Hello everyone!
I would be very grateful for your help! I am currently trying to integrate a Check Point firewall with ELK. The logs arrive, but they are not parsed. I get the following error when the ingest pipeline processes logs from the Check Point firewall:
[
"field [syslog5424_sd] not present as part of path [syslog5424_sd]"
]
And I have the following ingest pipeline:
[
{
"set": {
"field": "ecs.version",
"value": "8.11.0"
}
},
{
"set": {
"tag": "set_event_original",
"field": "event.original",
"copy_from": "message"
}
},
{
"remove": {
"tag": "remove_message",
"field": "message",
"ignore_missing": true
}
},
{
"grok": {
"field": "event.original",
"patterns": [
"%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP}|-) +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(?::-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +\\[%{GREEDYDATA:syslog5424_sd}\\]",
"<%{NUMBER:priority}>%{MONTH:month} %{MONTHDAY:day} %{TIME:time} %{HOSTNAME:hostname}(?: %{DATA:process}(?:\\[%{NUMBER:pid}\\])?:)? (?:%{DATA:module})?(?: Action=\"%{WORD:action}\")?(?: inzone=\"%{WORD:inzone}\")?(?: outzone=\"%{WORD:outzone}\")?(?: service_id=\"%{DATA:service_id}\")?(?: src=\"%{IP:src_ip}\")?(?: dst=\"%{IP:dst_ip}\")?(?: proto=\"%{NUMBER:protocol}\")?(?: xlatesrc=\"%{IP:xlatesrc}\")?(?: xlatedst=\"%{IP:xlatedst}\")?(?: NAT_rulenum=\"%{NUMBER:nat_rulenum}\")?(?: NAT_addtnl_rulenum=\"%{NUMBER:nat_addtnl_rulenum}\")?(?: user=\"%{DATA:user}\")?(?: ProductName=\"%{DATA:product_name}\")?(?: svc=\"%{NUMBER:svc}\")?(?: sport_svc=\"%{NUMBER:sport_svc}\")?(?: xlatedport_svc=\"%{DATA:xlatedport_svc}\")?(?: xlatesport_svc=\"%{NUMBER:xlatesport_svc}\")?(?: layer_uuid=\"%{DATA:layer_uuid}\")?(?: layer_name=\"%{DATA:layer_name}\")?(?: rule_uid=\"%{DATA:rule_uid}\")?(?: rule_name=\"%{DATA:rule_name}\")?(?: src_device_function=\"%{DATA:src_device_function}\")?(?: src_device_manufacturer=\"%{DATA:src_device_manufacturer}\")?(?: src_device_model=\"%{DATA:src_device_model}\")?(?: src_dynobj_name=\"%{DATA:src_dynobj_name}\")?(?: dst_dynobj_name=\"%{DATA:dst_dynobj_name}\")?(?: dst_domain_name=\"%{DATA:dst_domain_name}\")?(?: dst_uo_name=\"%{DATA:dst_uo_name}\")?(?: dst_uo_icon=\"%{DATA:dst_uo_icon}\")?(?: dst_object_type=\"%{DATA:dst_object_type}\")?(?: ProductFamily=\"%{DATA:product_family}\")?(?: %{GREEDYDATA:additional_data})?"
],
"pattern_definitions": {
"TIMESTAMP": "%{TIMESTAMP_ISO8601:syslog5424_ts}(?:-?%{ISO8601_TIMEZONE:_temp_.tz})?",
"TIMESTAMP_ISO8601": "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?"
},
"tag": "grok_syslog_line",
"on_failure": [
{
"append": {
"field": "error.message",
"value": "fail-{{{ _ingest.on_failure_processor_tag }}}"
}
},
{
"fail": {
"message": "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}"
}
}
]
}
},
{
"kv": {
"field": "syslog5424_sd",
"field_split": "(?<=\"); ",
"value_split": "(?i)(?<=[a-z]):{1,2}(?=\")",
"exclude_keys": [
"flags",
"layer_uuid",
"__policy_id_tag",
"version",
"rounded_bytes",
"db_tag",
"update_service"
],
"prefix": "checkpoint.",
"trim_key": " ",
"trim_value": " ",
"strip_brackets": true,
"tag": "kv_syslog_structured_semicolon_colon",
"ignore_failure": true,
"on_failure": [
{
"append": {
"field": "error.message",
"value": "fail-{{{ _ingest.on_failure_processor_tag }}}"
}
},
{
"fail": {
"message": "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}"
}
}
]
}
},
{
"grok": {
"field": "syslog5424_sd",
"patterns": [
"(?:%{NOTSPACE} +)?%{GREEDYDATA:syslog5424_sd}"
],
"if": "ctx.checkpoint == null"
}
},
{
"kv": {
"field": "syslog5424_sd",
"field_split": "(?<=\") ",
"value_split": "(?i)(?<=[a-z])=(?=\")",
"exclude_keys": [
"flags",
"layer_uuid",
"__policy_id_tag",
"version",
"rounded_bytes",
"db_tag",
"update_service",
"ProductName",
"ProductFamily",
"UP_match_table",
"ROW_END"
],
"prefix": "checkpoint.",
"trim_key": " ",
"trim_value": " ",
"strip_brackets": true,
"if": "ctx.checkpoint == null",
"tag": "kv_syslog_structured_space_equals",
"ignore_failure": true,
"on_failure": [
{
"append": {
"field": "error.message",
"value": "fail-{{{ _ingest.on_failure_processor_tag }}}"
}
},
{
"fail": {
"message": "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}"
}
}
]
}
},
{
"foreach": {
"field": "checkpoint",
"ignore_missing": true,
"ignore_failure": true,
"processor": {
"lowercase": {
"field": "_ingest._key"
}
}
}
},
{
"remove": {
"field": [
"syslog5424_sd",
"syslog5424_app",
"syslog5424_host",
"syslog5424_msgid",
"syslog5424_pri",
"syslog5424_proc",
