricSetFieldResults, dimValues) } - // if tags_filter is given, then only return metrics with DBInstanceIdentifier as dimension - if m.TagsFilter != nil { - if len(labels) == 1 { + for i := 1; i < len(labels); i += 2 { + if labels[i] != "DBInstanceIdentifier" && i == len(labels)-2 { delete(events, dimValues) delete(metricSetFieldResults, dimValues) } - - for i := 1; i < len(labels); i += 2 { - if labels[i] != "DBInstanceIdentifier" && i == len(labels)-2 { - delete(events, dimValues) - delete(metricSetFieldResults, dimValues) - } - } } } } diff --git a/x-pack/metricbeat/module/aws/s3_daily_storage/s3_daily_storage.go b/x-pack/metricbeat/module/aws/s3_daily_storage/s3_daily_storage.go index 7c9d453baca..d5efa36fb03 100644 --- a/x-pack/metricbeat/module/aws/s3_daily_storage/s3_daily_storage.go +++ b/x-pack/metricbeat/module/aws/s3_daily_storage/s3_daily_storage.go @@ -69,7 +69,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { func (m *MetricSet) Fetch(report mb.ReporterV2) error { namespace := "AWS/S3" // Get startTime and endTime - startTime, endTime := aws.GetStartTimeEndTime(m.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.Period, m.Latency) + m.Logger().Debugf("startTime = %s, endTime = %s", startTime, endTime) // GetMetricData for AWS S3 from Cloudwatch for _, regionName := range m.MetricSet.RegionsList { @@ -185,8 +186,6 @@ func createMetricDataQuery(metric cloudwatch.Metric, period time.Duration, index } func createCloudWatchEvents(outputs []cloudwatch.MetricDataResult, regionName string, bucketName string, accountName string, accountID string) (event mb.Event, err error) { - event = aws.InitEvent(regionName, accountName, accountID) - // AWS s3_daily_storage metrics mapOfMetricSetFieldResults := make(map[string]interface{}) @@ -213,6 +212,7 @@ func createCloudWatchEvents(outputs []cloudwatch.MetricDataResult, regionName st return } + event = aws.InitEvent(regionName, accountName, accountID, timestamp) event.MetricSetFields = resultMetricSetFields event.RootFields.Put("aws.s3.bucket.name", bucketName) return diff --git a/x-pack/metricbeat/module/aws/s3_request/s3_request.go b/x-pack/metricbeat/module/aws/s3_request/s3_request.go index afe53ac49ba..00b82827bbf 100644 --- a/x-pack/metricbeat/module/aws/s3_request/s3_request.go +++ b/x-pack/metricbeat/module/aws/s3_request/s3_request.go @@ -69,7 +69,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { func (m *MetricSet) Fetch(report mb.ReporterV2) error { namespace := "AWS/S3" // Get startTime and endTime - startTime, endTime := aws.GetStartTimeEndTime(m.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.Period, m.Latency) + m.Logger().Debugf("startTime = %s, endTime = %s", startTime, endTime) // GetMetricData for AWS S3 from Cloudwatch for _, regionName := range m.MetricSet.RegionsList { @@ -187,8 +188,6 @@ func constructMetricQueries(listMetricsOutputs []cloudwatch.Metric, period time. // CreateS3Events creates s3_request and s3_daily_storage events from Cloudwatch metric data. func createS3RequestEvents(outputs []cloudwatch.MetricDataResult, regionName string, bucketName string, accountName string, accountID string) (event mb.Event, err error) { - event = aws.InitEvent(regionName, accountName, accountID) - // AWS s3_request metrics mapOfMetricSetFieldResults := make(map[string]interface{}) @@ -215,6 +214,7 @@ func createS3RequestEvents(outputs []cloudwatch.MetricDataResult, regionName str return } + event = aws.InitEvent(regionName, accountName, accountID, timestamp) event.MetricSetFields = resultMetricSetFields event.RootFields.Put("aws.s3.bucket.name", bucketName) return diff --git a/x-pack/metricbeat/module/aws/sqs/sqs.go b/x-pack/metricbeat/module/aws/sqs/sqs.go index 7bc6a8349d0..5f17eccb4b1 100644 --- a/x-pack/metricbeat/module/aws/sqs/sqs.go +++ b/x-pack/metricbeat/module/aws/sqs/sqs.go @@ -67,7 +67,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { func (m *MetricSet) Fetch(report mb.ReporterV2) error { namespace := "AWS/SQS" // Get startTime and endTime - startTime, endTime := aws.GetStartTimeEndTime(m.Period) + startTime, endTime := aws.GetStartTimeEndTime(m.Period, m.Latency) + m.Logger().Debugf("startTime = %s, endTime = %s", startTime, endTime) for _, regionName := range m.MetricSet.RegionsList { awsConfig := m.MetricSet.AwsConfig.Copy() @@ -174,9 +175,7 @@ func createMetricDataQuery(metric cloudwatch.Metric, index int, period time.Dura return } -func createEventPerQueue(getMetricDataResults []cloudwatch.MetricDataResult, queueName string, metricsetName string, regionName string, schemaMetricFields s.Schema, accountName string, accountID string) (event mb.Event, err error) { - event = aws.InitEvent(regionName, accountName, accountID) - +func createEventPerQueue(getMetricDataResults []cloudwatch.MetricDataResult, queueName string, regionName string, schemaMetricFields s.Schema, accountName string, accountID string) (event mb.Event, err error) { // AWS sqs metrics mapOfMetricSetFieldResults := make(map[string]interface{}) @@ -203,6 +202,7 @@ func createEventPerQueue(getMetricDataResults []cloudwatch.MetricDataResult, que return } + event = aws.InitEvent(regionName, accountName, accountID, timestamp) event.MetricSetFields = resultMetricSetFields event.MetricSetFields.Put("queue.name", queueName) return @@ -212,7 +212,7 @@ func createSQSEvents(queueURLs []string, metricDataResults []cloudwatch.MetricDa for _, queueURL := range queueURLs { queueURLParsed := strings.Split(queueURL, "/") queueName := queueURLParsed[len(queueURLParsed)-1] - event, err := createEventPerQueue(metricDataResults, queueName, metricsetName, regionName, schemaRequestFields, accountName, accountID) + event, err := createEventPerQueue(metricDataResults, queueName, regionName, schemaRequestFields, accountName, accountID) if err != nil { event.Error = err report.Event(event) diff --git a/x-pack/metricbeat/module/aws/utils.go b/x-pack/metricbeat/module/aws/utils.go index 67e5809bc8e..d1846083854 100644 --- a/x-pack/metricbeat/module/aws/utils.go +++ b/x-pack/metricbeat/module/aws/utils.go @@ -22,8 +22,13 @@ import ( ) // GetStartTimeEndTime function uses durationString to create startTime and endTime for queries. -func GetStartTimeEndTime(period time.Duration) (time.Time, time.Time) { +func GetStartTimeEndTime(period time.Duration, latency time.Duration) (time.Time, time.Time) { endTime := time.Now() + if latency != 0 { + // add latency if config is not 0 + endTime = endTime.Add(latency * -1) + } + // Set startTime double the period earlier than the endtime in order to // make sure GetMetricDataRequest gets the latest data point for each metric. return endTime.Add(period * -2), endTime diff --git a/x-pack/metricbeat/module/aws/utils_test.go b/x-pack/metricbeat/module/aws/utils_test.go index aef35f57e61..3c480d347db 100644 --- a/x-pack/metricbeat/module/aws/utils_test.go +++ b/x-pack/metricbeat/module/aws/utils_test.go @@ -176,7 +176,7 @@ func TestGetListMetricsOutputWithWildcard(t *testing.T) { } func TestGetMetricDataPerRegion(t *testing.T) { - startTime, endTime := GetStartTimeEndTime(10 * time.Minute) + startTime, endTime := GetStartTimeEndTime(10*time.Minute, 0) mockSvc := &MockCloudWatchClient{} var metricDataQueries []cloudwatch.MetricDataQuery @@ -205,7 +205,7 @@ func TestGetMetricDataPerRegion(t *testing.T) { } func TestGetMetricDataResults(t *testing.T) { - startTime, endTime := GetStartTimeEndTime(10 * time.Minute) + startTime, endTime := GetStartTimeEndTime(10*time.Minute, 0) mockSvc := &MockCloudWatchClient{} metricInfo := cloudwatch.Metric{ diff --git a/x-pack/metricbeat/module/azure/_meta/config.reference.yml b/x-pack/metricbeat/module/azure/_meta/config.reference.yml index 1f9ac04529e..b06e466a01f 100644 --- a/x-pack/metricbeat/module/azure/_meta/config.reference.yml +++ b/x-pack/metricbeat/module/azure/_meta/config.reference.yml @@ -102,3 +102,11 @@ api_key: '' metrics: - id: ["requests/count", "requests/duration"] + +- module: azure + metricsets: + - app_state + enabled: true + period: 300s + application_id: '' + api_key: '' diff --git a/x-pack/metricbeat/module/azure/_meta/config.yml b/x-pack/metricbeat/module/azure/_meta/config.yml index 0f497af6fb4..f7215d4f991 100644 --- a/x-pack/metricbeat/module/azure/_meta/config.yml +++ b/x-pack/metricbeat/module/azure/_meta/config.yml @@ -111,3 +111,11 @@ # api_key: '' # metrics: # - id: ["requests/count", "requests/duration"] + +#- module: azure +# metricsets: +# - app_state +# enabled: true +# period: 300s +# application_id: '' +# api_key: '' diff --git a/x-pack/metricbeat/module/azure/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/_meta/docs.asciidoc index b0f76ecb623..01f6389ab93 100644 --- a/x-pack/metricbeat/module/azure/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/azure/_meta/docs.asciidoc @@ -37,6 +37,10 @@ The Azure billing dashboards show relevant usage and forecast information: image::./images/metricbeat-azure-billing-overview.png[] +The Azure app_state dashboard shows relevant application insights information: + +image::./images/metricbeat-azure-app-state-overview.png[] + [float] === Module-specific configuration notes @@ -112,6 +116,10 @@ so the `period` for `billing` metricset should be `24h` or multiples of `24h`. === `app_insights` This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`. +[float] +=== `app_state` +This metricset concentrate on the most relevant application insights metrics and provides a dashboard for visualization, the `period` (interval) for the `app_state` metricset is set by default at `300s`. + [float] [[azure-api-cost]] == Additional notes about metrics and costs diff --git a/x-pack/metricbeat/module/azure/_meta/fields.yml b/x-pack/metricbeat/module/azure/_meta/fields.yml index c6471dc108d..a6476fcc957 100644 --- a/x-pack/metricbeat/module/azure/_meta/fields.yml +++ b/x-pack/metricbeat/module/azure/_meta/fields.yml @@ -39,6 +39,10 @@ type: keyword description: > The subscription ID + - name: application_id + type: keyword + description: > + The application ID - name: dimensions.* type: object object_type: keyword diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-app-state-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-app-state-overview.json new file mode 100644 index 00000000000..b447a6b276e --- /dev/null +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-app-state-overview.json @@ -0,0 +1,1509 @@ +{ + "objects": [ + { + "attributes": { + "description": "Provides relevant app insights metrics for web applications", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "controlledBy": "1532342651170", + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "azure.app_state.application_id", + "negate": false, + "params": { + "query": "42cb59a9-d5be-400b-a5c4-69b0a0026ac6" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "azure.app_state.application_id": "42cb59a9-d5be-400b-a5c4-69b0a0026ac6" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 15, + "i": "307a1ecd-284c-4f35-9a3c-d5b77c9a9c82", + "w": 7, + "x": 0, + "y": 0 + }, + "panelIndex": "307a1ecd-284c-4f35-9a3c-d5b77c9a9c82", + "panelRefName": "panel_0", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "Exceptions" + }, + "gridData": { + "h": 15, + "i": "654e745f-360d-4898-89b6-57f788c5f540", + "w": 20, + "x": 7, + "y": 0 + }, + "panelIndex": "654e745f-360d-4898-89b6-57f788c5f540", + "panelRefName": "panel_1", + "title": "Exceptions", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "Available Memory" + }, + "gridData": { + "h": 15, + "i": "5adca737-559d-4b4f-9fa7-58841daa99c5", + "w": 21, + "x": 27, + "y": 0 + }, + "panelIndex": "5adca737-559d-4b4f-9fa7-58841daa99c5", + "panelRefName": "panel_2", + "title": "Available Memory", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 15, + "i": "531cf244-45e0-43c3-9920-8f32397bd973", + "w": 8, + "x": 0, + "y": 15 + }, + "panelIndex": "531cf244-45e0-43c3-9920-8f32397bd973", + "panelRefName": "panel_3", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 15, + "i": "b9242495-babc-48a7-9ad7-56c62b1dc117", + "w": 8, + "x": 8, + "y": 15 + }, + "panelIndex": "b9242495-babc-48a7-9ad7-56c62b1dc117", + "panelRefName": "panel_4", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 15, + "i": "d311025a-f5c5-4e48-9f1c-710f59264c43", + "w": 8, + "x": 16, + "y": 15 + }, + "panelIndex": "d311025a-f5c5-4e48-9f1c-710f59264c43", + "panelRefName": "panel_5", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "Requests" + }, + "gridData": { + "h": 15, + "i": "48974418-b1f7-4050-921e-a83771e125ae", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "48974418-b1f7-4050-921e-a83771e125ae", + "panelRefName": "panel_6", + "title": "Requests", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "Browser Send/Receive Duration" + }, + "gridData": { + "h": 15, + "i": "39d20db1-316a-4ff3-811a-5571cb4497c3", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "39d20db1-316a-4ff3-811a-5571cb4497c3", + "panelRefName": "panel_7", + "title": "Browser Send/Receive Duration", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "Browser Networking/Processing Duration" + }, + "gridData": { + "h": 15, + "i": "bc810208-0395-4c70-9057-d7307e064e43", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "bc810208-0395-4c70-9057-d7307e064e43", + "panelRefName": "panel_8", + "title": "Browser Networking/Processing Duration", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "Process CPU Usage" + }, + "gridData": { + "h": 15, + "i": "ecf6fbfa-ba65-481e-af85-07fd9d5feb5f", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "ecf6fbfa-ba65-481e-af85-07fd9d5feb5f", + "panelRefName": "panel_9", + "title": "Process CPU Usage", + "version": "7.9.2" + }, + { + "embeddableConfig": { + "title": "Process Private Bytes" + }, + "gridData": { + "h": 15, + "i": "40a1b80b-cd62-446d-91aa-a971bb3769e7", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "40a1b80b-cd62-446d-91aa-a971bb3769e7", + "panelRefName": "panel_10", + "title": "Process Private Bytes", + "version": "7.9.2" + } + ], + "timeRestore": false, + "title": "[Metricbeat Azure] App State Overview", + "version": 1 + }, + "id": "d5fbd610-03d9-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "2e5183a0-03da-11eb-8034-63f2039e9d3f", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "1064f9a0-04a5-11eb-8034-63f2039e9d3f", + "name": "panel_1", + "type": "lens" + }, + { + "id": "76cc1d70-04a7-11eb-8034-63f2039e9d3f", + "name": "panel_2", + "type": "lens" + }, + { + "id": "a89c8fd0-03ec-11eb-8034-63f2039e9d3f", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cb5ec410-03ed-11eb-8034-63f2039e9d3f", + "name": "panel_4", + "type": "lens" + }, + { + "id": "0df175c0-03ee-11eb-8034-63f2039e9d3f", + "name": "panel_5", + "type": "lens" + }, + { + "id": "f0678020-04a2-11eb-8034-63f2039e9d3f", + "name": "panel_6", + "type": "lens" + }, + { + "id": "e2704140-04a3-11eb-8034-63f2039e9d3f", + "name": "panel_7", + "type": "lens" + }, + { + "id": "0e74dee0-04a4-11eb-8034-63f2039e9d3f", + "name": "panel_8", + "type": "lens" + }, + { + "id": "cfa361a0-04a8-11eb-8034-63f2039e9d3f", + "name": "panel_9", + "type": "lens" + }, + { + "id": "2b54b2c0-04a8-11eb-8034-63f2039e9d3f", + "name": "panel_10", + "type": "lens" + } + ], + "type": "dashboard", + "updated_at": "2020-10-02T12:22:06.090Z", + "version": "WzMzMDEsMl0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "controlledBy": "1532342651170", + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "azure.application_id", + "negate": false, + "params": { + "query": "42cb59a9-d5be-400b-a5c4-69b0a0026ac6" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "azure.application_id": "42cb59a9-d5be-400b-a5c4-69b0a0026ac6" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "App State Filters [Metricbeat Azure]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "azure.application_id", + "id": "1532342651170", + "indexPatternRefName": "control_0_index_pattern", + "label": "Application ID", + "options": { + "multiselect": true, + "order": "desc", + "size": 10, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "azure.dimensions.request_url_host", + "id": "1601559750853", + "indexPatternRefName": "control_1_index_pattern", + "label": "Host URL", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "1532342651170", + "type": "list" + }, + { + "fieldName": "azure.dimensions.cloud_role_name", + "id": "1601640368472", + "indexPatternRefName": "control_2_index_pattern", + "label": "Name", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "1532342651170", + "type": "list" + }, + { + "fieldName": "azure.dimensions.browser_timing_url_host", + "id": "1601640439434", + "indexPatternRefName": "control_3_index_pattern", + "label": "Browser URL Host", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "1532342651170", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": false + }, + "title": "App State Filters [Metricbeat Azure]", + "type": "input_control_vis" + } + }, + "id": "2e5183a0-03da-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_3_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-10-02T12:22:51.232Z", + "version": "WzMzMTIsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"85644d0a-8011-45af-a751-7961b8bdd071\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"5788331a-267d-426a-a68e-94a5310af644\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.dimensions.exception_type\\\",\\\"orderBy\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.exceptions_count.sum\\\",\\\"missing\\\":0}},{\\\"id\\\":\\\"e5c93c50-bb0a-4609-a7ce-7003f2f9a20e\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.exceptions_server.sum\\\",\\\"missing\\\":0}},{\\\"id\\\":\\\"9e183a5e-3dba-4929-b07e-2a3321f7926b\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.exceptions_browser.sum\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-bcbccc16-d042-40fa-a9b2-0f09268281ff\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"suggestedPriority\\\":1,\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\"},\\\"col-4-5788331a-267d-426a-a68e-94a5310af644\\\":{\\\"label\\\":\\\"Type\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"azure.dimensions.exception_type\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"5788331a-267d-426a-a68e-94a5310af644\\\"},\\\"col-5-b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\":{\\\"label\\\":\\\"Total\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.exceptions_count.sum\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\"},\\\"col-6-e5c93c50-bb0a-4609-a7ce-7003f2f9a20e\\\":{\\\"label\\\":\\\"Server \\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.exceptions_server.sum\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"e5c93c50-bb0a-4609-a7ce-7003f2f9a20e\\\"},\\\"col-7-9e183a5e-3dba-4929-b07e-2a3321f7926b\\\":{\\\"label\\\":\\\"Browser\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.exceptions_browser.sum\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"9e183a5e-3dba-4929-b07e-2a3321f7926b\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Total\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"85644d0a-8011-45af-a751-7961b8bdd071\" hide=false xAccessor=\"bcbccc16-d042-40fa-a9b2-0f09268281ff\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"5788331a-267d-426a-a68e-94a5310af644\" seriesType=\"area_stacked\" accessors=\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\" accessors=\"e5c93c50-bb0a-4609-a7ce-7003f2f9a20e\" accessors=\"9e183a5e-3dba-4929-b07e-2a3321f7926b\" columnToLabel=\"{\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\":\\\"Total\\\",\\\"e5c93c50-bb0a-4609-a7ce-7003f2f9a20e\\\":\\\"Server \\\",\\\"9e183a5e-3dba-4929-b07e-2a3321f7926b\\\":\\\"Browser\\\",\\\"5788331a-267d-426a-a68e-94a5310af644\\\":\\\"Type\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "85644d0a-8011-45af-a751-7961b8bdd071": { + "columnOrder": [ + "bcbccc16-d042-40fa-a9b2-0f09268281ff", + "5788331a-267d-426a-a68e-94a5310af644", + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba", + "e5c93c50-bb0a-4609-a7ce-7003f2f9a20e", + "9e183a5e-3dba-4929-b07e-2a3321f7926b" + ], + "columns": { + "5788331a-267d-426a-a68e-94a5310af644": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "azure.dimensions.exception_type" + }, + "9e183a5e-3dba-4929-b07e-2a3321f7926b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Browser", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.exceptions_browser.sum" + }, + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.exceptions_count.sum" + }, + "bcbccc16-d042-40fa-a9b2-0f09268281ff": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp", + "suggestedPriority": 1 + }, + "e5c93c50-bb0a-4609-a7ce-7003f2f9a20e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Server ", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.exceptions_server.sum" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba", + "e5c93c50-bb0a-4609-a7ce-7003f2f9a20e", + "9e183a5e-3dba-4929-b07e-2a3321f7926b" + ], + "layerId": "85644d0a-8011-45af-a751-7961b8bdd071", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "splitAccessor": "5788331a-267d-426a-a68e-94a5310af644", + "xAccessor": "bcbccc16-d042-40fa-a9b2-0f09268281ff" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area_stacked" + } + }, + "title": "App state Exceptions [Metricbeat Azure]", + "visualizationType": "lnsXY" + }, + "id": "1064f9a0-04a5-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-02T11:53:16.483Z", + "version": "WzI5NjMsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"85644d0a-8011-45af-a751-7961b8bdd071\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.dimensions.cloud_role_instance\\\",\\\"orderBy\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.performance_counters_memory_available_bytes.avg\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-bcbccc16-d042-40fa-a9b2-0f09268281ff\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"suggestedPriority\\\":1,\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\"},\\\"col-2-a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\":{\\\"label\\\":\\\"Instance\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"azure.dimensions.cloud_role_instance\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\"},\\\"col-3-b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\":{\\\"label\\\":\\\"Available memory\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.performance_counters_memory_available_bytes.avg\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"bytes\\\",\\\"params\\\":{\\\"decimals\\\":2}}},\\\"id\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\"}}\" | lens_format_column format=\"bytes\" columnId=\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\" decimals=2}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Available memory\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"85644d0a-8011-45af-a751-7961b8bdd071\" hide=false xAccessor=\"bcbccc16-d042-40fa-a9b2-0f09268281ff\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\" seriesType=\"area\" accessors=\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\" columnToLabel=\"{\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\":\\\"Available memory\\\",\\\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\":\\\"Instance\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "85644d0a-8011-45af-a751-7961b8bdd071": { + "columnOrder": [ + "bcbccc16-d042-40fa-a9b2-0f09268281ff", + "a1f669d0-c9f2-4bc5-9bdd-e40badd261b9", + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba" + ], + "columns": { + "a1f669d0-c9f2-4bc5-9bdd-e40badd261b9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Instance", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "azure.dimensions.cloud_role_instance" + }, + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Available memory", + "operationType": "avg", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "azure.app_state.performance_counters_memory_available_bytes.avg" + }, + "bcbccc16-d042-40fa-a9b2-0f09268281ff": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp", + "suggestedPriority": 1 + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba" + ], + "layerId": "85644d0a-8011-45af-a751-7961b8bdd071", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "a1f669d0-c9f2-4bc5-9bdd-e40badd261b9", + "xAccessor": "bcbccc16-d042-40fa-a9b2-0f09268281ff" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area" + } + }, + "title": "App state Memory [Metricbeat Azure]", + "visualizationType": "lnsXY" + }, + "id": "76cc1d70-04a7-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-02T12:04:46.406Z", + "version": "WzMwNTcsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"82e648a8-6d9a-4ae0-9449-b802ce1ac723\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.users_count.unique\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\\\":{\\\"label\\\":\\\"Unique users\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.users_count.unique\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\\\"}}\"}\n| lens_metric_chart title=\"Unique users\" accessor=\"d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\" mode=\"full\"", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "82e648a8-6d9a-4ae0-9449-b802ce1ac723": { + "columnOrder": [ + "d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1" + ], + "columns": { + "d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique users", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.users_count.unique" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1", + "layerId": "82e648a8-6d9a-4ae0-9449-b802ce1ac723" + } + }, + "title": "App state Unique users [Metricbeat Azure]", + "visualizationType": "lnsMetric" + }, + "id": "a89c8fd0-03ec-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-01T13:47:34.093Z", + "version": "WzEzMzAsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"82e648a8-6d9a-4ae0-9449-b802ce1ac723\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.users_authenticated.unique\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\\\":{\\\"label\\\":\\\"Unique authenticated users\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.users_authenticated.unique\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\\\"}}\"}\n| lens_metric_chart title=\"Unique authenticated users\" accessor=\"d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\" mode=\"full\"", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "82e648a8-6d9a-4ae0-9449-b802ce1ac723": { + "columnOrder": [ + "d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1" + ], + "columns": { + "d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique authenticated users", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.users_authenticated.unique" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1", + "layerId": "82e648a8-6d9a-4ae0-9449-b802ce1ac723" + } + }, + "title": "App state Unique authenticated users [Metricbeat Azure]", + "visualizationType": "lnsMetric" + }, + "id": "cb5ec410-03ed-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-01T13:55:41.904Z", + "version": "WzE0MjAsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"82e648a8-6d9a-4ae0-9449-b802ce1ac723\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.sessions_count.unique\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\\\":{\\\"label\\\":\\\"Unique sessions\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.sessions_count.unique\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\\\"}}\"}\n| lens_metric_chart title=\"Unique sessions\" accessor=\"d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1\" mode=\"full\"", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "82e648a8-6d9a-4ae0-9449-b802ce1ac723": { + "columnOrder": [ + "d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1" + ], + "columns": { + "d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique sessions", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.sessions_count.unique" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d62f1bf0-71b4-41ba-9d9c-dc9f4e478ac1", + "layerId": "82e648a8-6d9a-4ae0-9449-b802ce1ac723" + } + }, + "title": "App state Unique sessions [Metricbeat Azure]", + "visualizationType": "lnsMetric" + }, + "id": "0df175c0-03ee-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-01T13:57:33.596Z", + "version": "WzE0NjAsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"85644d0a-8011-45af-a751-7961b8bdd071\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"8864c98b-413a-484f-a61d-336a63ef3f13\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.dimensions.request_url_host\\\",\\\"orderBy\\\":\\\"9ec4d260-e302-46c4-ac09-50ef54627894\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"9ec4d260-e302-46c4-ac09-50ef54627894\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.requests_count.sum\\\",\\\"missing\\\":0}},{\\\"id\\\":\\\"a47e59dc-fb62-42f8-90e1-236c7c5a073d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.requests_failed.sum\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-bcbccc16-d042-40fa-a9b2-0f09268281ff\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"suggestedPriority\\\":1,\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\"},\\\"col-3-8864c98b-413a-484f-a61d-336a63ef3f13\\\":{\\\"label\\\":\\\"Host URL\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"azure.dimensions.request_url_host\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"9ec4d260-e302-46c4-ac09-50ef54627894\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"8864c98b-413a-484f-a61d-336a63ef3f13\\\"},\\\"col-4-9ec4d260-e302-46c4-ac09-50ef54627894\\\":{\\\"label\\\":\\\"Total requests\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.requests_count.sum\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"9ec4d260-e302-46c4-ac09-50ef54627894\\\"},\\\"col-5-a47e59dc-fb62-42f8-90e1-236c7c5a073d\\\":{\\\"label\\\":\\\"Failed requests\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.requests_failed.sum\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"a47e59dc-fb62-42f8-90e1-236c7c5a073d\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Total requests\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"85644d0a-8011-45af-a751-7961b8bdd071\" hide=false xAccessor=\"bcbccc16-d042-40fa-a9b2-0f09268281ff\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"8864c98b-413a-484f-a61d-336a63ef3f13\" seriesType=\"area\" accessors=\"9ec4d260-e302-46c4-ac09-50ef54627894\" accessors=\"a47e59dc-fb62-42f8-90e1-236c7c5a073d\" columnToLabel=\"{\\\"9ec4d260-e302-46c4-ac09-50ef54627894\\\":\\\"Total requests\\\",\\\"a47e59dc-fb62-42f8-90e1-236c7c5a073d\\\":\\\"Failed requests\\\",\\\"8864c98b-413a-484f-a61d-336a63ef3f13\\\":\\\"Host URL\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "85644d0a-8011-45af-a751-7961b8bdd071": { + "columnOrder": [ + "bcbccc16-d042-40fa-a9b2-0f09268281ff", + "8864c98b-413a-484f-a61d-336a63ef3f13", + "9ec4d260-e302-46c4-ac09-50ef54627894", + "a47e59dc-fb62-42f8-90e1-236c7c5a073d" + ], + "columns": { + "8864c98b-413a-484f-a61d-336a63ef3f13": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host URL", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "9ec4d260-e302-46c4-ac09-50ef54627894", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "azure.dimensions.request_url_host" + }, + "9ec4d260-e302-46c4-ac09-50ef54627894": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total requests", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.requests_count.sum" + }, + "a47e59dc-fb62-42f8-90e1-236c7c5a073d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed requests", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.requests_failed.sum" + }, + "bcbccc16-d042-40fa-a9b2-0f09268281ff": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp", + "suggestedPriority": 1 + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "9ec4d260-e302-46c4-ac09-50ef54627894", + "a47e59dc-fb62-42f8-90e1-236c7c5a073d" + ], + "layerId": "85644d0a-8011-45af-a751-7961b8bdd071", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "8864c98b-413a-484f-a61d-336a63ef3f13", + "xAccessor": "bcbccc16-d042-40fa-a9b2-0f09268281ff" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area" + } + }, + "title": "App state Requests [Metricbeat Azure]", + "visualizationType": "lnsXY" + }, + "id": "f0678020-04a2-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-02T11:32:22.946Z", + "version": "WzI0MzUsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"85644d0a-8011-45af-a751-7961b8bdd071\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"4d4c068a-0194-4d54-a1fa-3863c3df9331\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.dimensions.browser_timing_url_path\\\",\\\"orderBy\\\":\\\"be6a3d8b-9428-480b-a7b3-071127726093\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"be6a3d8b-9428-480b-a7b3-071127726093\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.browser_timings_send_duration.avg\\\",\\\"missing\\\":0}},{\\\"id\\\":\\\"6bc1fd35-168d-42d5-b9c8-7078896d8ce4\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.browser_timings_total_duration.avg\\\",\\\"missing\\\":0}},{\\\"id\\\":\\\"988e9976-3471-478c-89f6-11fd46458d7f\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.browser_timings_receive_duration.avg\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-bcbccc16-d042-40fa-a9b2-0f09268281ff\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"suggestedPriority\\\":1,\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\"},\\\"col-4-4d4c068a-0194-4d54-a1fa-3863c3df9331\\\":{\\\"label\\\":\\\"Url Path\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"azure.dimensions.browser_timing_url_path\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"be6a3d8b-9428-480b-a7b3-071127726093\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"4d4c068a-0194-4d54-a1fa-3863c3df9331\\\"},\\\"col-5-be6a3d8b-9428-480b-a7b3-071127726093\\\":{\\\"label\\\":\\\"Send duration\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.browser_timings_send_duration.avg\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"params\\\":{},\\\"customLabel\\\":true,\\\"id\\\":\\\"be6a3d8b-9428-480b-a7b3-071127726093\\\"},\\\"col-6-6bc1fd35-168d-42d5-b9c8-7078896d8ce4\\\":{\\\"label\\\":\\\"Total duration\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.browser_timings_total_duration.avg\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"6bc1fd35-168d-42d5-b9c8-7078896d8ce4\\\"},\\\"col-7-988e9976-3471-478c-89f6-11fd46458d7f\\\":{\\\"label\\\":\\\"Receive duration\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.browser_timings_receive_duration.avg\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"988e9976-3471-478c-89f6-11fd46458d7f\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Send duration\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"85644d0a-8011-45af-a751-7961b8bdd071\" hide=false xAccessor=\"bcbccc16-d042-40fa-a9b2-0f09268281ff\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"4d4c068a-0194-4d54-a1fa-3863c3df9331\" seriesType=\"bar\" accessors=\"be6a3d8b-9428-480b-a7b3-071127726093\" accessors=\"6bc1fd35-168d-42d5-b9c8-7078896d8ce4\" accessors=\"988e9976-3471-478c-89f6-11fd46458d7f\" columnToLabel=\"{\\\"be6a3d8b-9428-480b-a7b3-071127726093\\\":\\\"Send duration\\\",\\\"6bc1fd35-168d-42d5-b9c8-7078896d8ce4\\\":\\\"Total duration\\\",\\\"988e9976-3471-478c-89f6-11fd46458d7f\\\":\\\"Receive duration\\\",\\\"4d4c068a-0194-4d54-a1fa-3863c3df9331\\\":\\\"Url Path\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "85644d0a-8011-45af-a751-7961b8bdd071": { + "columnOrder": [ + "bcbccc16-d042-40fa-a9b2-0f09268281ff", + "4d4c068a-0194-4d54-a1fa-3863c3df9331", + "be6a3d8b-9428-480b-a7b3-071127726093", + "6bc1fd35-168d-42d5-b9c8-7078896d8ce4", + "988e9976-3471-478c-89f6-11fd46458d7f" + ], + "columns": { + "4d4c068a-0194-4d54-a1fa-3863c3df9331": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Url Path", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "be6a3d8b-9428-480b-a7b3-071127726093", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "azure.dimensions.browser_timing_url_path" + }, + "6bc1fd35-168d-42d5-b9c8-7078896d8ce4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total duration", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.browser_timings_total_duration.avg" + }, + "988e9976-3471-478c-89f6-11fd46458d7f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Receive duration", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.browser_timings_receive_duration.avg" + }, + "bcbccc16-d042-40fa-a9b2-0f09268281ff": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp", + "suggestedPriority": 1 + }, + "be6a3d8b-9428-480b-a7b3-071127726093": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Send duration", + "operationType": "avg", + "params": {}, + "scale": "ratio", + "sourceField": "azure.app_state.browser_timings_send_duration.avg" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "be6a3d8b-9428-480b-a7b3-071127726093", + "6bc1fd35-168d-42d5-b9c8-7078896d8ce4", + "988e9976-3471-478c-89f6-11fd46458d7f" + ], + "layerId": "85644d0a-8011-45af-a751-7961b8bdd071", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "splitAccessor": "4d4c068a-0194-4d54-a1fa-3863c3df9331", + "xAccessor": "bcbccc16-d042-40fa-a9b2-0f09268281ff" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar" + } + }, + "title": "App state Browser Send/Receive Duration [Metricbeat Azure]", + "visualizationType": "lnsXY" + }, + "id": "e2704140-04a3-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-02T11:39:09.012Z", + "version": "WzI2MzQsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"85644d0a-8011-45af-a751-7961b8bdd071\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"4d4c068a-0194-4d54-a1fa-3863c3df9331\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.dimensions.browser_timing_url_path\\\",\\\"orderBy\\\":\\\"_key\\\",\\\"order\\\":\\\"asc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"b5a75764-e98b-434b-a0f0-5658a4aa1cf6\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.browser_timings_network_duration.avg\\\",\\\"missing\\\":0}},{\\\"id\\\":\\\"ab158cba-532f-47f8-8450-db883504dc0f\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.browser_timings_processing_duration.avg\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-bcbccc16-d042-40fa-a9b2-0f09268281ff\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"suggestedPriority\\\":1,\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\"},\\\"col-3-4d4c068a-0194-4d54-a1fa-3863c3df9331\\\":{\\\"label\\\":\\\"Url Path\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"azure.dimensions.browser_timing_url_path\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"alphabetical\\\"},\\\"orderDirection\\\":\\\"asc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"4d4c068a-0194-4d54-a1fa-3863c3df9331\\\"},\\\"col-4-b5a75764-e98b-434b-a0f0-5658a4aa1cf6\\\":{\\\"label\\\":\\\"Networking duration\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.browser_timings_network_duration.avg\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"b5a75764-e98b-434b-a0f0-5658a4aa1cf6\\\"},\\\"col-5-ab158cba-532f-47f8-8450-db883504dc0f\\\":{\\\"label\\\":\\\"Processing duration\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.browser_timings_processing_duration.avg\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"ab158cba-532f-47f8-8450-db883504dc0f\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Networking duration\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"85644d0a-8011-45af-a751-7961b8bdd071\" hide=false xAccessor=\"bcbccc16-d042-40fa-a9b2-0f09268281ff\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"4d4c068a-0194-4d54-a1fa-3863c3df9331\" seriesType=\"bar\" accessors=\"b5a75764-e98b-434b-a0f0-5658a4aa1cf6\" accessors=\"ab158cba-532f-47f8-8450-db883504dc0f\" columnToLabel=\"{\\\"b5a75764-e98b-434b-a0f0-5658a4aa1cf6\\\":\\\"Networking duration\\\",\\\"ab158cba-532f-47f8-8450-db883504dc0f\\\":\\\"Processing duration\\\",\\\"4d4c068a-0194-4d54-a1fa-3863c3df9331\\\":\\\"Url Path\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "85644d0a-8011-45af-a751-7961b8bdd071": { + "columnOrder": [ + "bcbccc16-d042-40fa-a9b2-0f09268281ff", + "4d4c068a-0194-4d54-a1fa-3863c3df9331", + "b5a75764-e98b-434b-a0f0-5658a4aa1cf6", + "ab158cba-532f-47f8-8450-db883504dc0f" + ], + "columns": { + "4d4c068a-0194-4d54-a1fa-3863c3df9331": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Url Path", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "azure.dimensions.browser_timing_url_path" + }, + "ab158cba-532f-47f8-8450-db883504dc0f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Processing duration", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.browser_timings_processing_duration.avg" + }, + "b5a75764-e98b-434b-a0f0-5658a4aa1cf6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Networking duration", + "operationType": "avg", + "scale": "ratio", + "sourceField": "azure.app_state.browser_timings_network_duration.avg" + }, + "bcbccc16-d042-40fa-a9b2-0f09268281ff": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp", + "suggestedPriority": 1 + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "b5a75764-e98b-434b-a0f0-5658a4aa1cf6", + "ab158cba-532f-47f8-8450-db883504dc0f" + ], + "layerId": "85644d0a-8011-45af-a751-7961b8bdd071", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "splitAccessor": "4d4c068a-0194-4d54-a1fa-3863c3df9331", + "xAccessor": "bcbccc16-d042-40fa-a9b2-0f09268281ff" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar" + } + }, + "title": "App state Browser Networking/Processing Duration [Metricbeat Azure]", + "visualizationType": "lnsXY" + }, + "id": "0e74dee0-04a4-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-02T11:40:22.862Z", + "version": "WzI2ODQsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"85644d0a-8011-45af-a751-7961b8bdd071\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.dimensions.cloud_role_instance\\\",\\\"orderBy\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.performance_counters_process_cpu_percentage_total.avg\\\",\\\"missing\\\":0}},{\\\"id\\\":\\\"252dfd5f-26bd-4861-bb01-4b3530cadd95\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.performance_counters_process_cpu_percentage.avg\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-bcbccc16-d042-40fa-a9b2-0f09268281ff\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"suggestedPriority\\\":1,\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\"},\\\"col-3-a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\":{\\\"label\\\":\\\"Instance\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"azure.dimensions.cloud_role_instance\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\"},\\\"col-4-b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\":{\\\"label\\\":\\\"Total CPU percentage \\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.performance_counters_process_cpu_percentage_total.avg\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"percent\\\",\\\"params\\\":{\\\"decimals\\\":2}}},\\\"id\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\"},\\\"col-5-252dfd5f-26bd-4861-bb01-4b3530cadd95\\\":{\\\"label\\\":\\\"CPU percentage\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.performance_counters_process_cpu_percentage.avg\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"percent\\\",\\\"params\\\":{\\\"decimals\\\":2}}},\\\"customLabel\\\":true,\\\"id\\\":\\\"252dfd5f-26bd-4861-bb01-4b3530cadd95\\\"}}\" | lens_format_column format=\"percent\" columnId=\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\" decimals=2 | lens_format_column format=\"percent\" columnId=\"252dfd5f-26bd-4861-bb01-4b3530cadd95\" decimals=2}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Total CPU percentage \" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"85644d0a-8011-45af-a751-7961b8bdd071\" hide=false xAccessor=\"bcbccc16-d042-40fa-a9b2-0f09268281ff\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\" seriesType=\"area\" accessors=\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\" accessors=\"252dfd5f-26bd-4861-bb01-4b3530cadd95\" columnToLabel=\"{\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\":\\\"Total CPU percentage \\\",\\\"252dfd5f-26bd-4861-bb01-4b3530cadd95\\\":\\\"CPU percentage\\\",\\\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\":\\\"Instance\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "85644d0a-8011-45af-a751-7961b8bdd071": { + "columnOrder": [ + "bcbccc16-d042-40fa-a9b2-0f09268281ff", + "a1f669d0-c9f2-4bc5-9bdd-e40badd261b9", + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba", + "252dfd5f-26bd-4861-bb01-4b3530cadd95" + ], + "columns": { + "252dfd5f-26bd-4861-bb01-4b3530cadd95": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "CPU percentage", + "operationType": "avg", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "azure.app_state.performance_counters_process_cpu_percentage.avg" + }, + "a1f669d0-c9f2-4bc5-9bdd-e40badd261b9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Instance", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "azure.dimensions.cloud_role_instance" + }, + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total CPU percentage ", + "operationType": "avg", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "azure.app_state.performance_counters_process_cpu_percentage_total.avg" + }, + "bcbccc16-d042-40fa-a9b2-0f09268281ff": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp", + "suggestedPriority": 1 + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba", + "252dfd5f-26bd-4861-bb01-4b3530cadd95" + ], + "layerId": "85644d0a-8011-45af-a751-7961b8bdd071", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "a1f669d0-c9f2-4bc5-9bdd-e40badd261b9", + "xAccessor": "bcbccc16-d042-40fa-a9b2-0f09268281ff" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area" + } + }, + "title": "App state Process CPU usage [Metricbeat Azure]", + "visualizationType": "lnsXY" + }, + "id": "cfa361a0-04a8-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-02T12:14:24.954Z", + "version": "WzMyNTMsMl0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"85644d0a-8011-45af-a751-7961b8bdd071\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.dimensions.cloud_role_instance\\\",\\\"orderBy\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"azure.app_state.performance_counters_process_private_bytes.avg\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-bcbccc16-d042-40fa-a9b2-0f09268281ff\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"suggestedPriority\\\":1,\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"bcbccc16-d042-40fa-a9b2-0f09268281ff\\\"},\\\"col-2-a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\":{\\\"label\\\":\\\"Instance\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"azure.dimensions.cloud_role_instance\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\"},\\\"col-3-b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\":{\\\"label\\\":\\\"Process private bytes\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"azure.app_state.performance_counters_process_private_bytes.avg\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"bytes\\\",\\\"params\\\":{\\\"decimals\\\":2}}},\\\"id\\\":\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\"}}\" | lens_format_column format=\"bytes\" columnId=\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\" decimals=2}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Process private bytes\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"85644d0a-8011-45af-a751-7961b8bdd071\" hide=false xAccessor=\"bcbccc16-d042-40fa-a9b2-0f09268281ff\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\" seriesType=\"area\" accessors=\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\" columnToLabel=\"{\\\"b0d8f2d4-91f3-469c-8bcb-962a9fb48fba\\\":\\\"Process private bytes\\\",\\\"a1f669d0-c9f2-4bc5-9bdd-e40badd261b9\\\":\\\"Instance\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "85644d0a-8011-45af-a751-7961b8bdd071": { + "columnOrder": [ + "bcbccc16-d042-40fa-a9b2-0f09268281ff", + "a1f669d0-c9f2-4bc5-9bdd-e40badd261b9", + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba" + ], + "columns": { + "a1f669d0-c9f2-4bc5-9bdd-e40badd261b9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Instance", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "azure.dimensions.cloud_role_instance" + }, + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Process private bytes", + "operationType": "avg", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "azure.app_state.performance_counters_process_private_bytes.avg" + }, + "bcbccc16-d042-40fa-a9b2-0f09268281ff": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp", + "suggestedPriority": 1 + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "b0d8f2d4-91f3-469c-8bcb-962a9fb48fba" + ], + "layerId": "85644d0a-8011-45af-a751-7961b8bdd071", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "a1f669d0-c9f2-4bc5-9bdd-e40badd261b9", + "xAccessor": "bcbccc16-d042-40fa-a9b2-0f09268281ff" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area" + } + }, + "title": "App state Process Private Bytes [Metricbeat Azure]", + "visualizationType": "lnsXY" + }, + "id": "2b54b2c0-04a8-11eb-8034-63f2039e9d3f", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-10-02T12:09:49.291Z", + "version": "WzMxMjMsMl0=" + } + ], + "version": "7.9.2" +} diff --git a/x-pack/metricbeat/module/azure/add_metadata.go b/x-pack/metricbeat/module/azure/add_metadata.go index ba8f35c7db6..1342170aec0 100644 --- a/x-pack/metricbeat/module/azure/add_metadata.go +++ b/x-pack/metricbeat/module/azure/add_metadata.go @@ -35,7 +35,7 @@ func addHostMetadata(event *mb.Event, metricList common.MapStr) { } } -func addCloudVMMetadata(event *mb.Event, vm VmResource) { +func addCloudVMMetadata(event *mb.Event, vm VmResource, subscriptionId string) { if vm.Name != "" { event.RootFields.Put("cloud.instance.name", vm.Name) event.RootFields.Put("host.name", vm.Name) @@ -47,4 +47,7 @@ func addCloudVMMetadata(event *mb.Event, vm VmResource) { if vm.Size != "" { event.RootFields.Put("cloud.machine.type", vm.Size) } + if subscriptionId != "" { + event.RootFields.Put("cloud.account.id", subscriptionId) + } } diff --git a/x-pack/metricbeat/module/azure/app_insights/_meta/data.json b/x-pack/metricbeat/module/azure/app_insights/_meta/data.json index 3d1f07c1ac1..c9b35f39923 100644 --- a/x-pack/metricbeat/module/azure/app_insights/_meta/data.json +++ b/x-pack/metricbeat/module/azure/app_insights/_meta/data.json @@ -1,16 +1,15 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "azure" : { - "app_insights" : { - "metrics" : { - "requests_failed" : { - "sum" : 182 - }, - "request_name" : "GET /favicon.ico" - }, - "start_date" : "2020-07-12T10:52:11.831Z", - "end_date" : "2020-07-12T12:52:11.831Z", - "application_id" : "42cb59a9-d5be-400b-a5c4-69b0a0026ac6" + "azure": { + "app_insights": { + "end_date": "2020-10-02T13:17:45.691Z", + "start_date": "2020-10-02T13:12:45.691Z" + }, + "application_id": "42cb59a9-d5be-400b-a5c4-69b0a00434fdf4", + "metrics": { + "requests_count": { + "sum": 0 + } } }, "cloud": { diff --git a/x-pack/metricbeat/module/azure/app_insights/_meta/fields.yml b/x-pack/metricbeat/module/azure/app_insights/_meta/fields.yml index 40ab8560827..4e8fa91edbd 100644 --- a/x-pack/metricbeat/module/azure/app_insights/_meta/fields.yml +++ b/x-pack/metricbeat/module/azure/app_insights/_meta/fields.yml @@ -4,10 +4,6 @@ description: > application insights fields: - - name: application_id - type: keyword - description: > - The application ID - name: start_date type: date description: > diff --git a/x-pack/metricbeat/module/azure/app_insights/app_insights.go b/x-pack/metricbeat/module/azure/app_insights/app_insights.go index 8ffe02eb860..091a72f465e 100644 --- a/x-pack/metricbeat/module/azure/app_insights/app_insights.go +++ b/x-pack/metricbeat/module/azure/app_insights/app_insights.go @@ -23,6 +23,7 @@ type Config struct { ApiKey string `config:"api_key" validate:"required"` Period time.Duration `config:"period" validate:"nonzero,required"` Metrics []Metric `config:"metrics" validate:"required"` + Namespace string `config:"namespace"` } // Metric struct used for configuration options @@ -70,7 +71,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { if err != nil { return errors.Wrap(err, "error retrieving metric values") } - events := EventsMapping(results, m.client.Config.ApplicationId) + events := EventsMapping(results, m.client.Config.ApplicationId, m.client.Config.Namespace) for _, event := range events { isOpen := report.Event(event) if !isOpen { diff --git a/x-pack/metricbeat/module/azure/app_insights/app_insights_integration_test.go b/x-pack/metricbeat/module/azure/app_insights/app_insights_integration_test.go index 3cb93663007..c33f05c2de6 100644 --- a/x-pack/metricbeat/module/azure/app_insights/app_insights_integration_test.go +++ b/x-pack/metricbeat/module/azure/app_insights/app_insights_integration_test.go @@ -10,12 +10,20 @@ package app_insights import ( "testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/test" + "github.com/stretchr/testify/assert" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" ) +var metrics = []map[string]interface{}{{ + "id": "requests/count", +}} + func TestFetchMetricset(t *testing.T) { + config := test.GetConfigForInsights(t, "app_insights") + config["metrics"] = metrics metricSet := mbtest.NewReportingMetricSetV2Error(t, config) events, errs := mbtest.ReportingFetchV2Error(metricSet) if len(errs) > 0 { @@ -26,6 +34,8 @@ func TestFetchMetricset(t *testing.T) { } func TestData(t *testing.T) { + config := test.GetConfigForInsights(t, "app_insights") + config["metrics"] = metrics metricSet := mbtest.NewFetcher(t, config) metricSet.WriteEvents(t, "/") } diff --git a/x-pack/metricbeat/module/azure/app_insights/client.go b/x-pack/metricbeat/module/azure/app_insights/client.go index b78f2257d3f..49794da4d3f 100644 --- a/x-pack/metricbeat/module/azure/app_insights/client.go +++ b/x-pack/metricbeat/module/azure/app_insights/client.go @@ -23,9 +23,6 @@ type Client struct { Log *logp.Logger } -type MetricValue struct { -} - // NewClient instantiates the an Azure monitoring client func NewClient(config Config) (*Client, error) { service, err := NewService(config) diff --git a/x-pack/metricbeat/module/azure/app_insights/data.go b/x-pack/metricbeat/module/azure/app_insights/data.go index df7efdbeaba..1cd661cc3a0 100644 --- a/x-pack/metricbeat/module/azure/app_insights/data.go +++ b/x-pack/metricbeat/module/azure/app_insights/data.go @@ -6,98 +6,217 @@ package app_insights import ( "fmt" + "regexp" "strings" + "github.com/Azure/azure-sdk-for-go/services/preview/appinsights/v1/insights" "github.com/Azure/go-autorest/autorest/date" - "github.com/Azure/azure-sdk-for-go/services/preview/appinsights/v1/insights" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/metricbeat/mb" ) -func EventsMapping(metricValues insights.ListMetricsResultsItem, applicationId string) []mb.Event { - var events []mb.Event - if metricValues.Value == nil { - return events - } - groupedAddProp := make(map[string][]insights.MetricsResultInfo) +const aggsRegex = "_(?:sum|count|unique|avg|min|max)$" + +// segmentNames list is used to filter out the dimension