elastic · mtojek · May 20, 2020 · May 20, 2020
diff --git a/dev/packages/alpha/cisco/0.1.0/dataset/asa/agent/stream/stream.yml.hbs b/dev/packages/alpha/cisco/0.1.0/dataset/asa/agent/stream/stream.yml.hbs
@@ -0,0 +1,8 @@
+paths:
+{{#each paths as |path i|}}
+  - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags: {{tags}}
+processors:
+  - add_locale: ~
diff --git a/dev/packages/alpha/cisco/0.1.0/dataset/asa/agent/stream/udp.yml.hbs b/dev/packages/alpha/cisco/0.1.0/dataset/asa/agent/stream/udp.yml.hbs
@@ -0,0 +1,5 @@
+udp:
+host: "{{udp_host}}:{{udp_port}}"
+tags: {{tags}}
+processors:
+  - add_locale: ~
diff --git a/dev/packages/alpha/cisco/0.1.0/dataset/asa/elasticsearch/ingest-pipeline/default.yml b/dev/packages/alpha/cisco/0.1.0/dataset/asa/elasticsearch/ingest-pipeline/default.yml
diff --git a/dev/packages/alpha/cisco/0.1.0/dataset/asa/fields/ecs.yml b/dev/packages/alpha/cisco/0.1.0/dataset/asa/fields/ecs.yml
@@ -0,0 +1,62 @@
+- name: '@timestamp'
+  level: core
+  required: true
+  type: date
+  description: >
+    Date/time when the event originated. This is the date/time extracted from the event, typically representing when
+    the event was generated by the source.
+    If the event source has no original timestamp, this value is typically populated
+    by the first time the event was received by the pipeline.
+    Required field for all events.
+    example: '2016-05-23T08:05:34.853Z'
+- name: labels
+  level: core
+  type: object
+  object_type: keyword
+  description: >
+    Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects.
+    All values are stored as keyword.
+    Example:
+      application: foo-bar
+      env: production
+- name: message
+  level: core
+  type: text
+  description: >
+    For log events the message field contains the log message, optimized
+    for viewing in a log viewer.
+    For structured logs without an original message field, other fields can be concatenated
+    to form a human-readable summary of the event.
+- name: event.code
+  type: keyword
+  description: Identification code for this event
+- name: event.provider
+  type: keyword
+  description: Source of the event (e.g. Server)
+- name: event.created
+  type: date
+  description: Date/time when the event was first read by an agent, or by your pipeline.
+- name: event.timezone
+  type: keyword
+  description: Time zone information
+- name: event.kind
+  type: keyword
+  description: Event kind (e.g. event)
+- name: event.category
+  type: keyword
+  description: Event category (e.g. database)
+- name: event.type
+  type: keyword
+  description: Event severity (e.g. info, error)
+- name: event.created
+  type: date
+  description: The date/time when the event was first read by an agent, or by your pipeline.
+- name: event.start
+  type: date
+  description: The date when the event started or when the activity was first observed.
+- name: event.end
+  type: keyword
+  description: The date when the event ended or when the activity was last observed.
+- name: event.duration
+  type: long
+  description: Duration of the event in nanoseconds.
diff --git a/dev/packages/alpha/cisco/0.1.0/dataset/asa/fields/fields.yml b/dev/packages/alpha/cisco/0.1.0/dataset/asa/fields/fields.yml
@@ -0,0 +1,75 @@
+- name: cisco.asa
+  type: group
+  fields:
+  - name: message_id
+    type: keyword
+    description: |
+      The Cisco ASA message identifier.
+  - name: suffix
+    type: keyword
+    description: |
+      Optional suffix after %ASA identifier.
+  - name: source_interface
+    type: keyword
+    description: |
+      Source interface for the flow or event.
+  - name: destination_interface
+    type: keyword
+    description: |
+      Destination interface for the flow or event.