"syslog5424_ver",
"host"
]
}
},
{
"rename": {
"field": "@timestamp",
"target_field": "event.created",
"ignore_missing": true
}
},
{
"set": {
"field": "_temp_.tz",
"value": "UTC",
"if": "ctx._temp_?.tz == 'Z'"
}
},
{
"set": {
"field": "_temp_.tz",
"copy_from": "_conf.tz_offset",
"override": false,
"if": "ctx._conf?.tz_offset != null && ctx._conf?.tz_offset != 'local'"
}
},
{
"set": {
"field": "_temp_.tz",
"copy_from": "event.timezone",
"override": false,
"if": "ctx.event?.timezone != null"
}
},
{
"set": {
"field": "_temp_.tz",
"value": "UTC",
"override": false
}
},
{
"set": {
"field": "event.timezone",
"copy_from": "_temp_.tz"
}
},
{
"gsub": {
"field": "event.timezone",
"pattern": "([+-][0-9]{2})([0-9]{2})",
"replacement": "$1:$2",
"ignore_missing": true
}
},
{
"gsub": {
"field": "event.timezone",
"pattern": "([+-])([0-9]):?([0-9]{2})",
"replacement": "$10$2:$3",
"ignore_missing": true
}
},
{
"date": {
"field": "syslog5424_ts",
"timezone": "{{{ event.timezone }}}",
"formats": [
"ISO8601",
"UNIX"
],
"if": "ctx.checkpoint?.time == null",
"on_failure": [
{
"remove": {
"field": "event.timezone",
"ignore_missing": true
}
},
{
"date": {
"tag": "date_utc_fallback",
"field": "syslog5424_ts",
"formats": [
"ISO8601",
"UNIX"
],
"on_failure": [
{
"append": {
"field": "error.message",
"value": "fail-{{{ _ingest.on_failure_processor_tag }}}"
}
},
{
"fail": {
"message": "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}"
}
}
]
}
}
]
}
},
{
"fingerprint": {
"if": "ctx.checkpoint?.loguid == null && ctx.checkpoint?.time == null",
"fields": [
"event.original"
],
"target_field": "_id",
"ignore_missing": true
}
},
{
"fingerprint": {
"if": "ctx._id == null",
"fields": [
"@timestamp",
"checkpoint.loguid",
"checkpoint.time",
"checkpoint.segment_time"
],
"target_field": "_id",
"ignore_missing": true
}
},
{
"append": {
"field": "event.category",
"value": "network",
"if": "!['Log In','Log Out'].contains(ctx.checkpoint?.operation) && !['Log In','Log Out'].contains(ctx.checkpoint?.action)",
"allow_duplicates": false
}
},
{
"set": {
"field": "observer.vendor",
"value": "Checkpoint"
}
},
{
"set": {
"field": "observer.type",
"value": "firewall",
"if": "ctx.checkpoint?.type == null"
}
},
{
"set": {
"field": "observer.product",
"value": "{{{checkpoint.product}}}",
"ignore_empty_value": true
}
},
{
"rename": {
"field": "checkpoint.src",
"target_field": "source.ip",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.client_ip",
"target_field": "source.ip",
"ignore_missing": true,
"if": "ctx.source?.ip == null"
}
},
{
"rename": {
"field": "checkpoint.xlatesrc",
"target_field": "source.nat.ip",
"if": "ctx.checkpoint?.xlatesrc != '0.0.0.0' && ctx.checkpoint?.xlatesrc != ''",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.dst",
"target_field": "destination.ip",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.xlatedst",
"target_field": "destination.nat.ip",
"if": "ctx.checkpoint?.xlatedst != '0.0.0.0' && ctx.checkpoint?.xlatedst != ''",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.uid",
"target_field": "source.user.id",
"ignore_missing": true
}
},
{
"set": {
"field": "source.user.name",
"copy_from": "checkpoint.user",
"ignore_empty_value": true
}
},
{
"set": {
"field": "source.user.name",
"copy_from": "checkpoint.administrator",
"if": "ctx.source?.user?.name == null",
"ignore_empty_value": true
}
},
{
"set": {
"field": "source.user.name",
"copy_from": "checkpoint.src_user_name",
"if": "ctx.source?.user?.name == null",
"ignore_empty_value": true
}
},
{
"convert": {
"field": "checkpoint.client_outbound_packets",
"target_field": "source.packets",
"type": "long",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.server_outbound_packets",
"target_field": "destination.packets",
"type": "long",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.client_outbound_bytes",
"target_field": "source.bytes",
"type": "long",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.sent_byte",
"target_field": "source.bytes",
"type": "long",
"ignore_failure": true,
"ignore_missing": true,
"if": "ctx.source?.bytes == null"
}
},
{
"convert": {
"field": "checkpoint.server_outbound_bytes",
"target_field": "destination.bytes",
"type": "long",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.received_bytes",
"target_field": "destination.bytes",
"type": "long",
"ignore_failure": true,
"ignore_missing": true,
"if": "ctx.destination?.bytes == null"
}
},
{
"convert": {
"field": "checkpoint.service",
