diff --git a/packages/cyberarkpas/_dev/build/docs/README.md b/packages/cyberarkpas/_dev/build/docs/README.md index d3d37123eb3..d9893b5570a 100644 --- a/packages/cyberarkpas/_dev/build/docs/README.md +++ b/packages/cyberarkpas/_dev/build/docs/README.md @@ -1,9 +1,12 @@ # CyberArk Privileged Access Security -The CyberArk Privileged Access Security integration collects audit logs from [CyberArk's Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) server. -## Audit +The CyberArk Privileged Access Security integration collects audit logs and monitoring data from [CyberArk's Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) server. -The `audit` dataset receives Vault Audit logs for User and Safe activities over the syslog protocol. +## Data streams + +The `audit` data stream receives Vault Audit logs for User and Safe activities over the syslog protocol. + +It will also receive **monitoring** data from the server and route it to the `monitor` data stream (e.g. `logs-cyberarkpas.monitor-default`). ### Vault Configuration 
@@ -16,20 +19,28 @@ the `Server\Syslog` folder. ```ini [SYSLOG] -UseLegacySyslogFormat=No +UseLegacySyslogFormat=no SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl SyslogServerIP= SyslogServerPort= SyslogServerProtocol=TCP +SendMonitoringMessage=yes ``` For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format (`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`. -### Example event +The sample configuration above will include monitoring data. For more information about monitoring, see +[Monitor the Vault in SIEM Applications Using Syslog](https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/monitoring-the-vault-using-syslog.htm). -{{event "audit"}} +### Example audit event -**Exported fields** +{{event "audit"}} {{fields "audit"}} + +### Example monitor event + +{{event "monitor"}} + +{{fields "monitor"}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/monitor.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/monitor.log new file mode 100644 index 00000000000..2d62f027633 --- /dev/null +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/monitor.log 
@@ -0,0 +1,30 @@ +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:00:00","IsoTimestamp":"2024-10-15T00:00:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0000","AverageExecutionTime":"10","MaxExecutionTime":"149","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"7","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:01:00","IsoTimestamp":"2024-10-15T00:01:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0001","AverageExecutionTime":"10","MaxExecutionTime":"196","AverageQueueTime":"0","MaxQueueTime":"12","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"14","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:02:00","IsoTimestamp":"2024-10-15T00:02:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0002","AverageExecutionTime":"12","MaxExecutionTime":"113","AverageQueueTime":"2","MaxQueueTime":"5","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"2","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 
00:03:00","IsoTimestamp":"2024-10-15T00:03:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0003","AverageExecutionTime":"10","MaxExecutionTime":"127","AverageQueueTime":"0","MaxQueueTime":"20","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"4","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:04:00","IsoTimestamp":"2024-10-15T00:04:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0004","AverageExecutionTime":"10","MaxExecutionTime":"199","AverageQueueTime":"0","MaxQueueTime":"47","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"14","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:05:00","IsoTimestamp":"2024-10-15T00:05:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0005","AverageExecutionTime":"11","MaxExecutionTime":"132","AverageQueueTime":"1","MaxQueueTime":"67","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"5","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:06:00","IsoTimestamp":"2024-10-15T00:06:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0006","AverageExecutionTime":"10","MaxExecutionTime":"110","AverageQueueTime":"0","MaxQueueTime":"95","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"1","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} 
+{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:07:00","IsoTimestamp":"2024-10-15T00:07:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0007","AverageExecutionTime":"10","MaxExecutionTime":"194","AverageQueueTime":"0","MaxQueueTime":"44","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"14","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:08:00","IsoTimestamp":"2024-10-15T00:08:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0008","AverageExecutionTime":"13","MaxExecutionTime":"154","AverageQueueTime":"3","MaxQueueTime":"17","NumberOfParallelTasks":"2","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"8","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:09:00","IsoTimestamp":"2024-10-15T00:09:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0009","AverageExecutionTime":"10","MaxExecutionTime":"99","AverageQueueTime":"0","MaxQueueTime":"5","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"0","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 
