From 54bf096c5fd754c8fae4dbe0142608810d8bbaa0 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 16 Feb 2021 13:09:13 +0100 Subject: [PATCH] Sync system auth data stream with beats --- .../test-auth-ubuntu1204.log-expected.json | 1830 ++++++++++++++--- .../test/pipeline/test-auth.log-expected.json | 108 +- .../test-secure-rhel7.log-expected.json | 72 +- .../pipeline/test-timestamp.log-expected.json | 25 +- .../data_stream/auth/agent/stream/log.yml.hbs | 2 +- .../ingest_pipeline/default.json | 121 -- .../elasticsearch/ingest_pipeline/default.yml | 64 +- .../system/data_stream/auth/fields/ecs.yml | 13 + packages/system/docs/README.md | 2 + packages/system/manifest.yml | 2 +- 10 files changed, 1816 insertions(+), 423 deletions(-) delete mode 100644 packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.json diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json index 06400c641c4..4cfe1d4f725 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json @@ -8,15 +8,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-09T21:19:40.000Z", + "@timestamp": "2021-02-09T21:19:40.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378031500Z", "timezone": "+0000", "kind": "event" }, - "message": "subsystem request for sftp by user vagrant" + "message": "subsystem request for sftp by user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { 
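Review bot: The regenerated fixture now embeds run-time values — `event.ingested` (e.g. `"ingested": "2021-02-16T12:08:22.378031500Z"`) on every event, and `@timestamp` years that moved from 2020 to 2021 with no change to the input log — so the expected file depends on when the test was run rather than on the pipeline. The year shift is consistent with the syslog timestamp carrying no year and the date processor filling in the current one, which means this file will mismatch again as soon as the calendar year changes; `event.ingested` is a wall-clock value and cannot match across runs at all. Unless the pipeline test runner already masks both fields, they should be declared as dynamic fields in the test configuration (or `@timestamp` pinned with a fixed year) before this fixture is committed. The same applies to every hunk in this file.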
@@ -32,21 +44,29 @@ } } }, - "@timestamp": "2020-02-09T21:19:40.000Z", + "@timestamp": "2021-02-09T21:19:40.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378067800Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -56,15 +76,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-09T21:19:40.000Z", + "@timestamp": "2021-02-09T21:19:40.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378083400Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -73,15 +110,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-09T21:19:41.000Z", + "@timestamp": "2021-02-09T21:19:41.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378109100Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -97,21 +146,29 @@ } } }, - "@timestamp": "2020-02-09T21:21:02.000Z", + "@timestamp": "2021-02-09T21:21:02.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378127400Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -121,11 +178,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-09T21:21:02.000Z", + "@timestamp": "2021-02-09T21:21:02.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378143600Z", "timezone": "+0000", "kind": "event" }, @@ -138,15 +201,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-09T21:21:02.000Z", + "@timestamp": "2021-02-09T21:21:02.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378163Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -155,15 +235,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-09T21:21:02.000Z", + "@timestamp": "2021-02-09T21:21:02.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378180800Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -173,15 +265,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T10:21:42.000Z", + "@timestamp": "2021-02-22T10:21:42.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378195700Z", "timezone": "+0000", "kind": "event" }, - "message": "subsystem request for sftp by user vagrant" + "message": "subsystem request for sftp by user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { @@ -191,8 +295,9 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T10:21:43.000Z", + "@timestamp": "2021-02-22T10:21:43.000Z", "event": { + "ingested": "2021-02-16T12:08:22.378204400Z", "timezone": "+0000", "kind": "event" }, @@ -212,21 +317,29 @@ } } }, - "@timestamp": "2020-02-22T10:24:49.000Z", + "@timestamp": "2021-02-22T10:24:49.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378232600Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -236,15 +349,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T10:24:49.000Z", + "@timestamp": "2021-02-22T10:24:49.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378247300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { 
@@ -254,11 +384,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T10:26:52.000Z", + "@timestamp": "2021-02-22T10:26:52.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378259400Z", "timezone": "+0000", "kind": "event" }, @@ -272,15 +408,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T10:26:52.000Z", + "@timestamp": "2021-02-22T10:26:52.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378271300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session closed for user vagrant" + "message": "pam_unix(sshd:session): session closed for user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { @@ -295,11 +443,14 @@ } } }, - "@timestamp": "2020-02-22T10:49:54.000Z", + "@timestamp": "2021-02-22T10:49:54.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "precise32" + ], "ip": [ "10.0.2.2" ] @@ -312,16 +463,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:22.378283300Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { 
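Review bot: In the `ssh_login` hunk `@@ -312,16 +463,18 @@` `event.category` gains `session` while `event.type` stays `["authentication_success", "info"]`; the same change appears at `@@ -472`, `@@ -608`, `@@ -863`, `@@ -1064` and `@@ -1128`. ECS pairs the `session` category with `start`, `end` and `info`, so the combination is valid, but a successful SSH login is the start of a session, and detections keyed on session starts will not match on `info` alone. If tagging the session is the intent, the expected list would become `"type": ["authentication_success", "info", "start"]` — hedged, since the pipeline that produces these values lies outside this file.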
@@ -336,15 +489,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T10:49:54.000Z", + "@timestamp": "2021-02-22T10:49:54.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378294900Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)" + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "vagrant" + }, + "id": "0" + } }, { "process": { @@ -360,21 +529,29 @@ } } }, - "@timestamp": "2020-02-22T10:50:01.000Z", + "@timestamp": "2021-02-22T10:50:01.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378306500Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -391,21 +568,29 @@ } } }, - "@timestamp": "2020-02-22T10:50:17.000Z", + "@timestamp": "2021-02-22T10:50:17.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378318400Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { 
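Review bot: The new expected output for `pam_unix(sshd:session): session opened for user vagrant by (uid=0)` in hunk `@@ -336,15 +489,31 @@` carries `"user": {"name": "", "effective": {"name": "vagrant"}, "id": "0"}`; an empty-string `user.name` is a pipeline defect rather than a fact from the log, because the message names no originating user and the field should simply be absent (note that `related.user` in the same event lists only `vagrant`, so the empty value is already treated as nothing there). An empty `user.name` breaks keyword aggregations and any rule that pivots on the actor, and pairing it with `user.id: "0"` attaches what appears to be the opening process's uid to a nameless user. The same shape is expected for the other `(uid=0)` sshd and cron session hunks at `@@ -496`, `@@ -550`, `@@ -632`, `@@ -734`, `@@ -805`, `@@ -887`, `@@ -1006`, `@@ -1088` and `@@ -1152`. The fix belongs in the ingest pipeline (drop `user.name` when the captured value is empty), after which these fixtures should be regenerated rather than accepted as-is.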
@@ -415,15 +600,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T10:50:17.000Z", + "@timestamp": "2021-02-22T10:50:17.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378330300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -432,15 +634,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T10:50:28.000Z", + "@timestamp": "2021-02-22T10:50:28.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378342500Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -455,11 +669,14 @@ } } }, - "@timestamp": "2020-02-22T11:04:28.000Z", + "@timestamp": "2021-02-22T11:04:28.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "precise32" + ], "ip": [ "10.0.2.2" ] @@ -472,16 +689,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:22.378354Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { 
@@ -496,15 +715,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:04:28.000Z", + "@timestamp": "2021-02-22T11:04:28.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378367800Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)" + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "vagrant" + }, + "id": "0" + } }, { "process": { @@ -514,11 +749,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:04:32.000Z", + "@timestamp": "2021-02-22T11:04:32.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378379800Z", "timezone": "+0000", "kind": "event" }, @@ -532,15 +773,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:04:32.000Z", + "@timestamp": "2021-02-22T11:04:32.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378391900Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session closed for user vagrant" + "message": "pam_unix(sshd:session): session closed for user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { 
@@ -550,15 +803,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:17:01.000Z", + "@timestamp": "2021-02-22T11:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378403500Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)" + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "root" + }, + "id": "0" + } }, { "process": { @@ -568,15 +837,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:17:01.000Z", + "@timestamp": "2021-02-22T11:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378415500Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session closed for user root" + "message": "pam_unix(cron:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -591,11 +872,14 @@ } } }, - "@timestamp": "2020-02-22T11:21:21.000Z", + "@timestamp": "2021-02-22T11:21:21.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "precise32" + ], "ip": [ "10.0.2.2" ] @@ -608,16 +892,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:22.378427400Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { 
@@ -632,15 +918,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:21:21.000Z", + "@timestamp": "2021-02-22T11:21:21.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378439300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)" + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "vagrant" + }, + "id": "0" + } }, { "process": { @@ -650,11 +952,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:21:24.000Z", + "@timestamp": "2021-02-22T11:21:24.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378451Z", "timezone": "+0000", "kind": "event" }, @@ -668,15 +976,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:21:24.000Z", + "@timestamp": "2021-02-22T11:21:24.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378462700Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session closed for user vagrant" + "message": "pam_unix(sshd:session): session closed for user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { @@ -692,21 +1012,29 @@ } } }, - "@timestamp": "2020-02-22T11:24:43.000Z", + "@timestamp": "2021-02-22T11:24:43.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378474300Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { 
@@ -716,15 +1044,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:24:43.000Z", + "@timestamp": "2021-02-22T11:24:43.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378486100Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -734,15 +1079,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T23:17:01.000Z", + "@timestamp": "2021-02-22T23:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378499Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)" + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "root" + }, + "id": "0" + } }, { "process": { @@ -752,15 +1113,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T23:17:01.000Z", + "@timestamp": "2021-02-22T23:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378510900Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session closed for user root" + "message": "pam_unix(cron:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -769,15 +1142,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T23:29:50.000Z", + "@timestamp": "2021-02-22T23:29:50.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378523100Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -787,15 +1172,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T23:29:50.000Z", + "@timestamp": "2021-02-22T23:29:50.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378535Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session closed for user vagrant" + "message": "pam_unix(sshd:session): session closed for user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { @@ -805,15 +1202,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-23T19:17:01.000Z", + "@timestamp": "2021-02-23T19:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378546800Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)" + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "root" + }, + "id": "0" + } }, { "process": { 
@@ -823,15 +1236,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-23T19:17:01.000Z", + "@timestamp": "2021-02-23T19:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378558800Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session closed for user root" + "message": "pam_unix(cron:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -846,11 +1271,14 @@ } } }, - "@timestamp": "2020-02-23T19:26:35.000Z", + "@timestamp": "2021-02-23T19:26:35.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "precise32" + ], "ip": [ "10.0.2.2" ] @@ -863,16 +1291,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:22.378570500Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { @@ -887,15 +1317,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-23T19:26:35.000Z", + "@timestamp": "2021-02-23T19:26:35.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378582400Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)" + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "vagrant" + }, + "id": "0" + } }, { "process": { 
@@ -911,21 +1357,29 @@ } } }, - "@timestamp": "2020-02-23T20:05:18.000Z", + "@timestamp": "2021-02-23T20:05:18.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378593700Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -935,15 +1389,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-23T20:05:18.000Z", + "@timestamp": "2021-02-23T20:05:18.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378605500Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -952,15 +1423,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-23T20:15:04.000Z", + "@timestamp": "2021-02-23T20:15:04.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378619900Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -970,11 +1453,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-23T20:15:09.000Z", + "@timestamp": "2021-02-23T20:15:09.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378635600Z", "timezone": "+0000", "kind": "event" }, 
@@ -988,15 +1477,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-23T20:15:09.000Z", + "@timestamp": "2021-02-23T20:15:09.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378647600Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session closed for user vagrant" + "message": "pam_unix(sshd:session): session closed for user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { @@ -1006,15 +1507,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-23T23:17:01.000Z", + "@timestamp": "2021-02-23T23:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378659600Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)" + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "root" + }, + "id": "0" + } }, { "process": { @@ -1024,15 +1541,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-23T23:17:01.000Z", + "@timestamp": "2021-02-23T23:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378671500Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session closed for user root" + "message": "pam_unix(cron:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -1047,11 +1576,14 @@ } } }, - "@timestamp": "2020-02-24T00:11:15.000Z", + "@timestamp": "2021-02-24T00:11:15.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "precise32" + ], "ip": [ "10.0.2.2" ] 
@@ -1064,16 +1596,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:22.378773400Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { @@ -1088,15 +1622,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:11:15.000Z", + "@timestamp": "2021-02-24T00:11:15.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378804100Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)" + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "vagrant" + }, + "id": "0" + } }, { "process": { @@ -1111,11 +1661,14 @@ } } }, - "@timestamp": "2020-02-24T00:11:24.000Z", + "@timestamp": "2021-02-24T00:11:24.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "precise32" + ], "ip": [ "10.0.2.2" ] @@ -1128,16 +1681,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:22.378817400Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { 
@@ -1152,15 +1707,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:11:24.000Z", + "@timestamp": "2021-02-24T00:11:24.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378829600Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)" + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "vagrant" + }, + "id": "0" + } }, { "process": { @@ -1176,21 +1747,29 @@ } } }, - "@timestamp": "2020-02-24T00:11:26.000Z", + "@timestamp": "2021-02-24T00:11:26.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378841Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -1200,15 +1779,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:11:26.000Z", + "@timestamp": "2021-02-24T00:11:26.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378852800Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { 
@@ -1218,11 +1814,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:02.000Z", + "@timestamp": "2021-02-24T00:12:02.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378867500Z", "category": [ "iam" ], @@ -1244,11 +1846,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:02.000Z", + "@timestamp": "2021-02-24T00:12:02.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378879500Z", "category": [ "iam" ], @@ -1270,11 +1878,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:02.000Z", + "@timestamp": "2021-02-24T00:12:02.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378891Z", "category": [ "iam" ], @@ -1304,16 +1918,20 @@ } } }, - "@timestamp": "2020-02-24T00:12:02.000Z", + "@timestamp": "2021-02-24T00:12:02.000Z", "related": { "user": [ "tsg" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378902400Z", "category": [ "iam" ], @@ -1341,11 +1959,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:07.000Z", + "@timestamp": "2021-02-24T00:12:07.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378913900Z", "timezone": "+0000", "kind": "event" }, @@ -1359,11 +1983,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:10.000Z", + "@timestamp": "2021-02-24T00:12:10.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378925700Z", "timezone": "+0000", "kind": "event" }, 
@@ -1377,11 +2007,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:14.000Z", + "@timestamp": "2021-02-24T00:12:14.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378937300Z", "timezone": "+0000", "kind": "event" }, @@ -1395,11 +2031,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:14.000Z", + "@timestamp": "2021-02-24T00:12:14.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378948600Z", "timezone": "+0000", "kind": "event" }, @@ -1413,15 +2055,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:14.000Z", + "@timestamp": "2021-02-24T00:12:14.000Z", + "related": { + "user": [ + "vagrant", + "tsg" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378960600Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(su:session): session opened for user tsg by vagrant(uid=0)" + "message": "pam_unix(su:session): session opened for user tsg by vagrant(uid=0)", + "user": { + "name": "vagrant", + "effective": { + "name": "tsg" + }, + "id": "0" + } }, { "process": { @@ -1430,11 +2089,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:20.000Z", + "@timestamp": "2021-02-24T00:12:20.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378970500Z", "timezone": "+0000", "kind": "event" }, 
@@ -1454,21 +2119,29 @@ } } }, - "@timestamp": "2020-02-24T00:12:37.000Z", + "@timestamp": "2021-02-24T00:12:37.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378979300Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -1478,15 +2151,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:37.000Z", + "@timestamp": "2021-02-24T00:12:37.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378990100Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -1495,15 +2185,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:37.000Z", + "@timestamp": "2021-02-24T00:12:37.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.378998800Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -1520,21 +2222,29 @@ } } }, - "@timestamp": "2020-02-24T00:12:42.000Z", + "@timestamp": "2021-02-24T00:12:42.000Z", "related": { "user": [ - "tsg" + "tsg", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379010700Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "tsg" + "name": "tsg", + "effective": { + "name": "root" + } } }, { @@ -1544,11 +2254,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:42.000Z", + "@timestamp": "2021-02-24T00:12:42.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379018100Z", "timezone": "+0000", "kind": "event" }, @@ -1568,21 +2284,29 @@ } } }, - "@timestamp": "2020-02-24T00:12:50.000Z", + "@timestamp": "2021-02-24T00:12:50.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379026300Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -1592,15 +2316,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:50.000Z", + "@timestamp": "2021-02-24T00:12:50.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379038300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { 
@@ -1609,15 +2350,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:12:50.000Z", + "@timestamp": "2021-02-24T00:12:50.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379049700Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -1634,21 +2387,29 @@ } } }, - "@timestamp": "2020-02-24T00:13:02.000Z", + "@timestamp": "2021-02-24T00:13:02.000Z", "related": { "user": [ - "tsg" + "tsg", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379061500Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "tsg" + "name": "tsg", + "effective": { + "name": "root" + } } }, { @@ -1658,11 +2419,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:13:02.000Z", + "@timestamp": "2021-02-24T00:13:02.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379072900Z", "timezone": "+0000", "kind": "event" }, @@ -1682,21 +2449,29 @@ } } }, - "@timestamp": "2020-02-24T00:13:06.000Z", + "@timestamp": "2021-02-24T00:13:06.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379084300Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { 
@@ -1706,15 +2481,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:13:06.000Z", + "@timestamp": "2021-02-24T00:13:06.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379097200Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -1723,15 +2515,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:13:06.000Z", + "@timestamp": "2021-02-24T00:13:06.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379106300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -1741,15 +2545,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:17:01.000Z", + "@timestamp": "2021-02-24T00:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379113600Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)" + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "root" + }, + "id": "0" + } }, { "process": { 
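Review bot: The cron hunk at the end of this line expects `"user": { "name": "", "effective": { "name": "root" }, "id": "0" }` for `session opened for user root by (uid=0)`, i.e. the pipeline now emits an empty `user.name` whenever the `by` clause carries only a uid. An empty keyword is still an indexed value, so detection rules and aggregations on `user.name` will see a bogus "" identity, and it disagrees with `related.user`, which correctly lists only `root`. The ingest pipeline change itself is not in this chunk, but it should drop the field when the capture is empty — e.g. a `remove` processor with `field: user.name` and `if: ctx.user?.name == ''` — and the fixture regenerated; the same expectation recurs in the sshd and cron session-opened hunks at old lines 1894, 1966, 2002, 2084 and 2762 of this file. Pairing `user.id: "0"` with `user.effective.name: vagrant` in the sshd cases also deserves a second look, since that uid belongs to the privileged sshd process rather than to the named user.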
@@ -1759,15 +2579,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:17:01.000Z", + "@timestamp": "2021-02-24T00:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379118300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session closed for user root" + "message": "pam_unix(cron:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -1777,15 +2609,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:45:47.000Z", + "@timestamp": "2021-02-24T00:45:47.000Z", + "related": { + "user": [ + "tsg" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379122600Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(su:session): session closed for user tsg" + "message": "pam_unix(su:session): session closed for user tsg", + "user": { + "name": "tsg" + } }, { "process": { @@ -1794,15 +2638,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:45:48.000Z", + "@timestamp": "2021-02-24T00:45:48.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379130100Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -1812,11 +2668,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:45:49.000Z", + "@timestamp": "2021-02-24T00:45:49.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379140Z", "timezone": "+0000", "kind": "event" }, 
@@ -1830,15 +2692,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:45:49.000Z", + "@timestamp": "2021-02-24T00:45:49.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379149200Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session closed for user vagrant" + "message": "pam_unix(sshd:session): session closed for user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { @@ -1853,11 +2727,14 @@ } } }, - "@timestamp": "2020-02-24T00:46:32.000Z", + "@timestamp": "2021-02-24T00:46:32.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "precise32" + ], "ip": [ "10.0.2.2" ] @@ -1870,16 +2747,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:22.379160700Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { @@ -1894,15 +2773,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:46:32.000Z", + "@timestamp": "2021-02-24T00:46:32.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379172100Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)" + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "vagrant" + }, + "id": "0" + } }, { "process": { 
@@ -1912,11 +2807,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:46:32.000Z", + "@timestamp": "2021-02-24T00:46:32.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379183300Z", "timezone": "+0000", "kind": "event" }, @@ -1930,15 +2831,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T00:46:32.000Z", + "@timestamp": "2021-02-24T00:46:32.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379231700Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session closed for user vagrant" + "message": "pam_unix(sshd:session): session closed for user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { @@ -1948,15 +2861,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T01:05:42.000Z", + "@timestamp": "2021-02-24T01:05:42.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379244400Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session closed for user vagrant" + "message": "pam_unix(sshd:session): session closed for user vagrant", + "user": { + "name": "vagrant" + } }, { "process": { 
@@ -1966,15 +2891,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T08:17:01.000Z", + "@timestamp": "2021-02-24T08:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379252Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)" + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "root" + }, + "id": "0" + } }, { "process": { @@ -1984,15 +2925,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T08:17:01.000Z", + "@timestamp": "2021-02-24T08:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379259700Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session closed for user root" + "message": "pam_unix(cron:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -2002,15 +2955,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:17:01.000Z", + "@timestamp": "2021-02-24T09:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379271400Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)" + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "root" + }, + "id": "0" + } }, { "process": { 
@@ -2020,15 +2989,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:17:01.000Z", + "@timestamp": "2021-02-24T09:17:01.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379282700Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(cron:session): session closed for user root" + "message": "pam_unix(cron:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -2043,11 +3024,14 @@ } } }, - "@timestamp": "2020-02-24T09:18:35.000Z", + "@timestamp": "2021-02-24T09:18:35.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "precise32" + ], "ip": [ "10.0.2.2" ] @@ -2060,16 +3044,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:22.379294100Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { @@ -2084,15 +3070,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:18:35.000Z", + "@timestamp": "2021-02-24T09:18:35.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379305700Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)" + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "vagrant" + }, + "id": "0" + } }, { "process": { 
@@ -2108,21 +3110,29 @@ } } }, - "@timestamp": "2020-02-24T09:18:40.000Z", + "@timestamp": "2021-02-24T09:18:40.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379317100Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -2132,15 +3142,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:18:40.000Z", + "@timestamp": "2021-02-24T09:18:40.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379328700Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -2149,15 +3176,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:18:46.000Z", + "@timestamp": "2021-02-24T09:18:46.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379340Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -2173,21 +3212,29 @@ } } }, - "@timestamp": "2020-02-24T09:18:53.000Z", + "@timestamp": "2021-02-24T09:18:53.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379351400Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -2197,15 +3244,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:18:53.000Z", + "@timestamp": "2021-02-24T09:18:53.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379362700Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -2214,15 +3278,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:18:53.000Z", + "@timestamp": "2021-02-24T09:18:53.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379374Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -2238,21 +3314,29 @@ } } }, - "@timestamp": "2020-02-24T09:19:04.000Z", + "@timestamp": "2021-02-24T09:19:04.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379385400Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -2262,15 +3346,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:04.000Z", + "@timestamp": "2021-02-24T09:19:04.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379396800Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -2279,15 +3380,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:04.000Z", + "@timestamp": "2021-02-24T09:19:04.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379421100Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -2303,21 +3416,29 @@ } } }, - "@timestamp": "2020-02-24T09:19:09.000Z", + "@timestamp": "2021-02-24T09:19:09.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379435200Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -2327,15 +3448,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:09.000Z", + "@timestamp": "2021-02-24T09:19:09.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379443800Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -2344,15 +3482,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:09.000Z", + "@timestamp": "2021-02-24T09:19:09.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379453300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -2368,21 +3518,29 @@ } } }, - "@timestamp": "2020-02-24T09:19:29.000Z", + "@timestamp": "2021-02-24T09:19:29.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379458500Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -2392,15 +3550,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:29.000Z", + "@timestamp": "2021-02-24T09:19:29.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379466200Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -2410,11 +3585,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:55.000Z", + "@timestamp": "2021-02-24T09:19:55.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379482400Z", "category": [ "iam" ], @@ -2436,11 +3617,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:55.000Z", + "@timestamp": "2021-02-24T09:19:55.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379494800Z", "category": [ "iam" ], 
@@ -2462,11 +3649,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:55.000Z", + "@timestamp": "2021-02-24T09:19:55.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379575900Z", "category": [ "iam" ], @@ -2496,16 +3689,20 @@ } } }, - "@timestamp": "2020-02-24T09:19:55.000Z", + "@timestamp": "2021-02-24T09:19:55.000Z", "related": { "user": [ "mysql" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379601100Z", "category": [ "iam" ], @@ -2533,11 +3730,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:55.000Z", + "@timestamp": "2021-02-24T09:19:55.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379614400Z", "timezone": "+0000", "kind": "event" }, @@ -2551,11 +3754,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:19:55.000Z", + "@timestamp": "2021-02-24T09:19:55.000Z", + "related": { + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379625800Z", "timezone": "+0000", "kind": "event" }, @@ -2568,15 +3777,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:20:08.000Z", + "@timestamp": "2021-02-24T09:20:08.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379637Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -2592,21 +3813,29 @@ } } }, - "@timestamp": "2020-02-24T09:20:10.000Z", + "@timestamp": "2021-02-24T09:20:10.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379654400Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -2616,15 +3845,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:20:10.000Z", + "@timestamp": "2021-02-24T09:20:10.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379666300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -2633,15 +3879,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:20:10.000Z", + "@timestamp": "2021-02-24T09:20:10.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379677300Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { 
@@ -2657,21 +3915,29 @@ } } }, - "@timestamp": "2020-02-24T09:26:29.000Z", + "@timestamp": "2021-02-24T09:26:29.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379688500Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -2681,15 +3947,32 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:26:29.000Z", + "@timestamp": "2021-02-24T09:26:29.000Z", + "related": { + "user": [ + "vagrant", + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379699500Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)" + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "user": { + "name": "vagrant", + "effective": { + "name": "root" + }, + "id": "1000" + } }, { "process": { @@ -2698,15 +3981,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:26:29.000Z", + "@timestamp": "2021-02-24T09:26:29.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379713600Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo:session): session closed for user root" + "message": "pam_unix(sudo:session): session closed for user root", + "user": { + "name": "root" + } }, { "process": { @@ -2721,11 +4016,14 @@ } } }, - "@timestamp": "2020-02-24T09:26:59.000Z", + "@timestamp": "2021-02-24T09:26:59.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "precise32" + ], "ip": [ "10.0.2.2" ] 
@@ -2738,16 +4036,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:22.379725300Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { @@ -2762,15 +4062,31 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-24T09:26:59.000Z", + "@timestamp": "2021-02-24T09:26:59.000Z", + "related": { + "user": [ + "vagrant" + ], + "hosts": [ + "precise32" + ] + }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:22.379736800Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)" + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "user": { + "name": "", + "effective": { + "name": "vagrant" + }, + "id": "0" + } } ] } \ No newline at end of file diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json index 5d1c1744c16..c6e9406581c 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json @@ -14,11 +14,14 @@ } } }, - "@timestamp": "2020-02-21T21:54:44.000Z", + "@timestamp": "2021-02-21T21:54:44.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "localhost" + ], "ip": [ "10.0.2.2" ] @@ -31,16 +34,18 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:23.984384500Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { 
@@ -60,11 +65,14 @@ } } }, - "@timestamp": "2020-02-23T00:13:35.000Z", + "@timestamp": "2021-02-23T00:13:35.000Z", "related": { "user": [ "vagrant" ], + "hosts": [ + "localhost" + ], "ip": [ "192.168.33.1" ] @@ -77,16 +85,18 @@ "ip": "192.168.33.1" }, "event": { + "ingested": "2021-02-16T12:08:23.984398900Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_success", "info" ], "category": [ - "authentication" + "authentication", + "session" ], - "timezone": "+0000", - "kind": "event", "outcome": "success" }, "user": { @@ -105,11 +115,14 @@ } } }, - "@timestamp": "2020-02-21T21:56:12.000Z", + "@timestamp": "2021-02-21T21:56:12.000Z", "related": { "user": [ "test" ], + "hosts": [ + "localhost" + ], "ip": [ "10.0.2.2" ] @@ -121,6 +134,9 @@ "ip": "10.0.2.2" }, "event": { + "ingested": "2021-02-16T12:08:23.984402600Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_failure", @@ -129,8 +145,6 @@ "category": [ "authentication" ], - "timezone": "+0000", - "kind": "event", "outcome": "failure" }, "user": { @@ -150,11 +164,14 @@ } } }, - "@timestamp": "2020-02-20T08:35:22.000Z", + "@timestamp": "2021-02-20T08:35:22.000Z", "related": { "user": [ "root" ], + "hosts": [ + "slave22" + ], "ip": [ "116.31.116.24" ] @@ -184,6 +201,9 @@ "ip": "116.31.116.24" }, "event": { + "ingested": "2021-02-16T12:08:23.984407600Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_failure", @@ -192,8 +212,6 @@ "category": [ "authentication" ], - "timezone": "+0000", - "kind": "event", "outcome": "failure" }, "user": { 
@@ -214,21 +232,29 @@ } } }, - "@timestamp": "2020-02-21T23:35:33.000Z", + "@timestamp": "2021-02-21T23:35:33.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "localhost" ] }, "host": { "hostname": "localhost" }, "event": { + "ingested": "2021-02-16T12:08:23.984411800Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -243,8 +269,11 @@ } } }, - "@timestamp": "2020-02-19T15:30:04.000Z", + "@timestamp": "2021-02-19T15:30:04.000Z", "related": { + "hosts": [ + "slave22" + ], "ip": [ "123.57.245.163" ] @@ -274,6 +303,7 @@ "ip": "123.57.245.163" }, "event": { + "ingested": "2021-02-16T12:08:23.984419500Z", "timezone": "+0000", "kind": "event" } @@ -292,21 +322,29 @@ } } }, - "@timestamp": "2020-02-23T00:08:48.000Z", + "@timestamp": "2021-02-23T00:08:48.000Z", "related": { "user": [ - "vagrant" + "vagrant", + "root" + ], + "hosts": [ + "localhost" ] }, "host": { "hostname": "localhost" }, "event": { + "ingested": "2021-02-16T12:08:23.984429700Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "vagrant" + "name": "vagrant", + "effective": { + "name": "root" + } } }, { @@ -324,21 +362,29 @@ } } }, - "@timestamp": "2020-02-24T00:13:02.000Z", + "@timestamp": "2021-02-24T00:13:02.000Z", "related": { "user": [ - "tsg" + "tsg", + "root" + ], + "hosts": [ + "precise32" ] }, "host": { "hostname": "precise32" }, "event": { + "ingested": "2021-02-16T12:08:23.984439100Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "tsg" + "name": "tsg", + "effective": { + "name": "root" + } } }, { @@ -349,11 +395,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T11:47:05.000Z", + "@timestamp": "2021-02-22T11:47:05.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, "host": { "hostname": "localhost" }, "event": { + "ingested": "2021-02-16T12:08:23.984448200Z", "category": [ "iam" ], 
@@ -383,16 +435,20 @@ } } }, - "@timestamp": "2020-02-22T11:47:05.000Z", + "@timestamp": "2021-02-22T11:47:05.000Z", "related": { "user": [ "apache" + ], + "hosts": [ + "localhost" ] }, "host": { "hostname": "localhost" }, "event": { + "ingested": "2021-02-16T12:08:23.984468100Z", "category": [ "iam" ], diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json index 5c8f0569bae..a9069420ffa 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json @@ -13,11 +13,14 @@ } } }, - "@timestamp": "2020-02-22T16:45:20.000Z", + "@timestamp": "2021-02-22T16:45:20.000Z", "related": { "user": [ "root" ], + "hosts": [ + "slave22" + ], "ip": [ "202.109.143.106" ] @@ -47,6 +50,9 @@ "ip": "202.109.143.106" }, "event": { + "ingested": "2021-02-16T12:08:24.248985600Z", + "timezone": "+0000", + "kind": "event", "action": "ssh_login", "type": [ "authentication_failure", @@ -55,8 +61,6 @@ "category": [ "authentication" ], - "timezone": "+0000", - "kind": "event", "outcome": "failure" }, "user": { @@ -71,15 +75,27 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T16:45:20.000Z", + "@timestamp": "2021-02-22T16:45:20.000Z", + "related": { + "user": [ + "root" + ], + "hosts": [ + "slave22" + ] + }, "host": { "hostname": "slave22" }, "event": { + "ingested": "2021-02-16T12:08:24.249001100Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_succeed_if(sshd:auth): requirement \"uid \u003e= 1000\" not met by user \"root\"" + "message": "pam_succeed_if(sshd:auth): requirement \"uid \u003e= 1000\" not met by user \"root\"", + "user": { + "name": "root" + } }, { "process": { 
@@ -89,11 +105,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T16:45:26.000Z", + "@timestamp": "2021-02-22T16:45:26.000Z", + "related": { + "hosts": [ + "slave22" + ] + }, "host": { "hostname": "slave22" }, "event": { + "ingested": "2021-02-16T12:08:24.249011700Z", "timezone": "+0000", "kind": "event" }, @@ -107,11 +129,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T16:45:26.000Z", + "@timestamp": "2021-02-22T16:45:26.000Z", + "related": { + "hosts": [ + "slave22" + ] + }, "host": { "hostname": "slave22" }, "event": { + "ingested": "2021-02-16T12:08:24.249021100Z", "timezone": "+0000", "kind": "event" }, @@ -125,11 +153,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T16:45:26.000Z", + "@timestamp": "2021-02-22T16:45:26.000Z", + "related": { + "hosts": [ + "slave22" + ] + }, "host": { "hostname": "slave22" }, "event": { + "ingested": "2021-02-16T12:08:24.249030100Z", "timezone": "+0000", "kind": "event" }, @@ -143,11 +177,17 @@ "system": { "auth": {} }, - "@timestamp": "2020-02-22T16:45:32.000Z", + "@timestamp": "2021-02-22T16:45:32.000Z", + "related": { + "hosts": [ + "slave22" + ] + }, "host": { "hostname": "slave22" }, "event": { + "ingested": "2021-02-16T12:08:24.249039100Z", "timezone": "+0000", "kind": "event" }, @@ -167,21 +207,29 @@ } } }, - "@timestamp": "2020-02-22T17:04:51.000Z", + "@timestamp": "2021-02-22T17:04:51.000Z", "related": { "user": [ - "tsg" + "tsg", + "root" + ], + "hosts": [ + "slave22" ] }, "host": { "hostname": "slave22" }, "event": { + "ingested": "2021-02-16T12:08:24.249048200Z", "timezone": "+0000", "kind": "event" }, "user": { - "name": "tsg" + "name": "tsg", + "effective": { + "name": "root" + } } } ] diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json index 40a61bc8271..45197f71dbc 100644 
--- a/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json @@ -8,14 +8,31 @@ "auth": {} }, "@timestamp": "2019-06-14T10:40:20.912Z", + "related": { + "user": [ + "userauth3", + "root" + ], + "hosts": [ + "localhost" + ] + }, "host": { "hostname": "localhost" }, "event": { + "ingested": "2021-02-16T12:08:24.328682200Z", "timezone": "+0000", "kind": "event" }, - "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)" + "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", + "user": { + "name": "userauth3", + "effective": { + "name": "root" + }, + "id": "0" + } }, { "process": { @@ -25,10 +42,16 @@ "auth": {} }, "@timestamp": "2019-06-14T11:31:15.412Z", + "related": { + "hosts": [ + "localhost" + ] + }, "host": { "hostname": "localhost" }, "event": { + "ingested": "2021-02-16T12:08:24.328694700Z", "timezone": "+0000", "kind": "event" }, diff --git a/packages/system/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/data_stream/auth/agent/stream/log.yml.hbs index 58c96859c0b..83450e45eab 100644 --- a/packages/system/data_stream/auth/agent/stream/log.yml.hbs +++ b/packages/system/data_stream/auth/agent/stream/log.yml.hbs @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 \ No newline at end of file + ecs.version: 1.8.0 \ No newline at end of file diff --git a/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.json b/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.json deleted file mode 100644 index 8df0a77e582..00000000000 --- a/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "description": "Pipeline for parsing system authorisation/secure logs", - "processors": [ - { - "grok": { - "field": "message", - "ignore_missing": true, - "pattern_definitions" : { - "GREEDYMULTILINE" : "(.|\n)*", - "TIMESTAMP": "(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})" - }, - "patterns": [ - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}" - ] - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "system.auth.message", - "target_field": "message", - "ignore_missing": true - } - }, - { - "set": { - "field": "source.ip", - "value": "{{system.auth.ssh.dropped_ip}}", - "if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')" - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "system.auth.timestamp" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_failure": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "script": { - "lang": "painless", - "ignore_failure": true, - "source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } 
ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
index 9f7c43959dc..7e825c58d19 100644
--- a/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
@@ -1,6 +1,9 @@
 ---
 description: Pipeline for parsing system authorisation/secure logs
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - grok:
 field: message
 ignore_missing: true
@@ -34,10 +37,51 @@ processors:
 field: system.auth.message
 target_field: message
 ignore_missing: true
+ if: ctx?.system?.auth?.message != null && ctx?.system?.auth?.message != ""
+- grok:
+ field: message
+ ignore_missing: true
+ ignore_failure: true
+ patterns:
+ - 'for user \"?%{DATA:_temp.foruser}\"? by \"?%{DATA:_temp.byuser}\"?(?:\(uid=%{NUMBER:_temp.byuid}\))?$'
+ - 'for user \"?%{DATA:_temp.foruser}\"?$'
+ - 'by user \"?%{DATA:_temp.byuser}\"?$'
+ if: ctx?.message != null && ctx?.message != ""
+- rename:
+ field: _temp.byuser
+ target_field: user.name
+ ignore_missing: true
+ ignore_failure: true
+- rename:
+ field: _temp.byuid
+ target_field: user.id
+ ignore_missing: true
+ ignore_failure: true
+- rename:
+ field: _temp.foruser
+ target_field: user.name
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.user?.name == null || ctx?.user?.name == ""
+- rename:
+ field: _temp.foruser
+ target_field: user.effective.name
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.user?.name != null
+- remove:
+ field: _temp
+ ignore_missing: true
+- convert:
+ field: system.auth.sudo.user
+ target_field: user.effective.name
+ type: string
+ ignore_failure: true
+ if: ctx?.system?.auth?.sudo?.user != null
 - set:
 field: source.ip
 value: '{{system.auth.ssh.dropped_ip}}'
- if: "ctx?.system?.auth?.ssh?.dropped_ip != null"
+ ignore_empty_value: true
 - date:
 if: ctx.event.timezone == null
 field: system.auth.timestamp
@@ -94,7 +138,7 @@ processors:
 source: >-
 if (ctx.system.auth.ssh.event == "Accepted") {
 ctx.event.type = ["authentication_success", "info"];
- ctx.event.category = ["authentication"];
+ ctx.event.category = ["authentication","session"];
 ctx.event.action = "ssh_login";
 ctx.event.outcome = "success";
 } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") {
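Review bot: The rename of `_temp.foruser` to `user.name` guarded by `if: ctx?.user?.name == null || ctx?.user?.name == ""` cannot take effect for lines such as `session opened for user vagrant by (uid=0)`: the first grok pattern's `%{DATA:_temp.byuser}` matches the empty string, the earlier rename has already created `user.name: ""`, and a rename onto an existing target field fails, which `ignore_failure: true` then hides. The event ends up with an empty `user.name`, the session user demoted to `user.effective.name` and `user.id` taken from the caller's `uid=`, which is what the updated test-auth-ubuntu1204 fixture in this commit shows and what forces the `!= ''` guards on the `related.user` appends further down the file. Dropping the empty value before that rename fixes it: `- remove:` / `field: user.name` / `if: ctx?.user?.name == ""` placed right after the `_temp.byuid` rename (or make the grok pattern require a non-empty name, e.g. `%{USERNAME:_temp.byuser}`). Detection rules keyed on `user.name` would otherwise not see a user for these session events. The `processors` list this hunk modifies starts and ends outside the hunk.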
@@ -135,11 +179,23 @@ processors:
 - append:
 field: related.user
 value: "{{user.name}}"
- if: "ctx?.user?.name != null"
+ allow_duplicates: false
+ if: "ctx?.user?.name != null && ctx.user?.name != ''"
+- append:
+ field: related.user
+ value: "{{user.effective.name}}"
+ allow_duplicates: false
+ if: "ctx?.user?.effective?.name != null && ctx.user?.effective?.name != ''"
 - append:
 field: related.ip
 value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
+ allow_duplicates: false
+ if: "ctx?.source?.ip != null && ctx.source?.ip != ''"
+- append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ allow_duplicates: false
+ if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
 on_failure:
 - set:
 field: error.message
diff --git a/packages/system/data_stream/auth/fields/ecs.yml b/packages/system/data_stream/auth/fields/ecs.yml
index 3bf40ac7d1f..1bd77bc20cb 100644
--- a/packages/system/data_stream/auth/fields/ecs.yml
+++ b/packages/system/data_stream/auth/fields/ecs.yml
@@ -126,6 +126,16 @@
 type: text
 norms: false
 default_field: false
+ - name: effective.name
+ level: core
+ type: keyword
+ description: Short name or login of the user.
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
 - description: "Operating system architecture."
 ignore_above: 1024
 name: host.architecture
@@ -194,6 +204,9 @@
 - name: related.user
 type: keyword
 description: All the user names seen on your event.
+- name: related.hosts
+ type: keyword
+ description: All the host names seen on your event.
 - name: source.as.number
 type: long
 description: Unique number allocated to the autonomous system.
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
index 25590581e00..594a1ea8cb4 100644
--- a/packages/system/docs/README.md
+++ b/packages/system/docs/README.md
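Review bot: The conditions on the `related.*` appends mix null-safe forms: `ctx?.user?.name != null && ctx.user?.name != ''` uses `ctx?.` and `ctx.` in the same expression, while the new `related.hosts` append uses `ctx.host?.hostname` only. The document map `ctx` is always present in an ingest condition, so `ctx.user?.name` is sufficient; one consistent spelling, e.g. `if: "ctx.user?.name != null && ctx.user?.name != ''"`, would make the four guards easier to read and compare. The `processors` list continues outside the hunk.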
@@ -645,6 +645,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
 | process.pid | Process id. | long |
+| related.hosts | All the host names seen on your event. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names seen on your event. | keyword |
 | source.as.number | Unique number allocated to the autonomous system. | long |
@@ -669,6 +670,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
 | system.auth.sudo.user | The target user to which the sudo command is switching. | keyword |
 | system.auth.useradd.home | The home folder for the new user. | keyword |
 | system.auth.useradd.shell | The default shell for the new user. | keyword |
+| user.effective.name | Short name or login of the user. | keyword |
 | user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | version | Operating system version as a raw string. | keyword |
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index abbfa015332..ca90ddf4386 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: system
 title: System
-version: 0.10.9
+version: 0.11.0
 license: basic
 description: System Integration
 type: integration