"target_field": "destination.port",
"type": "long",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.xlatedport",
"target_field": "destination.nat.port",
"type": "long",
"ignore_failure": true,
"ignore_missing": true,
"if": "ctx.checkpoint?.xlatedport != '0'"
}
},
{
"convert": {
"field": "checkpoint.s_port",
"target_field": "source.port",
"type": "long",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.xlatesport",
"target_field": "source.nat.port",
"type": "long",
"ignore_failure": true,
"ignore_missing": true,
"if": "ctx.checkpoint?.xlatesport != '0'"
}
},
{
"rename": {
"field": "checkpoint.mac_source_address",
"target_field": "source.mac",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.src_machine_name",
"target_field": "source.domain",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.destination_dns_hostname",
"target_field": "destination.domain",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.dst_machine_name",
"target_field": "destination.domain",
"if": "ctx.server?.domain == null",
"ignore_missing": true
}
},
{
"set": {
"field": "destination.user.name",
"copy_from": "checkpoint.dst_user_name",
"if": "ctx.checkpoint?.dst_user_name != null"
}
},
{
"set": {
"field": "destination.user.domain",
"copy_from": "checkpoint.dst_user_dn",
"if": "ctx.checkpoint?.dst_user_dn != null"
}
},
{
"rename": {
"field": "checkpoint.src_user_group",
"target_field": "source.user.group.name",
"ignore_missing": true
}
},
{
"append": {
"field": "event.category",
"value": "authentication",
"if": "ctx.checkpoint?.operation == 'Log In' || ctx.checkpoint?.operation == 'Log Out'",
"allow_duplicates": false
}
},
{
"rename": {
"field": "checkpoint.originsicname",
"target_field": "checkpoint.origin_sic_name",
"ignore_missing": true
}
},
{
"set": {
"field": "event.kind",
"value": "alert",
"if": "['Prevent', 'Detect', 'Quarantine'].contains(ctx.checkpoint?.rule_action)"
}
},
{
"set": {
"field": "event.kind",
"value": "event",
"if": "ctx.event?.kind == null"
}
},
{
"set": {
"field": "event.outcome",
"value": "success",
"if": "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)"
}
},
{
"append": {
"field": "event.type",
"value": [
"allowed",
"connection"
],
"if": "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action) && (ctx.checkpoint?.operation != 'Log In' && ctx.checkpoint?.operation != 'Log Out')"
}
},
{
"set": {
"field": "event.outcome",
"value": "success",
"if": "ctx.checkpoint?.audit_status == 'Success'"
}
},
{
"set": {
"field": "event.outcome",
"value": "failure",
"if": "ctx.checkpoint?.audit_status == 'Failure'"
}
},
{
"set": {
"field": "event.outcome",
"value": "success",
"if": "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)"
}
},
{
"append": {
"field": "event.type",
"value": [
"connection",
"denied"
],
"if": "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)"
}
},
{
"append": {
"field": "event.category",
"value": "malware",
"if": "ctx.checkpoint?.malware_action != null",
"allow_duplicates": false
}
},
{
"append": {
"field": "event.category",
"value": "intrusion_detection",
"if": "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)",
"allow_duplicates": false
}
},
{
"set": {
"field": "event.outcome",
"value": "success",
"if": "ctx.checkpoint?.action == 'Log In'"
}
},
{
"set": {
"field": "event.outcome",
"value": "failure",
"if": "ctx.checkpoint?.action == 'Failed Log In'"
}
},
{
"set": {
"field": "event.outcome",
"value": "success",
"if": "ctx.checkpoint?.operation == 'Log Out'",
"override": true,
"description": "Set 'success' outcome for logoff activity."
}
},
{
"set": {
"field": "event.outcome",
"value": "success",
"if": "ctx.checkpoint?.operation == 'Log In' && (ctx.checkpoint?.audit_status == 'Success' || ctx.checkpoint?.audit_status == null)",
"override": true,
"description": "Set 'success' outcome by default for logon events without audit outcome set."
}
},
{
"append": {
"field": "event.category",
"value": "authentication",
"if": "['Log In', 'Failed Log In'].contains(ctx.checkpoint?.action)",
"allow_duplicates": false
}
},
{
"append": {
"field": "event.type",
"value": [
"start"
],
"allow_duplicates": false,
"if": "ctx.checkpoint?.action == 'Log In' || ctx.checkpoint?.operation == 'Log In'"
}
},
{
"append": {
"field": "event.type",
"value": "end",
"allow_duplicates": false,
"if": "ctx.checkpoint?.action == 'Log Out' || ctx.checkpoint?.operation == 'Log Out'",
"description": "Add 'end' categorization type for events related to log out activities."
