From 2000f42a1c78fa3b567c702b69212b88e604ebbd Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Wed, 16 Dec 2020 12:09:49 -0500
Subject: [PATCH 1/2] Add UDP and TCP Syslog tests for CheckPoint Firewall
Add system tests for the UDP and TCP inputs in the CheckPoint Firewall data stream.
Depends on: https://github.com/elastic/elastic-package/pull/229
---
 .../_dev/deploy/docker/docker-compose.yml | 12 ++++++
 .../_dev/deploy/docker/test-checkpoint.log | 21 ++++++++++
 .../_dev/test/system/test-tcp-config.yml | 6 +++
 .../_dev/test/system/test-udp-config.yml | 6 +++
 .../firewall/agent/stream/tcp.yml.hbs | 14 +++++++
 .../data_stream/firewall/fields/beats.yml | 3 ++
 .../data_stream/firewall/manifest.yml | 4 ++
 packages/checkpoint/docs/README.md | 1 +
 packages/checkpoint/manifest.yml | 39 +++++++++++++++++++
 9 files changed, 106 insertions(+)
 create mode 100644 packages/checkpoint/_dev/deploy/docker/docker-compose.yml
 create mode 100644 packages/checkpoint/_dev/deploy/docker/test-checkpoint.log
 create mode 100644 packages/checkpoint/data_stream/firewall/_dev/test/system/test-tcp-config.yml
 create mode 100644 packages/checkpoint/data_stream/firewall/_dev/test/system/test-udp-config.yml
 create mode 100644 packages/checkpoint/data_stream/firewall/agent/stream/tcp.yml.hbs
diff --git a/packages/checkpoint/_dev/deploy/docker/docker-compose.yml b/packages/checkpoint/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..71ea8833874
--- /dev/null
+++ b/packages/checkpoint/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,12 @@
+version: '2.3'
+services:
+ checkpoint-firewall-tcp:
+ image: akroh/stream:v0.0.1
+ volumes:
+ - ./test-checkpoint.log:/sample_logs/test-checkpoint.log:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=tcp /sample_logs/test-checkpoint.log
+ checkpoint-firewall-udp:
+ image: akroh/stream:v0.0.1
+ volumes:
+ - ./test-checkpoint.log:/sample_logs/test-checkpoint.log:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9515 -p=udp /sample_logs/test-checkpoint.log
diff --git a/packages/checkpoint/_dev/deploy/docker/test-checkpoint.log b/packages/checkpoint/_dev/deploy/docker/test-checkpoint.log
new file mode 100644
index 00000000000..9e86bccac9c
--- /dev/null
+++ b/packages/checkpoint/_dev/deploy/docker/test-checkpoint.log
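Review bot: Both services pull `image: akroh/stream:v0.0.1` from a personal Docker Hub namespace by a mutable tag, so the log replayer that drives this system test can change underneath the same tag and the fixture is only as trustworthy as that one account; pin it by digest, `image: akroh/stream:v0.0.1@sha256:<digest-placeholder>`, or move it under an organization-owned registry once the tool settles. The `--addr elastic-agent:9514` and `:9515` values have to stay in step with `syslog_port` in test-tcp-config.yml and test-udp-config.yml, and nothing here says so; a one-line comment above each `command:` naming the config file it must match would make that coupling visible. `--delay=5s` is a fixed wait rather than a readiness check, so if the agent's listener binds slowly in CI the replay can start early and the test flakes; worth a comment on why 5s was chosen, or a retry in the tool if it supports one.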
@@ -0,0 +1,21 @@
+<134>1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - [flags:"133440"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; sequencenum:"1"; version:"5"; product:"System Monitor"; sys_message::"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"]
+<134>1 2020-03-29T13:19:21Z gw-da58d3 CheckPoint 1930 - [flags:"133440"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; sequencenum:"2"; version:"5"; product:"System Monitor"; sys_message::"installed Standard"]
+<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46915"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"194.29.39.10"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0";
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61794"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26680"; xlatesrc:"0.0.0.0"]
+<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36749"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; comment:"No update was found"; description:"Contracts"; product:"Security Gateway/Management"; status:"Finished"; update_service:"1"; version:"1.0"]
+<134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network";
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61180"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10860"; xlatesrc:"0.0.0.0"]
+<134>1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55039"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-30T01:18:44Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; description:"Contracts"; product:"Security Gateway/Management"; status:"Started"; update_service:"1"; version:"1.0"]
+<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]";
dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51894"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"11157"; xlatesrc:"0.0.0.0"]
+<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47919"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; comment:"No update was found"; description:"Contracts"; product:"Security Gateway/Management"; status:"Finished"; update_service:"1"; version:"1.0"]
+<134>1 2020-03-30T06:12:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 &
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
+<134>1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e818de4,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; db_ver:"20033003"; description:"Gateway was updated with database version: 22032001."; product:"Application Control"; severity:"1"; update_status:"updated"]
+<134>1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e818de4,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; db_ver:"20033003"; description:"Gateway was updated with database version: 22032001."; product:"URL Filtering"; severity:"1"; update_status:"updated"]
+<134>1 2020-03-30T06:13:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e818e01,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138";
service_id:"nbdatagram"; src:"192.168.1.1"]
+<134>1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2.21.41.118"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"65488"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
+<134>1 2020-03-30T07:18:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d63,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
+<134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1";
parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"]
+<134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/system/test-tcp-config.yml b/packages/checkpoint/data_stream/firewall/_dev/test/system/test-tcp-config.yml
new file mode 100644
index 00000000000..ca6d70aa258
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/system/test-tcp-config.yml
@@ -0,0 +1,6 @@
+service: checkpoint-firewall-tcp
+service_notify_signal: SIGHUP
+input: tcp
+vars:
+ syslog_host: 0.0.0.0
+ syslog_port: 9514
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/system/test-udp-config.yml b/packages/checkpoint/data_stream/firewall/_dev/test/system/test-udp-config.yml
new file mode 100644
index 00000000000..7af32007c65
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/system/test-udp-config.yml
@@ -0,0 +1,6 @@
+service: checkpoint-firewall-udp
+service_notify_signal: SIGHUP
+input: udp
+vars:
+ syslog_host: 0.0.0.0
+ syslog_port: 9515
diff --git a/packages/checkpoint/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/checkpoint/data_stream/firewall/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..b3f78263894
--- /dev/null
+++ b/packages/checkpoint/data_stream/firewall/agent/stream/tcp.yml.hbs
@@ -0,0 +1,14 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - add_locale: ~
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.6.0
diff --git a/packages/checkpoint/data_stream/firewall/fields/beats.yml b/packages/checkpoint/data_stream/firewall/fields/beats.yml
index 720b8dee3c1..143969c56cb 100644
--- a/packages/checkpoint/data_stream/firewall/fields/beats.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/beats.yml
@@ -13,3 +13,6 @@
 - description: Name of the service data is collected from.
 name: destination.service.name
 type: keyword
+- description: Source address of logs received over the network.
+ name: log.source.address
+ type: keyword
diff --git a/packages/checkpoint/data_stream/firewall/manifest.yml b/packages/checkpoint/data_stream/firewall/manifest.yml
index 08a88ef0275..5d3a47ccb44 100644
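Review bot: In tcp.yml.hbs the listener is configured only through `host: "{{syslog_host}}:{{syslog_port}}"`, with no way to turn on TLS, so syslog from the Check Point Log Exporter always crosses the network in cleartext and the input accepts any peer that can reach the port; the Filebeat tcp input this template drives supports an `ssl` section, so consider an optional manifest var rendered here as `{{#if ssl}}ssl: {{ssl}}{{/if}}` (the tcp block in packages/checkpoint/manifest.yml would need the matching var) and a README line stating that without it the firewall logs are unencrypted in transit. `ecs.version: 1.6.0` is hard-coded in this template; if the ingest pipeline depends on that exact value, a one-line comment above `processors:` saying it must stay in step with the udp and log templates would prevent a partial bump. The `{{#contains tags "forwarded"}}` guard around `publisher_pipeline.disable_host: true` is the same construct the other stream templates presumably use; if so, a short comment explaining that `forwarded` suppresses the collector's own host fields would help readers who meet it here first.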
--- a/packages/checkpoint/data_stream/firewall/manifest.yml
+++ b/packages/checkpoint/data_stream/firewall/manifest.yml
@@ -6,6 +6,10 @@ streams:
 template_path: udp.yml.hbs
 title: Check Point firewall logs (syslog over UDP)
 description: Collect Check Point firewall logs using udp input
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Check Point firewall logs (syslog over TCP)
+ description: Collect Check Point firewall logs using tcp input
 - input: logfile
 template_path: log.yml.hbs
 title: Check Point firewall logs (log)
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md
index 284cacfc8bc..b8923fb9468 100644
--- a/packages/checkpoint/docs/README.md
+++ b/packages/checkpoint/docs/README.md
@@ -528,6 +528,7 @@ Consists of log entries from the Log Exporter in the Syslog format.
 | log.file.path | Path to the log file. | wildcard |
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
+| log.source.address | Source address of logs received over the network. | keyword |
 | message | Log message optimized for viewing in a log viewer. | text |
 | network.application | Application level protocol name. | keyword |
 | network.bytes | Total bytes transferred in both directions. | long |
diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml
index 372d0a4b5d8..e76c90d917d 100644
--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -54,6 +54,45 @@ policy_templates:
 show_user: false
 default:
 - untrust
+ - type: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - checkpoint-firewall
+ - forwarded
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ title: "Collect Check Point firewall logs (input: tcp)"
+ description: "Collecting firewall logs from Check Point instances (input: tcp)"
 - type: udp
 vars:
 - name: syslog_host
From 15a81ae3e63bc67e543f643c2d6e95bcf08654d8 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Thu, 21 Jan 2021 11:11:14 -0500
Subject: [PATCH 2/2] Update elastic-package version
---
 go.mod | 2 +-
 go.sum | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 7bde0dc02b7..3472e74a4e3 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.12
 require (
 github.com/blang/semver v3.5.1+incompatible
- github.com/elastic/elastic-package v0.0.0-20210118134226-ec5c00a8ad4d
+ github.com/elastic/elastic-package v0.0.0-20210121160610-d17b3a4119bd
 github.com/elastic/package-registry v0.13.0
 github.com/magefile/mage v1.10.0
 github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
index 4e18b278e22..75af1c24cab 100644
--- a/go.sum
+++ b/go.sum
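Review bot: The new tcp policy template declares `internal_zones` and `external_zones`, but the tcp.yml.hbs added in this same patch references only `syslog_host`, `syslog_port` and `tags`, so as written these two vars are collected from the user and never reach the stream; if the udp and logfile templates pass them through to the ingest pipeline (not visible here), tcp.yml.hbs should mirror that, otherwise drop them from this block. The tcp block is a near-copy of the udp block that follows it, differing only in `type` and the two title strings; a comment such as `# keep in sync with the udp block below` at `- type: tcp` would help reviewers spot drift, and it is worth confirming that `default: 9001` for the TCP port does not collide with the udp default when both policies run on one agent. The `policy_templates` entry this hunk sits in starts before the hunk.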
@@ -84,10 +84,11 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/elastic/elastic-package v0.0.0-20210118134226-ec5c00a8ad4d h1:KYFFjqV2c2Yz1XL1815XyB4omlDd2597ua/usgqCVcI=
-github.com/elastic/elastic-package v0.0.0-20210118134226-ec5c00a8ad4d/go.mod h1:lphRg8ZgCi63Nd3vpKy29oqx2N/mme2VdTSHpN1ZNnk=
+github.com/elastic/elastic-package v0.0.0-20210121160610-d17b3a4119bd h1:ziZFkr1ktdHak5YUtuxJ3JdS/CTO6/AnYBieiS71qNY=
+github.com/elastic/elastic-package v0.0.0-20210121160610-d17b3a4119bd/go.mod h1:DQcm9icTXy+uFUn6etQFl4sPRmclIlIpFGEGQaF+fs8=
 github.com/elastic/go-elasticsearch/v7 v7.9.0 h1:UEau+a1MiiE/F+UrDj60kqIHFWdzU1M2y/YtBU2NC2M=
 github.com/elastic/go-elasticsearch/v7 v7.9.0/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4=
+github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ=
 github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=
 github.com/elastic/go-ucfg v0.8.4-0.20200415140258-1232bd4774a6 h1:Ehbr7du4rSSEypR8zePr0XRbMhO4PJgcHC9f8fDbgAg=
 github.com/elastic/go-ucfg v0.8.4-0.20200415140258-1232bd4774a6/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=
@@ -451,6 +452,8 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 h1:myAQVi0cGEoqQVR5POX+8RR2mrocKqNN1hmeMqhX27k=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -502,6 +505,7 @@ golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=