from the api response. Based on the body format it is not possible to detect what was the segment selected +var segmentNames = []string{ + "request_source", "request_name", "request_url_host", "request_url_path", "request_success", "request_result_code", "request_performance_bucket", "operation_name", "operation_synthetic", "operation_synthetic_source", "user_authenticated", "application_version", "client_type", "client_model", + "client_os", "client_city", "client_state_or_province", "client_country_or_region", "client_browser", "cloud_role_name", "cloud_role_instance", "custom_dimensions__ms_processedb_by_metric_extractors", "custom_dimensions_developer_mode", + "page_view_name", "page_view_url_path", "page_view_url_host", "page_view_performance_bucket", "custom_dimensions_ibiza_session_id", "custom_dimensions_part_instance", "browser_timing_name", "browser_timing_url_host", "browser_timing_url_path", "browser_timing_performance_bucket", + "trace_severity_level", "type", "custom_dimensions_agent_session", "custom_dimensions_agent_version", "custom_dimensions_machine_name", "custom_dimensions_running_mode", "custom_dimensions_source", "custom_dimensions_agent_assembly_version", "custom_dimensions_agent_process_session", + "custom_dimensions_hashed_machine_name", + "custom_dimensions_data_cube", "dependency_target", "dependency_type", "dependency_name", "dependency_success", "dependency_result_code", "dependency_performance_bucket", "custom_dimensions_container", "custom_dimensions_blob", "custom_dimensions_error_message", + "custom_event_name", "custom_dimensions_event_name", "custom_dimensions_page_title", "custom_dimensions_service_profiler_content", "custom_dimensions_executing_assembly_file_version", "custom_dimensions_service_profiler_version", "custom_dimensions_process_id", "custom_dimensions_request_id", + "custom_dimensions_running_session", "custom_dimensions_problem_id", "custom_dimensions_snapshot_context", "custom_dimensions_snapshot_version", "custom_dimensions_duration", "custom_dimensions_snapshot_id", "custom_dimensions_stamp_id", "custom_dimensions_de_optimization_id", + "custom_dimensions_method", "custom_dimensions_parent_process_id", "custom_dimensions_section", "custom_dimensions_configuration", "custom_dimensions_dump_folder", "custom_dimensions_reason", "custom_dimensions_extension_version", "custom_dimensions_site_name", + "availability_result_name", "availability_result_location", "availability_result_success", "custom_dimensions_full_test_result_available", "exception_problem_id", "exception_handled_at", "exception_type", "exception_assembly", "exception_method", "custom_dimensions_custom_perf_counter", + "exception_severity_level", "custom_dimensions_url", "custom_dimensions_ai.snapshot_stampid", "custom_dimensions_ai.snapshot_id", "custom_dimensions_ai.snapshot_version", "custom_dimensions_ai.snapshot_planid", "custom_dimensions__ms_example", "custom_dimensions_sa_origin_app_id", + "custom_dimensions_base_sdk_target_framework", "custom_dimensions_runtime_framework", "custom_dimensions__ms_aggregation_interval_ms", "custom_dimensions_problem_id", "custom_dimensions_operation_name", "custom_dimensions_request_success", "custom_dimensions__ms_metric_id", + "custom_dimensions_dependency_success", "custom_dimensions__ms_is_autocollected", "custom_dimensions_dependency_type", "performance_counter_name", "performance_counter_category", "performance_counter_counter", "performance_counter_instance", "custom_dimensions_counter_instance_name", +} + +type MetricValue struct { + SegmentName map[string]string + Value map[string]interface{} + Segments []MetricValue + Interval string + Start *date.Time + End *date.Time +} + +func mapMetricValues(metricValues insights.ListMetricsResultsItem) []MetricValue { + var mapped []MetricValue for _, item := range *metricValues.Value { + metricValue := MetricValue{ + Start: item.Body.Value.Start, + End: item.Body.Value.End, + Value: map[string]interface{}{}, + SegmentName: map[string]string{}, + } + metricValue.Interval = fmt.Sprintf("%sTO%s", item.Body.Value.Start, item.Body.Value.End) if item.Body != nil && item.Body.Value != nil { if item.Body.Value.AdditionalProperties != nil { - groupedAddProp[fmt.Sprintf("%sTO%s", item.Body.Value.Start, item.Body.Value.End)] = - append(groupedAddProp[fmt.Sprintf("%sTO%s", item.Body.Value.Start, item.Body.Value.End)], *item.Body.Value) - } else if item.Body.Value.Segments != nil { - for _, segment := range *item.Body.Value.Segments { - event, ok := createSegmentEvent(*item.Body.Value.Start, *item.Body.Value.End, segment, applicationId) - if ok { - events = append(events, event) + metrics := getAdditionalPropMetric(item.Body.Value.AdditionalProperties) + for key, metric := range metrics { + if isSegment(key) { + metricValue.SegmentName[key] = metric.(string) + } else { + metricValue.Value[key] = metric } } } + if item.Body.Value.Segments != nil { + for _, segment := range *item.Body.Value.Segments { + metVal := mapSegment(segment, metricValue.SegmentName) + metricValue.Segments = append(metricValue.Segments, metVal) + } + } + mapped = append(mapped, metricValue) } + } - if len(groupedAddProp) > 0 { - for _, val := range groupedAddProp { - event, ok := createEvent(val, applicationId) - if ok { - events = append(events, event) + return mapped +} + +func mapSegment(segment insights.MetricsSegmentInfo, parentSeg map[string]string) MetricValue { + metricValue := MetricValue{Value: map[string]interface{}{}, SegmentName: map[string]string{}} + if segment.AdditionalProperties != nil { + metrics := getAdditionalPropMetric(segment.AdditionalProperties) + for key, metric := range metrics { + if isSegment(key) { + metricValue.SegmentName[key] = metric.(string) + } else { + metricValue.Value[key] = metric + } + } + } + if len(parentSeg) > 0 { + for key, val := range parentSeg { + metricValue.SegmentName[key] = val + } + } + if segment.Segments != nil { + for _, segment := range *segment.Segments { + metVal := mapSegment(segment, metricValue.SegmentName) + metricValue.Segments = append(metricValue.Segments, metVal) + } + } + + return metricValue +} + +func isSegment(metric string) bool { + for _, seg := range segmentNames { + if metric == seg { + return true + } + } + return false +} + +func EventsMapping(metricValues insights.ListMetricsResultsItem, applicationId string, namespace string) []mb.Event { + var events []mb.Event + if metricValues.Value == nil { + return events + } + groupedAddProp := make(map[string][]MetricValue) + mValues := mapMetricValues(metricValues) + + var segValues []MetricValue + for _, mv := range mValues { + if len(mv.Segments) == 0 { + groupedAddProp[mv.Interval] = append(groupedAddProp[mv.Interval], mv) + } else { + segValues = append(segValues, mv) + } + } + + for _, val := range groupedAddProp { + event := createNoSegEvent(val, applicationId, namespace) + if len(event.MetricSetFields) > 0 { + events = append(events, event) + } + } + for _, val := range segValues { + for _, seg := range val.Segments { + lastSeg := getValue(seg) + for _, ls := range lastSeg { + events = append(events, createSegEvent(val, ls, applicationId, namespace)) } } } return events } -func createSegmentEvent(start date.Time, end date.Time, segment insights.MetricsSegmentInfo, applicationId string) (mb.Event, bool) { - metricList := common.MapStr{} - metrics := getMetric(segment.AdditionalProperties) - if len(metrics) == 0 { - return mb.Event{}, false +func getValue(metric MetricValue) []MetricValue { + var values []MetricValue + if metric.Segments == nil { + return []MetricValue{metric} + } + for _, met := range metric.Segments { + values = append(values, getValue(met)...) } - for key, metric := range metrics { + return values +} + +func createSegEvent(parentMetricValue MetricValue, metricValue MetricValue, applicationId string, namespace string) mb.Event { + metricList := common.MapStr{} + for key, metric := range metricValue.Value { metricList.Put(key, metric) } + if len(metricList) == 0 { + return mb.Event{} + } + event := createEvent(parentMetricValue.Start, parentMetricValue.End, applicationId, namespace, metricList) + if len(parentMetricValue.SegmentName) > 0 { + event.ModuleFields.Put("dimensions", parentMetricValue.SegmentName) + } + if len(metricValue.SegmentName) > 0 { + event.ModuleFields.Put("dimensions", metricValue.SegmentName) + } + return event +} + +func createEvent(start *date.Time, end *date.Time, applicationId string, namespace string, metricList common.MapStr) mb.Event { event := mb.Event{ - MetricSetFields: common.MapStr{ - "start_date": start, - "end_date": end, + ModuleFields: common.MapStr{ "application_id": applicationId, }, + MetricSetFields: common.MapStr{ + "start_date": start, + "end_date": end, + }, Timestamp: end.Time, } event.RootFields = common.MapStr{} event.RootFields.Put("cloud.provider", "azure") - event.MetricSetFields.Put("metrics", metricList) - return event, true + if namespace == "" { + event.ModuleFields.Put("metrics", metricList) + } else { + for key, metric := range metricList { + event.MetricSetFields.Put(key, metric) + } + } + return event } -func createEvent(values []insights.MetricsResultInfo, applicationId string) (mb.Event, bool) { +func createNoSegEvent(values []MetricValue, applicationId string, namespace string) mb.Event { metricList := common.MapStr{} for _, value := range values { - metrics := getMetric(value.AdditionalProperties) - for key, metric := range metrics { + for key, metric := range value.Value { metricList.Put(key, metric) } } if len(metricList) == 0 { - return mb.Event{}, false + return mb.Event{} } + return createEvent(values[0].Start, values[0].End, applicationId, namespace, metricList) - event := mb.Event{ - MetricSetFields: common.MapStr{ - "start_date": values[0].Start, - "end_date": values[0].End, - "application_id": applicationId, - }, - Timestamp: values[0].End.Time, - } - event.RootFields = common.MapStr{} - event.RootFields.Put("cloud.provider", "azure") - event.MetricSetFields.Put("metrics", metricList) - return event, true } -func getMetric(addProp map[string]interface{}) map[string]interface{} { +func getAdditionalPropMetric(addProp map[string]interface{}) map[string]interface{} { metricNames := make(map[string]interface{}) for key, val := range addProp { switch val.(type) { @@ -115,5 +234,19 @@ func getMetric(addProp map[string]interface{}) map[string]interface{} { } func cleanMetricNames(metric string) string { - return strings.Replace(metric, "/", "_", -1) + metric = strings.Replace(metric, "/", "_", -1) + metric = strings.Replace(metric, " ", "_", -1) + metric = azure.ReplaceUpperCase(metric) + obj := strings.Split(metric, ".") + for index := range obj { + // in some cases a trailing "_" is found + obj[index] = strings.TrimPrefix(obj[index], "_") + obj[index] = strings.TrimSuffix(obj[index], "_") + } + metric = strings.ToLower(strings.Join(obj, "_")) + aggsRegex := regexp.MustCompile(aggsRegex) + metric = aggsRegex.ReplaceAllStringFunc(metric, func(str string) string { + return strings.Replace(str, "_", ".", -1) + }) + return metric } diff --git a/x-pack/metricbeat/module/azure/app_insights/data_test.go b/x-pack/metricbeat/module/azure/app_insights/data_test.go index ebe4e7d98aa..f65f9f84b1d 100644 --- a/x-pack/metricbeat/module/azure/app_insights/data_test.go +++ b/x-pack/metricbeat/module/azure/app_insights/data_test.go @@ -39,20 +39,32 @@ func TestEventMapping(t *testing.T) { Value: &metrics, } applicationId := "abc" - events := EventsMapping(result, applicationId) + events := EventsMapping(result, applicationId, "") assert.Equal(t, len(events), 1) for _, event := range events { val1, _ := event.MetricSetFields.GetValue("start_date") assert.Equal(t, val1, &startDate) val2, _ := event.MetricSetFields.GetValue("end_date") assert.Equal(t, val2, &startDate) - val3, _ := event.MetricSetFields.GetValue("metrics.requests_count") + val3, _ := event.ModuleFields.GetValue("metrics.requests_count") assert.Equal(t, val3, common.MapStr{"sum": 12}) - val5, _ := event.MetricSetFields.GetValue("metrics.requests_failed") + val5, _ := event.ModuleFields.GetValue("metrics.requests_failed") assert.Equal(t, val5, common.MapStr{"sum": 10}) - val4, _ := event.MetricSetFields.GetValue("application_id") + val4, _ := event.ModuleFields.GetValue("application_id") assert.Equal(t, val4, applicationId) } } + +func TestCleanMetricNames(t *testing.T) { + ex := "customDimensions/ExecutingAssemblyFileVersion" + result := cleanMetricNames(ex) + assert.Equal(t, result, "custom_dimensions_executing_assembly_file_version") + ex = "customDimensions/_MS.AggregationIntervalMs" + result = cleanMetricNames(ex) + assert.Equal(t, result, "custom_dimensions__ms_aggregation_interval_ms") + ex = "customDimensions/_MS.IsAutocollected" + result = cleanMetricNames(ex) + assert.Equal(t, result, "custom_dimensions__ms_is_autocollected") +} diff --git a/x-pack/metricbeat/module/azure/app_state/_meta/data.json b/x-pack/metricbeat/module/azure/app_state/_meta/data.json new file mode 100644 index 00000000000..c4744db7f60 --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_state/_meta/data.json @@ -0,0 +1,32 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "azure": { + "app_state": { + "end_date": "2020-10-02T13:23:11.221Z", + "requests_count": { + "sum": 16 + }, + "start_date": "2020-10-01T13:23:11.221Z" + }, + "application_id": "42cb59a9-d5be-400b-a5c4-69b0a00434fdf4", + "dimensions": { + "request_name": "GET /auth", + "request_url_host": "demoapplogobs.azurewebsites.net" + } + }, + "cloud": { + "provider": "azure" + }, + "event": { + "dataset": "azure.app_state", + "duration": 115000, + "module": "azure" + }, + "metricset": { + "name": "app_state", + "period": 10000 + }, + "service": { + "type": "azure" + } +} diff --git a/x-pack/metricbeat/module/azure/app_state/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/app_state/_meta/docs.asciidoc new file mode 100644 index 00000000000..4517ccfed0d --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_state/_meta/docs.asciidoc @@ -0,0 +1,12 @@ +This is the app_state metricset of the module azure. + +This metricset allows users to retrieve application insights metrics from specified applications. + +[float] +==== Config options to identify resources + +`application_id`:: (_[]string_) ID of the application. This is Application ID from the API Access settings blade in the Azure portal. + +`api_key`:: (_[]string_) The API key which will be generated, more on the steps here https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID. + + diff --git a/x-pack/metricbeat/module/azure/app_state/_meta/fields.yml b/x-pack/metricbeat/module/azure/app_state/_meta/fields.yml new file mode 100644 index 00000000000..fad928c090f --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_state/_meta/fields.yml @@ -0,0 +1,86 @@ +- name: app_state + type: group + release: beta + description: > + application state + fields: + - name: start_date + type: date + description: > + The start date + - name: end_date + type: date + description: > + The end date + - name: requests_count.sum + type: float + description: > + Request count + - name: requests_failed.sum + type: float + description: > + Request failed count + - name: users_count.unique + type: float + description: > + User count + - name: sessions_count.unique + type: float + description: > + Session count + - name: users_authenticated.unique + type: float + description: > + Authenticated users count + - name: browser_timings_network_duration.avg + type: float + description: > + Browser timings network duration + - name: browser_timings_send_duration.avg + type: float + description: > + Browser timings send duration + - name: browser_timings_receive_uration.avg + type: float + description: > + Browser timings receive duration + - name: browser_timings_processing_duration.avg + type: float + description: > + Browser timings processing duration + - name: browser_timings_total_duration.avg + type: float + description: > + Browser timings total duration + - name: exceptions_count.sum + type: float + description: > + Exception count + - name: exceptions_browser.sum + type: float + description: > + Exception count at browser level + - name: exceptions_server.sum + type: float + description: > + Exception count at server level + - name: performance_counters_memory_available_bytes.avg + type: float + description: > + Performance counters memory available bytes + - name: performance_counters_process_private_bytes.avg + type: float + description: > + Performance counters process private bytes + - name: performance_counters_process_cpu_percentage_total.avg + type: float + description: > + Performance counters process cpu percentage total + - name: performance_counters_process_cpu_percentage.avg + type: float + description: > + Performance counters process cpu percentage + - name: performance_counters_processiobytes_per_second.avg + type: float + description: > + Performance counters process IO bytes per second diff --git a/x-pack/metricbeat/module/azure/app_state/app_state_integration_test.go b/x-pack/metricbeat/module/azure/app_state/app_state_integration_test.go new file mode 100644 index 00000000000..8762cae440d --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_state/app_state_integration_test.go @@ -0,0 +1,38 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build integration +// +build azure + +package app_state + +import ( + "testing" + + "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/test" + + "github.com/stretchr/testify/assert" + + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + + // Register input module and metricset + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/app_insights" +) + +func TestFetchMetricset(t *testing.T) { + config := test.GetConfigForInsights(t, "app_state") + metricSet := mbtest.NewReportingMetricSetV2Error(t, config) + events, errs := mbtest.ReportingFetchV2Error(metricSet) + if len(errs) > 0 { + t.Fatalf("Expected 0 error, had %d. %v\n", len(errs), errs) + } + assert.NotEmpty(t, events) + mbtest.TestMetricsetFieldsDocumented(t, metricSet, events) +} + +func TestData(t *testing.T) { + config := test.GetConfigForInsights(t, "app_state") + metricSet := mbtest.NewFetcher(t, config) + metricSet.WriteEvents(t, "/") +} diff --git a/x-pack/metricbeat/module/azure/app_state/app_state_test.go b/x-pack/metricbeat/module/azure/app_state/app_state_test.go new file mode 100644 index 00000000000..a8dbab88081 --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_state/app_state_test.go @@ -0,0 +1,17 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package app_state + +import ( + "os" + + "github.com/elastic/beats/v7/metricbeat/mb" +) + +func init() { + // To be moved to some kind of helper + os.Setenv("BEAT_STRICT_PERMS", "false") + mb.Registry.SetSecondarySource(mb.NewLightModulesSource("../../../module")) +} diff --git a/x-pack/metricbeat/module/azure/app_state/manifest.yml b/x-pack/metricbeat/module/azure/app_state/manifest.yml new file mode 100644 index 00000000000..5c1d08a2ceb --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_state/manifest.yml @@ -0,0 +1,29 @@ +default: false +input: + module: azure + metricset: app_insights + defaults: + namespace: app_state + metrics: + - id: ["requests/count", "requests/failed"] + segment: ["request/urlHost", "request/name"] + aggregation: ["sum"] + interval: "P5M" + - id: ["users/count", "sessions/count", "users/authenticated"] + segment: ["request/urlHost"] + aggregation: ["unique"] + interval: "P5M" + - id: ["browserTimings/networkDuration", "browserTimings/sendDuration", "browserTimings/receiveDuration", "browserTimings/processingDuration", "browserTimings/totalDuration"] + segment: ["browserTiming/urlHost", "browserTiming/urlPath"] + aggregation: ["avg"] + interval: "P5M" + top: 5 + - id: ["exceptions/count", "exceptions/browser", "exceptions/server"] + segment: ["exception/type", "cloud/roleName"] + aggregation: ["sum"] + interval: "P5M" + - id: ["performanceCounters/memoryAvailableBytes", "performanceCounters/processCpuPercentageTotal", "performanceCounters/processCpuPercentage", "performanceCounters/processIOBytesPerSecond", + "performanceCounters/processPrivateBytes"] + aggregation: ["avg"] + segment: ["cloud/roleName", "cloud/roleInstance"] + interval: "P5M" diff --git a/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json b/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json index 1da5cfb63ab..c38407c76f1 100644 --- a/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json +++ b/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json @@ -2,62 +2,86 @@ "@timestamp": "2017-10-12T08:05:34.853Z", "azure": { "compute_vm": { + "disk_read_bytes": { + "total": 0 + }, "disk_read_operations_per_sec": { - "avg": 3.3875 + "avg": 0 + }, + "disk_write_bytes": { + "total": 2969709.4 }, "disk_write_operations_per_sec": { - "avg": 0.6705 + "avg": 0.7809999999999999 }, "inbound_flows": { - "avg": 28.4 + "avg": 10 }, "inbound_flows_maximum_creation_rate": { - "avg": 10.4 + "avg": 10.6 + }, + "network_in": { + "total": 1478232 + }, + "network_in_total": { + "total": 1569665 + }, + "network_out": { + "total": 793344 + }, + "network_out_total": { + "total": 1074624 + }, + "os_disk_bandwidth_consumed_percentage": { + "avg": 0 + }, + "os_disk_iops_consumed_percentage": { + "avg": 0 }, "os_disk_queue_depth": { - "avg": 0.00125 + "avg": 0.002 }, "os_disk_read_bytes_per_sec": { - "avg": 602589.1825 + "avg": 0 }, "os_disk_read_operations_per_sec": { - "avg": 5.28375 + "avg": 0 }, "os_disk_write_bytes_per_sec": { - "avg": 14137.59375 + "avg": 9899.025 }, "os_disk_write_operations_per_sec": { - "avg": 1.46875 + "avg": 1.5619999999999998 }, "os_per_disk_qd": { - "avg": 0.00125 + "avg": 0.002 }, "os_per_disk_read_bytes_per_sec": { - "avg": 602589.1825 + "avg": 0 }, "os_per_disk_read_operations_per_sec": { - "avg": 5.28375 + "avg": 0 }, "os_per_disk_write_bytes_per_sec": { - "avg": 14137.59375 + "avg": 9899.025 }, "os_per_disk_write_operations_per_sec": { - "avg": 1.46875 + "avg": 1.5619999999999998 }, "outbound_flows": { - "avg": 28.4 + "avg": 10 }, "outbound_flows_maximum_creation_rate": { - "avg": 10.4 + "avg": 10.6 }, "per_disk_qd": { - "avg": 0.0025 + "avg": 0 }, "per_disk_read_bytes_per_sec": { - "avg": 51985.035 + "avg": 0 }, "per_disk_read_operations_per_sec": { - "avg": 2.92875 + "avg": 0 }, "per_disk_write_bytes_per_sec": { "avg": 0 @@ -66,26 +90,41 @@ "avg": 0 }, "percentage_cpu": { - "avg": 9.747 + "avg": 1.8719999999999999 + }, + "vm_cached_bandwidth_consumed_percentage": { + "avg": 0 + }, + "vm_cached_iops_consumed_percentage": { + "avg": 0 + }, + "vm_uncached_bandwidth_consumed_percentage": { + "avg": 0 + }, + "vm_uncached_iops_consumed_percentage": { + "avg": 0 } }, "namespace": "Microsoft.Compute/virtualMachines", "resource": { "group": "obs-infrastructure", - "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obslinux", - "name": "obslinux", + "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/testaz", + "name": "testaz", "type": "Microsoft.Compute/virtualMachines" }, - "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", + "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", "timegrain": "PT5M" }, "cloud": { + "account": { + "id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6" + }, "instance": { - "id": "d5d9444a-1964-4d23-9c62-5463ecb16fe0", - "name": "obslinux" + "id": "490fe4cf-2b33-4ead-a016-7e614c2f48ad", + "name": "testaz" }, "machine": { - "type": "Basic_A0" + "type": "Standard_A1_v2" }, "provider": "azure", "region": "westeurope" @@ -97,10 +136,28 @@ }, "host": { "cpu": { - "pct": 0.09747 + "pct": 0.01872 }, - "id": "d5d9444a-1964-4d23-9c62-5463ecb16fe0", - "name": "obslinux" + "disk": { + "read": { + "bytes": 0 + }, + "write": { + "bytes": 2969709.4 + } + }, + "id": "490fe4cf-2b33-4ead-a016-7e614c2f48ad", + "name": "testaz", + "network": { + "in": { + "bytes": 1569665, + "packets": 1478232 + }, + "out": { + "bytes": 1074624, + "packets": 793344 + } + } }, "metricset": { "name": "compute_vm", diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json b/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json index e8f59859d8b..2d99d8ff6b0 100644 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json @@ -2,6 +2,12 @@ "@timestamp": "2017-10-12T08:05:34.853Z", "azure": { "compute_vm_scaleset": { + "cpu_credits_consumed": { + "avg": 0.006999999999999999 + }, + "cpu_credits_remaining": { + "avg": 84.72 + }, "os_per_disk_qd": { "avg": 0 }, @@ -12,35 +18,34 @@ "avg": 0 }, "os_per_disk_write_bytes_per_sec": { - "avg": 1872.1200000000001 + "avg": 3846.531 }, "os_per_disk_write_operations_per_sec": { - "avg": 0.296 + "avg": 0.5519999999999999 } }, "namespace": "Microsoft.Compute/virtualMachineScaleSets", "resource": { - "group": "testgroup", - "id": "/subscriptions/70bd6e23-e3er3-4835-6785-db77b8eef364/resourceGroups/testgroup/providers/Microsoft.Compute/virtualMachineScaleSets/vmscaleset", - "name": "vmscaleset", - "tags": { - "environment": "staging", - "role": "allocator" - }, + "group": "obs-infrastructure", + "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachineScaleSets/obslinuxvmss", + "name": "obslinuxvmss", "type": "Microsoft.Compute/virtualMachineScaleSets" }, - "subscription_id": "70bd6e23-e3er3-4835-6785-db77b8eef364", + "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", "timegrain": "PT5M" }, "cloud": { + "account": { + "id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6" + }, "instance": { - "name": "vmscaleset" + "name": "obslinuxvmss" }, "machine": { - "type": "Standard_D4s_v3" + "type": "Standard_B1ls" }, "provider": "azure", - "region": "eastus2" + "region": "westeurope" }, "event": { "dataset": "azure.compute_vm_scaleset", @@ -48,7 +53,7 @@ "module": "azure" }, "host": { - "name": "vmscaleset" + "name": "obslinuxvmss" }, "metricset": { "name": "compute_vm_scaleset", diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/manifest.yml b/x-pack/metricbeat/module/azure/compute_vm_scaleset/manifest.yml index 9369a36b79e..37b1293a2e5 100644 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/manifest.yml +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/manifest.yml @@ -12,8 +12,10 @@ input: - name: ["CPU Credits Remaining", "CPU Credits Consumed", "OS Per Disk Read Bytes/sec", "OS Per Disk Write Bytes/sec", "OS Per Disk Read Operations/Sec", "OS Per Disk Write Operations/Sec", "OS Per Disk QD"] namespace: "Microsoft.Compute/virtualMachineScaleSets" timegrain: "PT5M" + ignore_unsupported: true - name: ["Per Disk Read Bytes/sec", "Per Disk Write Bytes/sec", "Per Disk Read Operations/Sec", "Per Disk Write Operations/Sec", "Per Disk QD"] namespace: "Microsoft.Compute/virtualMachineScaleSets" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "SlotId" @@ -24,6 +26,7 @@ input: "Premium Data Disk Cache Read Hit", "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows", "OS Disk IOPS Consumed Percentage", "OS Disk Bandwidth Consumed Percentage", "OS Disk Queue Depth", "OS Disk Write Operations/Sec", "OS Disk Read Operations/Sec", "OS Disk Write Bytes/sec", "OS Disk Read Bytes/sec", "Data Disk IOPS Consumed Percentage"] namespace: "Microsoft.Compute/virtualMachineScaleSets" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "VMName" @@ -40,9 +43,11 @@ input: metrics: - name: ["CPU Credits Remaining", "CPU Credits Consumed", "OS Per Disk Read Bytes/sec", "OS Per Disk Write Bytes/sec", "OS Per Disk Read Operations/Sec", "OS Per Disk Write Operations/Sec", "OS Per Disk QD"] namespace: "Microsoft.Compute/virtualMachineScaleSets" + ignore_unsupported: true timegrain: "PT5M" - name: ["Per Disk Read Bytes/sec", "Per Disk Write Bytes/sec", "Per Disk Read Operations/Sec", "Per Disk Write Operations/Sec", "Per Disk QD"] namespace: "Microsoft.Compute/virtualMachineScaleSets" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "SlotId" @@ -53,6 +58,7 @@ input: "Premium Data Disk Cache Read Hit", "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows", "OS Disk IOPS Consumed Percentage", "OS Disk Bandwidth Consumed Percentage", "OS Disk Queue Depth", "OS Disk Write Operations/Sec", "OS Disk Read Operations/Sec", "OS Disk Write Bytes/sec", "OS Disk Read Bytes/sec", "Data Disk IOPS Consumed Percentage"] namespace: "Microsoft.Compute/virtualMachineScaleSets" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "VMName" diff --git a/x-pack/metricbeat/module/azure/config.go b/x-pack/metricbeat/module/azure/config.go index 63bb5450b57..00f1af56126 100644 --- a/x-pack/metricbeat/module/azure/config.go +++ b/x-pack/metricbeat/module/azure/config.go @@ -41,7 +41,7 @@ type MetricConfig struct { Dimensions []DimensionConfig `config:"dimensions"` Timegrain string `config:"timegrain"` // namespaces can be unsupported by some resources and supported in some, this configuration option makes sure no error messages are returned if namespace is unsupported - // info messages will be logged instead + // info messages will be logged instead. Same situation with metrics, some are being removed from the API, we would like to make sure that does not affect the module IgnoreUnsupported bool `config:"ignore_unsupported"` } diff --git a/x-pack/metricbeat/module/azure/container_instance/manifest.yml b/x-pack/metricbeat/module/azure/container_instance/manifest.yml index a0e6cd5ec27..c767e072a42 100644 --- a/x-pack/metricbeat/module/azure/container_instance/manifest.yml +++ b/x-pack/metricbeat/module/azure/container_instance/manifest.yml @@ -10,21 +10,25 @@ input: metrics: - name: ["CpuUsage", "MemoryUsage"] namespace: "Microsoft.ContainerInstance/containerGroups" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "containerName" value: "*" - name: ["NetworkBytesReceivedPerSecond", "NetworkBytesTransmittedPerSecond"] namespace: "Microsoft.ContainerInstance/containerGroups" + ignore_unsupported: true timegrain: "PT5M" - resource_id: "" metrics: - name: ["CpuUsage", "MemoryUsage"] namespace: "Microsoft.ContainerInstance/containerGroups" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "containerName" value: "*" - name: ["NetworkBytesReceivedPerSecond", "NetworkBytesTransmittedPerSecond"] namespace: "Microsoft.ContainerInstance/containerGroups" + ignore_unsupported: true timegrain: "PT5M" diff --git a/x-pack/metricbeat/module/azure/container_service/manifest.yml b/x-pack/metricbeat/module/azure/container_service/manifest.yml index 1384a268868..b7cf7639d42 100644 --- a/x-pack/metricbeat/module/azure/container_service/manifest.yml +++ b/x-pack/metricbeat/module/azure/container_service/manifest.yml @@ -10,6 +10,7 @@ input: metrics: - name: ["kube_node_status_condition"] namespace: "Microsoft.ContainerService/managedClusters" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "node" @@ -20,9 +21,11 @@ input: value: "*" - name: ["kube_node_status_allocatable_cpu_cores", "kube_node_status_allocatable_memory_bytes"] namespace: "Microsoft.ContainerService/managedClusters" + ignore_unsupported: true timegrain: "PT5M" - name: ["kube_pod_status_ready", "kube_pod_status_phase"] namespace: "Microsoft.ContainerService/managedClusters" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "pod" @@ -31,6 +34,7 @@ input: metrics: - name: ["kube_node_status_condition"] namespace: "Microsoft.ContainerService/managedClusters" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "node" @@ -41,9 +45,11 @@ input: value: "*" - name: ["kube_node_status_allocatable_cpu_cores", "kube_node_status_allocatable_memory_bytes"] namespace: "Microsoft.ContainerService/managedClusters" + ignore_unsupported: true timegrain: "PT5M" - name: ["kube_pod_status_ready", "kube_pod_status_phase"] namespace: "Microsoft.ContainerService/managedClusters" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "pod" diff --git a/x-pack/metricbeat/module/azure/data.go b/x-pack/metricbeat/module/azure/data.go index bf77f657416..eb7f1433142 100644 --- a/x-pack/metricbeat/module/azure/data.go +++ b/x-pack/metricbeat/module/azure/data.go @@ -82,7 +82,7 @@ func EventsMapping(metrics []Metric, client *Client, report mb.ReporterV2) error event, metricList = createEvent(timestamp, defaultMetric, resource, groupDimValues) if client.Config.AddCloudMetadata { vm = client.GetVMForMetaData(&resource, groupDimValues) - addCloudVMMetadata(&event, vm) + addCloudVMMetadata(&event, vm, resource.Subscription) } } } @@ -90,7 +90,7 @@ func EventsMapping(metrics []Metric, client *Client, report mb.ReporterV2) error event, metricList = createEvent(timestamp, defaultMetric, resource, groupTimeValues) if client.Config.AddCloudMetadata { vm = client.GetVMForMetaData(&resource, groupTimeValues) - addCloudVMMetadata(&event, vm) + addCloudVMMetadata(&event, vm, resource.Subscription) } } if client.Config.DefaultResourceType == "" { @@ -120,7 +120,7 @@ func managePropertyName(metric string) string { // create an object in case of ":" resultMetricName = strings.Replace(resultMetricName, "_-_", "_", -1) // replace uppercases with underscores - resultMetricName = replaceUpperCase(resultMetricName) + resultMetricName = ReplaceUpperCase(resultMetricName) // avoid cases as this "logicaldisk_avg._disk_sec_per_transfer" obj := strings.Split(resultMetricName, ".") @@ -134,8 +134,8 @@ func managePropertyName(metric string) string { return resultMetricName } -// replaceUpperCase func will replace upper case with '_' -func replaceUpperCase(src string) string { +// ReplaceUpperCase func will replace upper case with '_' +func ReplaceUpperCase(src string) string { replaceUpperCaseRegexp := regexp.MustCompile(replaceUpperCaseRegex) return replaceUpperCaseRegexp.ReplaceAllStringFunc(src, func(str string) string { var newStr string diff --git a/x-pack/metricbeat/module/azure/data_test.go b/x-pack/metricbeat/module/azure/data_test.go index cdfad1965f8..cca7edc0233 100644 --- a/x-pack/metricbeat/module/azure/data_test.go +++ b/x-pack/metricbeat/module/azure/data_test.go @@ -47,10 +47,10 @@ func TestGetDimensionValue(t *testing.T) { } func TestReplaceUpperCase(t *testing.T) { - result := replaceUpperCase("TestReplaceUpper_Case") + result := ReplaceUpperCase("TestReplaceUpper_Case") assert.Equal(t, result, "Test_replace_upper_Case") // should not split on acronyms - result = replaceUpperCase("CPU_Percentage") + result = ReplaceUpperCase("CPU_Percentage") assert.Equal(t, result, "CPU_Percentage") } diff --git a/x-pack/metricbeat/module/azure/database_account/manifest.yml b/x-pack/metricbeat/module/azure/database_account/manifest.yml index 39086f6ff66..3436008db7e 100644 --- a/x-pack/metricbeat/module/azure/database_account/manifest.yml +++ b/x-pack/metricbeat/module/azure/database_account/manifest.yml @@ -14,12 +14,14 @@ input: - name: ["AvailableStorage", "DataUsage","DocumentCount", "DocumentQuota", "IndexUsage", "MetadataRequests", "MongoRequestCharge", "MongoRequests", "MongoRequestsCount", "MongoRequestsInsert", "MongoRequestsDelete", "MongoRequestsQuery", "MongoRequestsUpdate","ProvisionedThroughput", "NormalizedRUConsumption"] namespace: "Microsoft.DocumentDb/databaseAccounts" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "DatabaseName" value: "*" - name: ["TotalRequestUnits", "TotalRequests"] namespace: "Microsoft.DocumentDb/databaseAccounts" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "DatabaseName" @@ -28,6 +30,7 @@ input: value: "*" - name: ["CassandraRequestCharges", "CassandraRequests"] namespace: "Microsoft.DocumentDb/databaseAccounts" + ignore_unsupported: true timegrain: "PT1M" dimensions: - name: "DatabaseName" @@ -38,6 +41,7 @@ input: "SqlContainerDelete", "SqlContainerThroughputUpdate", "SqlContainerUpdate", "SqlDatabaseDelete", "SqlDatabaseThroughputUpdate", "SqlDatabaseUpdate", "TableTableDelete", "TableTableThroughputUpdate","TableTableUpdate"] namespace: "Microsoft.DocumentDb/databaseAccounts" + ignore_unsupported: true dimensions: - name: "ResourceName" value: "*" @@ -49,12 +53,14 @@ input: - name: ["AvailableStorage", "DataUsage","DocumentCount", "DocumentQuota", "IndexUsage", "MetadataRequests", "MongoRequestCharge", "MongoRequests", "MongoRequestsCount", "MongoRequestsInsert", "MongoRequestsDelete", "MongoRequestsQuery", "MongoRequestsUpdate","ProvisionedThroughput", "NormalizedRUConsumption"] namespace: "Microsoft.DocumentDb/databaseAccounts" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "DatabaseName" value: "*" - name: ["TotalRequestUnits", "TotalRequests"] namespace: "Microsoft.DocumentDb/databaseAccounts" + ignore_unsupported: true timegrain: "PT5M" dimensions: - name: "DatabaseName" @@ -63,6 +69,7 @@ input: value: "*" - name: ["CassandraRequestCharges", "CassandraRequests"] namespace: "Microsoft.DocumentDb/databaseAccounts" + ignore_unsupported: true timegrain: "PT1M" dimensions: - name: "DatabaseName" @@ -73,6 +80,7 @@ input: "SqlContainerDelete", "SqlContainerThroughputUpdate", "SqlContainerUpdate", "SqlDatabaseDelete", "SqlDatabaseThroughputUpdate", "SqlDatabaseUpdate", "TableTableDelete", "TableTableThroughputUpdate","TableTableUpdate"] namespace: "Microsoft.DocumentDb/databaseAccounts" + ignore_unsupported: true dimensions: - name: "ResourceName" value: "*" diff --git a/x-pack/metricbeat/module/azure/fields.go b/x-pack/metricbeat/module/azure/fields.go index 4c0ad95ad98..6a308a5d2ae 100644 --- a/x-pack/metricbeat/module/azure/fields.go +++ b/x-pack/metricbeat/module/azure/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAzure returns asset data. // This is the base64 encoded gzipped contents of module/azure. func AssetAzure() string { - return "eJzUV8tu2zoQ3fsrBl4GSD7AiwsEt5suuuteGJNjhY1EEuQorfv1hR6kKVHyo1aKxIsAEcnzEM8MqUd4peMO8HfjaAPAiivawfa5/X+7AZDkhVOWldE7+G8DAP1cqI1sqnaJo4rQ0w5K3AAcFFXS77qJj6CxphN4++Ojbac609jhyQzDGCaFYlVT6VDpOBIgX+n40ziZPJ8F7n/fXwieexvETokZ3MDoyJvGCcoIUw9X0AUc8JaEOihKpU7tjiwfLY0Glh1fkBGktMvBHIATWbPUU4srcMfXkGNHw1j6p4dZWrP/QYInQ/3D4pywZEpRo7VKl8P87cP2NhN9bKKNTmwWmvavtziTmptjGqHAU0WCk9wENt/sI0Sh5P2cKSB8/ZIRSlWT9sro8T4t7NGF/bl2b85oHpVyIi4T3k/xTw836z5UBhcG/1b1t14MOOLGaZK5XLS2UNqr8oX9xf4T+/CeGK9TgNZWSmC3zTM857pSsnQcObi/R6SykvSl9J7RcSGR51vjzMAVvB1ovjZwkpZrM5KWy3zzYYUbmuE0tLBqK2wNDBqz5O5VVSldvkdoB2hALaHxWBJIYlTVtckVjXOkxXHdzM6iBkrriPFXIYyf7sbyPl3g/H+KFXszWXRck+aifbCuyxM4ZOAns0Y2WS7vJB5A88tQYO2SUHQVvGJ99vm60Bd6atLzXfAe4rPtYaiDwpJTRq7ehEOZ9fAwgY/HgBCmeZeoxTLvGZbzhoIbrFYtru4Q6mAhgw20B+NIoOfViQPwMnUfuJWPoqGVpmtjxzS1bZiKt3pyFo0//cYq/vl16qTyjIHCC6zIE38OJ1FuHJ/xphmVJtfeFBm1oI9tbVALQe0ZQ45K5dkdP4ehoPaMIU/uTX2WDRrE5h9/yLhHT8XQmT+ym6A1nCL5B6HRio27/p5aXnlLzYGnd9LlkvZsHJYfOiaDxPhe/wQAAP//ZxBMvQ==" + return "eJzkmU1v47YTxu/5FIMcA2w+gA9/IP+2hz0ULfpyJsbUWGEjkVxy6Kz76QuKkixLsizbspugOSywenme30MOJyLzBd5otwL8Ozh6AGDFBa3g8SX+//EBICMvnbKsjF7B/x4AID0LpclCEV9xVBB6WkGODwAbRUXmV9WDX0BjSXvx+MM7Gx91Jtj6yojDoUxXilVJuUOl2zuN5Bvt3o3LOtdHhdPPH68ELykGsVNyRLdxdORNcJIGht0MM+waHfCWpNoo6qL24x5E3lk6uHE88QmMBiW+DmYD3MEate5HXMC7HYahdhsYc//8NGpr1n+R5N6tdFFMgXUeESVaq3ReP//49HheiFQ2bYwKdlA08V9vcaRqzi7TVgo8FSS5UzeNmw/rVkKo7HrPriB8/XFgiNYWSuJifh29MbtMlaS9MvqwLI6UxIlymFsKE8gHnaMDNwBPj/jnp7O5N4XBIzcvpf45wYAjDk5TNsRFa4XSXuWv7E+2u7btr4lxHkF3mkd8ppqgZ3QsMuTxVjhyY0YvqkSH7zaepLOlHUlnx/3GqwXOaH79qoFFW18MUDOOlo7nw2Q3qZu+yX+9aBx9C+TZC2mC5mcfylHnsco4Yf1bUoZKeNp7g6qg7BbmSXmCIXhyTfig1bcwPvIXIPzpyU0Ye/JV17+J9+9J/GRuDPxKmuPioGxhhpeudvKb4Fk78+7JCVal0rkXmvjduDeRBVct3Gfc5kuR/T95Qe0FtRc0XrMAfbVS70Dnq/V7DpojSWpL4g5wtdV5fNYZGQtU53cZwL3deZhsGIu7EFZO03D0XVKld4NO/VOjPbE+O/71ON2QAJCb2YCCtlScQvLktjcnSiYTQJbcxrgStaQ0SbHFllQatxO4RVXguiCx3jH5Javp170tNLaQbKG1hcp2Pna9aIR1aot8L+raFWrXS6GlDcKSk6QZc0oL+W7s0gbYm6e1fW2Efwn+bGxlqhmL5MKTNDq7G/nXX1K1RD5I3oNdxloVhdL5LfYYtTSgjt86ceIzYlTF3A2qDM6RlrvRsbr4tGxUtZ1IR4zfhTS+Pw8Xz9APfa32CIYsOi5Js4gXlk25F4eB+D6sycJg93ulcS06PGLdf2XH/lNt+Rbc0KX6OrGRTNak+7GuN57cT9brIHYAZbLD0z24fsSbZZbkoSffnibIqj3coNTaZZ4cjtcbSg5YLLq4qpPOShYGso3txjiS6Hlx40b4uHUquIXPLupW2n237ZimtIFJbMveidfhH5QOKe5+arqnnAggvMSCPPHnSNLitvdHsmlGpckJpT3H39gfO1pNCw3tRCBHufLsdp8jUEM7ESjua9RnmaAadhAnQ8Y1ehJ1Z/7IaRrW5rfIIExptGLj5n+n5jO/UofC/W/S40vas3FxK/KBB7ZGbMf1nwAAAP//oQy/EA==" } diff --git a/x-pack/metricbeat/module/azure/module.yml b/x-pack/metricbeat/module/azure/module.yml index a51b202612b..4170154e246 100644 --- a/x-pack/metricbeat/module/azure/module.yml +++ b/x-pack/metricbeat/module/azure/module.yml @@ -4,5 +4,6 @@ metricsets: - container_instance - container_service - database_account + - app_state - compute_vm - compute_vm_scaleset diff --git a/x-pack/metricbeat/module/azure/monitor/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/monitor/_meta/docs.asciidoc index 19254f4ada9..9957b6a2ddd 100644 --- a/x-pack/metricbeat/module/azure/monitor/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/azure/monitor/_meta/docs.asciidoc @@ -50,6 +50,9 @@ Metrics with dimensions are exported as flattened single dimensional metrics, ag `name`:: Dimension key `value`:: Dimension value. (Users can select * to return metric values for each dimension) +`ignore_unsupported`:: (_bool_) Namespaces can be unsupported by some resources and supported in some, this configuration option makes sure no error messages are returned if the namespace is unsupported. +The same will go for the metrics configured, some can be removed from Azure Monitor and it should not affect the state of the module. + Users can select the options to retrieve all metrics from a specific namespace using the following: ["source","yaml"] diff --git a/x-pack/metricbeat/module/azure/monitor/client_helper.go b/x-pack/metricbeat/module/azure/monitor/client_helper.go index 82875f46de5..403b971496f 100644 --- a/x-pack/metricbeat/module/azure/monitor/client_helper.go +++ b/x-pack/metricbeat/module/azure/monitor/client_helper.go @@ -78,20 +78,20 @@ func filterMetricNames(resourceId string, metricConfig azure.MetricConfig, metri } } else { // verify if configured metric names are valid, return log error event for the invalid ones, map only the valid metric names - supportedMetricNames, unsupportedMetricNames = filterSConfiguredMetrics(metricConfig.Name, metricDefinitions) - if len(unsupportedMetricNames) > 0 { + supportedMetricNames, unsupportedMetricNames = filterConfiguredMetrics(metricConfig.Name, metricDefinitions) + if len(unsupportedMetricNames) > 0 && !metricConfig.IgnoreUnsupported { return nil, errors.Errorf("the metric names configured %s are not supported for the resource %s and namespace %s", strings.Join(unsupportedMetricNames, ","), resourceId, metricConfig.Namespace) } } - if len(supportedMetricNames) == 0 { + if len(supportedMetricNames) == 0 && !metricConfig.IgnoreUnsupported { return nil, errors.Errorf("the metric names configured : %s are not supported for the resource %s and namespace %s ", strings.Join(metricConfig.Name, ","), resourceId, metricConfig.Namespace) } return supportedMetricNames, nil } -// filterSConfiguredMetrics will filter out any unsupported metrics based on the namespace selected -func filterSConfiguredMetrics(selectedRange []string, allRange []insights.MetricDefinition) ([]string, []string) { +// filterConfiguredMetrics will filter out any unsupported metrics based on the namespace selected +func filterConfiguredMetrics(selectedRange []string, allRange []insights.MetricDefinition) ([]string, []string) { var inRange []string var notInRange []string var allMetrics string diff --git a/x-pack/metricbeat/module/azure/monitor/client_helper_test.go b/x-pack/metricbeat/module/azure/monitor/client_helper_test.go index a15ee0089b9..bcbad0f4c26 100644 --- a/x-pack/metricbeat/module/azure/monitor/client_helper_test.go +++ b/x-pack/metricbeat/module/azure/monitor/client_helper_test.go @@ -108,7 +108,7 @@ func TestMapMetric(t *testing.T) { func TestFilterSConfiguredMetrics(t *testing.T) { selectedRange := []string{"TotalRequests", "Capacity", "CPUUsage"} - intersection, difference := filterSConfiguredMetrics(selectedRange, *MockMetricDefinitions()) + intersection, difference := filterConfiguredMetrics(selectedRange, *MockMetricDefinitions()) assert.Equal(t, intersection, []string{"TotalRequests", "Capacity"}) assert.Equal(t, difference, []string{"CPUUsage"}) } diff --git a/x-pack/metricbeat/module/azure/test/integration.go b/x-pack/metricbeat/module/azure/test/integration.go index 7187e3b93f7..39e8402110c 100644 --- a/x-pack/metricbeat/module/azure/test/integration.go +++ b/x-pack/metricbeat/module/azure/test/integration.go @@ -40,3 +40,23 @@ func GetConfig(t *testing.T, metricSetName string) map[string]interface{} { "subscription_id": subId, } } + +// GetConfigForInsights function gets azure credentials for integration tests. +func GetConfigForInsights(t *testing.T, metricSetName string) map[string]interface{} { + t.Helper() + applicationId, ok := os.LookupEnv("AZURE_APPLICATION_ID") + if !ok { + t.Fatal("Could not find var AZURE_APPLICATION_ID") + } + apiKey, ok := os.LookupEnv("AZURE_API_KEY") + if !ok { + t.Fatal("Could not find var AZURE_API_KEY") + } + return map[string]interface{}{ + "module": "azure", + "period": "300s", + "metricsets": []string{metricSetName}, + "application_id": applicationId, + "api_key": apiKey, + } +} diff --git a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-pubsub-overview.json b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-pubsub-overview.json index 52041a1c64c..6b937817527 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-pubsub-overview.json +++ b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-pubsub-overview.json @@ -2,7 +2,7 @@ "objects": [ { "attributes": { - "description": "Overview of Googlecloud Pubsub Metrics", + "description": "Overview of Googlecloud PubSub Metrics", "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { @@ -23,212 +23,242 @@ "title": "Filters" }, "gridData": { - "h": 13, - "i": "575df0fe-b44d-471f-8386-c4bd118a3810", - "w": 10, + "h": 6, + "i": "3674673e-83e6-42df-8392-5284960a12ea", + "w": 48, "x": 0, "y": 0 }, - "panelIndex": "575df0fe-b44d-471f-8386-c4bd118a3810", + "panelIndex": "3674673e-83e6-42df-8392-5284960a12ea", "panelRefName": "panel_0", "title": "Filters", - "version": "7.6.1" + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Oldest Unacked Message" + "title": "Topic Send Request" }, "gridData": { "h": 13, - "i": "5c336037-7c71-4eab-b544-926aaff73736", - "w": 17, - "x": 11, - "y": 0 + "i": "c1d89f36-43ed-42e6-98a0-8820b28f7953", + "w": 16, + "x": 0, + "y": 6 }, - "panelIndex": "5c336037-7c71-4eab-b544-926aaff73736", + "panelIndex": "c1d89f36-43ed-42e6-98a0-8820b28f7953", "panelRefName": "panel_1", - "title": "Subscription Oldest Unacked Message", - "version": "7.6.1" + "title": "Topic Send Request", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Undelivered Messages" + "title": "Topic Oldest Retained Acked Message Age" }, "gridData": { "h": 13, - "i": "389bc633-eeaf-4deb-815c-3a6b8e5d95ac", - "w": 19, - "x": 29, - "y": 0 + "i": "b26a6238-b982-4082-9e4e-3e3d9361a865", + "w": 16, + "x": 16, + "y": 6 }, - "panelIndex": "389bc633-eeaf-4deb-815c-3a6b8e5d95ac", + "panelIndex": "b26a6238-b982-4082-9e4e-3e3d9361a865", "panelRefName": "panel_2", - "title": "Subscription Undelivered Messages", - "version": "7.6.1" + "title": "Topic Oldest Retained Acked Message Age", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Backlog Size" + "title": "Topic Oldest Unacked Message Age" }, "gridData": { - "h": 15, - "i": "2e8dc479-ba85-4424-87c4-40b93e801006", - "w": 24, - "x": 0, - "y": 13 + "h": 13, + "i": "c7bbeabc-b158-4bdd-9ba3-9d45264d250b", + "w": 16, + "x": 32, + "y": 6 }, - "panelIndex": "2e8dc479-ba85-4424-87c4-40b93e801006", + "panelIndex": "c7bbeabc-b158-4bdd-9ba3-9d45264d250b", "panelRefName": "panel_3", - "title": "Subscription Backlog Size", - "version": "7.6.1" + "title": "Topic Oldest Unacked Message Age", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Pull Request Count" + "title": "Subsciption Oldest Unacked Message" }, "gridData": { - "h": 15, - "i": "aefce32f-71e4-4770-9a4b-bedb2c608abd", - "w": 24, - "x": 24, - "y": 13 + "h": 13, + "i": "b822a795-7086-4559-b7c0-176dfcc7380e", + "w": 16, + "x": 0, + "y": 19 }, - "panelIndex": "aefce32f-71e4-4770-9a4b-bedb2c608abd", + "panelIndex": "b822a795-7086-4559-b7c0-176dfcc7380e", "panelRefName": "panel_4", - "title": "Subscription Pull Request Count", - "version": "7.6.1" + "title": "Subsciption Oldest Unacked Message", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Topic Message Size" + "title": "Subscription Number of Undelivered Messages" }, "gridData": { - "h": 15, - "i": "ca4cce89-0d1d-4d96-b35f-443a05d1b410", - "w": 24, - "x": 0, - "y": 28 + "h": 13, + "i": "9c99d7bb-88f0-415c-abc1-c12ec1295236", + "w": 16, + "x": 16, + "y": 19 }, - "panelIndex": "ca4cce89-0d1d-4d96-b35f-443a05d1b410", + "panelIndex": "9c99d7bb-88f0-415c-abc1-c12ec1295236", "panelRefName": "panel_5", - "title": "Topic Message Size", - "version": "7.6.1" + "title": "Subscription Number of Undelivered Messages", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Undelivered Messages" + "title": "Snapshot Oldest Message" }, "gridData": { - "h": 15, - "i": "95c5c1f6-194c-4814-8281-02fecf7a81a5", - "w": 24, - "x": 24, - "y": 28 + "h": 13, + "i": "8cc0ccbd-5798-4d68-a519-07ef1d9693fd", + "w": 16, + "x": 32, + "y": 32 }, - "panelIndex": "95c5c1f6-194c-4814-8281-02fecf7a81a5", + "panelIndex": "8cc0ccbd-5798-4d68-a519-07ef1d9693fd", "panelRefName": "panel_6", - "title": "Subscription Undelivered Messages", - "version": "7.6.1" + "title": "Snapshot Oldest Message", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Pull Message Operation Count" + "title": "Snapshot Number of Messages" }, "gridData": { - "h": 15, - "i": "ab2fad6a-f888-4b49-92c4-c220f3b8669c", - "w": 24, + "h": 13, + "i": "f9e45ec1-72e5-4f49-82cf-2132162d642c", + "w": 16, "x": 0, - "y": 43 + "y": 32 }, - "panelIndex": "ab2fad6a-f888-4b49-92c4-c220f3b8669c", + "panelIndex": "f9e45ec1-72e5-4f49-82cf-2132162d642c", "panelRefName": "panel_7", - "title": "Subscription Pull Message Operation Count", - "version": "7.6.1" + "title": "Snapshot Number of Messages", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Sent Message Count" + "title": "Snapshot Backlog Bytes" }, "gridData": { - "h": 15, - "i": "2121bde6-3a01-4339-8508-a20c107c62c9", - "w": 24, - "x": 24, - "y": 43 + "h": 13, + "i": "d8876e62-daf0-4654-8618-8746d5da43e0", + "w": 16, + "x": 16, + "y": 32 }, - "panelIndex": "2121bde6-3a01-4339-8508-a20c107c62c9", + "panelIndex": "d8876e62-daf0-4654-8618-8746d5da43e0", "panelRefName": "panel_8", - "title": "Subscription Sent Message Count", - "version": "7.6.1" + "title": "Snapshot Backlog Bytes", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Subscription Backlog Bytes" + }, + "gridData": { + "h": 13, + "i": "6079e9ed-da9f-4457-bb3a-7ed20f98605e", + "w": 16, + "x": 32, + "y": 19 + }, + "panelIndex": "6079e9ed-da9f-4457-bb3a-7ed20f98605e", + "panelRefName": "panel_9", + "title": "Subscription Backlog Bytes", + "version": "7.9.0" } ], "timeRestore": false, - "title": "[Metricbeat Googlecloud] Pubsub Overview", + "title": "[Metricbeat Googlecloud] PubSub Overview", "version": 1 }, - "id": "ac97c2f0-6ac5-11ea-b657-e57ec854315f", + "id": "2b0fd7b0-feac-11ea-b032-d59f894a5072", "migrationVersion": { "dashboard": "7.3.0" }, + "namespaces": [ + "default" + ], "references": [ { - "id": "8897e920-6ac5-11ea-b657-e57ec854315f", + "id": "f6e33a00-feaf-11ea-b032-d59f894a5072", "name": "panel_0", "type": "visualization" }, { - "id": "1a83ede0-6ab5-11ea-b657-e57ec854315f", + "id": "bd399790-01a2-11eb-b032-d59f894a5072", "name": "panel_1", - "type": "visualization" + "type": "lens" }, { - "id": "fddf3a50-6ac8-11ea-b657-e57ec854315f", + "id": "25b76dc0-01a2-11eb-b032-d59f894a5072", "name": "panel_2", - "type": "visualization" + "type": "lens" }, { - "id": "5067cf60-6a2b-11ea-b657-e57ec854315f", + "id": "5f97d300-01a1-11eb-b032-d59f894a5072", "name": "panel_3", - "type": "visualization" + "type": "lens" }, { - "id": "8e4a1d50-6ab8-11ea-b657-e57ec854315f", + "id": "403d81e0-01a0-11eb-b032-d59f894a5072", "name": "panel_4", - "type": "visualization" + "type": "lens" }, { - "id": "0cb2b3f0-6abe-11ea-b657-e57ec854315f", + "id": "11d06fc0-01a0-11eb-b032-d59f894a5072", "name": "panel_5", - "type": "visualization" + "type": "lens" }, { - "id": "afe5e1b0-6ab3-11ea-b657-e57ec854315f", + "id": "f3e92c10-019d-11eb-b032-d59f894a5072", "name": "panel_6", - "type": "visualization" + "type": "lens" }, { - "id": "8355dab0-6ab8-11ea-b657-e57ec854315f", + "id": "6de1f430-019d-11eb-b032-d59f894a5072", "name": "panel_7", - "type": "visualization" + "type": "lens" }, { - "id": "97ee1230-6ab8-11ea-b657-e57ec854315f", + "id": "0776dbf0-019f-11eb-b032-d59f894a5072", "name": "panel_8", - "type": "visualization" + "type": "lens" + }, + { + "id": "79d80f10-01a0-11eb-b032-d59f894a5072", + "name": "panel_9", + "type": "lens" } ], "type": "dashboard", - "updated_at": "2020-03-20T16:52:13.023Z", - "version": "WzEwMDUsM10=" + "updated_at": "2020-09-28T16:57:22.839Z", + "version": "WzY5MDQsMV0=" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { - "searchSourceJSON": {} + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, - "title": "Pubsub Filters [Metricbeat Googlecloud]", + "title": "PubSub Filter [Metricbeat Googlecloud]", "uiStateJSON": {}, "version": 1, "visState": { @@ -237,7 +267,7 @@ "controls": [ { "fieldName": "googlecloud.labels.resource.subscription_id", - "id": "1584720667458", + "id": "1600984143264", "indexPatternRefName": "control_0_index_pattern", "label": "Subscription ID", "options": { @@ -252,7 +282,7 @@ }, { "fieldName": "googlecloud.labels.resource.topic_id", - "id": "1584720684072", + "id": "1600984164459", "indexPatternRefName": "control_1_index_pattern", "label": "Topic ID", "options": { @@ -264,20 +294,53 @@ }, "parent": "", "type": "list" + }, + { + "fieldName": "googlecloud.labels.resource.snapshot_id", + "id": "1601305675297", + "indexPatternRefName": "control_2_index_pattern", + "label": "Snapshot ID", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "googlecloud.labels.metrics.region", + "id": "1601307561260", + "indexPatternRefName": "control_3_index_pattern", + "label": "Region", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" } ], - "pinFilters": true, - "updateFiltersOnChange": true, - "useTimeFilter": true + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false }, - "title": "Pubsub Filters [Metricbeat Googlecloud]", + "title": "PubSub Filter [Metricbeat Googlecloud]", "type": "input_control_vis" } }, - "id": "8897e920-6ac5-11ea-b657-e57ec854315f", + "id": "f6e33a00-feaf-11ea-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "metricbeat-*", @@ -288,640 +351,1038 @@ "id": "metricbeat-*", "name": "control_1_index_pattern", "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_3_index_pattern", + "type": "index-pattern" } ], "type": "visualization", - "updated_at": "2020-03-20T16:34:17.599Z", - "version": "Wzk5MywzXQ==" + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNjcsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Oldest Unacked Message [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" - } - ], - "bar_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"4f8dae5f-b49c-4a10-8f94-a29039f93919\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.topic_id\\\",\\\"orderBy\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.topic.send_request_count.