}
},
{
"set": {
"field": "checkpoint.action",
"value": "logged-in",
"if": "ctx.checkpoint?.action == 'Log In'"
}
},
{
"append": {
"field": "event.type",
"value": "denied",
"allow_duplicates": false,
"if": "ctx.checkpoint?.action == 'Failed Log In'"
}
},
{
"set": {
"field": "checkpoint.action",
"value": "logon-failed",
"if": "ctx.checkpoint?.action == 'Failed Log In'"
}
},
{
"append": {
"field": "related.ip",
"value": "{{{source.ip}}}",
"allow_duplicates": false,
"if": "ctx.source?.ip != null"
}
},
{
"append": {
"field": "related.ip",
"value": "{{{source.nat.ip}}}",
"allow_duplicates": false,
"if": "ctx.source?.nat?.ip != null"
}
},
{
"append": {
"field": "related.ip",
"value": "{{{destination.ip}}}",
"allow_duplicates": false,
"if": "ctx.destination?.ip != null"
}
},
{
"append": {
"field": "related.ip",
"value": "{{{destination.nat.ip}}}",
"allow_duplicates": false,
"if": "ctx.destination?.nat?.ip != null"
}
},
{
"append": {
"field": "related.hash",
"value": "{{{checkpoint.file_md5}}}",
"allow_duplicates": false,
"if": "ctx.checkpoint?.file_md5 != null"
}
},
{
"append": {
"field": "related.hash",
"value": "{{{checkpoint.file_sha1}}}",
"allow_duplicates": false,
"if": "ctx.checkpoint?.file_sha1 != null"
}
},
{
"append": {
"field": "related.hash",
"value": "{{{checkpoint.file_sha256}}}",
"allow_duplicates": false,
"if": "ctx.checkpoint?.file_sha256 != null"
}
},
{
"rename": {
"field": "checkpoint.from",
"target_field": "source.user.email",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.to",
"target_field": "destination.user.email",
"ignore_missing": true
}
},
{
"set": {
"field": "email.from.address",
"value": [
"{{{destination.user.email}}}"
],
"if": "ctx?.destination?.user?.email != null"
}
},
{
"set": {
"field": "email.to.address",
"value": [
"{{{destination.user.email}}}"
],
"if": "ctx?.destination?.user?.email != null"
}
},
{
"append": {
"field": "email.from.address",
"value": "{{{checkpoint.mime_from}}}",
"if": "ctx?.checkpoint?.mime_from != null"
}
},
{
"append": {
"field": "email.to.address",
"value": "{{{checkpoint.mime_to}}}",
"if": "ctx?.checkpoint?.mime_to != null"
}
},
{
"set": {
"field": "email.subject",
"copy_from": "checkpoint.email_subject",
"if": "ctx?.checkpoint?.email_subject != null"
}
},
{
"append": {
"field": "email.bcc.address",
"value": "{{{checkpoint.bcc}}}",
"if": "ctx?.checkpoint?.bcc != null"
}
},
{
"append": {
"field": "email.cc.address",
"value": "{{{checkpoint.cc}}}",
"if": "ctx?.checkpoint?.cc != null"
}
},
{
"set": {
"field": "email.delivery_timestamp",
"copy_from": "checkpoint.delivery_time",
"if": "ctx?.checkpoint?.delivery_time != null"
}
},
{
"set": {
"field": "email.message_id",
"copy_from": "checkpoint.email_message_id",
"if": "ctx?.checkpoint?.email_message_id != null"
}
},
{
"set": {
"field": "email.local_id",
"copy_from": "checkpoint.email_queue_id",
"if": "ctx?.checkpoint?.email_queue_id != null"
}
},
{
"rename": {
"field": "checkpoint.usercheck_incident_uid",
"target_field": "destination.user.id",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.service_name",
"target_field": "destination.service.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.mac_destination_address",
"target_field": "destination.mac",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.dns_type",
"target_field": "dns.question.type",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.domain_name",
"target_field": "dns.question.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "dns.question.name",
"target_field": "source.user.domain",
"ignore_missing": true,
"if": "ctx.checkpoint?.operation == 'Log Out' && ctx.source?.user?.domain == null"
}
},
{
"dissect": {
"field": "checkpoint.additional_info",
"pattern": "Administrator failed to log in: %{event.reason}",
"ignore_missing": true,
"ignore_failure": true,
"if": "ctx.checkpoint?.operation == 'Log In' && ctx.checkpoint.audit_status == 'Failure' && (ctx.event?.reason == null || ctx.event?.reason == \"\")"
}
},
{
"rename": {
"field": "checkpoint.dns_message_type",
"target_field": "dns.type",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.tid",
"target_field": "dns.id",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.loguid",
"target_field": "event.id",
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.sequencenum",
"target_field": "event.sequence",
"type": "long",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.severity",
"target_field": "event.severity",
"type": "long",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.action",
"target_field": "event.action",
"ignore_missing": true
}
},
{
"set": {
"field": "event.action",
"value": "logon-failed",
"override": true,
"if": "ctx.checkpoint?.operation == 'Log In' && ctx.checkpoint.audit_status == 'Failure'",
"description": "Set 'logon-failed' action categorization for failed logon attempts."
