Skip to content

Commit

Permalink
[cyberarkpas] Collect monitoring data (#11478)
Browse files Browse the repository at this point in the history 
Has the `audit` data stream collect monitoring data and route it to the
`monitor` data stream.

A new dashboard is added to visualize monitoring information.
  • Loading branch information
@chrisberkhout
chrisberkhout authored Oct 28, 2024
1 parent 66e9b4b commit 5ece291
Show file tree
Hide file tree
Showing 98 changed files with 6,113 additions and 1,552 deletions.
25 changes: 18 additions & 7 deletions packages/cyberarkpas/_dev/build/docs/README.md
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,12 @@
# CyberArk Privileged Access Security

The CyberArk Privileged Access Security integration collects audit logs from [CyberArk's Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) server.
## Audit
The CyberArk Privileged Access Security integration collects audit logs and monitoring data from [CyberArk's Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) server.

The `audit` dataset receives Vault Audit logs for User and Safe activities over the syslog protocol.
## Data streams

The `audit` data stream receives Vault Audit logs for User and Safe activities over the syslog protocol.

It will also receive **monitoring** data from the server and route it to the `monitor` data stream (e.g. `logs-cyberarkpas.monitor-default`).

### Vault Configuration

Expand All @@ -16,20 +19,28 @@ the `Server\Syslog` folder.

```ini
[SYSLOG]
UseLegacySyslogFormat=No
UseLegacySyslogFormat=no
SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl
SyslogServerIP=<INSERT FILEBEAT IP HERE>
SyslogServerPort=<INSERT FILEBEAT PORT HERE>
SyslogServerProtocol=TCP
SendMonitoringMessage=yes
```

For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format
(`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`.

### Example event
The sample configuration above will include monitoring data. For more information about monitoring, see
[Monitor the Vault in SIEM Applications Using Syslog](https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/monitoring-the-vault-using-syslog.htm).