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-4f8dae5f-b49c-4a10-8f94-a29039f93919\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.resource.topic_id\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.topic_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"4f8dae5f-b49c-4a10-8f94-a29039f93919\\\"},\\\"col-2-f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"id\\\":\\\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\"},\\\"col-3-27a71166-d245-471d-b550-ee0b1899ea88\\\":{\\\"label\\\":\\\"Topic Send Request Count\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.topic.send_request_count.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Topic Send Request Count\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"4f8dae5f-b49c-4a10-8f94-a29039f93919\" seriesType=\"line\" accessors=\"27a71166-d245-471d-b550-ee0b1899ea88\" columnToLabel=\"{\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\":\\\"Topic Send Request Count\\\",\\\"4f8dae5f-b49c-4a10-8f94-a29039f93919\\\":\\\"Top values of googlecloud.labels.resource.topic_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "8a3465a0-6ac6-11ea-a262-61aa6533c46b" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "4f8dae5f-b49c-4a10-8f94-a29039f93919", + "f0d11f8d-e2f9-408a-9114-a0b9b18142d4", + "27a71166-d245-471d-b550-ee0b1899ea88" + ], + "columns": { + "27a71166-d245-471d-b550-ee0b1899ea88": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Topic Send Request Count", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.topic.send_request_count.value", + "suggestedPriority": 0 + }, + "4f8dae5f-b49c-4a10-8f94-a29039f93919": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.topic_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "27a71166-d245-471d-b550-ee0b1899ea88", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.topic_id" + }, + "f0d11f8d-e2f9-408a-9114-a0b9b18142d4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "filter": { - "language": "kuery", - "query": "event.dataset: \"googlecloud.pubsub\" " - }, - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "Oldest Unacknowledged Message(s)", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.oldest_unacked_message_age.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "max" - } + "accessors": [ + "27a71166-d245-471d-b550-ee0b1899ea88" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "filter", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "seriesType": "line", + "splitAccessor": "4f8dae5f-b49c-4a10-8f94-a29039f93919", + "xAccessor": "f0d11f8d-e2f9-408a-9114-a0b9b18142d4" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "metric" - }, - "title": "Pubsub Subscription Oldest Unacked Message [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Topic Send Request [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "1a83ede0-6ab5-11ea-b657-e57ec854315f", + "id": "bd399790-01a2-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T16:22:19.360Z", - "version": "Wzk4OCwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNjgsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Number of Undelivered Messages [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"89c8d41d-6896-470d-8318-c0a691fa638e\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.metrics.region\\\",\\\"orderBy\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.topic.oldest_retained_acked_message_age_by_region.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"id\\\":\\\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\"},\\\"col-2-89c8d41d-6896-470d-8318-c0a691fa638e\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.metrics.region\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.metrics.region\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"89c8d41d-6896-470d-8318-c0a691fa638e\\\"},\\\"col-3-27a71166-d245-471d-b550-ee0b1899ea88\\\":{\\\"label\\\":\\\"Topic Oldest Retained Acked Message Age By Region\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.topic.oldest_retained_acked_message_age_by_region.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Topic Oldest Retained Acked Message Age By Region\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"89c8d41d-6896-470d-8318-c0a691fa638e\" seriesType=\"line\" accessors=\"27a71166-d245-471d-b550-ee0b1899ea88\" columnToLabel=\"{\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\":\\\"Topic Oldest Retained Acked Message Age By Region\\\",\\\"89c8d41d-6896-470d-8318-c0a691fa638e\\\":\\\"Top values of googlecloud.labels.metrics.region\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "eed2b050-6ac8-11ea-a765-0512a055c04c" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "f0d11f8d-e2f9-408a-9114-a0b9b18142d4", + "89c8d41d-6896-470d-8318-c0a691fa638e", + "27a71166-d245-471d-b550-ee0b1899ea88" + ], + "columns": { + "27a71166-d245-471d-b550-ee0b1899ea88": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Topic Oldest Retained Acked Message Age By Region", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.topic.oldest_retained_acked_message_age_by_region.value", + "suggestedPriority": 0 + }, + "89c8d41d-6896-470d-8318-c0a691fa638e": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.metrics.region", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "27a71166-d245-471d-b550-ee0b1899ea88", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.metrics.region" + }, + "f0d11f8d-e2f9-408a-9114-a0b9b18142d4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "Number of Undelivered Messages", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.num_undelivered_messages.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "27a71166-d245-471d-b550-ee0b1899ea88" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "everything", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "seriesType": "line", + "splitAccessor": "89c8d41d-6896-470d-8318-c0a691fa638e", + "xAccessor": "f0d11f8d-e2f9-408a-9114-a0b9b18142d4" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "metric" - }, - "title": "Pubsub Subscription Number of Undelivered Messages [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Topic Oldest Retained Acked Message Age By Region [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "fddf3a50-6ac8-11ea-b657-e57ec854315f", + "id": "25b76dc0-01a2-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T16:36:54.809Z", - "version": "Wzk5NywzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNjksMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Backlog Size [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"ed36f31e-ed2a-460a-a881-18e191f75d04\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.metrics.region\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.topic.oldest_unacked_message_age_by_region.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-ed36f31e-ed2a-460a-a881-18e191f75d04\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.metrics.region\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.metrics.region\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"ed36f31e-ed2a-460a-a881-18e191f75d04\\\"},\\\"col-2-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"label\\\":\\\"Topic Oldest Unacked Message Age By Region\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.topic.oldest_unacked_message_age_by_region.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Topic Oldest Unacked Message Age By Region\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"ed36f31e-ed2a-460a-a881-18e191f75d04\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Topic Oldest Unacked Message Age By Region\\\",\\\"ed36f31e-ed2a-460a-a881-18e191f75d04\\\":\\\"Top values of googlecloud.labels.metrics.region\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "cb6bee00-6a1f-11ea-b594-a5f826db7e0b" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "bar_color_rules": [ + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "ed36f31e-ed2a-460a-a881-18e191f75d04", + "6be62612-437b-448d-9631-c6cc0938225d", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "0888bf93-1ecf-467a-b0b5-9e0deee6545c": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.topic_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.topic_id" + }, + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Topic Oldest Unacked Message Age By Region", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.topic.oldest_unacked_message_age_by_region.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ed36f31e-ed2a-460a-a881-18e191f75d04": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.metrics.region", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.metrics.region" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "id": "cc54ee70-6a1f-11ea-b594-a5f826db7e0b" + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "ed36f31e-ed2a-460a-a881-18e191f75d04", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Topic Oldest Unacked Message Age By Region [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" + }, + "id": "5f97d300-01a1-11eb-b032-d59f894a5072", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNzAsMV0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.subscription.oldest_unacked_message_age.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"dataType\\\":\\\"date\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"@timestamp\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"scale\\\":\\\"interval\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-2251f8b6-6091-4386-890b-4d0d33e79a96\\\":{\\\"dataType\\\":\\\"string\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\",\\\"operationType\\\":\\\"terms\\\",\\\"params\\\":{\\\"orderBy\\\":{\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"type\\\":\\\"column\\\"},\\\"orderDirection\\\":\\\"desc\\\",\\\"size\\\":3},\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"customLabel\\\":true,\\\"dataType\\\":\\\"number\\\",\\\"isBucketed\\\":false,\\\"label\\\":\\\"Subscription Oldest Unacked Message Age\\\",\\\"operationType\\\":\\\"avg\\\",\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"googlecloud.pubsub.subscription.oldest_unacked_message_age.value\\\",\\\"suggestedPriority\\\":0,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Subscription Oldest Unacked Message Age\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"2251f8b6-6091-4386-890b-4d0d33e79a96\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Subscription Oldest Unacked Message Age\\\",\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "cce19e10-6a1f-11ea-b594-a5f826db7e0b" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "2251f8b6-6091-4386-890b-4d0d33e79a96", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "2251f8b6-6091-4386-890b-4d0d33e79a96": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.subscription_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.subscription_id" + }, + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Subscription Oldest Unacked Message Age", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.subscription.oldest_unacked_message_age.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "filter": { - "language": "kuery", - "query": "" - }, - "formatter": "bytes", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.backlog_bytes.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2251f8b6-6091-4386-890b-4d0d33e79a96", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Backlog Size [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Subscription Oldest Unacked Message [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "5067cf60-6a2b-11ea-b657-e57ec854315f", + "id": "403d81e0-01a0-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-19T21:48:05.334Z", - "version": "Wzk1NiwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:53:54.651Z", + "version": "WzY4NDIsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Pull Request Count [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.subscription.num_undelivered_messages.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"dataType\\\":\\\"date\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"@timestamp\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"scale\\\":\\\"interval\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-2251f8b6-6091-4386-890b-4d0d33e79a96\\\":{\\\"dataType\\\":\\\"string\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\",\\\"operationType\\\":\\\"terms\\\",\\\"params\\\":{\\\"orderBy\\\":{\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"type\\\":\\\"column\\\"},\\\"orderDirection\\\":\\\"desc\\\",\\\"size\\\":3},\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"customLabel\\\":true,\\\"dataType\\\":\\\"number\\\",\\\"isBucketed\\\":false,\\\"label\\\":\\\"Subscription Number of Undelivered Messages\\\",\\\"operationType\\\":\\\"avg\\\",\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"bytes\\\",\\\"params\\\":{\\\"decimals\\\":0}}},\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"googlecloud.pubsub.subscription.num_undelivered_messages.value\\\",\\\"suggestedPriority\\\":0,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\" | lens_format_column format=\"bytes\" columnId=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" decimals=0}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Subscription Number of Undelivered Messages\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"2251f8b6-6091-4386-890b-4d0d33e79a96\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Subscription Number of Undelivered Messages\\\",\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "2251f8b6-6091-4386-890b-4d0d33e79a96", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "2251f8b6-6091-4386-890b-4d0d33e79a96": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.subscription_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.subscription_id" + }, + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Subscription Number of Undelivered Messages", + "operationType": "avg", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "googlecloud.pubsub.subscription.num_undelivered_messages.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.pull_request_count.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2251f8b6-6091-4386-890b-4d0d33e79a96", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Pull Request Count [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Subscription Number of Undelivered Messages [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "8e4a1d50-6ab8-11ea-b657-e57ec854315f", + "id": "11d06fc0-01a0-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T16:10:38.696Z", - "version": "Wzk3OCwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:55:54.581Z", + "version": "WzY4NzYsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Topic Message Size [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.snapshot.oldest_message_age.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-921ee447-0c37-4e9d-9f42-a491f412baef\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"label\\\":\\\"Snapshot Oldest Message\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.snapshot.oldest_message_age.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Snapshot Oldest Message\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"921ee447-0c37-4e9d-9f42-a491f412baef\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Snapshot Oldest Message\\\",\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "921ee447-0c37-4e9d-9f42-a491f412baef", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Snapshot Oldest Message", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.snapshot.oldest_message_age.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "921ee447-0c37-4e9d-9f42-a491f412baef": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.snapshot_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.snapshot_id" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.topic.message_sizes.bucket_options.Options.ExponentialBuckets.num_finite_buckets.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.topic_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "921ee447-0c37-4e9d-9f42-a491f412baef", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Topic Message Size [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Snapshot Oldest Message [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "0cb2b3f0-6abe-11ea-b657-e57ec854315f", + "id": "f3e92c10-019d-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T16:53:34.774Z", - "version": "WzEwMDcsM10=" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNzMsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Undelivered Messages [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"ef2fc668-040b-4c82-9f65-5d3fb25c9536\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"orderBy\\\":\\\"_key\\\",\\\"order\\\":\\\"asc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.snapshot.num_messages.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-ef2fc668-040b-4c82-9f65-5d3fb25c9536\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"alphabetical\\\"},\\\"orderDirection\\\":\\\"asc\\\"},\\\"id\\\":\\\"ef2fc668-040b-4c82-9f65-5d3fb25c9536\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"label\\\":\\\"Snapshot Number of Messages\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.snapshot.num_messages.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Snapshot Number of Messages\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"ef2fc668-040b-4c82-9f65-5d3fb25c9536\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Snapshot Number of Messages\\\",\\\"ef2fc668-040b-4c82-9f65-5d3fb25c9536\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.num_undelivered_messages.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "ef2fc668-040b-4c82-9f65-5d3fb25c9536", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Snapshot Number of Messages", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.snapshot.num_messages.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ef2fc668-040b-4c82-9f65-5d3fb25c9536": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.snapshot_id", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.snapshot_id" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "ef2fc668-040b-4c82-9f65-5d3fb25c9536", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Undelivered Messages [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Snapshot Number of Messages [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "afe5e1b0-6ab3-11ea-b657-e57ec854315f", + "id": "6de1f430-019d-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T14:04:17.099Z", - "version": "Wzk1OCwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNzQsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Pull Message Operation Count [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.snapshot.backlog_bytes.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-921ee447-0c37-4e9d-9f42-a491f412baef\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"label\\\":\\\"Snapshot Backlog Bytes\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.snapshot.backlog_bytes.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"bytes\\\",\\\"params\\\":{\\\"decimals\\\":0}}},\\\"customLabel\\\":true,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\" | lens_format_column format=\"bytes\" columnId=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" decimals=0}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Snapshot Backlog Bytes\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"921ee447-0c37-4e9d-9f42-a491f412baef\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Snapshot Backlog Bytes\\\",\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "921ee447-0c37-4e9d-9f42-a491f412baef", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Snapshot Backlog Bytes", + "operationType": "avg", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "googlecloud.pubsub.snapshot.backlog_bytes.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "921ee447-0c37-4e9d-9f42-a491f412baef": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.snapshot_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.snapshot_id" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.pull_message_operation_count.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "max" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "921ee447-0c37-4e9d-9f42-a491f412baef", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Pull Message Operation Count [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Snapshot Backlog Bytes [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "8355dab0-6ab8-11ea-b657-e57ec854315f", + "id": "0776dbf0-019f-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T14:38:49.818Z", - "version": "Wzk2MSwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNzUsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Sent Message Count [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.subscription.backlog_bytes.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"dataType\\\":\\\"date\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"@timestamp\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"scale\\\":\\\"interval\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-2251f8b6-6091-4386-890b-4d0d33e79a96\\\":{\\\"dataType\\\":\\\"string\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\",\\\"operationType\\\":\\\"terms\\\",\\\"params\\\":{\\\"orderBy\\\":{\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"type\\\":\\\"column\\\"},\\\"orderDirection\\\":\\\"desc\\\",\\\"size\\\":3},\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"customLabel\\\":true,\\\"dataType\\\":\\\"number\\\",\\\"isBucketed\\\":false,\\\"label\\\":\\\"Subscription Backlog Bytes\\\",\\\"operationType\\\":\\\"avg\\\",\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"bytes\\\",\\\"params\\\":{\\\"decimals\\\":0}}},\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"googlecloud.pubsub.subscription.backlog_bytes.value\\\",\\\"suggestedPriority\\\":0,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\" | lens_format_column format=\"bytes\" columnId=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" decimals=0}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Subscription Backlog Bytes\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"2251f8b6-6091-4386-890b-4d0d33e79a96\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Subscription Backlog Bytes\\\",\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "2251f8b6-6091-4386-890b-4d0d33e79a96", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "2251f8b6-6091-4386-890b-4d0d33e79a96": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.subscription_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.subscription_id" + }, + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Subscription Backlog Bytes", + "operationType": "avg", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "googlecloud.pubsub.subscription.backlog_bytes.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.sent_message_count.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2251f8b6-6091-4386-890b-4d0d33e79a96", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Sent Message Count [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Subscription Backlog [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "97ee1230-6ab8-11ea-b657-e57ec854315f", + "id": "79d80f10-01a0-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T15:12:11.523Z", - "version": "Wzk2NCwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:56:57.481Z", + "version": "WzY4OTYsMV0=" } ], - "version": "7.6.1" + "version": "7.9.0" } diff --git a/x-pack/metricbeat/module/istio/_meta/config.reference.yml b/x-pack/metricbeat/module/istio/_meta/config.reference.yml index c3e940f80e5..146728fdfcd 100644 --- a/x-pack/metricbeat/module/istio/_meta/config.reference.yml +++ b/x-pack/metricbeat/module/istio/_meta/config.reference.yml @@ -32,3 +32,10 @@ period: 10s # use istio-pilot.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset hosts: ["localhost:15014"] + +# Istio istiod to monitor the Istio Daemon for versions after 1.5 of Istio. +- module: istio + metricsets: ['istiod'] + period: 10s + # use istiod.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset + hosts: ['localhost:15014'] diff --git a/x-pack/metricbeat/module/istio/_meta/config.yml b/x-pack/metricbeat/module/istio/_meta/config.yml index c3e940f80e5..146728fdfcd 100644 --- a/x-pack/metricbeat/module/istio/_meta/config.yml +++ b/x-pack/metricbeat/module/istio/_meta/config.yml @@ -32,3 +32,10 @@ period: 10s # use istio-pilot.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset hosts: ["localhost:15014"] + +# Istio istiod to monitor the Istio Daemon for versions after 1.5 of Istio. +- module: istio + metricsets: ['istiod'] + period: 10s + # use istiod.