}
},
{
"set": {
"field": "event.action",
"value": "logged-in",
"override": true,
"if": "ctx.checkpoint?.operation == 'Log In' && (ctx.checkpoint.audit_status == 'Success' || ctx.checkpoint.audit_status == null)",
"description": "Set 'logged-in' action categorization for events related to successful logons."
}
},
{
"set": {
"field": "event.action",
"value": "logged-out",
"override": true,
"if": "ctx.checkpoint?.operation == 'Log Out'",
"description": "Set 'logged-out' action categorization for logoff events."
}
},
{
"set": {
"field": "host.name",
"value": "{{{ checkpoint.device_name }}}",
"override": false,
"ignore_empty_value": true,
"if": "ctx.checkpoint?.operation == 'Log In' && ctx.observer?.product == 'Expert Shell'",
"description": "Copy the device name to the host.name field for logon events in Checkpoint expert shells."
}
},
{
"set": {
"field": "host.type",
"value": "{{{ checkpoint.device_type }}}",
"override": false,
"ignore_empty_value": true,
"if": "ctx.checkpoint?.operation == 'Log In' && ctx.observer?.product == 'Expert Shell'",
"description": "Copy the device type to the host.type field for logon events in Checkpoint expert shells."
}
},
{
"set": {
"field": "source.domain",
"value": "{{{ checkpoint.machine }}}",
"override": false,
"ignore_empty_value": true,
"if": "['Log In', 'Log Out'].contains(ctx.checkpoint?.operation) && ctx.checkpoint.machine != 'localhost'",
"description": "Copy the machine name to the source.domain field for logon and logoff events, unless it is 'localhost'."
}
},
{
"set": {
"field": "network.protocol",
"value": "ssh",
"override": false,
"if": "ctx.checkpoint?.operation == 'Log In' && ctx.observer?.product == 'Expert Shell'",
"description": "Set network protocol to SSH for logon activities made with Checkpoint expert shells."
}
},
{
"set": {
"field": "user.name",
"value": "{{{ source.user.name }}}",
"override": false,
"ignore_empty_value": true
}
},
{
"set": {
"field": "user.id",
"value": "{{{ source.user.id }}}",
"override": false,
"ignore_empty_value": true
}
},
{
"set": {
"field": "user.group.name",
"value": "{{{ source.user.group.name }}}",
"override": false,
"ignore_empty_value": true
}
},
{
"set": {
"field": "user.email",
"value": "{{{ source.user.email }}}",
"override": false,
"ignore_empty_value": true
}
},
{
"set": {
"field": "user.domain",
"value": "{{{ source.user.domain }}}",
"override": false,
"ignore_empty_value": true
}
},
{
"append": {
"field": "user.roles",
"value": "administrator",
"allow_duplicates": false,
"if": "ctx.message == 'Administrator Login' || ctx.message == 'Administrator Logout' || ctx.message == 'Administrator Expert Shell login'",
"description": "Add the 'administrator' role to the user.roles field for all events related to administrator logon / logoff activities."
}
},
{
"set": {
"field": "event.code",
"value": "{{{ checkpoint.operation_number }}}",
"override": false,
"ignore_empty_value": true
}
},
{
"lowercase": {
"field": "user.name",
"ignore_missing": true
}
},
{
"lowercase": {
"field": "user.id",
"ignore_missing": true
}
},
{
"lowercase": {
"field": "user.email",
"ignore_missing": true
}
},
{
"lowercase": {
"field": "user.domain",
"ignore_missing": true
}
},
{
"lowercase": {
"field": "user.group.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.packet_capture",
"target_field": "event.url",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.start_time",
"target_field": "event.start",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.first_detection",
"target_field": "event.start",
"ignore_missing": true,
"if": "ctx.event?.start == null"
}
},
{
"rename": {
"field": "checkpoint.last_detection",
"target_field": "event.end",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.app_risk",
"target_field": "event.risk_score",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.file_id",
"target_field": "file.inode",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.file_type",
"target_field": "file.type",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.file_name",
"target_field": "file.name",
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.file_size",
"target_field": "file.size",
"type": "long",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.file_md5",
"target_field": "file.hash.md5",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.file_sha1",
"target_field": "file.hash.sha1",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.file_sha256",
"target_field": "file.hash.sha256",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.dlp_file_name",
"target_field": "file.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.user_group",
"target_field": "group.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.os_version",
"target_field": "host.os.version",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.os_name",
"target_field": "host.os.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.method",
"target_field": "http.request.method",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.referrer",
"target_field": "http.request.referrer",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.service_id",
"target_field": "network.application",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.ifdir",
