Filebeat Module Suggestion

Hi Elasticsearch Developers,

This is kind of a suggestion post.
I want to integrate Versa Networks logs into Elasticsearch,
and it would be much easier if you included a module for them in Filebeat.
There are too many fields for ECS mapping.

Sample Logs

2020-05-07T23:14:44+0000 cgnatLog, applianceName=versa, tenantName=Tenant1,observationTimeMilliseconds=21034388, flowCookie=1588893277, flowId=33589149,sourceIPv6Address=2001:172:16:31::10, destinationIPv6Address=2001:192:168:5::10, postNATSourceIPv6Address=2001:172:16:91:ff9f::10, postNATDestinationIPv6Address=2001:192:168:5::10,sourcePort=6000, destinationPort=6000, postNAPTsourceTransportPort=6000, postNAPTdestinationTransportPort=6000, tenantId=1, vsnId=0, applianceId=1,protocolIdentifier=58, sourceNatPoolName=NPT_POOL_66, natRuleName=NPT_RULE_66, natEvent=nat66-sess-delete
2020-05-07T23:44:43+0000 alarmLog, applianceName=versa, tenantName=Tenant1,alarmType=cgnat-pool-utilization, alarmKey=Tenant1_NAPT_POOL1, generateTime=1588895083,applianceId=1, vsnId=0, tenantId=1, alarmCause=resourceAtOrNearingCapacity, alarmClearable=yes, alarmClass=changed, alarmKind=symptom, alarmEventType=equipmentAlarm, alarmSeverity=critical,alarmOwner=tenant, alarmSeqNo=6, alarmText="CGNAT pool Tenant1_NAPT_POOL1 addresses near exhaustion (utilization: 93%)",siteName=, serialNum=br103.versa
2018-10-12T23:10:28+0000 dhcpRequestLog, applianceName=Site2Branch1, tenantName=Customer1,tenantId=2, dhcpRequestLogType=address-renewal, ingressInterfaceName=vni-0/4.101, ethernetAddress=52:54:b1:f9:51:f9, profileName=LAN-Server-Customer1Lan, poolName=LAN-POOL-Customer1Lan, clientIPv4Address=172.19.101.50, expirationTime=1539472264
2017-11-28T23:12:43+0000 sdwanSlaPathViolLog, applianceName=Site1Branch1, tenantName=Customer1, flowId=34076716, flowCookie=1511911224, applianceId=1, tenantId=1, vsnId=0, rule=Rule_Http, localSiteName=Site1Branch1, fromRemoteSiteName=, fromLocalAccCktName=, fromRemoteAccCktName=, toRemoteSiteName=Site3Branch1, toLocalAccCktName=ISPA-Network, toRemoteAccCktName=ISPA-Network, forwardingClass=fc_be, fromPriority=P-0, toPriority=SLA Vio, reason="Violating metrics [Current value(Configured Threshold)]: latency-714(250) loss percentage-12.50(5) "
2017-11-26T22:42:38+0000 flowMonLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, flowStartMilliseconds=361020099, flowEndMilliseconds=361865221, sentOctets=15000, sentPackets=34, recvdOctets=360, recvdPackets=6, vsnId=0, applianceId=1,tenantId=1, appRisk=1, appProductivity=3, appIdStr=iperf, appFamily=, appSubFamily=, urlCategory=, rule=catchall, localSiteName=Branch1, fwdEgrSiteName=Branch2, fwdEgrAccCktName=MPLS:MPLS, revIngAccCktName=MPLS, revIngSiteName=, fwdIngSiteName=, fwdIngAccCktName=vni-0/2.0, revEgrSiteName=, revEgrAccCktName=vni-0/2.0, deviceKey=, forwardForwardingClass=fc_be, reverseForwardingClass=fc_be
2017-11-26T22:42:38+0000 accessLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, flowStartMilliseconds=361020099, flowEndMilliseconds=361865221, sentOctets=15000, sentPackets=34, recvdOctets=360, recvdPackets=6, appId=245, eventType=end, tenantId=1, urlCategory=, action=allow, vsnId=0, applianceId=1, appRisk=1, appProductivity=3, appIdStr=iperf, appFamily=networking, appSubFamily=network-management, rule=r1, forwardForwardingClass=fc_be, reverseForwardingClass=fc_be, host
2017-11-28T22:52:54+0000 avLog, applianceName=DC1Branch1, tenantName=Customer1, flowId=33890850, flowCookie=1511910209, vsnId=0, applianceId=1, tenantId=1, profileName=scan_http, appIdStr=http, fileName="1", fileType=Portable Document File, fileTransDir=download, avMalwareType=AV_DETECTION_TYPE_VIRUS, avMalwareName=W32/ExploreZip.210432, avAccuracy=AV_DETECTION_ACCURACY_LOW, avAction=reject
2017-11-28T23:09:29+0000 dosThreatLog, applianceName=Site1Branch1, tenantName=Customer1, observationTimeMilliseconds=1511911030085, threatType=Flood, dosAttackName=UDP, tenantId=1, fromZone=(null), toZone=, dosAttacker=, dosVictim=, dosScanList=(null), dosScanPortsCount=0, dosAction=Drop, severityLevel=1, vsnId=0
2017-11-26T22:37:11+0000 idpLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, signatureId=1000000530, groupId=1, signatureRev=0, vsnId=0, applianceId=1, tenantId=1, moduleId=12, signaturePriority=2, idpAction=alert, signatureMsg="Microsoft DNS Server Denial ofService", classMsg="Attempted Denial of Service", threatType=attempted-dos,packetTime=11/26/2017-14:37:11.000000, HitCount=1, ipsProfile=Vulnerablity_Profile, ipsProfileRule=Rule1, ipsDirection=ToClient, ipsProtocol=UDP, ipsApplication=dns
2017-11-26T24:42:38+0000 urlfLog, applianceName=DC1Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, vsnId=0, applianceId=1, tenantId=1, urlReputation=trustworthy, urlCategory=business_and_economy, httpUrl=apt.puppetlabs.com/dists/trusty/Release.gpg, urlfProfile=url_profile1, urlfAction=ask, urlfActionMessage=
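As an added example (not code from the post, from Elastic or from Versa), here is a Python parser for the line format shown above. It handles the quirks visible in the samples: double-quoted values containing spaces and parentheses, bare values containing spaces (`toPriority=SLA Vio`), empty and `(null)` values, a dangling token without `=` (the `host` at the end of the accessLog line) and the invalid hour `24` in the urlfLog timestamp, which is flagged rather than making the event fail. The `ECS_MAP` table is an assumed starting point for the mapping a module would have to define, not anything the module defines; the sample lines embedded in the block are copied from the post.

```python
"""Parser for Versa Networks "key=value" log lines with a small ECS mapping.
Added example; not Elastic, Filebeat or Versa code."""
import json
import re
from datetime import datetime

# One "key=value" token: the key, then either a double-quoted value (which may
# contain commas, spaces and parentheses) or a bare value running to the next comma.
_KV = re.compile(r'\s*([A-Za-z_]\w*)=(?:"([^"]*)"|([^,]*))\s*(?:,|$)')

# Vendor field -> ECS field. Assumed starting point for this example only;
# every vendor field is also kept verbatim under "versa".
ECS_MAP = {
    "applianceName": "observer.name",
    "sourceIPv6Address": "source.ip",
    "destinationIPv6Address": "destination.ip",
    "postNATSourceIPv6Address": "source.nat.ip",
    "postNATDestinationIPv6Address": "destination.nat.ip",
    "sourcePort": "source.port",
    "destinationPort": "destination.port",
    "postNAPTsourceTransportPort": "source.nat.port",
    "postNAPTdestinationTransportPort": "destination.nat.port",
    "protocolIdentifier": "network.iana_number",
    "clientIPv4Address": "client.ip",
    "ethernetAddress": "client.mac",
    "sentOctets": "source.bytes",
    "sentPackets": "source.packets",
    "recvdOctets": "destination.bytes",
    "recvdPackets": "destination.packets",
    "rule": "rule.name",
    "action": "event.action",
    "httpUrl": "url.original",
    "fileName": "file.name",
}

# Sample lines copied from the post above (cgnatLog, alarmLog, accessLog,
# dosThreatLog, urlfLog). The accessLog line ends in a dangling "host" token and
# the urlfLog line carries hour 24, exactly as posted.
SAMPLE_LINES = [
    '2020-05-07T23:14:44+0000 cgnatLog, applianceName=versa, tenantName=Tenant1,observationTimeMilliseconds=21034388, flowCookie=1588893277, flowId=33589149,sourceIPv6Address=2001:172:16:31::10, destinationIPv6Address=2001:192:168:5::10, postNATSourceIPv6Address=2001:172:16:91:ff9f::10, postNATDestinationIPv6Address=2001:192:168:5::10,sourcePort=6000, destinationPort=6000, postNAPTsourceTransportPort=6000, postNAPTdestinationTransportPort=6000, tenantId=1, vsnId=0, applianceId=1,protocolIdentifier=58, sourceNatPoolName=NPT_POOL_66, natRuleName=NPT_RULE_66, natEvent=nat66-sess-delete',
    '2020-05-07T23:44:43+0000 alarmLog, applianceName=versa, tenantName=Tenant1,alarmType=cgnat-pool-utilization, alarmKey=Tenant1_NAPT_POOL1, generateTime=1588895083,applianceId=1, vsnId=0, tenantId=1, alarmCause=resourceAtOrNearingCapacity, alarmClearable=yes, alarmClass=changed, alarmKind=symptom, alarmEventType=equipmentAlarm, alarmSeverity=critical,alarmOwner=tenant, alarmSeqNo=6, alarmText="CGNAT pool Tenant1_NAPT_POOL1 addresses near exhaustion (utilization: 93%)",siteName=, serialNum=br103.versa',
    '2017-11-26T22:42:38+0000 accessLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, flowStartMilliseconds=361020099, flowEndMilliseconds=361865221, sentOctets=15000, sentPackets=34, recvdOctets=360, recvdPackets=6, appId=245, eventType=end, tenantId=1, urlCategory=, action=allow, vsnId=0, applianceId=1, appRisk=1, appProductivity=3, appIdStr=iperf, appFamily=networking, appSubFamily=network-management, rule=r1, forwardForwardingClass=fc_be, reverseForwardingClass=fc_be, host',
    '2017-11-28T23:09:29+0000 dosThreatLog, applianceName=Site1Branch1, tenantName=Customer1, observationTimeMilliseconds=1511911030085, threatType=Flood, dosAttackName=UDP, tenantId=1, fromZone=(null), toZone=, dosAttacker=, dosVictim=, dosScanList=(null), dosScanPortsCount=0, dosAction=Drop, severityLevel=1, vsnId=0',
    '2017-11-26T24:42:38+0000 urlfLog, applianceName=DC1Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, vsnId=0, applianceId=1, tenantId=1, urlReputation=trustworthy, urlCategory=business_and_economy, httpUrl=apt.puppetlabs.com/dists/trusty/Release.gpg, urlfProfile=url_profile1, urlfAction=ask, urlfActionMessage=',
]


def split_kv(body):
    """Tokenise the key=value part of a line into (fields, leftovers).
    Empty and "(null)" values are dropped; digit-only bare values become ints;
    quoted values are kept verbatim. Anything that is not a key=value token
    (the dangling "host" in the accessLog sample) goes to leftovers."""
    fields, leftovers, pos = {}, [], 0
    while pos < len(body):
        m = _KV.match(body, pos)
        if m is None:
            nxt = body.find(",", pos)
            end = len(body) if nxt < 0 else nxt
            chunk = body[pos:end].strip()
            if chunk:
                leftovers.append(chunk)
            pos = end + 1
            continue
        key, quoted, bare = m.groups()
        pos = m.end()
        raw = quoted if quoted is not None else bare.strip()
        if raw in ("", "(null)"):
            continue
        fields[key] = int(raw) if quoted is None and raw.isdigit() else raw
    return fields, leftovers


def parse_versa_line(line):
    """Parse one line into a flat event: ECS names at top level, all vendor
    fields under "versa", parse problems recorded in the event, never raised."""
    stamp, _, rest = line.strip().partition(" ")
    log_type, _, body = rest.partition(",")
    fields, leftovers = split_kv(body)
    event = {"event.dataset": "versa." + log_type.strip(), "versa": fields}
    try:
        event["@timestamp"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z").isoformat()
    except ValueError as exc:
        event["@timestamp"] = None  # keep the event, flag the bad stamp
        event["error.message"] = "bad timestamp %r: %s" % (stamp, exc)
    if leftovers:
        event["unparsed"] = leftovers
    for vendor_key, ecs_key in ECS_MAP.items():
        if vendor_key in fields:
            event[ecs_key] = fields[vendor_key]
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(json.dumps(parse_versa_line(sample), indent=1))
```

Running the block prints one JSON event per sample line. Note that the parser never raises on malformed input: a line that Filebeat cannot parse should still be indexed with an error marker, otherwise the tenant's alarm or threat events are the ones most likely to be silently dropped.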

Hi!

Feel free to open a Github issue for this addition and let the team evaluate and schedule it!

C.

@Rohit_Kumbhar create the GitHub issue as mentioned, https://github.com/elastic/beats/issues/new?assignees=&labels=&template=module-checklist.md. I'm busy this week but I'll try to work on it. The initial setup shouldn't be too bad, but we'll need your help to define the fields and answer questions if they arise.