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset + hosts: ['localhost:15014'] diff --git a/x-pack/metricbeat/module/istio/_meta/docs.asciidoc b/x-pack/metricbeat/module/istio/_meta/docs.asciidoc index 0a52294d1fc..cfba8ec7ce8 100644 --- a/x-pack/metricbeat/module/istio/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/istio/_meta/docs.asciidoc @@ -1,9 +1,22 @@ -This is the Istio module. The Istio module collects metrics from the +This is the Istio module. +This module is compatible with versions before `1.5` of Istio where microservices architecture is used. If using +versions priot to `1.5` then `mesh`, `mixer`, `pilot`, `galley`, `citadel` metricsets should be used. +wehre the Istio module collects metrics from the Istio https://istio.io/v1.4/docs/tasks/observability/metrics/querying-metrics/#about-the-prometheus-add-on[prometheus exporters endpoints]. +For versions after `1.5`, `istiod` metricset can be used which collects metrics directly from Istio Daemon. The default metricsets are `mesh`, `mixer`, `pilot`, `galley`, `citadel`. [float] === Compatibility -The Istio module is tested with Istio `1.4`. +The Istio module is tested with Istio `1.4` for `mesh`, `mixer`, `pilot`, `galley`, `citadel`. +The Istio module is tested with Istio `1.7` for `istiod`. + +[float] +=== Dashboard + +The Istio module includes a predefined dashboard with overview information about Istio Daemon. +This dashboard is only compatible with versions of Istio after `1.5` which should be monitored with `istiod` metricset. + +image::./images/metricbeat-istio-overview.png[] diff --git a/x-pack/metricbeat/module/istio/_meta/kibana/7/dashboard/Metricbeat-istio-overview.json b/x-pack/metricbeat/module/istio/_meta/kibana/7/dashboard/Metricbeat-istio-overview.json new file mode 100644 index 00000000000..72b995c2382 --- /dev/null +++ b/x-pack/metricbeat/module/istio/_meta/kibana/7/dashboard/Metricbeat-istio-overview.json @@ -0,0 +1,1762 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of the Istiod Service status", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "Pilot Proxy Queue Time" + }, + "gridData": { + "h": 9, + "i": "cd1bbc4f-95de-4156-a3ef-c091cf6402c0", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "cd1bbc4f-95de-4156-a3ef-c091cf6402c0", + "panelRefName": "panel_0", + "title": "Pilot Proxy Queue Time", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pilot xds Push Time" + }, + "gridData": { + "h": 9, + "i": "06af11e6-e026-48db-a06b-b34b402b535b", + "w": 12, + "x": 12, + "y": 0 + }, + "panelIndex": "06af11e6-e026-48db-a06b-b34b402b535b", + "panelRefName": "panel_1", + "title": "Pilot xds Push Time", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pilot xds Pushes" + }, + "gridData": { + "h": 9, + "i": "d9a49bf0-f88b-4d4f-a1e2-74fbd482f77c", + "w": 11, + "x": 24, + "y": 0 + }, + "panelIndex": "d9a49bf0-f88b-4d4f-a1e2-74fbd482f77c", + "panelRefName": "panel_2", + "title": "Pilot xds Pushes", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pilot Inbound Updates" + }, + "gridData": { + "h": 9, + "i": "a8e47ef0-03db-419f-890f-0880d674682c", + "w": 13, + "x": 35, + "y": 0 + }, + "panelIndex": "a8e47ef0-03db-419f-890f-0880d674682c", + "panelRefName": "panel_3", + "title": "Pilot Inbound Updates", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Citadel Cert Issuane" + }, + "gridData": { + "h": 9, + "i": "e708abfa-5a95-483c-9bb2-4470ee913f3c", + "w": 12, + "x": 0, + "y": 9 + }, + "panelIndex": "e708abfa-5a95-483c-9bb2-4470ee913f3c", + "panelRefName": "panel_4", + "title": "Citadel Cert Issuane", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Galley Validation Failed" + }, + "gridData": { + "h": 9, + "i": "724f0f9e-2186-4ddd-859c-edb2649b8c0f", + "w": 12, + "x": 12, + "y": 9 + }, + "panelIndex": "724f0f9e-2186-4ddd-859c-edb2649b8c0f", + "panelRefName": "panel_5", + "title": "Galley Validation Failed", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pods witout IP", + "vis": null + }, + "gridData": { + "h": 9, + "i": "32eaa989-a4f9-4d31-97cb-684f31488aa8", + "w": 8, + "x": 24, + "y": 9 + }, + "panelIndex": "32eaa989-a4f9-4d31-97cb-684f31488aa8", + "panelRefName": "panel_6", + "title": "Pods witout IP", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pilot Virtual Services", + "vis": null + }, + "gridData": { + "h": 9, + "i": "6a8463fe-b7cb-4cd8-bf01-f7ca6a185178", + "w": 8, + "x": 32, + "y": 9 + }, + "panelIndex": "6a8463fe-b7cb-4cd8-bf01-f7ca6a185178", + "panelRefName": "panel_7", + "title": "Pilot Virtual Services", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pilot Services", + "vis": null + }, + "gridData": { + "h": 9, + "i": "51ecc2f8-3c3f-4a80-b4b6-b52db10e68ad", + "w": 8, + "x": 40, + "y": 9 + }, + "panelIndex": "51ecc2f8-3c3f-4a80-b4b6-b52db10e68ad", + "panelRefName": "panel_8", + "title": "Pilot Services", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pilot Conflict Inbound Listener", + "vis": null + }, + "gridData": { + "h": 9, + "i": "0a63d980-8d93-4ce1-b5a1-ab77e589ceec", + "w": 9, + "x": 0, + "y": 18 + }, + "panelIndex": "0a63d980-8d93-4ce1-b5a1-ab77e589ceec", + "panelRefName": "panel_9", + "title": "Pilot Conflict Inbound Listener", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pilot eds instances", + "vis": null + }, + "gridData": { + "h": 9, + "i": "9fbfca4c-37b5-4a1a-924e-49fc9ef2294c", + "w": 10, + "x": 9, + "y": 18 + }, + "panelIndex": "9fbfca4c-37b5-4a1a-924e-49fc9ef2294c", + "panelRefName": "panel_10", + "title": "Pilot eds instances", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pilot xds endpoints" + }, + "gridData": { + "h": 9, + "i": "d6b2845f-9582-4863-853e-ab753f3d763e", + "w": 14, + "x": 19, + "y": 18 + }, + "panelIndex": "d6b2845f-9582-4863-853e-ab753f3d763e", + "panelRefName": "panel_11", + "title": "Pilot xds endpoints", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Pilot xds expired" + }, + "gridData": { + "h": 9, + "i": "3d0dec37-26c3-490b-a45f-48b6d1baa160", + "w": 15, + "x": 33, + "y": 18 + }, + "panelIndex": "3d0dec37-26c3-490b-a45f-48b6d1baa160", + "panelRefName": "panel_12", + "title": "Pilot xds expired", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "[Metricbeat Istio] Overview", + "version": 1 + }, + "id": "d899d3f0-0883-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "dd1392f0-07d8-11eb-a3fd-1b45ec532bb3", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "b5b3abb0-087c-11eb-a3fd-1b45ec532bb3", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "f858c200-087e-11eb-a3fd-1b45ec532bb3", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "aa997510-087d-11eb-a3fd-1b45ec532bb3", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "506c8490-087f-11eb-a3fd-1b45ec532bb3", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "98b01f00-087f-11eb-a3fd-1b45ec532bb3", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "4275f710-0882-11eb-a3fd-1b45ec532bb3", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "96bfe060-0882-11eb-a3fd-1b45ec532bb3", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "6cfbe3f0-0882-11eb-a3fd-1b45ec532bb3", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "d62a1e60-0881-11eb-a3fd-1b45ec532bb3", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "12cdcce0-0882-11eb-a3fd-1b45ec532bb3", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "e5f3e870-0882-11eb-a3fd-1b45ec532bb3", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "0ed17c80-0883-11eb-a3fd-1b45ec532bb3", + "name": "panel_12", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-10-07T10:23:52.518Z", + "version": "WzQ0OTIsMV0=" + }, + { + "attributes": { + "description": "Time in seconds, a proxy is in the push queue before being dequeued.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot Proxy Queue Time [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "7ccbe640-07d8-11eb-985d-2f490d4c2901", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#6092C0", + "fill": 0, + "formatter": "number", + "id": "7ccbe641-07d8-11eb-985d-2f490d4c2901", + "label": "queue_time", + "line_width": 2, + "metrics": [ + { + "field": "prometheus.pilot_proxy_queue_time.histogram.values", + "id": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "percentiles": [ + { + "id": "88c0d000-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "25" + }, + { + "id": "03ef6580-0887-11eb-876a-9d8e5e94d2f5", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "50" + }, + { + "id": "071fe4f0-0887-11eb-876a-9d8e5e94d2f5", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "75" + }, + { + "id": "0b7164c0-0887-11eb-876a-9d8e5e94d2f5", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "90" + }, + { + "id": "0f611580-0887-11eb-876a-9d8e5e94d2f5", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "95" + }, + { + "id": "136f98e0-0887-11eb-876a-9d8e5e94d2f5", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "99" + } + ], + "type": "percentile" + } + ], + "point_size": 0, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Pilot Proxy Queue Time [Metricbeat Istio]", + "type": "metrics" + } + }, + "id": "dd1392f0-07d8-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-10-07T10:23:11.367Z", + "version": "WzQ0ODMsMV0=" + }, + { + "attributes": { + "description": "Total time in seconds Pilot takes to push lds, rds, cds and eds.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot xds Push Time [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "7ccbe640-07d8-11eb-985d-2f490d4c2901", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#6092C0", + "fill": 0, + "filter": { + "language": "kuery", + "query": "prometheus.labels.type: \"rds\" OR prometheus.labels.type: \"lds\" OR prometheus.labels.type: \"cds\" OR prometheus.labels.type: \"eds\"" + }, + "formatter": "s,s,", + "id": "7ccbe641-07d8-11eb-985d-2f490d4c2901", + "label": "pilot_xds_push_time", + "line_width": 2, + "metrics": [ + { + "field": "prometheus.pilot_xds_push_time.histogram.values", + "id": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "percentiles": [ + { + "id": "88c0d000-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "25" + }, + { + "id": "95c750d0-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "50" + }, + { + "id": "9c5ec900-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "75" + }, + { + "id": "9f8e3700-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "95" + }, + { + "id": "a3581040-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "99" + } + ], + "type": "percentile" + } + ], + "point_size": 0, + "separate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "prometheus.labels.type", + "terms_size": "20", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Pilot xds Push Time [Metricbeat Istio]", + "type": "metrics" + } + }, + "id": "b5b3abb0-087c-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-10-07T10:23:48.176Z", + "version": "WzQ0ODgsMV0=" + }, + { + "attributes": { + "description": "Pilot build and send errors for lds, rds, cds and eds.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot xds Pushes [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "7ccbe640-07d8-11eb-985d-2f490d4c2901", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#6092C0", + "fill": 0, + "filter": { + "language": "kuery", + "query": "" + }, + "formatter": "number", + "id": "7ccbe641-07d8-11eb-985d-2f490d4c2901", + "label": "pilot_xds_pushes", + "line_width": 2, + "metrics": [ + { + "field": "prometheus.pilot_xds_pushes.counter", + "id": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "percentiles": [ + { + "id": "88c0d000-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "50" + }, + { + "id": "95c750d0-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "25" + }, + { + "id": "9c5ec900-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "75" + }, + { + "id": "9f8e3700-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "95" + }, + { + "id": "a3581040-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "99" + } + ], + "type": "max", + "unit": "" + } + ], + "point_size": 0, + "separate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "prometheus.labels.type", + "terms_order_by": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "terms_size": "4", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Pilot xds Pushes [Metricbeat Istio]", + "type": "metrics" + } + }, + "id": "f858c200-087e-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-10-07T09:24:59.040Z", + "version": "WzQzOTAsMV0=" + }, + { + "attributes": { + "description": "Total number of updates received by pilot.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot Inbound Updates [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "7ccbe640-07d8-11eb-985d-2f490d4c2901", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#6092C0", + "fill": 0, + "filter": { + "language": "kuery", + "query": "" + }, + "formatter": "number", + "id": "7ccbe641-07d8-11eb-985d-2f490d4c2901", + "label": "pilot_inbound_updates", + "line_width": 2, + "metrics": [ + { + "field": "prometheus.pilot_inbound_updates.counter", + "id": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "percentiles": [ + { + "id": "88c0d000-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "50" + }, + { + "id": "95c750d0-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "25" + }, + { + "id": "9c5ec900-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "75" + }, + { + "id": "9f8e3700-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "95" + }, + { + "id": "a3581040-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "99" + } + ], + "type": "max", + "unit": "" + } + ], + "point_size": 0, + "separate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "prometheus.labels.type", + "terms_order_by": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "terms_size": "10", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Pilot Inbound Updates [Metricbeat Istio]", + "type": "metrics" + } + }, + "id": "aa997510-087d-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-10-07T09:21:43.250Z", + "version": "WzQzODcsMV0=" + }, + { + "attributes": { + "description": "The number of certificates issuances that have succeeded.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Citadel Cert Issuance [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "7ccbe640-07d8-11eb-985d-2f490d4c2901", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#6092C0", + "fill": 0, + "filter": { + "language": "kuery", + "query": "" + }, + "formatter": "number", + "id": "7ccbe641-07d8-11eb-985d-2f490d4c2901", + "label": "success_cert_issuance", + "line_width": 2, + "metrics": [ + { + "field": "prometheus.citadel_server_success_cert_issuance_count.counter", + "id": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "percentiles": [ + { + "id": "88c0d000-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "50" + }, + { + "id": "95c750d0-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "25" + }, + { + "id": "9c5ec900-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "75" + }, + { + "id": "9f8e3700-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "95" + }, + { + "id": "a3581040-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "99" + } + ], + "type": "max", + "unit": "" + } + ], + "point_size": 0, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "terms_field": "prometheus.labels.type", + "terms_order_by": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "terms_size": "4", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Citadel Cert Issuance [Metricbeat Istio]", + "type": "metrics" + } + }, + "id": "506c8490-087f-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-10-07T10:15:51.172Z", + "version": "WzQ0NzYsMV0=" + }, + { + "attributes": { + "description": "Resource validation failed.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Galley Validation Failed [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "7ccbe640-07d8-11eb-985d-2f490d4c2901", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#6092C0", + "fill": 0, + "filter": { + "language": "kuery", + "query": "" + }, + "formatter": "number", + "id": "7ccbe641-07d8-11eb-985d-2f490d4c2901", + "label": "galley_validation_failed", + "line_width": 2, + "metrics": [ + { + "field": "prometheus.galley_validation_failed.counter", + "id": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "percentiles": [ + { + "id": "88c0d000-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "50" + }, + { + "id": "95c750d0-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "25" + }, + { + "id": "9c5ec900-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "75" + }, + { + "id": "9f8e3700-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "95" + }, + { + "id": "a3581040-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "99" + } + ], + "type": "max", + "unit": "" + } + ], + "point_size": 0, + "separate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "prometheus.labels.resource", + "terms_order_by": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "terms_size": "10", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Galley Validation Failed [Metricbeat Istio]", + "type": "metrics" + } + }, + "id": "98b01f00-087f-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-10-07T09:30:05.212Z", + "version": "WzQzOTksMV0=" + }, + { + "attributes": { + "description": "Pods not found in the endpoint table, possibly invalid.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot Pods without IP [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Pilot No IP pods", + "field": "prometheus.pilot_no_ip.value" + }, + "schema": "metric", + "type": "avg" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "gauge": { + "alignment": "automatic", + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 50 + }, + { + "from": 50, + "to": 75 + }, + { + "from": 75, + "to": 100 + } + ], + "extendRange": true, + "gaugeColorMode": "Labels", + "gaugeStyle": "Full", + "gaugeType": "Arc", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "rgba(105,112,125,0.2)", + "labels": false, + "show": true + }, + "style": { + "bgColor": true, + "bgFill": "rgba(105,112,125,0.2)", + "bgMask": false, + "bgWidth": 0.9, + "fontSize": 60, + "mask": false, + "maskBars": 50, + "subText": "", + "width": 0.9 + }, + "type": "meter" + }, + "isDisplayWarning": false, + "type": "gauge" + }, + "title": "Pilot Pods without IP [Metricbeat Istio]", + "type": "gauge" + } + }, + "id": "4275f710-0882-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-10-07T09:48:31.873Z", + "version": "WzQ0MjcsMV0=" + }, + { + "attributes": { + "description": "Total virtual services known to pilot.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot Virtual Services [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Pilot Virtual Services", + "field": "prometheus.pilot_virt_services.value" + }, + "schema": "metric", + "type": "avg" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "gauge": { + "alignment": "automatic", + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 50 + }, + { + "from": 50, + "to": 75 + }, + { + "from": 75, + "to": 100 + } + ], + "extendRange": true, + "gaugeColorMode": "Labels", + "gaugeStyle": "Full", + "gaugeType": "Arc", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "rgba(105,112,125,0.2)", + "labels": false, + "show": true + }, + "style": { + "bgColor": true, + "bgFill": "rgba(105,112,125,0.2)", + "bgMask": false, + "bgWidth": 0.9, + "fontSize": 60, + "mask": false, + "maskBars": 50, + "subText": "", + "width": 0.9 + }, + "type": "meter" + }, + "isDisplayWarning": false, + "type": "gauge" + }, + "title": "Pilot Virtual Services [Metricbeat Istio]", + "type": "gauge" + } + }, + "id": "96bfe060-0882-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-10-07T09:50:53.286Z", + "version": "WzQ0MzMsMV0=" + }, + { + "attributes": { + "description": "Total services known to pilot.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot Services [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Pilot Services", + "field": "prometheus.pilot_services.value" + }, + "schema": "metric", + "type": "avg" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "gauge": { + "alignment": "automatic", + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 50 + }, + { + "from": 50, + "to": 75 + }, + { + "from": 75, + "to": 100 + } + ], + "extendRange": true, + "gaugeColorMode": "Labels", + "gaugeStyle": "Full", + "gaugeType": "Arc", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "rgba(105,112,125,0.2)", + "labels": false, + "show": true + }, + "style": { + "bgColor": true, + "bgFill": "rgba(105,112,125,0.2)", + "bgMask": false, + "bgWidth": 0.9, + "fontSize": 60, + "mask": false, + "maskBars": 50, + "subText": "", + "width": 0.9 + }, + "type": "meter" + }, + "isDisplayWarning": false, + "type": "gauge" + }, + "title": "Pilot Services [Metricbeat Istio]", + "type": "gauge" + } + }, + "id": "6cfbe3f0-0882-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-10-07T10:04:27.677Z", + "version": "WzQ0NTksMV0=" + }, + { + "attributes": { + "description": "Number of conflicting inbound listeners.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot Conflict Inbound Listener [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Pilot conflict inbound listener", + "field": "prometheus.pilot_conflict_inbound_listener.value" + }, + "schema": "metric", + "type": "avg" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "gauge": { + "alignment": "automatic", + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 50 + }, + { + "from": 50, + "to": 75 + }, + { + "from": 75, + "to": 100 + } + ], + "extendRange": true, + "gaugeColorMode": "Labels", + "gaugeStyle": "Full", + "gaugeType": "Arc", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "rgba(105,112,125,0.2)", + "labels": false, + "show": true + }, + "style": { + "bgColor": true, + "bgFill": "rgba(105,112,125,0.2)", + "bgMask": false, + "bgWidth": 0.9, + "fontSize": 60, + "mask": false, + "maskBars": 50, + "subText": "", + "width": 0.9 + }, + "type": "meter" + }, + "isDisplayWarning": false, + "type": "gauge" + }, + "title": "Pilot Conflict Inbound Listener [Metricbeat Istio]", + "type": "gauge" + } + }, + "id": "d62a1e60-0881-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-10-07T09:45:30.182Z", + "version": "WzQ0MjAsMV0=" + }, + { + "attributes": { + "description": "Number of clusters without instances.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot eds Instances [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Pilot eds instnaces", + "field": "prometheus.pilot_eds_no_instances.value" + }, + "schema": "metric", + "type": "avg" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "gauge": { + "alignment": "automatic", + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 50 + }, + { + "from": 50, + "to": 75 + }, + { + "from": 75, + "to": 100 + } + ], + "extendRange": true, + "gaugeColorMode": "Labels", + "gaugeStyle": "Full", + "gaugeType": "Arc", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "rgba(105,112,125,0.2)", + "labels": false, + "show": true + }, + "style": { + "bgColor": true, + "bgFill": "rgba(105,112,125,0.2)", + "bgMask": false, + "bgWidth": 0.9, + "fontSize": 60, + "mask": false, + "maskBars": 50, + "subText": "", + "width": 0.9 + }, + "type": "meter" + }, + "isDisplayWarning": false, + "type": "gauge" + }, + "title": "Pilot eds Instances [Metricbeat Istio]", + "type": "gauge" + } + }, + "id": "12cdcce0-0882-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-10-07T09:47:11.918Z", + "version": "WzQ0MjQsMV0=" + }, + { + "attributes": { + "description": "Number of endpoints connected to this pilot using XDS.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot XDS endpoints [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "7ccbe640-07d8-11eb-985d-2f490d4c2901", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#6092C0", + "fill": 0, + "formatter": "number", + "id": "7ccbe641-07d8-11eb-985d-2f490d4c2901", + "label": "pilot_xds", + "line_width": 2, + "metrics": [ + { + "field": "prometheus.pilot_xds.value", + "id": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "percentiles": [ + { + "id": "88c0d000-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "50" + }, + { + "id": "95c750d0-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "25" + }, + { + "id": "9c5ec900-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "75" + }, + { + "id": "9f8e3700-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "95" + }, + { + "id": "a3581040-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "99" + } + ], + "type": "avg" + } + ], + "point_size": 0, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Pilot XDS endpoints [Metricbeat Istio]", + "type": "metrics" + } + }, + "id": "e5f3e870-0882-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-10-07T09:53:38.583Z", + "version": "WzQ0NDEsMV0=" + }, + { + "attributes": { + "description": "Total number of XDS requests with an expired nonce.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pilot XDS expired [Metricbeat Istio]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "7ccbe640-07d8-11eb-985d-2f490d4c2901", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#6092C0", + "fill": 0, + "formatter": "number", + "id": "7ccbe641-07d8-11eb-985d-2f490d4c2901", + "label": "pilot_xds_expired_nonce", + "line_width": 2, + "metrics": [ + { + "field": "prometheus.pilot_xds_expired_nonce.counter", + "id": "7ccbe642-07d8-11eb-985d-2f490d4c2901", + "percentiles": [ + { + "id": "88c0d000-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "50" + }, + { + "id": "95c750d0-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "25" + }, + { + "id": "9c5ec900-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "75" + }, + { + "id": "9f8e3700-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "95" + }, + { + "id": "a3581040-07d8-11eb-86d1-6521145f6524", + "mode": "line", + "percentile": "", + "shade": 0.2, + "value": "99" + } + ], + "type": "avg" + } + ], + "point_size": 0, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Pilot XDS expired [Metricbeat Istio]", + "type": "metrics" + } + }, + "id": "0ed17c80-0883-11eb-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-10-07T09:54:14.728Z", + "version": "WzQ0NDMsMV0=" + } + ], + "version": "7.8.0" +} diff --git a/x-pack/metricbeat/module/istio/fields.go b/x-pack/metricbeat/module/istio/fields.go index 40a9baed3f5..ccd41e55fe8 100644 --- a/x-pack/metricbeat/module/istio/fields.go +++ b/x-pack/metricbeat/module/istio/fields.go @@ -19,5 +19,5 @@ func init() { // AssetIstio returns asset data. // This is the base64 encoded gzipped contents of module/istio. func AssetIstio() string { - return "eJzUXE2T47bRvu+v6PLltd+a5V5Te0hVap2PrcSuza5TSeUiQ2BLhAUCNNCURv71KXyRFEVp9AFq1nPYnZFIPM8DNBqNRpNvYYP79yAsCf0GgARJfA/ffHR/f/MGoETLjWhIaPUe/vgGAMK18IMuW4lvAAxKZBbfwxKJvQFYCZSlfe8vfQuK1dg3735o3+B7WBvdNvGTCQz387O/62fgWhETyoIlRu4zboEqRrBDg2CQlbAyuoaPA5AhiSERLoiVKLvPp+icoeR+PkzQMSgZYQmkgSoMTOBDwAKLZis4DhoZd1n6GbMeMl+bhhc1UqXLg++Tgg3ud9qMvzujw/38VKFvGCYaPgA+1pALearlA2gHkhfX3Q565YfKoG2Qk9ieoDPJyyI3SAtnmEZLiWZht3zBOF9wg84QFhwNFVy3iiapS63W1/NWbb1E45i75sVKcEZoIWJC2aIzwKgAGPf44WuhVXFCitmiWRityZNe4HMjzH5hkWtV2kn2K6nZWNcF9FslnoFEjZZY3TyBUBBRnmBXoeomjCPjJcJOSAmeERbwbwSLBIKcSoVr5kdNKODM+vEUitAoJgGN0WZab2fNaIqKqVLi9HS6YYQ0MTkYo8+fPljgum4kutHRyttbgH4Cg2tmSonWumtty7n/1cCKCdkafJl9bdeFQY5iO6cEsGSQ1VCjtWyNztUFyENBl9G1mG8+jKiup7g6PFjur+JpiRma1ygixKkevMxuhVoXbtFRfF/Utli2fINU/P8kb738Bfm458OHi3scknOeWlmESAS+rYWUIs7q77px8at1xUpYIipgTSOd6xJavZW4RQlxIl47VFP9YNv60qFbaVMzeg9lazyZDPqj4Cewbe3+CJ8LtM5NDfvmJm2515PT9HuDrZGM4PbYODvSTErcPySgClCZ4in3b96wwrU4CCt0azj6P0IfghjKOsnJNix3nPX3dolGoYsVOoQx0Uk+WzT2eGLcySY2mghM+KYuWHexFZ+Ymncy6NtNJISyxNRLYZ/fjxSspQoVRQ9W1GirRkvhZvkssd6WSVEG7HeH2O+G2LBReqfchInThBEwaLRQ5JyPi7suF/VagvKIcd1S/IC2+qDVSoy55hfh8N71ePeRV0g7bTbO9ZdoSSjfM6aVDxiNHvvdGDubKFRbvV8JSWgeKmiIm03MmhHu2P6hQhJmNhFWlMjZY0cjYWYTsRWGWiZjbPBQLSPo+yR5D7gvGJERy5awZkqs0NL8igLyu2PkLIJCiP8AI4syEl4W8ik8eBj7DjAL/ccsHpH61avF+ZjLtMpdXTRGc7RWmwK3qGhhG6aKtHN7tQ1wIuA2Hju3t0XGKxCK61qoNXiqwCxUwpJeG1ZDoHnZfvBi7Q/d9F6iudsAp4szC869E75M0wW74vNqrGKNrTQtfIOvZLO9isAiZWe2GNIzkS6Wk4Z7o9IrLDSnhM4Ow3U3kv+9W5sUK/TffT3+0g2JE5045nSS53W/jq8c683mIM+Lnc1yj/XcaK6WGKG3qcW8UZY/9OvjqgZN+Ohfn//xAkHDCNf7QqsFr5haTyfn7qYnarQh+x0B/8+CVh88IlTMBs/GXTg1fU57RNj9ZRa/tgItx4Vx45XvXGOCPIOI1dOdAu1OHn3ecbFpl7iIy3w4BVuQJiZnJbrpM6IxTxuxV62U++48gqngjKeToy72DTPNH5xucF+0TckomwH/NcTOPRDscFlpvRme/8IU5hRHn5sqpGa5bGDzB9sT8q0n7/Ctwe8c0KWk8nbbaV5jnMSoRlu9GQPPcYLhgDKdXxylrIfcCZ9vOKBvjK6RKmztdOsJ+he9nES9OSE/AB633Xk3/LXNmQbx57Kp0eEBJFNxrBqjn/fnuLxuOPU5kOiX5BvDpwktDwuRPqf+T7ffGhZNiMgZ+kzw7NeUScscM7PiNyyWe8JXtJQv4je8dEN3TDvfDu4EnzHAGS4zjO2YzSHECWLh+Pz3N7jHvF9xdI/JfC3D22hDaPItdZ9jiyBKVC5+ixF/QurP5IPFw0cCYX3RG2kYnMiBWMWb3Pe++JXFqpnh4gVMlSm+nbqDS4GKhnecqBH0TRQ7bTYuqityl04IO+6RVEoRySdk2FWCVxDrLuN2KZC7mHj2+opp9gdFFiMZZ8k2RigumhMboGwcG0QDHVYiSoatVoInLgMD9AWa/qbDI3v3fWvxvCbWNPOqiR3MmgaWzIbSOveHZEuUt4zCDJUvx6xHlTAn+U0SHbiD15iZQ290vkdPEn2NmXgb7a9iTg4J3T0xh43NPjuHnX5+ik4Oz8sKXmO2nrekFynHJEBRaTsd6mThPSSZngtwiCnsEkuJbg/ndr3d+UMKPy7WML/XmdLhUK/j+GiHM8H6BQtJXd8YTZrruf1NRDkfd/7p08f+SrFyv29FieUTaKrQ7ITt7gRtXHCmYnFlumt6lLrIn+syX079WGVX5exwjqT6O4IPEhYag/6ZAa3k3jmov/3006d0njGtopdbWOStEbSPZRczRzzpKZ9Dpx+gzw9o3VLL5IKkDYtHiP/jcuEvYBvXW3XdqtSu14Z+QzHaRpxYlkhDq0IViAcZ3ZWy7kK5f2PHJfacKaUJlt5CGzTSfdO0Pp/aj0KXvBXPB5u0GbO3DilX+jZUqvKmSIPE+Gaek680OR1A//hOetbizPYpZudZyRpCUwi10oV/tMrGxP0sdAMCoPJ7dDT+yTbjFqZ46ul+jQYeqYGjdpjrv1xR+Gyerg8TIML5XKZjzVtjnJeJbM4yTdV4s/LrQG5gGAvtHtCNXUnf7SSj9fYnUI+y4CVy1lpMGoZnegapNQrLc08tRhnpVOYrm4WJ1hUzsFMyv9n0Z/7X241p5dfW2Y7SFR09VFAz4tU8S0wkVYpwaBMez2cW3DreMGORLeX5VcYTnd8aQnnq9ZZAWDcuJPjKrCHRusIiOiXzd3aCuqXDW2VdNLYSWBbMB9iL6DxnIRwgouWumJD9A/XdurNE1/OtYlsm5GmDLoVt3ExDsxgEx3bRoFlsmRFI+xlLXH7wQWoKjIYEfMiX7CUS8aDTMtKameQXXGo7UwFR18X9ez0CWrL8YBRAhikrTpt44lwyrLXKadrJcg8tZosQoMDoloQKls5gLbbYxX2AaiuMVjWqE0mVRDs++2+LZSvkI3o6Gnp6RcSNvd3R9mP2KJ+4q4QMZuIod7puk9AZucLdoyxc4U7uB2/vuIu3wfaBk9Pg2/b22Tnvo9dxQsLUatGXoHnvNx+JMUACboTU9JBkhUfKlKx4LvMeyn/wL6bRK2c4ybE+f/8lHUj3OTXrk9OfnJRpk3LMmtZW2fbHHTXH5+BFIk/ALOxQSvd/9EfeT/twzLhr/K/DG4+ad3JkaZ/AuH94aX1KDcsT2cUkz9fyvk7Vvi+Uc/BhGIDYBq0zNcdrWsvTy7VoF8rN+NjInTpiXVooIL5NTNZi/Dvl8GTmXtBpAc4yc9flf+w25G42+McIuGwtofFTzL82xZIXUsB/0ejhFt76ouzTmZKu17lWhM8U92uZqP84Dki+df2nW7LfgVCCBCO/T3NjkAicpJleV5WX4viNQ91Lsf7z/ZfEWqiwPJzegEnBqZDCEiqfJ13qVuWKLvpOTEiuzyIGJNDT5y0jcrolf2dRETWF3qIp4ppSEJ8+2c7FeSdkyZkpwUH3zGEnqOp2DN1FxPtr7hDnfstvz0NZ/tRrpMYvfGFX777+Ao02dP0YER8NkVPzmDEadv+pIToYx/vFzW1/ZyS9bGyh4I9rtX2dwMKtXQqxDGdRcRWL69ef1VbvD3Nat0cVh0IzhhT3KLg+njiUkTWYuEfIJZHE2bdyuAVqfZTVu2iVO37lxpllbSsMFbnfD+JpxBeAXEdH6ULk8g6fdBlS7Su/hMZkK6oyvHGB2FLiEzTaWrGUexDKHz+d8G8hFJtkdttjRd3x0F/++f2P06B06h2vtyEGmw010IdPgIV05/8CAAD//82LgnI=" + return "eJzUXE2T47bRvu+v6PLltd+a5V5Te0hVap2PrcSuza5TSeUiQ2BLhAUCNNCURv71KXyRFEVp9AFq1nPYnZFIPM8DNIBGd5NvYYP79yAsCf0GgARJfA/ffHR/f/MGoETLjWhIaPUe/vgGAMK18IMuW4lvAAxKZBbfwxKJvQFYCZSlfe8vfQuK1dg3735o3+B7WBvdNvGTCQz387O/62fgWhETyoIlRu4zboEqRrBDg2CQlbAyuoaPA5AhiSERLoiVKLvPp+icoeR+PkzQMSgZYQmkgSoMTOBDwAKLZis4DhoZd1n6GbMeMl+bhhc1UqXLg++Tgg3ud9qMvzujw/38VKFvGCYaPgA+1pALearlA2gHkhfX3Q565YfKoG2Qk9ieoDPJyyI3SAtnmEZLiWZht3zBOF9wg84QFhwNFVy3iiapS63W1/NWbb1E45i75sVKcEZoIWJC2aIzwKgAGPf44WuhVXFCitmiWRityZNe4HMjzH5hkWtV2kn2K6nZWNcF9FslnoFEjZZY3TyBUBBRnmBXoeomjCPjJcJOSAmeERbwbwSLBIKcSoVr5kdNKODM+vEUitAoJgGN0WZab2fNaIqKqVLi9HS6YYQ0MTkYo8+fPljgum4kutHRyttbgH4Cg2tmSonWumtty7n/1cCKCdkafJl9bdeFQY5iO6cEsGSQ1VCjtWyNbqkLkIeCLqNrMd98GFFdT3F1eLDcX8XTEjM0r1FEiFM9eJndCrUu3Kaj+L6obbFs+Qap+P9J3nr5C/Jxz4cPF/csSG7x1MoiRCLwbS2kFHFWf9eNi9+tK1bCElEBaxrpli6h1VuJW5QQJ+K1QzXVD7atLx26lTY1o/dQtsaTyaA/Cn4C29buj/C5QOuWqWHf3KQt935ymn5vsDWSEdweG2dHmkmJ+4c4VAEqkz/l/s3rVrgWB26Fbg1H/0foQxBDWSc52Ybl9rP+3i7RKHS+QocwJjrJZ4vGHk+MO9nERhOBibWpc9adb8UnpuadDPp2EwmhLDH1ktvnzyMFa6lCRXEFK2q0VaOlcLN8Fl9vy6QoA/a7Q+x3Q2zYKL1TbsLEacIIGDRaKHKLj/O7Lhf1WoLyiHHdUvyAtvqg1UqMueYX4fDe9Xj3kVdIO202bukv0ZJQvmdMKx8wGj32uzF2NlGotnq/EpLQPFTQEDebmDUj3LH9Q4UkzGwirCiRs8eORsLMJmIrDLVMRt/goVpG0PdJ8ivgvmBERixbwpopsUJL8ysKyO+OkbMICi7+A4wsykh4Wcgn9+Bh7DvALPQfs3lE6lfvFud9LtMqd3XRGM3RWm0K3KKihW2YKtLJ7dUOwImAO3js3NkWGa9AKK5rodbgqQKzUAlLem1YDYHmZefBi7U/9NB7iebuAJwuziw490n4Mk0XnIrPq7GKNbbStPANvpLN9ioCixSd2WIIz0S6WE4a7o1Kr7DQnBI6OwzX3Uj+925tUqzQf/f1rJduSJzoxDHnInle9+uslWO92RbI82Jns9xjPTeaqyVG6G1qMa+X5ZN+vV/VoAkf/evzP14gaBjhel9oteAVU+vp4Nzd9ESNNkS/I+D/WdDqg0eEitmwsnHnTk3naY8Iu7/M4tdWoOW4MG688uU1JsgziFg93SnQLvPo446LTbvERdzmQxZsQZqYnJXopo+IxjhtxF61Uu67fARTYTGeDo463zfMNJ843eC+aJuSUTYD/mvwnXsg2OGy0nozzP/CFOYURx+bKqRmuWxg8wfbE/Ktp9XhW4PfOaBLSeXtttO8xjhvT2QOEtMabfVmTGiOzIYDypTXOAplD7kTPt+QuG+MrpEqbO106wn6F72cRL05UD8AHrfdrXr4a5szPOLztanRYWKSqThWjdHP+3NcXtfN+hxI9Fv1jW7VhJaHuU6fU/+n2291lyZE5HSJJnj2e82kZY6ZWfEbFss94StayhfxG1560Dumne9kd4LPGOAMlxnGdszmEOIEsZBW//0N7jHvVxzdYzJfy/A22hCafFvd59giiBKV8+viSSAh9bn6YPHwkUBYXwxHGgaZOhCreJP73hfFslhNM9y8gKky+b1Td3ApUNHwjhO1g76JYqfNxnl7Re6SCmHHPZJKLCL5hAy7SvAKYj1mPEYFchcTz153Mc3+oPhiJOMs2cYIxUVz4mCUjWODaKDDSkTJsNVK8MRlYIC+cNPfdJjKd9+3Fs9rYk0zr5rYwaxpYMlsKLlzf0i2RHnLKMxQEXPMelQhc5LfJNHBcvAaM3O4Gp3v0ZNEX2Mm3kb7q5iTQ0J3T8xhY7PPzmGnn5+ik8PzsoLXmK3nLelFyjEIUFTaTrs6WXgPSabnBRxicrvEUqI7w7lTb5eXSO7HxRrmX3WmdDjU6zg+esGZYP2ChaSub4wmzfXc601EOe93/unTx/5KsXK/b0WJ5RNoqtDshO3uBG2cc6Zi0WW6a3qUOs+f6zJfrP1YZVf97HCOpPo7whokLDQG/bMEWsm9W6D+9tNPn1KeY1pFL7ewyFsjaB/LMWb2eNLTP4eLfoA+P6B1Sy2TC5I2bB7B/4/bhb+AbVxv1XWrUrteG/oDxegYcWJbIg2tCtUhHmR0V4rGC+X+jR2X2HOmlCZYegtt0Ej3TdP6eGo/Cl3wVjwfHNJmjN46pFzh21DBypsiDRLjm3kyYmlyOoD+sZ70DMaZ41OM2rOSNYSmEGqlC//IlY0B/VnoBgRA5c/oaPwTb8ZtTDEb6n6NBh6pgaN2mAO4XFH4bJ6uDxMgwvlYpmPNW2PcKhPZnGWaqvRm5deB3MAwFuA9oBu7Ur/bSUbr7TNTj7LgJXLWWkwahrk+g9QaheW5pxmjjJSV+cpmYaJ1xQzslMxvNn0twPV2Y1r5tXW2o3RFRw8V1Ix4Nc8WE0mVIiRtwmP7zILbxxtmLLKlPL/LeKLzW0MoW73eEgjrxrkEX5k1JFpXWESnZP7OTlC3dHirrPPGVgLLgnkHexEXz1kIB4houSsmZP+gfbfvLNH1fKvYlgl52qBLYRs309AsBs6xXTRoFltmBNJ+xtKXH7yTmhyjIQHv8iV7iUQ86LSMtGcm+QWX2s5UWNR1cf++j4CWLD8YBZBhyorTJp44lwxrrXKadrLcQ4vZIgQoMLoloYKlM1iLLXZ+H6DaCqNVjepEUCXRju8EsMWyFfIRPR0NPb064sbe7mj7MXvUmrirhAxm4ih3um6T0Bm5wt2jLFzhTu4Hb/W4i7fB9oGT0+Db9vbZOe8j2XFCwtRu0Zem+dVvPhJjgATcCKnpIcEKj5QpWPFc5k3Kf/AvrNErZzhpYX3+/ktKSPcxNeuD05+clGmTcsya1lbZzscdNcfn4AUjT8As7FBK939cj/w67d0x467xvw5vPGreyZGlfQLj/uGl9SE1LE9EF5M8X+P7OtX8vlDOwYdhAGIbtM7UHK9pLU8v16JdKDfj4yR36oh1aaGw+DYxWYv075TDk5l7QacFOMvMXa//sTuQu9ngHy/gsrWExk8x/zoVS15IAf9Fo4dHeOuLtU9HSrpe51oRPlM8r2Wi/uPYIfnW9Z9uyX4HQgkSjPw5zY1BInCSZnqNVV6K4zcRdS/L+s/3XxJrocL2cPoAJgWnQgpLqHycdKlblcu76DsxIbk+ixiQQE/nW0bkdEv+zqIiagq9RVPEPaUgPp3ZzsV5J2TJmSnBQffMYSeo6k4M3UXE+2vuEOd+y2/PQ1k+6zVS4ze+cKp3X3+BRhu6foyIj4bIqXnMGA27/9QQHYzj/eLmtr8zkl42tlDwx7Xavo5j4fYuhViGXFTcxeL+9We11fvDmNbtXsWh0IwuxT0KrvcnDmVkdSbuEXKJJ3H2bR1ug1ofRfUu2uWOX8VxZlvbCkNF7veGeBrxxSDX0VG6ELlWh0+6DKH2ld9CY7AVVRnexEBsKfEJGm2tWMo9COXTTyfWt+CKTTK77bGiLj30l39+/+M0KJ169+ttiMFmQw304ZNhIdz5vwAAAP//h0iIoA==" } diff --git a/x-pack/metricbeat/module/istio/istiod/_meta/docs.ascoodoc b/x-pack/metricbeat/module/istio/istiod/_meta/docs.ascoodoc new file mode 100644 index 00000000000..61170c60413 --- /dev/null +++ b/x-pack/metricbeat/module/istio/istiod/_meta/docs.ascoodoc @@ -0,0 +1,4 @@ +This is the istiod metricset of the module istio. +This metricset collects metrics from the Istio Daemon of Istio versions higher than 1.5 + +Tested with Istio 1.7 diff --git a/x-pack/metricbeat/module/istio/istiod/_meta/fields.yml b/x-pack/metricbeat/module/istio/istiod/_meta/fields.yml new file mode 100644 index 00000000000..8033a27f5ac --- /dev/null +++ b/x-pack/metricbeat/module/istio/istiod/_meta/fields.yml @@ -0,0 +1 @@ +- release: beta diff --git a/x-pack/metricbeat/module/istio/istiod/_meta/testdata/config.yml b/x-pack/metricbeat/module/istio/istiod/_meta/testdata/config.yml new file mode 100644 index 00000000000..376691991b5 --- /dev/null +++ b/x-pack/metricbeat/module/istio/istiod/_meta/testdata/config.yml @@ -0,0 +1,5 @@ +type: http +url: "/metrics" +suffix: plain +remove_fields_from_comparison: ["prometheus.labels.instance"] +omit_documented_fields_check: ["prometheus.labels.*"] diff --git a/x-pack/metricbeat/module/istio/istiod/_meta/testdata/istiod.v1.7.1.plain b/x-pack/metricbeat/module/istio/istiod/_meta/testdata/istiod.v1.7.1.plain new file mode 100644 index 00000000000..4ec26bf4a2c --- /dev/null +++ b/x-pack/metricbeat/module/istio/istiod/_meta/testdata/istiod.v1.7.1.plain @@ -0,0 +1,499 @@ +# HELP citadel_server_csr_count The number of CSRs received by Citadel server. +# TYPE citadel_server_csr_count counter +citadel_server_csr_count 8 +# HELP citadel_server_root_cert_expiry_timestamp The unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired. +# TYPE citadel_server_root_cert_expiry_timestamp gauge +citadel_server_root_cert_expiry_timestamp 1.916309303e+09 +# HELP citadel_server_success_cert_issuance_count The number of certificates issuances that have succeeded. +# TYPE citadel_server_success_cert_issuance_count counter +citadel_server_success_cert_issuance_count 8 +# HELP endpoint_no_pod Endpoints without an associated pod. +# TYPE endpoint_no_pod gauge +endpoint_no_pod 0 +# HELP galley_validation_config_updates k8s webhook configuration updates +# TYPE galley_validation_config_updates counter +galley_validation_config_updates 2 +# HELP galley_validation_failed Resource validation failed +# TYPE galley_validation_failed counter +galley_validation_failed{group="networking.istio.io",reason="invalid_resource",resource="gateways",version="v1alpha3"} 1 +# HELP go_gc_duration_seconds A summary of the GC invocation durations. +# TYPE go_gc_duration_seconds summary +go_gc_duration_seconds{quantile="0"} 8.969e-06 +go_gc_duration_seconds{quantile="0.25"} 8.7539e-05 +go_gc_duration_seconds{quantile="0.5"} 0.000238037 +go_gc_duration_seconds{quantile="0.75"} 0.000783504 +go_gc_duration_seconds{quantile="1"} 0.005515511 +go_gc_duration_seconds_sum 0.013316174 +go_gc_duration_seconds_count 13 +# HELP go_goroutines Number of goroutines that currently exist. +# TYPE go_goroutines gauge +go_goroutines 345 +# HELP go_info Information about the Go environment. +# TYPE go_info gauge +go_info{version="go1.14.7"} 1 +# HELP go_memstats_alloc_bytes Number of bytes allocated and still in use. +# TYPE go_memstats_alloc_bytes gauge +go_memstats_alloc_bytes 3.1723136e+07 +# HELP go_memstats_alloc_bytes_total Total number of bytes allocated, even if freed. +# TYPE go_memstats_alloc_bytes_total counter +go_memstats_alloc_bytes_total 1.106604e+08 +# HELP go_memstats_buck_hash_sys_bytes Number of bytes used by the profiling bucket hash table. +# TYPE go_memstats_buck_hash_sys_bytes gauge +go_memstats_buck_hash_sys_bytes 1.496287e+06 +# HELP go_memstats_frees_total Total number of frees. +# TYPE go_memstats_frees_total counter +go_memstats_frees_total 982627 +# HELP go_memstats_gc_cpu_fraction The fraction of this program's available CPU time used by the GC since the program started. +# TYPE go_memstats_gc_cpu_fraction gauge +go_memstats_gc_cpu_fraction 6.904294960464036e-05 +# HELP go_memstats_gc_sys_bytes Number of bytes used for garbage collection system metadata. +# TYPE go_memstats_gc_sys_bytes gauge +go_memstats_gc_sys_bytes 3.832072e+06 +# HELP go_memstats_heap_alloc_bytes Number of heap bytes allocated and still in use. +# TYPE go_memstats_heap_alloc_bytes gauge +go_memstats_heap_alloc_bytes 3.1723136e+07 +# HELP go_memstats_heap_idle_bytes Number of heap bytes waiting to be used. +# TYPE go_memstats_heap_idle_bytes gauge +go_memstats_heap_idle_bytes 2.1651456e+07 +# HELP go_memstats_heap_inuse_bytes Number of heap bytes that are in use. +# TYPE go_memstats_heap_inuse_bytes gauge +go_memstats_heap_inuse_bytes 4.2508288e+07 +# HELP go_memstats_heap_objects Number of allocated objects. +# TYPE go_memstats_heap_objects gauge +go_memstats_heap_objects 157553 +# HELP go_memstats_heap_released_bytes Number of heap bytes released to OS. +# TYPE go_memstats_heap_released_bytes gauge +go_memstats_heap_released_bytes 1.7825792e+07 +# HELP go_memstats_heap_sys_bytes Number of heap bytes obtained from system. +# TYPE go_memstats_heap_sys_bytes gauge +go_memstats_heap_sys_bytes 6.4159744e+07 +# HELP go_memstats_last_gc_time_seconds Number of seconds since 1970 of last garbage collection. +# TYPE go_memstats_last_gc_time_seconds gauge +go_memstats_last_gc_time_seconds 1.6019028053800597e+09 +# HELP go_memstats_lookups_total Total number of pointer lookups. +# TYPE go_memstats_lookups_total counter +go_memstats_lookups_total 0 +# HELP go_memstats_mallocs_total Total number of mallocs. +# TYPE go_memstats_mallocs_total counter +go_memstats_mallocs_total 1.14018e+06 +# HELP go_memstats_mcache_inuse_bytes Number of bytes in use by mcache structures. +# TYPE go_memstats_mcache_inuse_bytes gauge +go_memstats_mcache_inuse_bytes 6944 +# HELP go_memstats_mcache_sys_bytes Number of bytes used for mcache structures obtained from system. +# TYPE go_memstats_mcache_sys_bytes gauge +go_memstats_mcache_sys_bytes 16384 +# HELP go_memstats_mspan_inuse_bytes Number of bytes in use by mspan structures. +# TYPE go_memstats_mspan_inuse_bytes gauge +go_memstats_mspan_inuse_bytes 485384 +# HELP go_memstats_mspan_sys_bytes Number of bytes used for mspan structures obtained from system. +# TYPE go_memstats_mspan_sys_bytes gauge +go_memstats_mspan_sys_bytes 573440 +# HELP go_memstats_next_gc_bytes Number of heap bytes when next garbage collection will take place. +# TYPE go_memstats_next_gc_bytes gauge +go_memstats_next_gc_bytes 5.3766592e+07 +# HELP go_memstats_other_sys_bytes Number of bytes used for other system allocations. +# TYPE go_memstats_other_sys_bytes gauge +go_memstats_other_sys_bytes 914201 +# HELP go_memstats_stack_inuse_bytes Number of bytes in use by the stack allocator. +# TYPE go_memstats_stack_inuse_bytes gauge +go_memstats_stack_inuse_bytes 2.94912e+06 +# HELP go_memstats_stack_sys_bytes Number of bytes obtained from system for stack allocator. +# TYPE go_memstats_stack_sys_bytes gauge +go_memstats_stack_sys_bytes 2.94912e+06 +# HELP go_memstats_sys_bytes Number of bytes obtained from system. +# TYPE go_memstats_sys_bytes gauge +go_memstats_sys_bytes 7.3941248e+07 +# HELP go_threads Number of OS threads created. +# TYPE go_threads gauge +go_threads 14 +# HELP grpc_server_handled_total Total number of RPCs completed on the server, regardless of success or failure. +# TYPE grpc_server_handled_total counter +grpc_server_handled_total{grpc_code="Aborted",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="Aborted",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Aborted",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Aborted",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Aborted",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Aborted",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="AlreadyExists",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="AlreadyExists",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="AlreadyExists",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="AlreadyExists",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="AlreadyExists",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="AlreadyExists",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Canceled",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="Canceled",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Canceled",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Canceled",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Canceled",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Canceled",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DataLoss",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="DataLoss",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DataLoss",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DataLoss",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DataLoss",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DataLoss",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DeadlineExceeded",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="DeadlineExceeded",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DeadlineExceeded",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DeadlineExceeded",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DeadlineExceeded",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="DeadlineExceeded",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="FailedPrecondition",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="FailedPrecondition",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="FailedPrecondition",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="FailedPrecondition",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="FailedPrecondition",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="FailedPrecondition",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Internal",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="Internal",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Internal",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Internal",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Internal",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Internal",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="InvalidArgument",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="InvalidArgument",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="InvalidArgument",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="InvalidArgument",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="InvalidArgument",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="InvalidArgument",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="NotFound",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="NotFound",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="NotFound",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="NotFound",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="NotFound",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="NotFound",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OK",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 8 +grpc_server_handled_total{grpc_code="OK",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OK",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OK",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OK",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OK",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OutOfRange",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="OutOfRange",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OutOfRange",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OutOfRange",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OutOfRange",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="OutOfRange",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="PermissionDenied",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="PermissionDenied",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="PermissionDenied",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="PermissionDenied",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="PermissionDenied",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="PermissionDenied",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="ResourceExhausted",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="ResourceExhausted",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="ResourceExhausted",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="ResourceExhausted",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="ResourceExhausted",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="ResourceExhausted",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unauthenticated",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="Unauthenticated",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unauthenticated",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unauthenticated",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unauthenticated",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unauthenticated",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unavailable",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="Unavailable",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unavailable",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unavailable",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unavailable",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unavailable",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unimplemented",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="Unimplemented",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unimplemented",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unimplemented",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unimplemented",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unimplemented",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unknown",grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0 +grpc_server_handled_total{grpc_code="Unknown",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unknown",grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unknown",grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unknown",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handled_total{grpc_code="Unknown",grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +# HELP grpc_server_handling_seconds Histogram of response latency (seconds) of gRPC that had been application-level handled by the server. +# TYPE grpc_server_handling_seconds histogram +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="0.005"} 7 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="0.01"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="0.025"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="0.05"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="0.1"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="0.25"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="0.5"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="1"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="2.5"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="5"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="10"} 8 +grpc_server_handling_seconds_bucket{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary",le="+Inf"} 8 +grpc_server_handling_seconds_sum{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 0.031283576 +grpc_server_handling_seconds_count{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 8 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.005"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.01"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.025"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.05"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.25"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="2.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="10"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="+Inf"} 0 +grpc_server_handling_seconds_sum{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handling_seconds_count{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.005"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.01"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.025"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.05"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.25"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="2.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="10"} 0 +grpc_server_handling_seconds_bucket{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="+Inf"} 0 +grpc_server_handling_seconds_sum{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handling_seconds_count{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="0.005"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="0.01"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="0.025"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="0.05"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="0.1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="0.25"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="0.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="2.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="10"} 0 +grpc_server_handling_seconds_bucket{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream",le="+Inf"} 0 +grpc_server_handling_seconds_sum{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handling_seconds_count{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.005"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.01"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.025"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.05"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.25"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="2.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="10"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream",le="+Inf"} 0 +grpc_server_handling_seconds_sum{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handling_seconds_count{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.005"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.01"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.025"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.05"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.25"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="0.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="1"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="2.5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="5"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="10"} 0 +grpc_server_handling_seconds_bucket{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream",le="+Inf"} 0 +grpc_server_handling_seconds_sum{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_handling_seconds_count{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +# HELP grpc_server_msg_received_total Total number of RPC stream messages received on the server. +# TYPE grpc_server_msg_received_total counter +grpc_server_msg_received_total{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 8 +grpc_server_msg_received_total{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_msg_received_total{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_msg_received_total{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_msg_received_total{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_msg_received_total{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +# HELP grpc_server_msg_sent_total Total number of gRPC stream messages sent by the server. +# TYPE grpc_server_msg_sent_total counter +grpc_server_msg_sent_total{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 8 +grpc_server_msg_sent_total{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_msg_sent_total{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_msg_sent_total{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_msg_sent_total{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_msg_sent_total{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +# HELP grpc_server_started_total Total number of RPCs started on the server. +# TYPE grpc_server_started_total counter +grpc_server_started_total{grpc_method="CreateCertificate",grpc_service="istio.v1.auth.IstioCertificateService",grpc_type="unary"} 8 +grpc_server_started_total{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_started_total{grpc_method="DeltaAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_started_total{grpc_method="ServerReflectionInfo",grpc_service="grpc.reflection.v1alpha.ServerReflection",grpc_type="bidi_stream"} 0 +grpc_server_started_total{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v2.