"target_field": "network.direction",
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.bytes",
"type": "long",
"ignore_missing": true
}
},
{
"convert": {
"field": "checkpoint.icmp_code",
"type": "long",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"convert": {
"field": "checkpoint.icmp_type",
"type": "long",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"rename": {
"field": "checkpoint.bytes",
"target_field": "network.bytes",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.proto",
"target_field": "network.iana_number",
"ignore_missing": true
}
},
{
"script": {
"lang": "painless",
"ignore_failure": true,
"if": "ctx?.network?.iana_number != null",
"source": "def iana_number = ctx.network.iana_number;\nif (iana_number == '0') {\n ctx.network.transport = 'hopopt';\n} else if (iana_number == '1') {\n ctx.network.transport = 'icmp';\n} else if (iana_number == '2') {\n ctx.network.transport = 'igmp';\n} else if (iana_number == '6') {\n ctx.network.transport = 'tcp';\n} else if (iana_number == '8') {\n ctx.network.transport = 'egp';\n} else if (iana_number == '17') {\n ctx.network.transport = 'udp';\n} else if (iana_number == '47') {\n ctx.network.transport = 'gre';\n} else if (iana_number == '50') {\n ctx.network.transport = 'esp';\n} else if (iana_number == '58') {\n ctx.network.transport = 'ipv6-icmp';\n} else if (iana_number == '112') {\n ctx.network.transport = 'vrrp';\n} else if (iana_number == '132') {\n ctx.network.transport = 'sctp';\n}\n"
}
},
{
"date": {
"field": "checkpoint.subs_exp",
"target_field": "checkpoint.subs_exp",
"timezone": "{{{ event.timezone }}}",
"formats": [
"EEE MMM dd HH:mm:ss yyyy",
"EEE MMM d HH:mm:ss yyyy",
"EEE MMM d HH:mm:ss yyyy",
"ISO8601",
"UNIX"
],
"if": "ctx.checkpoint?.subs_exp != null",
"on_failure": [
{
"date": {
"tag": "date_utc_fallback",
"field": "checkpoint.subs_exp",
"target_field": "checkpoint.subs_exp",
"formats": [
"EEE MMM dd HH:mm:ss yyyy",
"EEE MMM d HH:mm:ss yyyy",
"EEE MMM d HH:mm:ss yyyy",
"ISO8601",
"UNIX"
],
"on_failure": [
{
"remove": {
"field": "checkpoint.subs_exp",
"ignore_missing": true
}
}
]
}
}
]
}
},
{
"convert": {
"field": "checkpoint.packets",
"type": "long",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.packets",
"target_field": "network.packets",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.layer_name",
"target_field": "network.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.app_name",
"target_field": "network.application",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.client_inbound_interface",
"target_field": "observer.ingress.interface.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.client_outbound_interface",
"target_field": "observer.egress.interface.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.ifname",
"target_field": "observer.ingress.interface.name",
"ignore_missing": true,
"if": "ctx.observer?.ingress?.interface?.name == null && ctx.network?.direction == 'inbound'"
}
},
{
"rename": {
"field": "checkpoint.ifname",
"target_field": "observer.egress.interface.name",
"ignore_missing": true,
"if": "ctx.observer?.egress?.interface?.name == null && ctx.network?.direction == 'outbound'"
}
},
{
"rename": {
"field": "checkpoint.type",
"target_field": "observer.type",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.origin",
"target_field": "observer.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.mac_address",
"target_field": "_temp_.observer.mac",
"ignore_missing": true
}
},
{
"gsub": {
"field": "_temp_.observer.mac",
"ignore_missing": true,
"pattern": "[:]",
"replacement": "-"
}
},
{
"uppercase": {
"field": "_temp_.observer.mac",
"ignore_missing": true
}
},
{
"append": {
"value": "{{{_temp_.observer.mac}}}",
"field": "observer.mac",
"if": "ctx._temp_?.observer?.mac != null"
}
},
{
"append": {
"value": "{{{checkpoint.origin_ip}}}",
"field": "observer.ip",
"if": "ctx.checkpoint?.origin_ip != null"
}
},
{
"append": {
"value": "{{{checkpoint.endpoint_ip}}}",
"field": "observer.ip",
"if": "ctx.checkpoint?.endpoint_ip != null && ctx.observer?.ip == null"
}
},
{
"rename": {
"field": "checkpoint.outzone",
"target_field": "observer.egress.zone",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.inzone",
"target_field": "observer.ingress.zone",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.security_outzone",
"target_field": "observer.egress.zone",
"ignore_missing": true,
"if": "ctx.observer?.egress?.zone == null"
}
},
{
"rename": {
"field": "checkpoint.security_inzone",
"target_field": "observer.ingress.zone",
"ignore_missing": true,
"if": "ctx.observer?.ingress?.zone == null"
}
},
{
"rename": {
"field": "checkpoint.update_version",
"target_field": "observer.version",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.process_md5",
"target_field": "process.hash.md5",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.process_name",
"target_field": "process.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.parent_process_md5",
"target_field": "process.parent.hash.md5",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.parent_process_name",
"target_field": "process.parent.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.matched_category",