+  - name: rule_name
+    type: keyword
+    description: |
+      Name of the Access Control List rule that matched this event.
+  - name: source_username
+    type: keyword
+    description: |
+      Name of the user that is the source for this event.
+  - name: destination_username
+    type: keyword
+    description: |
+      Name of the user that is the destination for this event.
+  - name: mapped_source_ip
+    type: ip
+    description: |
+      The translated source IP address.
+  - name: mapped_source_port
+    type: long
+    description: |
+      The translated source port.
+  - name: mapped_destination_ip
+    type: ip
+    description: |
+      The translated destination IP address.
+  - name: mapped_destination_port
+    type: long
+    description: |
+      The translated destination port.
+  - name: threat_level
+    type: keyword
+    description: |
+      Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
+  - name: threat_category
+    type: keyword
+    description: |
+      Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
+  - name: connection_id
+    type: keyword
+    description: |
+      Unique identifier for a flow.
+  - name: icmp_type
+    type: short
+    description: |
+      ICMP type.
+  - name: icmp_code
+    type: short
+    description: |
+      ICMP code.
+  - name: connection_type
+    type: keyword
+    description: |
+      The VPN connection type
+  - name: dap_records
+    type: keyword
+    description: |
+      The assigned DAP records
diff --git a/dev/packages/alpha/cisco/0.1.0/dataset/asa/fields/package-fields.yml b/dev/packages/alpha/cisco/0.1.0/dataset/asa/fields/package-fields.yml
@@ -0,0 +1,2 @@
+- name: cisco
+  type: group
diff --git a/dev/packages/alpha/cisco/0.1.0/dataset/asa/manifest.yml b/dev/packages/alpha/cisco/0.1.0/dataset/asa/manifest.yml
@@ -0,0 +1,65 @@
+title: Cisco ASA logs
+release: beta
+type: logs
+streams:
+- input: udp
+  title: Cisco ASA logs
+  description: Collect Cisco ASA logs
+  template_path: udp.yml.hbs
+  vars:
+  - name: tags
+    type: text
+    title: Tags
+    multi: true
+    required: true
+    show_user: false
+    default:
+      - cisco-asa
+  - name: udp_host
+    type: text
+    title: UDP host to listen on
+    multi: false
+    required: true
+    show_user: true
+    default: localhost
+  - name: udp_port
+    type: integer
+    title: UDP Port to listen on
+    multi: false
+    required: true
+    show_user: true
+    default: 9001
+  - name: log_level
+    type: integer
+    title: Log Level
+    multi: false
+    required: true
+    show_user: false
+    default: 7
+- input: logs
+  title: Cisco ASA logs
+  description: Collect Cisco ASA logs from file
+  vars:
+  - name: paths
+    type: text
+    title: Paths
+    multi: true
+    required: true
+    show_user: true
+    default:
+      - /var/log/cisco-asa.log
+  - name: tags
+    type: text
+    title: Tags
+    multi: true
+    required: true
+    show_user: false
+    default:
+      - cisco-asa
+  - name: log_level
+    type: integer
+    title: Log Level
+    multi: false
+    required: true
+    show_user: false
+    default: 7
diff --git a/dev/packages/alpha/cisco/0.1.0/dataset/ftd/agent/stream/stream.yml.hbs b/dev/packages/alpha/cisco/0.1.0/dataset/ftd/agent/stream/stream.yml.hbs
@@ -0,0 +1,8 @@
+paths:
+{{#each paths as |path i|}}
+  - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags: {{tags}}
+processors:
+  - add_locale: ~
diff --git a/dev/packages/alpha/cisco/0.1.0/dataset/ftd/agent/stream/udp.yml.hbs b/dev/packages/alpha/cisco/0.1.0/dataset/ftd/agent/stream/udp.yml.hbs
@@ -0,0 +1,4 @@
+host: "{{udp_host}}:{{udp_port}}"
+tags: {{tags}}
+processors:
+  - add_locale: ~