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +grpc_server_started_total{grpc_method="StreamAggregatedResources",grpc_service="envoy.service.discovery.v3.AggregatedDiscoveryService",grpc_type="bidi_stream"} 0 +# HELP istio_build Istio component build info +# TYPE istio_build gauge +istio_build{component="pilot",tag="1.7.1"} 1 +# HELP pilot_conflict_inbound_listener Number of conflicting inbound listeners. +# TYPE pilot_conflict_inbound_listener gauge +pilot_conflict_inbound_listener 0 +# HELP pilot_conflict_outbound_listener_http_over_current_tcp Number of conflicting wildcard http listeners with current wildcard tcp listener. +# TYPE pilot_conflict_outbound_listener_http_over_current_tcp gauge +pilot_conflict_outbound_listener_http_over_current_tcp 0 +# HELP pilot_conflict_outbound_listener_tcp_over_current_http Number of conflicting wildcard tcp listeners with current wildcard http listener. +# TYPE pilot_conflict_outbound_listener_tcp_over_current_http gauge +pilot_conflict_outbound_listener_tcp_over_current_http 0 +# HELP pilot_conflict_outbound_listener_tcp_over_current_tcp Number of conflicting tcp listeners with current tcp listener. +# TYPE pilot_conflict_outbound_listener_tcp_over_current_tcp gauge +pilot_conflict_outbound_listener_tcp_over_current_tcp 0 +# HELP pilot_destrule_subsets Duplicate subsets across destination rules for same host +# TYPE pilot_destrule_subsets gauge +pilot_destrule_subsets 0 +# HELP pilot_duplicate_envoy_clusters Duplicate envoy clusters caused by service entries with same hostname +# TYPE pilot_duplicate_envoy_clusters gauge +pilot_duplicate_envoy_clusters 0 +# HELP pilot_eds_no_instances Number of clusters without instances. +# TYPE pilot_eds_no_instances gauge +pilot_eds_no_instances 0 +# HELP pilot_endpoint_not_ready Endpoint found in unready state. +# TYPE pilot_endpoint_not_ready gauge +pilot_endpoint_not_ready 0 +# HELP pilot_inbound_updates Total number of updates received by pilot. +# TYPE pilot_inbound_updates counter +pilot_inbound_updates{type="config"} 90 +pilot_inbound_updates{type="eds"} 54 +pilot_inbound_updates{type="svc"} 22 +# HELP pilot_info Pilot version and build information. +# TYPE pilot_info gauge +pilot_info{version="1.7.1-4e26c697ce460dc8d3b25b25818fb0163ca16394-Clean"} 1 +# HELP pilot_k8s_cfg_events Events from k8s config. +# TYPE pilot_k8s_cfg_events counter +pilot_k8s_cfg_events{event="add",type="DestinationRule"} 4 +pilot_k8s_cfg_events{event="add",type="EnvoyFilter"} 8 +pilot_k8s_cfg_events{event="add",type="Gateway"} 1 +pilot_k8s_cfg_events{event="add",type="VirtualService"} 1 +# HELP pilot_k8s_reg_events Events from k8s registry. +# TYPE pilot_k8s_reg_events counter +pilot_k8s_reg_events{event="add",type="Endpoints"} 12 +pilot_k8s_reg_events{event="add",type="Nodes"} 1 +pilot_k8s_reg_events{event="add",type="Pods"} 22 +pilot_k8s_reg_events{event="add",type="Services"} 11 +pilot_k8s_reg_events{event="update",type="Endpoints"} 30 +pilot_k8s_reg_events{event="update",type="Nodes"} 1 +pilot_k8s_reg_events{event="update",type="Pods"} 61 +pilot_k8s_reg_events{event="updatesame",type="Endpoints"} 185 +# HELP pilot_no_ip Pods not found in the endpoint table, possibly invalid. +# TYPE pilot_no_ip gauge +pilot_no_ip 0 +# HELP pilot_proxy_convergence_time Delay in seconds between config change and a proxy receiving all required configuration. +# TYPE pilot_proxy_convergence_time histogram +pilot_proxy_convergence_time_bucket{le="0.1"} 1 +pilot_proxy_convergence_time_bucket{le="0.5"} 1 +pilot_proxy_convergence_time_bucket{le="1"} 1 +pilot_proxy_convergence_time_bucket{le="3"} 1 +pilot_proxy_convergence_time_bucket{le="5"} 1 +pilot_proxy_convergence_time_bucket{le="10"} 1 +pilot_proxy_convergence_time_bucket{le="20"} 1 +pilot_proxy_convergence_time_bucket{le="30"} 1 +pilot_proxy_convergence_time_bucket{le="+Inf"} 1 +pilot_proxy_convergence_time_sum 0.002034992 +pilot_proxy_convergence_time_count 1 +# HELP pilot_proxy_queue_time Time in seconds, a proxy is in the push queue before being dequeued. +# TYPE pilot_proxy_queue_time histogram +pilot_proxy_queue_time_bucket{le="0.1"} 41 +pilot_proxy_queue_time_bucket{le="1"} 41 +pilot_proxy_queue_time_bucket{le="3"} 41 +pilot_proxy_queue_time_bucket{le="5"} 41 +pilot_proxy_queue_time_bucket{le="10"} 41 +pilot_proxy_queue_time_bucket{le="20"} 41 +pilot_proxy_queue_time_bucket{le="30"} 41 +pilot_proxy_queue_time_bucket{le="+Inf"} 41 +pilot_proxy_queue_time_sum 0.002216352 +pilot_proxy_queue_time_count 41 +# HELP pilot_push_triggers Total number of times a push was triggered, labeled by reason for the push. +# TYPE pilot_push_triggers counter +pilot_push_triggers{type="endpoint"} 40 +pilot_push_triggers{type="proxy"} 1 +# HELP pilot_services Total services known to pilot. +# TYPE pilot_services gauge +pilot_services 11 +# HELP pilot_virt_services Total virtual services known to pilot. +# TYPE pilot_virt_services gauge +pilot_virt_services 1 +# HELP pilot_vservice_dup_domain Virtual services with dup domains. +# TYPE pilot_vservice_dup_domain gauge +pilot_vservice_dup_domain 0 +# HELP pilot_xds Number of endpoints connected to this pilot using XDS. +# TYPE pilot_xds gauge +pilot_xds{version="1.7.1"} 8 +# HELP pilot_xds_push_time Total time in seconds Pilot takes to push lds, rds, cds and eds. +# TYPE pilot_xds_push_time histogram +pilot_xds_push_time_bucket{type="cds",le="0.01"} 9 +pilot_xds_push_time_bucket{type="cds",le="0.1"} 9 +pilot_xds_push_time_bucket{type="cds",le="1"} 9 +pilot_xds_push_time_bucket{type="cds",le="3"} 9 +pilot_xds_push_time_bucket{type="cds",le="5"} 9 +pilot_xds_push_time_bucket{type="cds",le="10"} 9 +pilot_xds_push_time_bucket{type="cds",le="20"} 9 +pilot_xds_push_time_bucket{type="cds",le="30"} 9 +pilot_xds_push_time_bucket{type="cds",le="+Inf"} 9 +pilot_xds_push_time_sum{type="cds"} 0.009549363999999998 +pilot_xds_push_time_count{type="cds"} 9 +pilot_xds_push_time_bucket{type="eds",le="0.01"} 49 +pilot_xds_push_time_bucket{type="eds",le="0.1"} 49 +pilot_xds_push_time_bucket{type="eds",le="1"} 49 +pilot_xds_push_time_bucket{type="eds",le="3"} 49 +pilot_xds_push_time_bucket{type="eds",le="5"} 49 +pilot_xds_push_time_bucket{type="eds",le="10"} 49 +pilot_xds_push_time_bucket{type="eds",le="20"} 49 +pilot_xds_push_time_bucket{type="eds",le="30"} 49 +pilot_xds_push_time_bucket{type="eds",le="+Inf"} 49 +pilot_xds_push_time_sum{type="eds"} 0.008623654 +pilot_xds_push_time_count{type="eds"} 49 +pilot_xds_push_time_bucket{type="lds",le="0.01"} 9 +pilot_xds_push_time_bucket{type="lds",le="0.1"} 9 +pilot_xds_push_time_bucket{type="lds",le="1"} 9 +pilot_xds_push_time_bucket{type="lds",le="3"} 9 +pilot_xds_push_time_bucket{type="lds",le="5"} 9 +pilot_xds_push_time_bucket{type="lds",le="10"} 9 +pilot_xds_push_time_bucket{type="lds",le="20"} 9 +pilot_xds_push_time_bucket{type="lds",le="30"} 9 +pilot_xds_push_time_bucket{type="lds",le="+Inf"} 9 +pilot_xds_push_time_sum{type="lds"} 0.011886486000000002 +pilot_xds_push_time_count{type="lds"} 9 +pilot_xds_push_time_bucket{type="rds",le="0.01"} 9 +pilot_xds_push_time_bucket{type="rds",le="0.1"} 9 +pilot_xds_push_time_bucket{type="rds",le="1"} 9 +pilot_xds_push_time_bucket{type="rds",le="3"} 9 +pilot_xds_push_time_bucket{type="rds",le="5"} 9 +pilot_xds_push_time_bucket{type="rds",le="10"} 9 +pilot_xds_push_time_bucket{type="rds",le="20"} 9 +pilot_xds_push_time_bucket{type="rds",le="30"} 9 +pilot_xds_push_time_bucket{type="rds",le="+Inf"} 9 +pilot_xds_push_time_sum{type="rds"} 0.002646734 +pilot_xds_push_time_count{type="rds"} 9 +# HELP pilot_xds_pushes Pilot build and send errors for lds, rds, cds and eds. +# TYPE pilot_xds_pushes counter +pilot_xds_pushes{type="cds"} 9 +pilot_xds_pushes{type="eds"} 49 +pilot_xds_pushes{type="lds"} 9 +pilot_xds_pushes{type="rds"} 9 +# HELP process_cpu_seconds_total Total user and system CPU time spent in seconds. +# TYPE process_cpu_seconds_total counter +process_cpu_seconds_total 2.35 +# HELP process_max_fds Maximum number of open file descriptors. +# TYPE process_max_fds gauge +process_max_fds 1.048576e+06 +# HELP process_open_fds Number of open file descriptors. +# TYPE process_open_fds gauge +process_open_fds 52 +# HELP process_resident_memory_bytes Resident memory size in bytes. +# TYPE process_resident_memory_bytes gauge +process_resident_memory_bytes 1.08478464e+08 +# HELP process_start_time_seconds Start time of the process since unix epoch in seconds. +# TYPE process_start_time_seconds gauge +process_start_time_seconds 1.60190238401e+09 +# HELP process_virtual_memory_bytes Virtual memory size in bytes. +# TYPE process_virtual_memory_bytes gauge +process_virtual_memory_bytes 8.08730624e+08 +# HELP process_virtual_memory_max_bytes Maximum amount of virtual memory available in bytes. +# TYPE process_virtual_memory_max_bytes gauge +process_virtual_memory_max_bytes -1 +# HELP statsd_metric_mapper_cache_gets_total The count of total metric cache gets. +# TYPE statsd_metric_mapper_cache_gets_total counter +statsd_metric_mapper_cache_gets_total 0 +# HELP statsd_metric_mapper_cache_hits_total The count of total metric cache hits. +# TYPE statsd_metric_mapper_cache_hits_total counter +statsd_metric_mapper_cache_hits_total 0 +# HELP statsd_metric_mapper_cache_length The count of unique metrics currently cached. +# TYPE statsd_metric_mapper_cache_length gauge +statsd_metric_mapper_cache_length 0 diff --git a/x-pack/metricbeat/module/istio/istiod/_meta/testdata/istiod.v1.7.1.plain-expected.json b/x-pack/metricbeat/module/istio/istiod/_meta/testdata/istiod.v1.7.1.plain-expected.json new file mode 100644 index 00000000000..2d96ee6b90e --- /dev/null +++ b/x-pack/metricbeat/module/istio/istiod/_meta/testdata/istiod.v1.7.1.plain-expected.json @@ -0,0 +1,843 @@ +[ + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "add", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "Gateway" + }, + "pilot_k8s_cfg_events": { + "counter": 1, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "add", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "Nodes" + }, + "pilot_k8s_reg_events": { + "counter": 1, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "update", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "Nodes" + }, + "pilot_k8s_reg_events": { + "counter": 1, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "add", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "DestinationRule" + }, + "pilot_k8s_cfg_events": { + "counter": 4, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "proxy" + }, + "pilot_push_triggers": { + "counter": 1, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "lds" + }, + "pilot_xds_push_time": { + "histogram": { + "counts": [ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "values": [ + 0.005, + 0.05500000000000001, + 0.55, + 2, + 4, + 7.5, + 15, + 25, + 40 + ] + } + }, + "pilot_xds_pushes": { + "counter": 9, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "svc" + }, + "pilot_inbound_updates": { + "counter": 22, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "eds" + }, + "pilot_inbound_updates": { + "counter": 54, + "rate": 0 + }, + "pilot_xds_push_time": { + "histogram": { + "counts": [ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "values": [ + 0.005, + 0.05500000000000001, + 0.55, + 2, + 4, + 7.5, + 15, + 25, + 40 + ] + } + }, + "pilot_xds_pushes": { + "counter": 49, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "add", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "EnvoyFilter" + }, + "pilot_k8s_cfg_events": { + "counter": 8, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "endpoint" + }, + "pilot_push_triggers": { + "counter": 40, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "version": "1.7.1" + }, + "pilot_xds": { + "value": 8 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "add", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "Services" + }, + "pilot_k8s_reg_events": { + "counter": 11, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "update", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "Pods" + }, + "pilot_k8s_reg_events": { + "counter": 61, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "update", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "Endpoints" + }, + "pilot_k8s_reg_events": { + "counter": 30, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "version": "1.7.1-4e26c697ce460dc8d3b25b25818fb0163ca16394-Clean" + }, + "pilot_info": { + "value": 1 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "add", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "Endpoints" + }, + "pilot_k8s_reg_events": { + "counter": 12, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "add", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "VirtualService" + }, + "pilot_k8s_cfg_events": { + "counter": 1, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "cds" + }, + "pilot_xds_push_time": { + "histogram": { + "counts": [ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "values": [ + 0.005, + 0.05500000000000001, + 0.55, + 2, + 4, + 7.5, + 15, + 25, + 40 + ] + } + }, + "pilot_xds_pushes": { + "counter": 9, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "add", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "Pods" + }, + "pilot_k8s_reg_events": { + "counter": 22, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "event": "updatesame", + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "Endpoints" + }, + "pilot_k8s_reg_events": { + "counter": 185, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "config" + }, + "pilot_inbound_updates": { + "counter": 90, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "citadel_server_csr_count": { + "counter": 8, + "rate": 0 + }, + "citadel_server_root_cert_expiry_timestamp": { + "value": 1916309303 + }, + "citadel_server_success_cert_issuance_count": { + "counter": 8, + "rate": 0 + }, + "galley_validation_config_updates": { + "counter": 2, + "rate": 0 + }, + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio" + }, + "pilot_conflict_inbound_listener": { + "value": 0 + }, + "pilot_conflict_outbound_listener_http_over_current_tcp": { + "value": 0 + }, + "pilot_conflict_outbound_listener_tcp_over_current_http": { + "value": 0 + }, + "pilot_conflict_outbound_listener_tcp_over_current_tcp": { + "value": 0 + }, + "pilot_destrule_subsets": { + "value": 0 + }, + "pilot_duplicate_envoy_clusters": { + "value": 0 + }, + "pilot_eds_no_instances": { + "value": 0 + }, + "pilot_endpoint_not_ready": { + "value": 0 + }, + "pilot_no_ip": { + "value": 0 + }, + "pilot_proxy_convergence_time": { + "histogram": { + "counts": [ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "values": [ + 0.05, + 0.30000000000000004, + 0.75, + 2, + 4, + 7.5, + 15, + 25, + 40 + ] + } + }, + "pilot_proxy_queue_time": { + "histogram": { + "counts": [ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "values": [ + 0.05, + 0.55, + 2, + 4, + 7.5, + 15, + 25, + 40 + ] + } + }, + "pilot_services": { + "value": 11 + }, + "pilot_virt_services": { + "value": 1 + }, + "pilot_vservice_dup_domain": { + "value": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "labels": { + "instance": "127.0.0.1:51143", + "job": "istio", + "type": "rds" + }, + "pilot_xds_push_time": { + "histogram": { + "counts": [ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "values": [ + 0.005, + 0.05500000000000001, + 0.55, + 2, + 4, + 7.5, + 15, + 25, + 40 + ] + } + }, + "pilot_xds_pushes": { + "counter": 9, + "rate": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + }, + { + "event": { + "dataset": "istio.istiod", + "duration": 115000, + "module": "istio" + }, + "metricset": { + "name": "istiod", + "period": 10000 + }, + "prometheus": { + "galley_validation_failed": { + "counter": 1, + "rate": 0 + }, + "labels": { + "group": "networking.istio.io", + "instance": "127.0.0.1:51143", + "job": "istio", + "reason": "invalid_resource", + "resource": "gateways", + "version": "v1alpha3" + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "istio" + } + } +] \ No newline at end of file diff --git a/x-pack/metricbeat/module/istio/istiod/istiod_test.go b/x-pack/metricbeat/module/istio/istiod/istiod_test.go new file mode 100644 index 00000000000..23ce86ca7f0 --- /dev/null +++ b/x-pack/metricbeat/module/istio/istiod/istiod_test.go @@ -0,0 +1,32 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !integration + +package istiod + +import ( + "os" + "testing" + + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/metricbeat/mb" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + + // Register input module and metricset + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus/collector" +) + +func init() { + // To be moved to some kind of helper + os.Setenv("BEAT_STRICT_PERMS", "false") + mb.Registry.SetSecondarySource(mb.NewLightModulesSource("../../../module")) +} + +func TestEventMapping(t *testing.T) { + logp.TestingSetup() + + mbtest.TestDataFiles(t, "istio", "istiod") +} diff --git a/x-pack/metricbeat/module/istio/istiod/manifest.yml b/x-pack/metricbeat/module/istio/istiod/manifest.yml new file mode 100644 index 00000000000..0a8294d9192 --- /dev/null +++ b/x-pack/metricbeat/module/istio/istiod/manifest.yml @@ -0,0 +1,11 @@ +default: false +input: + module: prometheus + metricset: collector + defaults: + metrics_path: /metrics + metrics_filters: + include: ["citadel_*", "galley_*", "pilot_*"] + exclude: ["^up$"] + use_types: true + rate_counters: true diff --git a/x-pack/metricbeat/module/istio/module.yaml b/x-pack/metricbeat/module/istio/module.yaml deleted file mode 100644 index 8b137891791..00000000000 --- a/x-pack/metricbeat/module/istio/module.yaml +++ /dev/null @@ -1 +0,0 @@ - diff --git a/x-pack/metricbeat/module/istio/module.yml b/x-pack/metricbeat/module/istio/module.yml new file mode 100644 index 00000000000..de29503fca5 --- /dev/null +++ b/x-pack/metricbeat/module/istio/module.yml @@ -0,0 +1,3 @@ +name: istio +metricsets: +- istiod diff --git a/x-pack/metricbeat/module/sql/_meta/docs.asciidoc b/x-pack/metricbeat/module/sql/_meta/docs.asciidoc index 31751f264ec..d445d62e305 100644 --- a/x-pack/metricbeat/module/sql/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/sql/_meta/docs.asciidoc @@ -1,21 +1,42 @@ -The SQL module allows to execute custom queries against an SQL database and store the results to Elasticsearch. +The SQL module allows you to execute custom queries against an SQL database and +store the results in {es}. -The currently supported databases are the ones already included in Metricbeat, which are: -- PostgreSQL -- MySQL -- Oracle -- Microsoft SQL -- CockroachDB +This module supports the databases that you can monitor with {metricbeat}, +including: -== Quickstart +* PostgreSQL +* MySQL +* Oracle +* Microsoft SQL +* CockroachDB -You can setup the module by activating it first running +To enable the module, run: - metricbeat module enable sql +[source,shell] +---- +metricbeat module enable sql +---- + +After enabling the module, open `modules.d/sql.yml` and set the required +fields: + +`driver`:: The driver can be any driver that has a {metricbeat} module, such as +`mssql` or `postgres`. +`sql_query`:: The single query you want to run. +`sql_response_format`:: Either `variables` or `table`: +`variables`::: Expects a two-column table that looks like a key/value result. +The left column is considered a key and the right column the value. This mode +generates a single event on each fetch operation. +`table`::: Expects any number of columns. This mode generates a single event for +each row. -Once it is activated, open `modules.d/sql.yml` and fill the required fields. This is an example that captures Innodb related metrics from the result of the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL database: +[float] +=== Example: capture Innodb-related metrics + +This `sql.yml` configuration shows how to capture Innodb-related metrics that +result from the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL +database: -.sql.yml [source,yaml] ---- - module: sql @@ -29,7 +50,8 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi sql_response_format: variables ---- -.SHOW GLOBAL STATUS LIKE 'Innodb_system%' +The `SHOW GLOBAL STATUS` query results in this table: + |==== |Variable_name|Value @@ -39,18 +61,11 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi |Innodb_system_rows_updated|315 |==== +Results are grouped by type in the result event for convenient mapping in +{es}. For example, `strings` values are grouped into `sql.strings`, `numeric` +into `sql.numeric`, and so on. -Keys in the YAML are defined as follow: - -- `driver`: The drivers currently supported are those which already have a Metricbeat module like `mssql` or `postgres`. -- `sql_query`: Is the single query you want to run -- `sql_response_format`: You have 2 options here: - - `variables`: Expects a table which looks like a key/value result. With 2 columns, left column will be considered a key and the right column the value. This mode generates a single event on each fetch operation. - - `table`: Table mode can contain any number of columns and a single event will be generated for each row. - -Results will be grouped by type in the result event for convenient mapping in Elasticsearch. So `strings` values will be grouped into `sql.strings`, `numeric` into `sql.numeric` and so on and so forth. - -The event generated with the example above looks like this: +The example shown earlier generates this event: [source,json] ---- @@ -102,9 +117,13 @@ The event generated with the example above looks like this: } ---- -In this example, we are querying PostgreSQL and generate a "table" result, hence a single event for each row returned +[float] +=== Example: query PostgreSQL and generate a "table" result + +This `sql.yml` configuration shows how to query PostgreSQL and generate +a "table" result. This configuration generates a single event for each row +returned: -.sql.yml [source,yaml] ---- - module: sql @@ -118,7 +137,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence sql_response_format: table ---- -.SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database +The SELECT query results in this table: + |==== |datid|datname|blks_read|blks_hit|tup_returned|tup_fetched|stats_reset @@ -127,7 +147,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence |13407|template0|0|0|0|0| |==== -With 3 rows on the table, three events will be generated with the contents of each row. As an example, below you can see the event created for the first row: +Because the table contains three rows, three events are generated, one event +for each row. For example, this event is created for the first row: [source,json] ---- @@ -184,14 +205,11 @@ With 3 rows on the table, three events will be generated with the contents of ea } ---- +[float] +=== Example: get the buffer catch hit ratio in Oracle -== More examples +This `sql.yml` configuration shows how to get the buffer cache hit ratio: -=== Oracle: - -Get the buffer cache hit ratio: - -.sql.yml [source,yaml] ---- - module: sql @@ -205,6 +223,7 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: [source,json] ---- @@ -259,11 +278,11 @@ Get the buffer cache hit ratio: } ---- -=== MSSQL +[float] +=== Example: get the buffer cache hit ratio for MSSQL -Get the buffer cache hit ratio: +This `sql.yml` configuration gets the buffer cache hit ratio: -.sql.yml [source,yaml] ---- - module: sql @@ -277,6 +296,8 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: + [source,json] ---- { @@ -328,11 +349,12 @@ Get the buffer cache hit ratio: } ---- -=== Two or more queries +[float] +=== Example: launch two or more queries -If you want to launch two or more queries, you need to specify them with their full configuration for each query. For example: +To launch two or more queries, specify the full configuration for each query. +For example: -.sql.yml [source,yaml] ---- - module: sql diff --git a/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc b/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc index df05a99c95c..8f48f8507de 100644 --- a/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc @@ -1,4 +1,4 @@ -The sql `query` metricset collect rows returned by a query. +The sql `query` metricset collects rows returned by a query. -Fields names (columns) will be returned as lowercase. -Values will be returned as numeric or string. \ No newline at end of file +Field names (columns) are returned as lowercase strings. Values are returned as numeric +or string. diff --git a/x-pack/metricbeat/modules.d/aws.yml.disabled b/x-pack/metricbeat/modules.d/aws.yml.disabled index d0053297885..cc3103643c7 100644 --- a/x-pack/metricbeat/modules.d/aws.yml.disabled +++ b/x-pack/metricbeat/modules.d/aws.yml.disabled @@ -47,4 +47,8 @@ period: 24h metricsets: - s3_daily_storage +- module: aws + period: 1m + latency: 5m + metricsets: - s3_request diff --git a/x-pack/metricbeat/modules.d/azure.yml.disabled b/x-pack/metricbeat/modules.d/azure.yml.disabled index 23211f47206..10d00e003cf 100644 --- a/x-pack/metricbeat/modules.d/azure.yml.disabled +++ b/x-pack/metricbeat/modules.d/azure.yml.disabled @@ -114,3 +114,11 @@ # api_key: '' # metrics: # - id: ["requests/count", "requests/duration"] + +#- module: azure +# metricsets: +# - app_state +# enabled: true +# period: 300s +# application_id: '' +# api_key: '' diff --git a/x-pack/metricbeat/modules.d/istio.yml.disabled b/x-pack/metricbeat/modules.d/istio.yml.disabled index 1140d047a09..b65bcdef949 100644 --- a/x-pack/metricbeat/modules.d/istio.yml.disabled +++ b/x-pack/metricbeat/modules.d/istio.yml.disabled @@ -35,3 +35,10 @@ period: 10s # use istio-pilot.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset hosts: ["localhost:15014"] + +# Istio istiod to monitor the Istio Daemon for versions after 1.5 of Istio. +- module: istio + metricsets: ['istiod'] + period: 10s + # use istiod.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset + hosts: ['localhost:15014'] diff --git a/x-pack/packetbeat/Jenkinsfile.yml b/x-pack/packetbeat/Jenkinsfile.yml index a8e66d9021a..fd30546f70a 100644 --- a/x-pack/packetbeat/Jenkinsfile.yml +++ b/x-pack/packetbeat/Jenkinsfile.yml @@ -1,15 +1,15 @@ when: branches: true ## for all the branches changeset: ## when PR contains any of those entries in the changeset - - "^x-pack/winlogbeat/.*" + - "^x-pack/packetbeat/.*" - "@ci" ## special token regarding the changeset for the ci - "@xpack" ## special token regarding the changeset for the xpack comments: ## when PR comment contains any of those entries - - "/test x-pack/winlogbeat" + - "/test x-pack/packetbeat" labels: ## when PR labels matches any of those entries - - "x-pack-winlogbeat" + - "x-pack-packetbeat" parameters: ## when parameter was selected in the UI. - - "x-pack-winlogbeat" + - "x-pack-packetbeat" tags: true ## for all the tags platform: "linux && ubuntu-18" ## default label for all the stages stages: @@ -18,4 +18,14 @@ stages: withModule: true platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test x-pack/winlogbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/x-pack/winlogbeat/Jenkinsfile.yml b/x-pack/winlogbeat/Jenkinsfile.yml index ad879243fee..788d4a35369 100644 --- a/x-pack/winlogbeat/Jenkinsfile.yml +++ b/x-pack/winlogbeat/Jenkinsfile.yml @@ -18,4 +18,14 @@ stages: withModule: true platforms: ## override default labels in this specific stage. - "windows-2019" - - "windows-10" + windows-2016: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2016" + when: ## Override the top-level when. + comments: + - "/test x-pack/winlogbeat for windows-2016" + labels: + - "windows-2016" + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js index 71ce567ccc7..4ef1155086b 100644 --- a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js +++ b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js @@ -5,7 +5,7 @@ var powershell = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); var normalizeCommonFieldNames = new processor.Convert({ fields: [ @@ -183,7 +183,7 @@ var powershell = (function () { if (!commandLine) { return; } - evt.Put(target, winlogbeat.splitCommandLine(commandLine)); + evt.Put(target, windows.splitCommandLine(commandLine)); }; var addProcessArgs = function (evt) { diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 9a117a42f6f..5a8e91b677b 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -5,7 +5,7 @@ var security = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); // Logon Types // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events @@ -1479,11 +1479,12 @@ var security = (function () { fields: [ {from: "winlog.event_data.AccountName", to: "user.name"}, {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip"}, + {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, {from: "winlog.event_data.ClientName", to: "source.domain"}, {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, ], ignore_missing: true, + fail_on_error: false, }) .Add(function(evt) { var user = evt.Get("winlog.event_data.AccountName"); @@ -1669,7 +1670,7 @@ var security = (function () { if (!cl) { return; } - evt.Put("process.args", winlogbeat.splitCommandLine(cl)); + evt.Put("process.args", windows.splitCommandLine(cl)); evt.Put("process.command_line", cl); }) .Build(); diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 5fcedb9e40e..5b09c98fc32 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -15,7 +15,7 @@ if (!String.prototype.startsWith) { var sysmon = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); var net = require("net"); // Windows error codes for DNS. This list was generated using @@ -311,7 +311,7 @@ var sysmon = (function () { if (!commandLine) { return; } - evt.Put(target, winlogbeat.splitCommandLine(commandLine)); + evt.Put(target, windows.splitCommandLine(commandLine)); }; var splitProcessArgs = function (evt) { diff --git a/x-pack/winlogbeat/module/testing_windows.go b/x-pack/winlogbeat/module/testing_windows.go index 12b2102070f..058e2320a9d 100644 --- a/x-pack/winlogbeat/module/testing_windows.go +++ b/x-pack/winlogbeat/module/testing_windows.go @@ -28,7 +28,6 @@ import ( // Register javascript modules. _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module" - _ "github.com/elastic/beats/v7/winlogbeat/processors/script/javascript/module/winlogbeat" ) var update = flag.Bool("update", false, "update golden files")