"target_field": "rule.category",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.categories",
"target_field": "rule.category",
"ignore_missing": true,
"if": "ctx.rule?.category == null"
}
},
{
"rename": {
"field": "checkpoint.malware_action",
"target_field": "rule.description",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.malware_rule_id",
"target_field": "rule.id",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.app_rule_id",
"target_field": "rule.id",
"ignore_missing": true,
"if": "ctx.rule?.id == null"
}
},
{
"rename": {
"field": "checkpoint.objectname",
"target_field": "rule.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.rule_name",
"target_field": "rule.name",
"ignore_missing": true,
"if": "ctx.rule?.name == null"
}
},
{
"rename": {
"field": "checkpoint.malware_rule_name",
"target_field": "rule.name",
"ignore_missing": true,
"if": "ctx.rule?.name == null"
}
},
{
"rename": {
"field": "checkpoint.app_rule_name",
"target_field": "rule.name",
"ignore_missing": true,
"if": "ctx.rule?.name == null"
}
},
{
"rename": {
"field": "checkpoint.dlp_rule_name",
"target_field": "rule.name",
"ignore_missing": true,
"if": "ctx.rule?.name == null"
}
},
{
"rename": {
"field": "checkpoint.smartdefence_profile",
"target_field": "rule.ruleset",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.policy",
"target_field": "rule.ruleset",
"ignore_missing": true,
"if": "ctx.rule?.ruleset == null"
}
},
{
"rename": {
"field": "checkpoint.rule_uid",
"target_field": "rule.uuid",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.dlp_rule_uid",
"target_field": "rule.uuid",
"ignore_missing": true,
"if": "ctx.rule?.uuid == null"
}
},
{
"rename": {
"field": "checkpoint.url",
"target_field": "url.original",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.resource",
"target_field": "url.original",
"ignore_missing": true,
"if": "ctx.url?.original == null"
}
},
{
"rename": {
"field": "checkpoint.http_host",
"target_field": "url.domain",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.web_client_type",
"target_field": "user_agent.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.user_agent",
"target_field": "user_agent.original",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.industry_reference",
"target_field": "vulnerability.id",
"ignore_missing": true
}
},
{
"script": {
"lang": "painless",
"tag": "checkpoint_time_conversion_script",
"if": "ctx.checkpoint?.time != null && (ctx.checkpoint.time instanceof String || ctx.checkpoint.time instanceof List)",
"source": "ZonedDateTime convert(String time) {\n ZonedDateTime zdt;\n try {\n Instant instant;\n long temp_time = Long.parseLong(time);\n if (String.valueOf(temp_time).length() > 10) {\n instant = Instant.ofEpochMilli(temp_time);\n } else {\n instant = Instant.ofEpochMilli(temp_time * 1000L);\n }\n zdt = ZonedDateTime.ofInstant(instant, ZoneId.of('Z'));\n }\n catch (NumberFormatException nfe) {\n zdt = ZonedDateTime.parse(time);\n }\n return zdt\n}\n\n// Handle single time field.\nif (ctx.checkpoint.time instanceof String) {\n ctx.checkpoint._temp_unixms = convert(ctx.checkpoint.time);\n return;\n}\n\n// Some log lines have more than one time. Pick the earliest and retain all.\nList zdt = new ArrayList();\nfor (def time: ctx.checkpoint.time) {\n zdt.add(convert(time));\n}\nctx.checkpoint.times = zdt;\nctx.checkpoint._temp_unixms = Collections.min(zdt);\n",
"on_failure": [
{
"append": {
"field": "error.message",
"value": "fail-{{{ _ingest.on_failure_processor_tag }}}"
}
},
{
"fail": {
"message": "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}"
}
}
]
}
},
{
"rename": {
"field": "checkpoint._temp_unixms",
"target_field": "@timestamp",
"ignore_missing": true
}
},
{
"date": {
"field": "checkpoint.lastupdatetime",
"formats": [
"ISO8601",
"UNIX"
],
"target_field": "event.end",
"if": "ctx.checkpoint?.lastupdatetime != null"
}
},
{
"rename": {
"field": "checkpoint.message",
"target_field": "message",
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.reason",
"target_field": "message",
"ignore_missing": true,
"if": "ctx.message == null"
}
},
{
"rename": {
"field": "checkpoint.subject",
"target_field": "message",
"ignore_missing": true,
"if": "ctx.message == null"
}
},
{
"gsub": {
"field": "checkpoint.sys_message",
"pattern": "^:\"",
"replacement": "",
"if": "ctx.checkpoint?.sys_message != null"
}
},
{
"append": {
"field": "related.user",
"value": "{{{checkpoint.user}}}",
"allow_duplicates": false,
"if": "ctx.checkpoint?.user != null"
}
},
{
"append": {
"field": "related.user",
"value": "{{{checkpoint.administrator}}}",
"allow_duplicates": false,
"if": "ctx.checkpoint?.administrator != null"
}
},
{
"append": {
"field": "related.user",
"value": "{{{checkpoint.src_user_name}}}",
"allow_duplicates": false,
"if": "ctx.checkpoint?.src_user_name != null"
}
},
{
"append": {
"field": "related.user",
"value": "{{{checkpoint.dst_user_name}}}",
"allow_duplicates": false,
"if": "ctx.checkpoint?.dst_user_name != null"
}
},
{
"script": {
"lang": "painless",
"source": "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes",
"if": "ctx?.source?.bytes != null && ctx?.destination?.bytes != null && ctx?.network?.bytes == null",
