diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index bacc37308ab..133a0d15df0 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -23,6 +23,7 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -5581,6 +5582,326 @@ alias to: source.geo.region_iso_code -- +[[exported-fields-iptables]] +== iptables fields + +Module for handling the iptables logs. + + + +[float] +== iptables fields + +Fields from the iptables logs. + + + +*`iptables.ether_type`*:: ++ +-- +type: long + +Value of the ethernet type field identifying the network layer protocol. + + +-- + +*`iptables.flow_label`*:: ++ +-- +type: integer + +IPv6 flow label. + + +-- + +*`iptables.fragment_flags`*:: ++ +-- +type: keyword + +IP fragment flags. A combination of CE, DF and MF. + + +-- + +*`iptables.fragment_offset`*:: ++ +-- +type: long + +Offset of the current IP fragment. + + +-- + +[float] +== icmp fields + +ICMP fields. + + + +*`iptables.icmp.code`*:: ++ +-- +type: long + +ICMP code. + + +-- + +*`iptables.icmp.id`*:: ++ +-- +type: long + +ICMP ID. + + +-- + +*`iptables.icmp.parameter`*:: ++ +-- +type: long + +ICMP parameter. + + +-- + +*`iptables.icmp.redirect`*:: ++ +-- +type: ip + +ICMP redirect address. + + +-- + +*`iptables.icmp.seq`*:: ++ +-- +type: long + +ICMP sequence number. + + +-- + +*`iptables.icmp.type`*:: ++ +-- +type: long + +ICMP type. + + +-- + +*`iptables.id`*:: ++ +-- +type: long + +Packet identifier. + + +-- + +*`iptables.incomplete_bytes`*:: ++ +-- +type: long + +Number of incomplete bytes. + + +-- + +*`iptables.input_device`*:: ++ +-- +type: keyword + +Device that received the packet. + + +-- + +*`iptables.precedence_bits`*:: ++ +-- +type: short + +IP precedence bits. + + +-- + +*`iptables.tos`*:: ++ +-- +type: long + +IP Type of Service field. + + +-- + +*`iptables.length`*:: ++ +-- +type: long + +Packet length. + + +-- + +*`iptables.output_device`*:: ++ +-- +type: keyword + +Device that output the packet. + + +-- + +[float] +== tcp fields + +TCP fields. + + + +*`iptables.tcp.flags`*:: ++ +-- +type: keyword + +TCP flags. + + +-- + +*`iptables.tcp.reserved_bits`*:: ++ +-- +type: short + +TCP reserved bits. 
+ + +-- + +*`iptables.tcp.seq`*:: ++ +-- +type: long + +TCP sequence number. + + +-- + +*`iptables.tcp.ack`*:: ++ +-- +type: long + +TCP Acknowledgment number. + + +-- + +*`iptables.tcp.window`*:: ++ +-- +type: long + +Advertised TCP window size. + + +-- + +*`iptables.ttl`*:: ++ +-- +type: integer + +Time To Live field. + + +-- + +[float] +== udp fields + +UDP fields. + + + +*`iptables.udp.length`*:: ++ +-- +type: long + +Length of the UDP header and payload. + + +-- + +[float] +== ubiquiti fields + +Fields for Ubiquiti network devices. + + + +*`iptables.ubiquiti.input_zone`*:: ++ +-- +type: keyword + +Input zone. + + +-- + +*`iptables.ubiquiti.output_zone`*:: ++ +-- +type: keyword + +Output zone. + + +-- + +*`iptables.ubiquiti.rule_number`*:: ++ +-- +type: keyword + +The rule number within the rule set. + +-- + +*`iptables.ubiquiti.rule_set`*:: ++ +-- +type: keyword + +The rule set name. + +-- + [[exported-fields-kafka]] == Kafka fields diff --git a/filebeat/docs/images/kibana-iptables-ubiquiti.png b/filebeat/docs/images/kibana-iptables-ubiquiti.png new file mode 100644 index 00000000000..246f2ace263 Binary files /dev/null and b/filebeat/docs/images/kibana-iptables-ubiquiti.png differ diff --git a/filebeat/docs/images/kibana-iptables.png b/filebeat/docs/images/kibana-iptables.png new file mode 100644 index 00000000000..a12929d11d5 Binary files /dev/null and b/filebeat/docs/images/kibana-iptables.png differ diff --git a/filebeat/docs/modules/iptables.asciidoc b/filebeat/docs/modules/iptables.asciidoc new file mode 100644 index 00000000000..4edcae95a07 --- /dev/null +++ b/filebeat/docs/modules/iptables.asciidoc 
@@ -0,0 +1,85 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-iptables]] +[role="xpack"] + +:modulename: iptables +:has-dashboards: true + +== Iptables module + +This is a module for iptables and ip6tables logs. It parses logs received +over the network via syslog or from a file. Also, it understands the prefix added +by some Ubiquiti firewalls, which includes the rule set name, rule number and +the action performed on the traffic (allow/deny). + +When you run the module, it performs a few tasks under the hood: + +* Sets the default input to `syslog` and binds to `localhost` port `9001` + (but don’t worry, you can override the defaults). + +* Uses ingest node to parse and process the log lines, shaping the data into + a structure suitable for visualizing in Kibana. + +* Deploys dashboards for visualizing the log data. + +[float] +=== Compatibility + +This module requires the {elasticsearch-plugins}/ingest-geoip.html[ingest-geoip] +Elasticsearch plugins. + +include::../include/running-modules.asciidoc[] + +[float] +=== Example dashboard + +This module comes with sample dashboards showing geolocation and network +protocols used. One for all iptables logs: + +[role="screenshot"] +image::./images/kibana-iptables.png[] + +and one specific for Ubiquiti Firewall logs: + +[role="screenshot"] +image::./images/kibana-iptables-ubiquiti.png[] + +include::../include/configuring-intro.asciidoc[] + +The module is by default configured to run via syslog on port 9001. However +it can also be configured to read from a file path. See the following example. 
+ +["source","yaml",subs="attributes"] +----- +- module: iptables + log: + enabled: true + var.paths: ["/var/log/iptables.log"] + var.input: "file" +----- + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` log fileset settings + +include::../include/var-paths.asciidoc[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index b8712ccdb55..8af5a7858b0 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -9,6 +9,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -34,6 +35,7 @@ include::modules/elasticsearch.asciidoc[] include::modules/haproxy.asciidoc[] include::modules/icinga.asciidoc[] include::modules/iis.asciidoc[] +include::modules/iptables.asciidoc[] include::modules/kafka.asciidoc[] include::modules/kibana.asciidoc[] include::modules/logstash.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index e84f3acdb1e..7400a56d3ef 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -206,6 +206,18 @@ filebeat.modules: # can be added under this section. #input: +#------------------------------- Iptables Module ------------------------------- +- module: iptables + log: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #-------------------------------- Kafka Module -------------------------------- - module: kafka # All logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 529f23b9c1f..f4550a6e898 100644 --- a/x-pack/filebeat/include/list.go 
+++ b/x-pack/filebeat/include/list.go
@@ -9,6 +9,7 @@ package include
 import (
 // Import packages that need to register themselves.
 _ "github.com/elastic/beats/x-pack/filebeat/input/netflow"
+ _ "github.com/elastic/beats/x-pack/filebeat/module/iptables"
 _ "github.com/elastic/beats/x-pack/filebeat/module/suricata"
 _ "github.com/elastic/beats/x-pack/filebeat/module/zeek"
 )
diff --git a/x-pack/filebeat/module/iptables/README.md b/x-pack/filebeat/module/iptables/README.md
new file mode 100644
index 00000000000..10ca22ff33c
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/README.md
@@ -0,0 +1,6 @@
+# iptables module
+
+## Caveats
+
+* Module is to be considered _beta_.
+
diff --git a/x-pack/filebeat/module/iptables/_meta/config.yml b/x-pack/filebeat/module/iptables/_meta/config.yml
new file mode 100644
index 00000000000..0de64687f6e
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/_meta/config.yml
@@ -0,0 +1,10 @@
+- module: iptables
+ log:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input:
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/x-pack/filebeat/module/iptables/_meta/docs.asciidoc b/x-pack/filebeat/module/iptables/_meta/docs.asciidoc
new file mode 100644
index 00000000000..c158cf3e1bc
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/_meta/docs.asciidoc
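Review bot: The `#var.input:` comment in the new `_meta/config.yml` says syslog is the default but not what that default listens on, while the module docs elsewhere in this change state it binds to `localhost` port `9001`; a user editing this file should see that here. Suggest `# Set which input to use between syslog (default, listening on localhost:9001) or file.`. The template also exposes no variable for the syslog listen address or port even though the docs say the defaults can be overridden; if the module manifest (not visible in this diff) defines such variables, a commented placeholder for them next to `#var.input:` would make the network-exposure decision explicit to whoever enables the module. The same comment text is repeated in the `filebeat.reference.yml` hunk, which appears to be generated from this file, so fixing it here should carry over.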
@@ -0,0 +1,72 @@ +[role="xpack"] + +:modulename: iptables +:has-dashboards: true + +== Iptables module + +This is a module for iptables and ip6tables logs. It parses logs received +over the network via syslog or from a file. Also, it understands the prefix added +by some Ubiquiti firewalls, which includes the rule set name, rule number and +the action performed on the traffic (allow/deny). + +When you run the module, it performs a few tasks under the hood: + +* Sets the default input to `syslog` and binds to `localhost` port `9001` + (but don’t worry, you can override the defaults). + +* Uses ingest node to parse and process the log lines, shaping the data into + a structure suitable for visualizing in Kibana. + +* Deploys dashboards for visualizing the log data. + +[float] +=== Compatibility + +This module requires the {elasticsearch-plugins}/ingest-geoip.html[ingest-geoip] +Elasticsearch plugins. + +include::../include/running-modules.asciidoc[] + +[float] +=== Example dashboard + +This module comes with sample dashboards showing geolocation and network +protocols used. One for all iptables logs: + +[role="screenshot"] +image::./images/kibana-iptables.png[] + +and one specific for Ubiquiti Firewall logs: + +[role="screenshot"] +image::./images/kibana-iptables-ubiquiti.png[] + +include::../include/configuring-intro.asciidoc[] + +The module is by default configured to run via syslog on port 9001. However +it can also be configured to read from a file path. See the following example. + +["source","yaml",subs="attributes"] +----- +- module: iptables + log: + enabled: true + var.paths: ["/var/log/iptables.log"] + var.input: "file" +----- + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` log fileset settings + +include::../include/var-paths.asciidoc[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: 
diff --git a/x-pack/filebeat/module/iptables/_meta/fields.yml b/x-pack/filebeat/module/iptables/_meta/fields.yml
new file mode 100644
index 00000000000..797e069697d
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/_meta/fields.yml
@@ -0,0 +1,10 @@
+- key: iptables
+ title: iptables
+ description: >
+ Module for handling the iptables logs.
+ fields:
+ - name: iptables
+ type: group
+ description: >
+ Fields from the iptables logs.
+ fields:
diff --git a/x-pack/filebeat/module/iptables/_meta/kibana/6/dashboard/Filebeat-Iptables-Overview.json b/x-pack/filebeat/module/iptables/_meta/kibana/6/dashboard/Filebeat-Iptables-Overview.json
new file mode 100644
index 00000000000..e10f783d764
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/_meta/kibana/6/dashboard/Filebeat-Iptables-Overview.json
@@ -0,0 +1,759 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchId": "b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "title": "Events Timeline [Filebeat Iptables]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/Berlin", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "area", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "area", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Events Timeline [Filebeat Iptables]", + "type": "area" + } + }, + "id": "4c913eb0-1f51-11e9-93ed-f7e068f4aebb", + "type": 
"visualization", + "updated_at": "2019-01-23T20:56:04.891Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "iptables.length:*" + } + } + }, + "savedSearchId": "b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "title": "Top Source Countries [Filebeat Iptables]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Country", + "field": "source.geo.country_iso_code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top Source Countries [Filebeat Iptables]", + "type": "table" + } + }, + "id": "2599f5e0-1e98-11e9-8ec4-cf5d91a864b3", + "type": "visualization", + "updated_at": "2019-01-23T20:51:02.293Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "iptables.length:*" + } + } + }, + "savedSearchId": "b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "title": "Source Map [Filebeat Iptables]", + "uiStateJSON": { + "mapCenter": [ + 45.02695045318546, + -44.82421875000001 + ], + "mapZoom": 3 + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + 
"autoPrecision": true, + "field": "source.geo.location", + "isFilteredByCollar": true, + "mapCenter": [ + 0, + 0 + ], + "mapZoom": 2, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + "colorSchema": "Yellow to Red", + "heatClusterSize": 1.5, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Scaled Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + }, + "selectedTmsLayer": { + "attribution": "\u003cp\u003e\u0026#169; \u003ca href=\"http://www.openstreetmap.org/copyright\"\u003eOpenStreetMap\u003c/a\u003e contributors | \u003ca href=\"https://www.elastic.co/elastic-maps-service\"\u003eElastic Maps Service\u003c/a\u003e\u003c/p\u003e\u0026#10;", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "origin": "elastic_maps_service" + } + } + }, + "title": "Source Map [Filebeat Iptables]", + "type": "tile_map" + } + }, + "id": "c4394ec0-1efd-11e9-8ec4-cf5d91a864b3", + "type": "visualization", + "updated_at": "2019-01-23T20:51:02.293Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "iptables.length:*" + } + } + }, + "savedSearchId": "b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "title": "Destination Map [Filebeat Iptables]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "destination.geo.location", + "isFilteredByCollar": true, + "mapCenter": [ + 0, + 0 + ], + "mapZoom": 2, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + 
"colorSchema": "Yellow to Red", + "heatClusterSize": 1.5, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Scaled Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + }, + "selectedTmsLayer": { + "attribution": "\u003cp\u003e\u0026#169; \u003ca href=\"http://www.openstreetmap.org/copyright\"\u003eOpenStreetMap\u003c/a\u003e contributors | \u003ca href=\"https://www.elastic.co/elastic-maps-service\"\u003eElastic Maps Service\u003c/a\u003e\u003c/p\u003e\u0026#10;", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "origin": "elastic_maps_service" + } + } + }, + "title": "Destination Map [Filebeat Iptables]", + "type": "tile_map" + } + }, + "id": "d8cea010-1efd-11e9-8ec4-cf5d91a864b3", + "type": "visualization", + "updated_at": "2019-01-23T20:51:02.293Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "iptables.length:*" + } + } + }, + "savedSearchId": "b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "title": "Network Type Breakdown [Filebeat Iptables]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.type", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Network Type Breakdown [Filebeat Iptables]", 
+ "type": "pie" + } + }, + "id": "b57b7370-1f1d-11e9-8ec4-cf5d91a864b3", + "type": "visualization", + "updated_at": "2019-01-23T20:51:02.293Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "iptables.length:*" + } + } + }, + "savedSearchId": "b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "title": "Network Transport Breakdown [Filebeat Iptables]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.transport", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Network Transport Breakdown [Filebeat Iptables]", + "type": "pie" + } + }, + "id": "35fe0910-1f26-11e9-8ec4-cf5d91a864b3", + "type": "visualization", + "updated_at": "2019-01-23T20:51:02.293Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "iptables.length:*" + } + } + }, + "savedSearchId": "b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "title": "Top Destination Ports [Filebeat Iptables]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + 
"enabled": true, + "id": "2", + "params": { + "customLabel": "Port", + "field": "destination.port", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top Destination Ports [Filebeat Iptables]", + "type": "table" + } + }, + "id": "683402b0-1f29-11e9-8ec4-cf5d91a864b3", + "type": "visualization", + "updated_at": "2019-01-23T20:51:02.293Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "index": "filebeat-*", + "query": { + "language": "kuery", + "query": "iptables.length :*" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Events Search [Filebeat Iptables]", + "version": 1 + }, + "id": "b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "type": "search", + "updated_at": "2019-01-23T20:51:02.293Z", + "version": 1 + }, + { + "attributes": { + "description": "Overview of the iptables events dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "1", + "w": 37, + "x": 0, + "y": 0 + }, + "id": "4c913eb0-1f51-11e9-93ed-f7e068f4aebb", + "panelIndex": "1", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "2", + "w": 11, + "x": 37, + "y": 0 
+ }, + "id": "2599f5e0-1e98-11e9-8ec4-cf5d91a864b3", + "panelIndex": "2", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": { + "mapCenter": [ + 47.15984001304432, + -47.02148437500001 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "3", + "w": 24, + "x": 0, + "y": 15 + }, + "id": "c4394ec0-1efd-11e9-8ec4-cf5d91a864b3", + "panelIndex": "3", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": { + "mapCenter": [ + 49.15296965617042, + -27.949218750000004 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "4", + "w": 24, + "x": 24, + "y": 15 + }, + "id": "d8cea010-1efd-11e9-8ec4-cf5d91a864b3", + "panelIndex": "4", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "5", + "w": 19, + "x": 0, + "y": 30 + }, + "id": "b57b7370-1f1d-11e9-8ec4-cf5d91a864b3", + "panelIndex": "5", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "6", + "w": 18, + "x": 19, + "y": 30 + }, + "id": "35fe0910-1f26-11e9-8ec4-cf5d91a864b3", + "panelIndex": "6", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "7", + "w": 11, + "x": 37, + "y": 30 + }, + "id": "683402b0-1f29-11e9-8ec4-cf5d91a864b3", + "panelIndex": "7", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 19, + "i": "8", + "w": 48, + "x": 0, + "y": 45 + }, + "id": "b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "panelIndex": "8", + "type": "search", + "version": "6.6.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Iptables] Overview", + "version": 1 + }, + "id": "ceefb9e0-1f51-11e9-93ed-f7e068f4aebb", + "type": "dashboard", + "updated_at": "2019-01-23T20:59:43.614Z", + "version": 1 + } + ], + "version": "6.6.0" +} 
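Review bot: The Events Timeline visualization's date_histogram aggregation carries `"time_zone": "Europe/Berlin"` in its params, which pins bucket boundaries to the exporting author's browser time zone for every user who installs the dashboard instead of following the viewer's Kibana `dateFormat:tz` setting. Exported saved objects pick this value up from the browser that did the export; dropping that one line lets the histogram follow the configured time zone. The Ubiquiti Firewall Event Timeline in the second dashboard file has the same `time_zone` value and additionally carries an absolute `timeRange` (`2019-01-24T15:47:12.171Z` to `2019-01-24T15:47:52.785Z`) baked into its aggregation params, presumably another export artifact that is ignored at render time but worth stripping for the same reason; that hunk runs past the end of this view.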
diff --git a/x-pack/filebeat/module/iptables/_meta/kibana/6/dashboard/Filebeat-Iptables-Ubiquiti-Firewall-Overview.json b/x-pack/filebeat/module/iptables/_meta/kibana/6/dashboard/Filebeat-Iptables-Ubiquiti-Firewall-Overview.json
new file mode 100644
index 00000000000..000a1bdcd93
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/_meta/kibana/6/dashboard/Filebeat-Iptables-Ubiquiti-Firewall-Overview.json
@@ -0,0 +1,848 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchId": "c4e80aa0-1fd4-11e9-ae2a-939083c6a64e", + "title": "Ubiquiti Firewall Event Timeline [Filebeat Iptables]", + "uiStateJSON": { + "vis": { + "colors": { + "allow": "#64B0C8", + "deny": "#E24D42" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "timeRange": { + "from": "2019-01-24T15:47:12.171Z", + "mode": "absolute", + "to": "2019-01-24T15:47:52.785Z" + }, + "time_zone": "Europe/Berlin", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "event.outcome", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "top", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": 
"histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Ubiquiti Firewall Event Timeline [Filebeat Iptables]", + "type": "histogram" + } + }, + "id": "758b3620-1fda-11e9-ae2a-939083c6a64e", + "type": "visualization", + "updated_at": "2019-01-24T16:37:11.788Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchId": "9f7d97c0-1fe9-11e9-ae2a-939083c6a64e", + "title": "Ubiquiti Firewall Top Blocked IPs [Filebeat Iptables]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source IP", + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Ubiquiti Firewall Top Blocked IPs [Filebeat Iptables]", + "type": "table" + } + }, + "id": "1ba82fd0-1ff0-11e9-ae2a-939083c6a64e", + "type": "visualization", + "updated_at": "2019-01-24T16:06:20.635Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + 
"filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchId": "7862cab0-1fdb-11e9-ae2a-939083c6a64e", + "title": "Ubiquiti Firewall Allowed Traffic Map [Filebeat Iptables]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "source.geo.location", + "isFilteredByCollar": true, + "mapCenter": [ + 0, + 0 + ], + "mapZoom": 2, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + "colorSchema": "Yellow to Red", + "heatClusterSize": 1.5, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Scaled Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + }, + "selectedTmsLayer": { + "attribution": "\u003cp\u003e\u0026#169; \u003ca href=\"http://www.openstreetmap.org/copyright\"\u003eOpenStreetMap\u003c/a\u003e contributors | \u003ca href=\"https://www.elastic.co/elastic-maps-service\"\u003eElastic Maps Service\u003c/a\u003e\u003c/p\u003e\u0026#10;", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "origin": "elastic_maps_service" + } + } + }, + "title": "Ubiquiti Firewall Allowed Traffic Map [Filebeat Iptables]", + "type": "tile_map" + } + }, + "id": "5bd53050-1fe9-11e9-ae2a-939083c6a64e", + "type": "visualization", + "updated_at": "2019-01-24T15:04:34.005Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchId": "9f7d97c0-1fe9-11e9-ae2a-939083c6a64e", + "title": "Ubiquiti Firewall Blocked Traffic Map [Filebeat Iptables]", + "uiStateJSON": { + "mapCenter": [ + 
19.228176737766262, + -22.851562500000004 + ], + "mapZoom": 3 + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "source.geo.location", + "isFilteredByCollar": true, + "mapCenter": [ + 0, + 0 + ], + "mapZoom": 2, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + "colorSchema": "Yellow to Red", + "heatClusterSize": 1.5, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Scaled Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + }, + "selectedTmsLayer": { + "attribution": "\u003cp\u003e\u0026#169; \u003ca href=\"http://www.openstreetmap.org/copyright\"\u003eOpenStreetMap\u003c/a\u003e contributors | \u003ca href=\"https://www.elastic.co/elastic-maps-service\"\u003eElastic Maps Service\u003c/a\u003e\u003c/p\u003e\u0026#10;", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "origin": "elastic_maps_service" + } + } + }, + "title": "Ubiquiti Firewall Blocked Traffic Map [Filebeat Iptables]", + "type": "tile_map" + } + }, + "id": "8853aa20-1fef-11e9-ae2a-939083c6a64e", + "type": "visualization", + "updated_at": "2019-01-24T15:50:31.689Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchId": "c4e80aa0-1fd4-11e9-ae2a-939083c6a64e", + "title": "Ubiquiti Firewall Traffic Breakdown [Filebeat Iptables]", + "uiStateJSON": { + "vis": { + "colors": { + "deny": "#E24D42", + "icmp": "#F29191", + "ipv4": "#65C5DB", + "ipv6": "#D683CE", + "ipv6-icmp": "#EA6460", + "tcp": "#447EBC", + "udp": "#F2C96D" + } + } + }, + 
"version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.outcome", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "network.type", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "field": "network.transport", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": false, + "show": true, + "truncate": 100, + "values": false + }, + "legendPosition": "top", + "type": "pie" + }, + "title": "Ubiquiti Firewall Traffic Breakdown [Filebeat Iptables]", + "type": "pie" + } + }, + "id": "fdea1ad0-1ff4-11e9-ae2a-939083c6a64e", + "type": "visualization", + "updated_at": "2019-01-24T16:27:50.397Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "index": "filebeat-*", + "query": { + "language": "kuery", + "query": "iptables.ubiquiti.rule_set :*" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Ubiquiti Firewall Events [Filebeat Iptables]", + "version": 1 + }, + "id": "c4e80aa0-1fd4-11e9-ae2a-939083c6a64e", + "type": "search", + "updated_at": 
"2019-01-24T12:37:10.858Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchId": "c4e80aa0-1fd4-11e9-ae2a-939083c6a64e", + "title": "Ubiquiti Firewall Traffic by Port [Filebeat Iptables]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "event.outcome", + "field": "event.outcome", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "row": false, + "size": 5 + }, + "schema": "split", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Destination port", + "field": "destination.port", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Ubiquiti Firewall Traffic by Port [Filebeat Iptables]", + "type": "table" + } + }, + "id": "190bcb50-1ff6-11e9-ae2a-939083c6a64e", + "type": "visualization", + "updated_at": "2019-01-24T16:35:45.413Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "index": "filebeat-*", + "query": { + "language": "kuery", + "query": 
"iptables.ubiquiti.rule_set :* and event.outcome : \"deny\"" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Ubiquiti Firewall Blocked Events [Filebeat Iptables]", + "version": 1 + }, + "id": "9f7d97c0-1fe9-11e9-ae2a-939083c6a64e", + "type": "search", + "updated_at": "2019-01-24T15:35:33.942Z", + "version": 2 + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "index": "filebeat-*", + "query": { + "language": "kuery", + "query": "iptables.ubiquiti.rule_set :* and event.outcome : \"allow\"" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Ubiquiti Firewall Allowed Events [Filebeat Iptables]", + "version": 1 + }, + "id": "7862cab0-1fdb-11e9-ae2a-939083c6a64e", + "type": "search", + "updated_at": "2019-01-24T15:04:12.010Z", + "version": 3 + }, + { + "attributes": { + "description": "Overview of the Ubiquiti Firewall iptables events dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "vis": { + "colors": { + "allow": "#64B0C8", + "deny": "#E24D42" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 15, + "i": "1", + "w": 33, + "x": 0, + "y": 0 + }, + "id": "758b3620-1fda-11e9-ae2a-939083c6a64e", + "panelIndex": "1", + "title": "Event Timeline", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "2", + "w": 15, + "x": 33, + "y": 0 + }, + "id": "1ba82fd0-1ff0-11e9-ae2a-939083c6a64e", + "panelIndex": "2", + "title": "Top Blocked by source IP", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": { + "mapCenter": [ + 
39.095962936305476, + -22.148437500000004 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "3", + "w": 24, + "x": 0, + "y": 15 + }, + "id": "5bd53050-1fe9-11e9-ae2a-939083c6a64e", + "panelIndex": "3", + "title": "Allowed Traffic Map", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": { + "mapCenter": [ + 46.31658418182218, + -34.10156250000001 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "4", + "w": 24, + "x": 24, + "y": 15 + }, + "id": "8853aa20-1fef-11e9-ae2a-939083c6a64e", + "panelIndex": "4", + "title": "Blocked Traffic Map", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "allow": "#7EB26D", + "deny": "#E24D42", + "icmp": "#F29191", + "ipv4": "#65C5DB", + "ipv6": "#D683CE", + "ipv6-icmp": "#EA6460", + "tcp": "#447EBC", + "udp": "#F2C96D" + } + } + }, + "gridData": { + "h": 18, + "i": "5", + "w": 24, + "x": 0, + "y": 30 + }, + "id": "fdea1ad0-1ff4-11e9-ae2a-939083c6a64e", + "panelIndex": "5", + "title": "Traffic Breakdown by Protocol", + "type": "visualization", + "version": "6.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 27, + "i": "6", + "w": 48, + "x": 0, + "y": 48 + }, + "id": "c4e80aa0-1fd4-11e9-ae2a-939083c6a64e", + "panelIndex": "6", + "title": "Event View", + "type": "search", + "version": "6.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 18, + "i": "7", + "w": 24, + "x": 24, + "y": 30 + }, + "id": "190bcb50-1ff6-11e9-ae2a-939083c6a64e", + "panelIndex": "7", + "title": "Traffic Breakdown by Port", + "type": "visualization", + "version": "6.6.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Iptables] Ubiquiti Firewall Overview", + "version": 1 + }, + "id": "d39f0980-1ff3-11e9-ae2a-939083c6a64e", + "type": "dashboard", + "updated_at": "2019-01-24T16:38:35.174Z", + "version": 4 + } + ], + "version": "6.6.0" +} 
diff --git a/x-pack/filebeat/module/iptables/fields.go b/x-pack/filebeat/module/iptables/fields.go
new file mode 100644
index 00000000000..3fe34ea1268
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package iptables
+
+import (
+ "github.com/elastic/beats/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "iptables", asset.ModuleFieldsPri, AssetIptables); err != nil {
+ panic(err)
+ }
+}
+
+// AssetIptables returns asset data.
+// This is the base64 encoded gzipped contents of module/iptables.
+func AssetIptables() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/iptables/log/_meta/fields.yml b/x-pack/filebeat/module/iptables/log/_meta/fields.yml
new file mode 100644
index 00000000000..6b1617ab450
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/_meta/fields.yml
@@ -0,0 +1,163 @@
+- name: ether_type
+ type: long
+ description: >
+ Value of the ethernet type field identifying the network layer protocol.
+
+- name: flow_label
+ type: integer
+ description: >
+ IPv6 flow label.
+
+- name: fragment_flags
+ type: keyword
+ description: >
+ IP fragment flags. A combination of CE, DF and MF.
+
+- name: fragment_offset
+ type: long
+ description: >
+ Offset of the current IP fragment.
+
+- name: icmp
+ type: group
+ description: >
+ ICMP fields.
+ fields:
+
+ - name: code
+ type: long
+ description: >
+ ICMP code.
+
+ - name: id
+ type: long
+ description: >
+ ICMP ID.
+
+ - name: parameter
+ type: long
+ description: >
+ ICMP parameter.
+
+ - name: redirect
+ type: ip
+ description: >
+ ICMP redirect address.
+
+ - name: seq
+ type: long
+ description: >
+ ICMP sequence number.
+
+ - name: type
+ type: long
+ description: >
+ ICMP type.
+
+- name: id
+ type: long
+ description: >
+ Packet identifier.
+
+- name: incomplete_bytes
+ type: long
+ description: >
+ Number of incomplete bytes.
+
+- name: input_device
+ type: keyword
+ description: >
+ Device that received the packet.
+
+- name: precedence_bits
+ type: short
+ description: >
+ IP precedence bits.
+
+- name: tos
+ type: long
+ description: >
+ IP Type of Service field.
+
+- name: length
+ type: long
+ description: >
+ Packet length.
+
+- name: output_device
+ type: keyword
+ description: >
+ Device that output the packet.
+
+- name: tcp
+ type: group
+ description: >
+ TCP fields.
+ fields:
+
+ - name: flags
+ type: keyword
+ description: >
+ TCP flags.
+
+ - name: reserved_bits
+ type: short
+ description: >
+ TCP reserved bits.
+
+ - name: seq
+ type: long
+ description: >
+ TCP sequence number.
+
+ - name: ack
+ type: long
+ description: >
+ TCP Acknowledgment number.
+
+ - name: window
+ type: long
+ description: >
+ Advertised TCP window size.
+
+- name: ttl
+ type: integer
+ description: >
+ Time To Live field.
+
+- name: udp
+ type: group
+ description: >
+ UDP fields.
+ fields:
+
+ - name: length
+ type: long
+ description: >
+ Length of the UDP header and payload.
+
+- name: ubiquiti
+ type: group
+ description: >
+ Fields for Ubiquiti network devices.
+ fields:
+
+ - name: input_zone
+ type: keyword
+ description: >
+ Input zone.
+
+ - name: output_zone
+ type: keyword
+ description: >
+ Output zone.
+
+ - name: rule_number
+ type: keyword
+ description:
+ The rule number within the rule set.
+
+ - name: rule_set
+ type: keyword
+ description:
+ The rule set name.
diff --git a/x-pack/filebeat/module/iptables/log/config/file.yml b/x-pack/filebeat/module/iptables/log/config/file.yml
new file mode 100644
index 00000000000..21045d97393
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/config/file.yml
@@ -0,0 +1,11 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags}}
+{{ if .convert_timezone }}
+processors:
+ - add_locale: ~
+{{ end }}
diff --git a/x-pack/filebeat/module/iptables/log/config/syslog.yml b/x-pack/filebeat/module/iptables/log/config/syslog.yml
new file mode 100644
index 00000000000..896b4441de9
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/config/syslog.yml
@@ -0,0 +1,8 @@
+type: syslog
+ {{ if .convert_timezone }}
+processors:
+ - add_locale: ~
+ {{ end }}
+
+protocol.udp:
+ host: "{{.syslog_host}}:{{.syslog_port}}"
diff --git a/x-pack/filebeat/module/iptables/log/ingest/pipeline.json b/x-pack/filebeat/module/iptables/log/ingest/pipeline.json
new file mode 100644
index 00000000000..1678df94c5e
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/ingest/pipeline.json
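Review bot: The descriptions of `ether_type`, `tos`, `precedence_bits` and `tcp.reserved_bits` do not say that the stored value is the decimal form of the hexadecimal printed in the log line, which is what the ingest pipeline's hex-conversion script produces for exactly these four fields and what the expected test output shows (`iptables.ether_type: 2048` for `08:00`, `iptables.tos: 0` for `0x00`). Someone building a query or dashboard on these fields will otherwise look for `0x00` or `08:00` and match nothing. Suggest `Value of the ethernet type field identifying the network layer protocol, as a decimal integer (e.g. 2048 for the IPv4 type 08:00).` for `ether_type`, and appending `Stored as a decimal integer converted from the hexadecimal value in the log line.` to the other three descriptions.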
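Review bot: The `{{ if .convert_timezone }}` and `{{ end }}` directives in `syslog.yml` appear indented by two spaces, while `file.yml` in the same commit places the same directives at column 0; the leading spaces are presumably emitted into the rendered input config as whitespace-only lines, and the mismatch makes the two templates harder to compare side by side. Suggest `{{ if .convert_timezone }}` and `{{ end }}` at column 0, matching `file.yml`.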
@@ -0,0 +1,180 @@
+{
+ "description" : "Pipeline for IPTables",
+ "processors" : [
+ {
+ "grok": {
+ "field": "message",
+ "patterns": [
+ "%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}\\[%{UBIQUITI_LABEL}\\]%{IPTABLES}%{SPACE}",
+ "%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}%{IPTABLES}%{SPACE}",
+ "%{GREEDYDATA}\\[%{UBIQUITI_LABEL}\\]%{IPTABLES}%{SPACE}",
+ "%{GREEDYDATA}%{IPTABLES}%{SPACE}"
+ ],
+ "pattern_definitions": {
+ "UNSIGNED_INT": "[0-9]+",
+ "ETHTYPE": "(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2})",
+ "ETHTYPE_DISCARD": "(?::[A-Fa-f0-9]{2})*",
+ "NETFILTERMAC": "(?:%{MAC:destination.mac}:%{MAC:source.mac}:%{ETHTYPE:iptables.ether_type}?%{ETHTYPE_DISCARD}|%{MAC:destination.mac}%{ETHTYPE_DISCARD}:%{ETHTYPE:iptables.ether_type}?)",
+ "IPTABLES_ETHERNET": "IN=%{DATA:iptables.input_device} OUT=%{DATA:iptables.output_device}?(?: MAC=%{NETFILTERMAC})?",
+ "IPTABLES_PORT_PAIR": "SPT=%{UNSIGNED_INT:source.port:int} DPT=%{UNSIGNED_INT:destination.port:int}",
+ "IPTABLES_TCP_FLAGS": "((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*",
+ "IPTABLES_TCP_SEQ": "SEQ=%{UNSIGNED_INT:iptables.tcp.seq:int} ACK=%{UNSIGNED_INT:iptables.tcp.ack:int}",
+ "IPTABLES_TCP_DETAILS": "(?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:iptables.tcp.window:int} RES=0x%{BASE16NUM:iptables.tcp_reserved_bits} %{IPTABLES_TCP_FLAGS:iptables.tcp.flags}",
+ "IPTABLES_INCOMPLETE_PACKET": "INCOMPLETE \\[%{UNSIGNED_INT:iptables.incomplete_bytes:int} bytes\\]",
+ "IPTABLES_UDP_DETAILS": "LEN=%{UNSIGNED_INT:iptables.udp.length:int}",
+ "IPTABLES_ICMP_EXTRA_ECHO": "ID=%{UNSIGNED_INT:iptables.icmp.id:int} SEQ=%{UNSIGNED_INT:iptables.icmp.seq:int}",
+ "IPTABLES_ICMP_EXTRA_PARAM": "PARAMETER=%{UNSIGNED_INT:iptables.icmp.parameter:int}",
+ "IPTABLES_ICMP_EXTRA_REDIRECT": "GATEWAY=%{IP:iptables.icmp.redirect}",
+ "IPTABLES_ICMP_EXTRA": "( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*",
+ "IPTABLES_ICMP_DETAILS": "TYPE=%{UNSIGNED_INT:iptables.icmp.type:int} CODE=%{UNSIGNED_INT:iptables.icmp.code:int}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})",
+ "IPTABLES_PROTOCOL": "PROTO=(?[a-zA-Z0-9]+)",
+ "IPTABLES_IP_PAYLOAD": "%{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?",
+ "IPTABLES_IP_FRAGFLAG": "((?<= )(CE|DF|MF))*",
+ "IPTABLES_IP_START": "SRC=%{IPV4:source.ip} DST=%{IPV4:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TOS=0x%{BASE16NUM:iptables.tos} PREC=0x%{BASE16NUM:iptables.precedence_bits} TTL=%{UNSIGNED_INT:iptables.ttl:int} ID=%{UNSIGNED_INT:iptables.id:int}(?: %{IPTABLES_IP_FRAGFLAG:iptables.fragment_flags})?(?: FRAG: %{UNSIGNED_INT:iptables.fragment_offset:int})?",
+ "IPTABLES_IP": "%{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}",
+ "IPTABLES_IPV6_START": "SRC=%{IPV6:source.ip} DST=%{IPV6:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TC=%{UNSIGNED_INT:iptables.tos} HOPLIMIT=%{UNSIGNED_INT:iptables.ttl:int} FLOWLBL=%{UNSIGNED_INT:iptables.flow_label:int}",
+ "IPTABLES_IPV6": "%{IPTABLES_IPV6_START} %{IPTABLES_IP_PAYLOAD}",
+ "IPTABLES": "%{IPTABLES_ETHERNET} (:?%{IPTABLES_IP}|%{IPTABLES_IPV6})",
+ "UBIQUITI_FIELD": "[^-\\]]*",
+ "UBIQUITI_RULESET_NAME": "[^\\]]*",
+ "UBIQUITI_LABEL": "%{UBIQUITI_RULESET_NAME:iptables.ubiquiti.rule_set}-%{UBIQUITI_FIELD:iptables.ubiquiti.rule_number}-%{UBIQUITI_FIELD:event.outcome}"
+ }
+ }
+ },
+ {
+ "rename": {
+ "field": "message",
+ "target_field": "log.original"
+ }
+ },
+ {
+ "grok": {
+ "field": "iptables.ubiquiti.rule_set",
+ "ignore_missing": true,
+ "ignore_failure": true,
+ "patterns": [
+ "%{UBIQUITI_FIELD:iptables.ubiquiti.input_zone}-%{UBIQUITI_FIELD:iptables.ubiquiti.output_zone}"
+ ],
+ "pattern_definitions": {
+ "UBIQUITI_FIELD": "[^-]*"
+ }
+ }
+ },
+ {
+ "date": {
+ "field": "iptables.raw_date",
+ "ignore_failure": true,
+ {< if .convert_timezone >}"timezone": "{{ beat.timezone }}",{< end >}
+ "formats": [
+ "MMM d HH:mm:ss",
+ "MMM dd HH:mm:ss"
+ ]
+ }
+ },
+ {
+ "remove": {
+ "field": "iptables.raw_date",
+ "ignore_missing": true
+ }
+ },
+
+ {
+ "lowercase": {
+ "field": "network.transport",
+ "ignore_missing": true
+ }
+ },
+ {
+ "geoip": {
+ "field": "source.ip",
+ "target_field": "source.geo",
+ "ignore_missing": true
+ }
+ },
+ {
+ "geoip": {
+ "field": "destination.ip",
+ "target_field": "destination.geo",
+ "ignore_missing": true
+ }
+ },
+ {
+ "script": {
+ "lang": "painless",
+ "params": {
+ "mappings": [
+ {
+ "source": {
+ "object": "iptables",
+ "key": "ether_type"
+ },
+ "destination": {
+ "object": "network",
+ "key": "type"
+ },
+ "map": {
+ "08:00": "ipv4",
+ "86:dd": "ipv6"
+ }
+ },
+ {
+ "source": {
+ "object": "event",
+ "key": "outcome"
+ },
+ "destination": {
+ "object": "event",
+ "key": "outcome"
+ },
+ "map": {
+ "D": "deny",
+ "A": "allow"
+ }
+ },
+ {
+ "source": {
+ "object": "network",
+ "key": "transport"
+ },
+ "destination": {
+ "object": "network",
+ "key": "transport"
+ },
+ "map": {
+ "icmpv6": "ipv6-icmp"
+ }
+ }
+ ]
+ },
+ "source": "for (action in params.mappings) { def src = ctx[action.source.object]; if (src != null) { Map map = action.map; String key = src[action.source.key]; String mapping = map[key]; if (mapping != null) { Map dst = ctx[action.destination.object]; if (dst == null) { dst = new HashMap(); ctx[action.destination.object] = dst;} dst[action.destination.key] = mapping; } } }"
+ }
+ },
+ {
+ "script": {
+ "lang": "painless",
+ "params": {
+ "hex_fields_to_convert": [
+ "ether_type",
+ "tos",
+ "precedence_bits",
+ "tcp_reserved_bits"
+ ]
+ },
+ "source": "def iptables = ctx['iptables']; if (iptables != null) { for (key in params.hex_fields_to_convert) { long value = 0; def field = iptables[key]; if (field == null) continue; char[] hex = field.toLowerCase().toCharArray(); for (chr in hex) { long v = -1; if (chr >= (char)'a' && chr <= (char)'f') v = (long)chr - (char)'a' + 10; else if (chr >= (char)'0' && chr <= (char)'9') v = (long)chr - (char)'0'; if (v >= 0) {value = value*16 + v;} } iptables[key] = value; } }"
+ }
+ },
+ {
+ "rename": {
+ "field": "iptables.tcp_reserved_bits",
+ "target_field": "iptables.tcp.reserved_bits",
+ "ignore_missing": true
+ }
+ }
+ ],
+ "on_failure" : [{
+ "set" : {
+ "field" : "error.message",
+ "value" : "{{ _ingest.on_failure_message }}"
+ }
+ }]
+}
diff --git a/x-pack/filebeat/module/iptables/log/manifest.yml b/x-pack/filebeat/module/iptables/log/manifest.yml
new file mode 100644
index 00000000000..0262a19f5fb
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/manifest.yml
@@ -0,0 +1,28 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ default:
+ - /var/log/iptables.log
+ - name: tags
+ default: [iptables]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9001
+ - name: input
+ default: syslog
+ - name: convert_timezone
+ default: false
+ # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+ # pipeline
+ min_elasticsearch_version:
+ version: 6.1.0
+ value: false
+
+ingest_pipeline: ingest/pipeline.json
+input: config/{{.input}}.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log b/x-pack/filebeat/module/iptables/log/test/geo.log
new file mode 100644
index 00000000000..1755a7853c0
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/test/geo.log
@@ -0,0 +1 @@
+Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
new file mode 100644
index 00000000000..b7c0182599c
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
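Review bot: `IPTABLES_TCP_FLAGS` and `IPTABLES_IP_FRAGFLAG` capture at most one flag: the repeated group `((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*` consumes the flag but not the space after it, so on the second iteration the lookbehind `(?<= )` sees the last letter of the previous flag and fails; a line with `SYN ACK` yields `iptables.tcp.flags: "SYN"` and, since the top-level patterns are not anchored, the `ACK` is silently left unparsed, and `DF MF` or `CE DF` in `fragment_flags` behaves the same way. The test fixtures in this commit only carry single flags, so the expected files do not exercise this. Suggest `"IPTABLES_TCP_FLAGS": "((?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)(?: (?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*)?"` and `"IPTABLES_IP_FRAGFLAG": "((?:CE|DF|MF)(?: (?:CE|DF|MF))*)?"`, which still allow the zero-flag case and leave the existing expected values unchanged. Separately, `"IPTABLES": "%{IPTABLES_ETHERNET} (:?%{IPTABLES_IP}|%{IPTABLES_IPV6})"` has `(:?` where `(?:` was intended, which turns it into a capturing group that also tolerates a stray `:` before the IPv4 `SRC=`; `(?:%{IPTABLES_IP}|%{IPTABLES_IPV6})` is the intended form.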
@@ -0,0 +1,48 @@ +[ + { + "@timestamp": "2019-10-10T07:25:12.000Z", + "destination.ip": "10.4.0.5", + "destination.mac": "90:10:20:76:8d:20", + "destination.port": 443, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "event.outcome": "deny", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.fragment_flags": "DF", + "iptables.id": 0, + "iptables.input_device": "eth0", + "iptables.length": 52, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "ACK", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 2853, + "iptables.tos": 0, + "iptables.ttl": 63, + "iptables.ubiquiti.input_zone": "wan", + "iptables.ubiquiti.output_zone": "lan", + "iptables.ubiquiti.rule_number": "default", + "iptables.ubiquiti.rule_set": "wan-lan", + "log.offset": 0, + "log.original": "Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.geo.city_name": "Bellaterra", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.5026, + "source.geo.location.lon": 2.0875, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "158.109.0.1", + "source.mac": "90:10:65:29:b6:2a", + "source.port": 38842, + "tags": [ + "iptables" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/iptables/log/test/icmp.log b/x-pack/filebeat/module/iptables/log/test/icmp.log new file mode 100644 index 00000000000..6ab1f8c7ee6 --- /dev/null +++ b/x-pack/filebeat/module/iptables/log/test/icmp.log 
@@ -0,0 +1 @@ +Jan 8 03:37:09 DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.0.2.71 DST=192.0.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ] diff --git a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json new file mode 100644 index 00000000000..689ad154856 --- /dev/null +++ b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json @@ -0,0 +1,32 @@ +[ + { + "@timestamp": "2019-01-08T03:37:09.000Z", + "destination.ip": "192.0.2.83", + "destination.mac": "90:10:28:5f:62:24", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.icmp.code": 3, + "iptables.icmp.type": 3, + "iptables.id": 21684, + "iptables.input_device": "eth0", + "iptables.length": 88, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tos": 0, + "iptables.ttl": 118, + "log.offset": 0, + "log.original": "Jan 8 03:37:09 DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.0.2.71 DST=192.0.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]", + "network.transport": "icmp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "192.0.2.71", + "source.mac": "90:10:18:5a:89:2a", + "tags": [ + "iptables" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/iptables/log/test/iptables.log b/x-pack/filebeat/module/iptables/log/test/iptables.log new file mode 100644 index 00000000000..26a169f56ff --- /dev/null +++ b/x-pack/filebeat/module/iptables/log/test/iptables.log 
@@ -0,0 +1,10 @@
+Jan 8 03:37:09 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.36 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:37:57 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
+Jan 8 03:38:45 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.201 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:39:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.246 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
+Jan 8 03:40:21 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=203.0.113.208 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:40:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
+Jan 8 03:41:17 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:41:23 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:43:18 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
+Jan 8 03:43:42 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=198.51.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0
diff --git a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json
new file mode 100644
index 00000000000..ff646faf78b
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json
@@ -0,0 +1,338 @@ +[ + { + "@timestamp": "2019-01-08T03:37:09.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 445, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.fragment_flags": "DF", + "iptables.id": 15743, + "iptables.input_device": "eth0", + "iptables.length": 52, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 8192, + "iptables.tos": 0, + "iptables.ttl": 115, + "log.offset": 0, + "log.original": "Jan 8 03:37:09 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.36 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "203.0.113.36", + "source.mac": "90:10:9e:ec:2c:71", + "source.port": 17805, + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-08T03:37:57.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 1433, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.id": 17703, + "iptables.input_device": "eth0", + "iptables.length": 40, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 1024, + "iptables.tos": 0, + "iptables.ttl": 243, + "log.offset": 259, + "log.original": "Jan 8 03:37:57 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.198 DST=172.16.54.114 
LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "198.51.100.198", + "source.mac": "90:10:76:e0:e2:d5", + "source.port": 47091, + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-08T03:38:45.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 445, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.fragment_flags": "DF", + "iptables.id": 19619, + "iptables.input_device": "eth0", + "iptables.length": 52, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 8192, + "iptables.tos": 0, + "iptables.ttl": 115, + "log.offset": 518, + "log.original": "Jan 8 03:38:45 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.201 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "203.0.113.201", + "source.mac": "90:10:9e:ec:2c:71", + "source.port": 59319, + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-08T03:39:25.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 80, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.fragment_flags": "DF", + "iptables.id": 4255, + "iptables.input_device": "eth0", + "iptables.length": 40, + "iptables.output_device": "", + "iptables.precedence_bits": 
0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 14600, + "iptables.tos": 0, + "iptables.ttl": 240, + "log.offset": 778, + "log.original": "Jan 8 03:39:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.246 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "203.0.113.246", + "source.mac": "90:10:9e:ec:2c:71", + "source.port": 44181, + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-08T03:40:21.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 445, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.fragment_flags": "DF", + "iptables.id": 27150, + "iptables.input_device": "eth0", + "iptables.length": 52, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 8192, + "iptables.tos": 0, + "iptables.ttl": 110, + "log.offset": 1037, + "log.original": "Jan 8 03:40:21 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=203.0.113.208 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "203.0.113.208", + "source.mac": "90:10:76:e0:e2:d5", + "source.port": 64358, + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-08T03:40:25.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 445, + "ecs.version": 
"1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.id": 7264, + "iptables.input_device": "eth0", + "iptables.length": 40, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 1024, + "iptables.tos": 0, + "iptables.ttl": 242, + "log.offset": 1297, + "log.original": "Jan 8 03:40:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "198.51.100.160", + "source.mac": "90:10:9e:ec:2c:71", + "source.port": 58830, + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-08T03:41:17.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 445, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.fragment_flags": "DF", + "iptables.id": 6101, + "iptables.input_device": "eth0", + "iptables.length": 52, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 8192, + "iptables.tos": 0, + "iptables.ttl": 117, + "log.offset": 1554, + "log.original": "Jan 8 03:41:17 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": 
"iptables", + "source.ip": "198.51.100.115", + "source.mac": "90:10:76:e0:e2:d5", + "source.port": 51985, + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-08T03:41:23.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 445, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.fragment_flags": "DF", + "iptables.id": 6319, + "iptables.input_device": "eth0", + "iptables.length": 52, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 8192, + "iptables.tos": 0, + "iptables.ttl": 45, + "log.offset": 1814, + "log.original": "Jan 8 03:41:23 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "198.51.100.167", + "source.mac": "90:10:76:e0:e2:d5", + "source.port": 4099, + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-08T03:43:18.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 139, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.id": 48624, + "iptables.input_device": "eth0", + "iptables.length": 40, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 1024, + "iptables.tos": 0, + "iptables.ttl": 245, + "log.offset": 2072, + "log.original": "Jan 8 03:43:18 example-host 
kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "198.51.100.19", + "source.mac": "90:10:9e:ec:2c:71", + "source.port": 59287, + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-08T03:43:42.000Z", + "destination.ip": "172.16.54.114", + "destination.mac": "90:10:35:5a:1e:3a", + "destination.port": 8088, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 2048, + "iptables.id": 54321, + "iptables.input_device": "eth0", + "iptables.length": 40, + "iptables.output_device": "", + "iptables.precedence_bits": 0, + "iptables.tcp.flags": "SYN", + "iptables.tcp.reserved_bits": 0, + "iptables.tcp.window": 65535, + "iptables.tos": 0, + "iptables.ttl": 250, + "log.offset": 2329, + "log.original": "Jan 8 03:43:42 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=198.51.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "network.transport": "tcp", + "network.type": "ipv4", + "service.type": "iptables", + "source.ip": "198.51.100.68", + "source.mac": "90:10:76:e0:e2:d5", + "source.port": 53296, + "tags": [ + "iptables" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/iptables/log/test/ipv6.log b/x-pack/filebeat/module/iptables/log/test/ipv6.log new file mode 100644 index 00000000000..5541c810644 --- /dev/null +++ b/x-pack/filebeat/module/iptables/log/test/ipv6.log 
@@ -0,0 +1,11 @@
+Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1
+Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459695] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=1
+Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482458] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=2
+Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482476] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=2
+Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506336] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=3
+Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506356] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=3
+Jan 22 09:05:08 ubuntu-bionic kernel: [16574.533989] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=4
+Jan 22 09:05:08 ubuntu-bionic kernel: [16574.534007] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=4
+Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553704] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=5
+Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553722] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=5
+Jan 22 10:52:34 ubuntu-bionic kernel: [ 307.757925] IN= OUT=enp0s3 MAC=90:10:12:34:56:78:90:10:aa:bb:cc:dd:86:dd:ff:ff SRC=fe80:0000:0000:0000:0084:88ff:feae:790a DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 MARK=0xd4
diff --git a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json
new file mode 100644
index 00000000000..5c662ddd178
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json
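Review bot: The ten `OUT=lo` lines carry no `MAC=` field and the expected output on this page records no `network.type` for them, while the final line with `MAC=...:86:dd:...` gets `network.type: ipv6` next to `iptables.ether_type: 34525`; the type therefore appears to be derived only from the ether type, so loopback and other MAC-less IPv6 events stay unclassified and a `network.type:ipv6` filter would silently miss them. Falling back to the address form of `SRC=`/`DST=` (or to `PROTO=ICMPv6`) when no ether type is present would close that gap. The `MARK=0xd4` on the last line is also not mapped to any field in the expected output; if packet marks matter to operators it deserves a field, otherwise a pipeline comment that it is dropped on purpose. These observations are inferred from the expected-JSON hunks on this page, not from the pipeline definition itself.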
@@ -0,0 +1,301 @@ +[ + { + "@timestamp": "2019-01-22T09:05:05.000Z", + "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 868225, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 1, + "iptables.icmp.type": 128, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 0, + "log.original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-22T09:05:05.000Z", + "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 770819, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 1, + "iptables.icmp.type": 129, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 236, + "log.original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459695] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=1 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": 
"2019-01-22T09:05:06.000Z", + "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 868225, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 2, + "iptables.icmp.type": 128, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 472, + "log.original": "Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482458] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=2 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-22T09:05:06.000Z", + "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 770819, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 2, + "iptables.icmp.type": 129, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 708, + "log.original": "Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482476] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=2 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-22T09:05:07.000Z", + "destination.ip": 
"2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 868225, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 3, + "iptables.icmp.type": 128, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 944, + "log.original": "Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506336] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=3 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-22T09:05:07.000Z", + "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 770819, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 3, + "iptables.icmp.type": 129, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 1180, + "log.original": "Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506356] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=3 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-22T09:05:08.000Z", + "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": 
"1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 868225, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 4, + "iptables.icmp.type": 128, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 1416, + "log.original": "Jan 22 09:05:08 ubuntu-bionic kernel: [16574.533989] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=4 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-22T09:05:08.000Z", + "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 770819, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 4, + "iptables.icmp.type": 129, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 1652, + "log.original": "Jan 22 09:05:08 ubuntu-bionic kernel: [16574.534007] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=4 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-22T09:05:09.000Z", + "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + 
"event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 868225, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 5, + "iptables.icmp.type": 128, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 1888, + "log.original": "Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553704] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=5 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-22T09:05:09.000Z", + "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": "iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.flow_label": 770819, + "iptables.icmp.code": 0, + "iptables.icmp.id": 3427, + "iptables.icmp.seq": 5, + "iptables.icmp.type": 129, + "iptables.input_device": "", + "iptables.length": 104, + "iptables.output_device": "lo", + "iptables.tos": 0, + "iptables.ttl": 64, + "log.offset": 2124, + "log.original": "Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553722] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=5 ", + "network.transport": "ipv6-icmp", + "service.type": "iptables", + "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", + "tags": [ + "iptables" + ] + }, + { + "@timestamp": "2019-01-22T10:52:34.000Z", + "destination.ip": "ff02:0000:0000:0000:0000:0000:0000:0016", + "destination.mac": "90:10:12:34:56:78", + "ecs.version": "1.0.0-beta2", + "event.dataset": "iptables.log", + "event.module": 
"iptables", + "fileset.name": "log", + "input.type": "log", + "iptables.ether_type": 34525, + "iptables.flow_label": 0, + "iptables.icmp.code": 0, + "iptables.icmp.type": 143, + "iptables.input_device": "", + "iptables.length": 96, + "iptables.output_device": "enp0s3", + "iptables.tos": 0, + "iptables.ttl": 1, + "log.offset": 2360, + "log.original": "Jan 22 10:52:34 ubuntu-bionic kernel: [ 307.757925] IN= OUT=enp0s3 MAC=90:10:12:34:56:78:90:10:aa:bb:cc:dd:86:dd:ff:ff SRC=fe80:0000:0000:0000:0084:88ff:feae:790a DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 MARK=0xd4", + "network.transport": "ipv6-icmp", + "network.type": "ipv6", + "service.type": "iptables", + "source.ip": "fe80:0000:0000:0000:0084:88ff:feae:790a", + "source.mac": "90:10:aa:bb:cc:dd", + "tags": [ + "iptables" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log new file mode 100644 index 00000000000..c795c77a516 --- /dev/null +++ b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log 
@@ -0,0 +1,5 @@
+Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=255.55.174.225 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.0.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0
diff --git a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
new file mode 100644
index 00000000000..f268a98822e
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
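Review bot: The third line's tag `[source-dest-default-D]` has a hyphen inside the rule-set name, so a pattern that splits the `[ruleset-number-action]` prefix on `-` can end up with `source` in `iptables.ubiquiti.rule_set` and `dest` in `iptables.ubiquiti.rule_number`; the expected output for that line is cut off on this page, so please confirm it yields `rule_set: source-dest`, `rule_number: default` and a deny outcome rather than the first-hyphen split. Since this is the only line in the fixture that carries a `D` action, it is also the only check that the deny branch of the outcome mapping works. The first line's `DST=255.55.174.225` falls in the reserved 240.0.0.0/4 block while the other lines use the 192.0.2.0/24 documentation range; switching it to a documentation address keeps the fixture consistent and avoids it being read as a real routable destination.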
@@ -0,0 +1,186 @@
+[
+ {
+ "@timestamp": "2019-01-05T20:17:05.000Z",
+ "destination.ip": "255.55.174.225",
+ "destination.mac": "90:10:92:6e:ea:a7",
+ "destination.port": 48689,
+ "ecs.version": "1.0.0-beta2",
+ "event.dataset": "iptables.log",
+ "event.module": "iptables",
+ "event.outcome": "allow",
+ "fileset.name": "log",
+ "input.type": "log",
+ "iptables.ether_type": 2048,
+ "iptables.id": 27223,
+ "iptables.input_device": "eth0.90",
+ "iptables.length": 540,
+ "iptables.output_device": "",
+ "iptables.precedence_bits": 224,
+ "iptables.tos": 28,
+ "iptables.ttl": 64,
+ "iptables.ubiquiti.rule_number": "default",
+ "iptables.ubiquiti.rule_set": "LAN_LOCAL",
+ "iptables.udp.length": 520,
+ "log.offset": 0,
+ "log.original": "Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=255.55.174.225 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520 ",
+ "network.transport": "udp",
+ "network.type": "ipv4",
+ "service.type": "iptables",
+ "source.ip": "192.168.48.137",
+ "source.mac": "90:10:73:ba:d6:77",
+ "source.port": 48689,
+ "tags": [
+ "iptables"
+ ]
+ },
+ {
+ "@timestamp": "2019-01-05T20:17:01.000Z",
+ "destination.ip": "192.0.2.25",
+ "destination.mac": "90:10:20:76:8d:20",
+ "destination.port": 443,
+ "ecs.version": "1.0.0-beta2",
+ "event.dataset": "iptables.log",
+ "event.module": "iptables",
+ "event.outcome": "allow",
+ "fileset.name": "log",
+ "input.type": "log",
+ "iptables.ether_type": 2048,
+ "iptables.fragment_flags": "DF",
+ "iptables.id": 51768,
+ "iptables.input_device": "eth0",
+ "iptables.length": 265,
+ "iptables.output_device": "eth2",
+ "iptables.precedence_bits": 0,
+ "iptables.tcp.flags": "ACK",
+ "iptables.tcp.reserved_bits": 0,
+ "iptables.tcp.window": 159,
+ "iptables.tos": 0,
+ "iptables.ttl": 63,
+ "iptables.ubiquiti.rule_number": "2000",
+ "iptables.ubiquiti.rule_set": "WAN_OUT",
+ "log.offset": 252,
+ "log.original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.0.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0 ",
+ "network.transport": "tcp",
+ "network.type": "ipv4",
+ "service.type": "iptables",
+ "source.ip": "192.168.134.158",
+ "source.mac": "90:10:24:67:f4:89",
+ "source.port": 43189,
+ "tags": [
+ "iptables"
+ ]
+ },
+ {
+ "@timestamp": "2019-01-05T20:17:01.000Z",
+ "destination.ip": "192.0.2.25",
+ "destination.mac": "90:10:20:76:8d:20",
+ "destination.port": 1443,
+ "ecs.version": "1.0.0-beta2",
+ "event.dataset": "iptables.log",
+ "event.module": "iptables",
+ "event.outcome": "deny",
+ "fileset.name": "log",
+ "input.type": "log",
+ "iptables.ether_type": 2048,
+ "iptables.fragment_flags": "DF",
+ "iptables.id": 0,
+ "iptables.input_device": "eth0",
+ "iptables.length": 52,
+ "iptables.output_device": "eth2",
+ "iptables.precedence_bits": 0,
+ "iptables.tcp.flags": "ACK",
+ "iptables.tcp.reserved_bits": 0,
+ "iptables.tcp.window": 2857,
+ "iptables.tos": 0,
+ "iptables.ttl": 63,
+ "iptables.ubiquiti.input_zone": "source",
+ "iptables.ubiquiti.output_zone": "dest",
+ "iptables.ubiquiti.rule_number": "default",
+ "iptables.ubiquiti.rule_set": "source-dest",
+ "log.offset": 513,
+ "log.original": "Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0 ",
+ "network.transport": "tcp",
+ "network.type": "ipv4",
+ "service.type": "iptables",
+ "source.ip": "192.168.110.116",
+ "source.mac": "90:10:65:29:b6:2a",
+ "source.port": 50093,
+ "tags": [
+ "iptables"
+ ]
+ },
+ {
+ "@timestamp": "2019-01-05T20:17:01.000Z",
+ "destination.ip": "192.0.2.25",
+ "destination.mac": "90:10:20:76:8d:20",
+ "destination.port": 1443,
+ "ecs.version": "1.0.0-beta2",
+ "event.dataset": "iptables.log",
+ "event.module": "iptables",
+ "event.outcome": "allow",
+ "fileset.name": "log",
+ "input.type": "log",
+ "iptables.ether_type": 2048,
+ "iptables.fragment_flags": "DF",
+ "iptables.id": 0,
+ "iptables.input_device": "eth0",
+ "iptables.length": 52,
+ "iptables.output_device": "eth2",
+ "iptables.precedence_bits": 0,
+ "iptables.tcp.flags": "ACK",
+ "iptables.tcp.reserved_bits": 0,
+ "iptables.tcp.window": 2853,
+ "iptables.tos": 0,
+ "iptables.ttl": 63,
+ "iptables.ubiquiti.rule_number": "2000",
+ "iptables.ubiquiti.rule_set": "WAN_OUT",
+ "log.offset": 774,
+ "log.original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0 ",
+ "network.transport": "tcp",
+ "network.type": "ipv4",
+ "service.type": "iptables",
+ "source.ip": "192.168.110.116",
+ "source.mac": "90:10:65:29:b6:2a",
+ "source.port": 50093,
+ "tags": [
+ "iptables"
+ ]
+ },
+ {
+ "@timestamp": "2019-01-05T20:17:01.000Z",
+ "destination.ip": "192.0.2.25",
+ "destination.mac": "90:10:20:76:8d:20",
+ "destination.port": 1443,
+ "ecs.version": "1.0.0-beta2",
+ "event.dataset": "iptables.log",
+ "event.module": "iptables",
+ "event.outcome": "allow",
+ "fileset.name": "log",
+ "input.type": "log",
+ "iptables.ether_type": 2048,
+ "iptables.fragment_flags": "DF",
+ "iptables.id": 0,
+ "iptables.input_device": "eth0",
+ "iptables.length": 52,
+ "iptables.output_device": "eth2",
+ "iptables.precedence_bits": 0,
+ "iptables.tcp.flags": "ACK",
+ "iptables.tcp.reserved_bits": 0,
+ "iptables.tcp.window": 2850,
+ "iptables.tos": 0,
+ "iptables.ttl": 63,
+ "iptables.ubiquiti.rule_number": "2000",
+ "iptables.ubiquiti.rule_set": "WAN_OUT",
+ "log.offset": 1028,
+ "log.original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0 ",
+ "network.transport": "tcp",
+ "network.type": "ipv4",
+ "service.type": "iptables",
+ "source.ip": "192.168.110.116",
+ "source.mac": "90:10:65:29:b6:2a",
+ "source.port": 50093,
+ "tags": [
+ "iptables"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/iptables/module.yml b/x-pack/filebeat/module/iptables/module.yml
new file mode 100644
index 00000000000..3129ecbdbc3
--- /dev/null
+++ b/x-pack/filebeat/module/iptables/module.yml
@@ -0,0 +1,5 @@
+dashboards:
+- id: ceefb9e0-1f51-11e9-93ed-f7e068f4aebb
+ file: Filebeat-Iptables-Overview.json
+- id: d39f0980-1ff3-11e9-ae2a-939083c6a64e
+ file: Filebeat-Iptables-Ubiquiti-Firewall-Overview.json
diff --git a/x-pack/filebeat/modules.d/iptables.yml.disabled b/x-pack/filebeat/modules.d/iptables.yml.disabled
new file mode 100644
index 00000000000..833fd91537b
--- /dev/null
+++ b/x-pack/filebeat/modules.d/iptables.yml.disabled
@@ -0,0 +1,13 @@
+# Module: iptables
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-iptables.html
+
+- module: iptables
+ log:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input:
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
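Review bot: The second event pins `"iptables.tcp.flags": "ACK"` although its own `log.original` carries `RES=0x00 ACK PSH URGP=0`, so this fixture locks in a parse that keeps only the first flag token and silently drops PSH. Presumably the pattern behind it captures a single word; for detection work the full flag set is what matters (SYN-only probes, NULL/XMAS-style combinations, RST floods), so the expectation should hold every flag, e.g. `"iptables.tcp.flags": ["ACK", "PSH"]` with the pipeline splitting the run of flag tokens, or at least `"ACK PSH"` if the keyword stays scalar. The `iptables.tcp.flags` field description currently says only "TCP flags" and should state whether it is a single value or an array so dashboard and rule authors query it correctly. The `event.outcome` values here are inferred from the `-A`/`-D` suffix of the Ubiquiti rule tag; a one-line note in the field docs saying that the mapping comes from that suffix (and what happens for other suffixes) would make the `allow`/`deny` semantics verifiable.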
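Review bot: The template comments out only `var.input` and `var.paths`, yet the comment says syslog is the default input, which means enabling this module unchanged starts a network listener without the operator seeing where it binds. The block should also show the listen address and port variables with their defaults (the fileset's `var.syslog_host` / `var.syslog_port`, if those are the names at this revision), so the operator can keep it on localhost or restrict it to the firewall's address, and a short note that the listener accepts unauthenticated UDP syslog, so host or network filtering is what limits who can inject events. The `var.paths` comment about "the paths depending on your OS" applies only when `var.input` is set to `file`; saying so inline avoids the impression that a default file path is read while the syslog input is active.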