{{event "audit"}}
### Example audit event

**Exported fields**
{{event "audit"}}

{{fields "audit"}}

### Example monitor event

{{event "monitor"}}

{{fields "monitor"}}
30 changes: 30 additions & 0 deletions packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/monitor.log
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:00:00","IsoTimestamp":"2024-10-15T00:00:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0000","AverageExecutionTime":"10","MaxExecutionTime":"149","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"7","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:01:00","IsoTimestamp":"2024-10-15T00:01:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0001","AverageExecutionTime":"10","MaxExecutionTime":"196","AverageQueueTime":"0","MaxQueueTime":"12","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"14","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:02:00","IsoTimestamp":"2024-10-15T00:02:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0002","AverageExecutionTime":"12","MaxExecutionTime":"113","AverageQueueTime":"2","MaxQueueTime":"5","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"2","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:03:00","IsoTimestamp":"2024-10-15T00:03:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0003","AverageExecutionTime":"10","MaxExecutionTime":"127","AverageQueueTime":"0","MaxQueueTime":"20","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"4","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:04:00","IsoTimestamp":"2024-10-15T00:04:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0004","AverageExecutionTime":"10","MaxExecutionTime":"199","AverageQueueTime":"0","MaxQueueTime":"47","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"14","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:05:00","IsoTimestamp":"2024-10-15T00:05:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0005","AverageExecutionTime":"11","MaxExecutionTime":"132","AverageQueueTime":"1","MaxQueueTime":"67","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"5","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:06:00","IsoTimestamp":"2024-10-15T00:06:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0006","AverageExecutionTime":"10","MaxExecutionTime":"110","AverageQueueTime":"0","MaxQueueTime":"95","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"1","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:07:00","IsoTimestamp":"2024-10-15T00:07:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0007","AverageExecutionTime":"10","MaxExecutionTime":"194","AverageQueueTime":"0","MaxQueueTime":"44","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"14","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:08:00","IsoTimestamp":"2024-10-15T00:08:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0008","AverageExecutionTime":"13","MaxExecutionTime":"154","AverageQueueTime":"3","MaxQueueTime":"17","NumberOfParallelTasks":"2","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"8","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:09:00","IsoTimestamp":"2024-10-15T00:09:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0009","AverageExecutionTime":"10","MaxExecutionTime":"99","AverageQueueTime":"0","MaxQueueTime":"5","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"0","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:10:00","IsoTimestamp":"2024-10-15T00:10:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0010","AverageExecutionTime":"10","MaxExecutionTime":"179","AverageQueueTime":"0","MaxQueueTime":"15","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"12","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:11:00","IsoTimestamp":"2024-10-15T00:11:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0011","AverageExecutionTime":"10","MaxExecutionTime":"175","AverageQueueTime":"0","MaxQueueTime":"41","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"11","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:12:00","IsoTimestamp":"2024-10-15T00:12:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0012","AverageExecutionTime":"11","MaxExecutionTime":"98","AverageQueueTime":"1","MaxQueueTime":"64","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"205","CPUUsage":"0","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:13:00","IsoTimestamp":"2024-10-15T00:13:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0013","AverageExecutionTime":"10","MaxExecutionTime":"159","AverageQueueTime":"0","MaxQueueTime":"68","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"402","CPUUsage":"9","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:14:00","IsoTimestamp":"2024-10-15T00:14:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0014","AverageExecutionTime":"10","MaxExecutionTime":"191","AverageQueueTime":"0","MaxQueueTime":"51","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"333","CPUUsage":"13","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:15:00","IsoTimestamp":"2024-10-15T00:15:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0015","AverageExecutionTime":"10","MaxExecutionTime":"106","AverageQueueTime":"0","MaxQueueTime":"23","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"1","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:16:00","IsoTimestamp":"2024-10-15T00:16:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0016","AverageExecutionTime":"9","MaxExecutionTime":"138","AverageQueueTime":"0","MaxQueueTime":"6","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"5","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:17:00","IsoTimestamp":"2024-10-15T00:17:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0017","AverageExecutionTime":"10","MaxExecutionTime":"199","AverageQueueTime":"0","MaxQueueTime":"10","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"14","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:18:00","IsoTimestamp":"2024-10-15T00:18:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0018","AverageExecutionTime":"10","MaxExecutionTime":"122","AverageQueueTime":"0","MaxQueueTime":"33","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"3","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:19:00","IsoTimestamp":"2024-10-15T00:19:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0019","AverageExecutionTime":"10","MaxExecutionTime":"118","AverageQueueTime":"0","MaxQueueTime":"59","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"2","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:20:00","IsoTimestamp":"2024-10-15T00:20:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0020","AverageExecutionTime":"12","MaxExecutionTime":"198","AverageQueueTime":"2","MaxQueueTime":"69","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"14","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:21:00","IsoTimestamp":"2024-10-15T00:21:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0021","AverageExecutionTime":"10","MaxExecutionTime":"143","AverageQueueTime":"0","MaxQueueTime":"57","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"6","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:22:00","IsoTimestamp":"2024-10-15T00:22:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0022","AverageExecutionTime":"10","MaxExecutionTime":"103","AverageQueueTime":"0","MaxQueueTime":"30","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"0","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"2"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:23:00","IsoTimestamp":"2024-10-15T00:23:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0023","AverageExecutionTime":"11","MaxExecutionTime":"187","AverageQueueTime":"1","MaxQueueTime":"8","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"13","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:24:00","IsoTimestamp":"2024-10-15T00:24:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0024","AverageExecutionTime":"10","MaxExecutionTime":"165","AverageQueueTime":"0","MaxQueueTime":"7","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"9","MemoryUsage":"61","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:25:00","IsoTimestamp":"2024-10-15T00:25:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0025","AverageExecutionTime":"10","MaxExecutionTime":"98","AverageQueueTime":"0","MaxQueueTime":"27","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"0","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:26:00","IsoTimestamp":"2024-10-15T00:26:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0026","AverageExecutionTime":"14","MaxExecutionTime":"170","AverageQueueTime":"4","MaxQueueTime":"54","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"10","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:27:00","IsoTimestamp":"2024-10-15T00:27:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0027","AverageExecutionTime":"10","MaxExecutionTime":"184","AverageQueueTime":"0","MaxQueueTime":"102","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"12","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:28:00","IsoTimestamp":"2024-10-15T00:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0028","AverageExecutionTime":"11","MaxExecutionTime":"101","AverageQueueTime":"1","MaxQueueTime":"62","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"0","MemoryUsage":"63","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:29:00","IsoTimestamp":"2024-10-15T00:29:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0029","AverageExecutionTime":"10","MaxExecutionTime":"148","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"7","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
5 changes: 5 additions & 0 deletions packages/cyberarkpas/changelog.yml
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.24.0"
changes:
- description: Collect monitoring data.
type: enhancement
link: https://github.com/elastic/integrations/pull/11478
- version: "2.23.0"
changes:
- description: Improve efficiency of `event.duration` calculation.
Expand Down
18 changes: 12 additions & 6 deletions ...rarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,8 @@
"ip": "127.0.0.1"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -132,7 +133,8 @@
"ip": "67.43.156.13"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -199,7 +201,8 @@
"ip": "67.43.156.13"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -267,7 +270,8 @@
"ip": "67.43.156.14"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -334,7 +338,8 @@
"ip": "67.43.156.14"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -402,7 +407,8 @@
"ip": "67.43.156.13"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
}
]
Expand Down
18 changes: 12 additions & 6 deletions ...kpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,8 @@
"ip": "127.0.0.1"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -132,7 +133,8 @@
"ip": "67.43.156.13"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -199,7 +201,8 @@
"ip": "67.43.156.14"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -267,7 +270,8 @@
"ip": "67.43.156.13"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -335,7 +339,8 @@
"ip": "67.43.156.15"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
},
{
Expand Down Expand Up @@ -403,7 +408,8 @@
"ip": "67.43.156.15"
},
"tags": [
"preserve_original_event"
"forwarded",
"cyberarkpas-audit"
]
}
]
Expand Down
Loading

0 comments on commit 5ece291

Please sign in to comment.