"ignore_failure": true
}
},
{
"script": {
"lang": "painless",
"source": "ctx.network.packets = ctx.source.packets + ctx.destination.packets",
"if": "ctx?.source?.packets != null && ctx?.destination?.packets != null && ctx?.network?.packets == null",
"ignore_failure": true
}
},
{
"rename": {
"field": "checkpoint.action_reason",
"target_field": "checkpoint.action_reason_msg",
"if": "ctx.checkpoint?.action_reason != null && ctx.checkpoint?.action_reason.contains(\" \")",
"ignore_missing": true
}
},
{
"geoip": {
"field": "source.ip",
"target_field": "source.geo",
"ignore_missing": true,
"if": "ctx.source?.geo == null"
}
},
{
"geoip": {
"field": "destination.ip",
"target_field": "destination.geo",
"ignore_missing": true,
"if": "ctx.destination?.geo == null"
}
},
{
"geoip": {
"database_file": "GeoLite2-ASN.mmdb",
"field": "source.ip",
"target_field": "source.as",
"properties": [
"asn",
"organization_name"
],
"ignore_missing": true
}
},
{
"geoip": {
"database_file": "GeoLite2-ASN.mmdb",
"field": "destination.ip",
"target_field": "destination.as",
"properties": [
"asn",
"organization_name"
],
"ignore_missing": true
}
},
{
"rename": {
"field": "source.as.asn",
"target_field": "source.as.number",
"ignore_missing": true
}
},
{
"rename": {
"field": "source.as.organization_name",
"target_field": "source.as.organization.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "destination.as.asn",
"target_field": "destination.as.number",
"ignore_missing": true
}
},
{
"rename": {
"field": "destination.as.organization_name",
"target_field": "destination.as.organization.name",
"ignore_missing": true
}
},
{
"set": {
"field": "network.direction",
"value": "inbound",
"if": "ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)\n"
}
},
{
"set": {
"field": "network.direction",
"value": "outbound",
"if": "ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)\n"
}
},
{
"set": {
"field": "network.direction",
"value": "internal",
"if": "ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)\n"
}
},
{
"set": {
"field": "network.direction",
"value": "external",
"if": "ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)\n"
}
},
{
"set": {
"field": "network.direction",
"value": "unknown",
"if": "ctx?._temp_?.external_zones != null && ctx?._temp_?.internal_zones != null && ctx?.observer?.ingress?.zone != null && ctx?.observer?.egress?.zone != null && (\n (\n !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&\n !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)\n ) ||\n (\n !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&\n !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)\n )\n)\n"
}
},
{
"remove": {
"field": [
"checkpoint.ifname",
"checkpoint.server_outbound_interface",
"checkpoint.client_outbound_packets",
"checkpoint.server_outbound_packets",
"checkpoint.client_outbound_bytes",
"checkpoint.server_outbound_bytes",
"checkpoint.client_inbound_packets",
"checkpoint.server_inbound_packets",
"checkpoint.client_inbound_bytes",
"checkpoint.server_inbound_bytes",
"checkpoint.sent_byte",
"checkpoint.received_bytes",
"checkpoint.service",
"checkpoint.xlatedport",
"checkpoint.s_port",
"checkpoint.xlatesport",
"checkpoint.contextnum",
"checkpoint.sequencenum",
"checkpoint.file_size",
"checkpoint.product",
"checkpoint.severity",
"checkpoint.xlatesrc",
"checkpoint.xlatedst",
"checkpoint.uid",
"checkpoint.time",
"checkpoint.__nsons",
"checkpoint.__p_dport",
"checkpoint.__pos",
"checkpoint.hll_key",
"checkpoint.segment_time",
"checkpoint.lastupdatetime",
"checkpoint.endpoint_ip",
"checkpoint.origin_ip",
"syslog5424_ts",
"_temp_",
"_conf"
],
"ignore_missing": true
}
},
{
"rename": {
"field": "checkpoint.times",
"target_field": "checkpoint.time",
"ignore_missing": true
}
},
{
"date": {
"if": "ctx.checkpoint?.time != null",
"field": "checkpoint.time",
"target_field": "checkpoint.time",
"formats": [
"UNIX"
],
"ignore_failure": true
}
},
{
"script": {
"description": "Drops null/empty values recursively.",
"lang": "painless",
"source": "boolean dropEmptyFields(Object object) { if (object == null || object == '') { return true; } else if (object instanceof Map) { ((Map) object).values().removeIf(value -> dropEmptyFields(value)); return (((Map) object).size() == 0); } else if (object instanceof List) { ((List) object).removeIf(value -> dropEmptyFields(value)); return (((List) object).length == 0); } return false; } dropEmptyFields(ctx);"
}
},
{
"pipeline": {
"name": "global@custom",
"ignore_missing_pipeline": true,
"description": "[Fleet] Global pipeline for all data streams"
}
},
{
"pipeline": {
"name": "logs@custom",
"ignore_missing_pipeline": true,
"description": "[Fleet] Pipeline for all data streams of type `logs`"
}
},
{
"pipeline": {
"name": "logs-checkpoint.integration@custom",
"ignore_missing_pipeline": true,
"description": "[Fleet] Pipeline for all data streams of type `logs` defined by the `checkpoint` integration"
}
},
{
"pipeline": {
"name": "logs-checkpoint.firewall@custom",
"ignore_missing_pipeline": true,
"description": "[Fleet] Pipeline for the `checkpoint.firewall` dataset"
}
}
What could be the problem? I had other grok_failer errors before; they seem to have disappeared after I made changes to the pipeline.