00:10:00","IsoTimestamp":"2024-10-15T00:10:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0010","AverageExecutionTime":"10","MaxExecutionTime":"179","AverageQueueTime":"0","MaxQueueTime":"15","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"12","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:11:00","IsoTimestamp":"2024-10-15T00:11:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0011","AverageExecutionTime":"10","MaxExecutionTime":"175","AverageQueueTime":"0","MaxQueueTime":"41","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"11","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:12:00","IsoTimestamp":"2024-10-15T00:12:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0012","AverageExecutionTime":"11","MaxExecutionTime":"98","AverageQueueTime":"1","MaxQueueTime":"64","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"205","CPUUsage":"0","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:13:00","IsoTimestamp":"2024-10-15T00:13:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0013","AverageExecutionTime":"10","MaxExecutionTime":"159","AverageQueueTime":"0","MaxQueueTime":"68","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"402","CPUUsage":"9","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} 
+{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:14:00","IsoTimestamp":"2024-10-15T00:14:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0014","AverageExecutionTime":"10","MaxExecutionTime":"191","AverageQueueTime":"0","MaxQueueTime":"51","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"333","CPUUsage":"13","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:15:00","IsoTimestamp":"2024-10-15T00:15:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0015","AverageExecutionTime":"10","MaxExecutionTime":"106","AverageQueueTime":"0","MaxQueueTime":"23","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"1","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:16:00","IsoTimestamp":"2024-10-15T00:16:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0016","AverageExecutionTime":"9","MaxExecutionTime":"138","AverageQueueTime":"0","MaxQueueTime":"6","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"5","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 
00:17:00","IsoTimestamp":"2024-10-15T00:17:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0017","AverageExecutionTime":"10","MaxExecutionTime":"199","AverageQueueTime":"0","MaxQueueTime":"10","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"14","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:18:00","IsoTimestamp":"2024-10-15T00:18:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0018","AverageExecutionTime":"10","MaxExecutionTime":"122","AverageQueueTime":"0","MaxQueueTime":"33","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"3","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:19:00","IsoTimestamp":"2024-10-15T00:19:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0019","AverageExecutionTime":"10","MaxExecutionTime":"118","AverageQueueTime":"0","MaxQueueTime":"59","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"2","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:20:00","IsoTimestamp":"2024-10-15T00:20:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0020","AverageExecutionTime":"12","MaxExecutionTime":"198","AverageQueueTime":"2","MaxQueueTime":"69","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"14","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} 
+{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:21:00","IsoTimestamp":"2024-10-15T00:21:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0021","AverageExecutionTime":"10","MaxExecutionTime":"143","AverageQueueTime":"0","MaxQueueTime":"57","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"6","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:22:00","IsoTimestamp":"2024-10-15T00:22:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0022","AverageExecutionTime":"10","MaxExecutionTime":"103","AverageQueueTime":"0","MaxQueueTime":"30","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"0","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"2"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:23:00","IsoTimestamp":"2024-10-15T00:23:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0023","AverageExecutionTime":"11","MaxExecutionTime":"187","AverageQueueTime":"1","MaxQueueTime":"8","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"13","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 
00:24:00","IsoTimestamp":"2024-10-15T00:24:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0024","AverageExecutionTime":"10","MaxExecutionTime":"165","AverageQueueTime":"0","MaxQueueTime":"7","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"9","MemoryUsage":"61","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:25:00","IsoTimestamp":"2024-10-15T00:25:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0025","AverageExecutionTime":"10","MaxExecutionTime":"98","AverageQueueTime":"0","MaxQueueTime":"27","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"0","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:26:00","IsoTimestamp":"2024-10-15T00:26:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0026","AverageExecutionTime":"14","MaxExecutionTime":"170","AverageQueueTime":"4","MaxQueueTime":"54","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"10","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:27:00","IsoTimestamp":"2024-10-15T00:27:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0027","AverageExecutionTime":"10","MaxExecutionTime":"184","AverageQueueTime":"0","MaxQueueTime":"102","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"12","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}} 
+{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:28:00","IsoTimestamp":"2024-10-15T00:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0028","AverageExecutionTime":"11","MaxExecutionTime":"101","AverageQueueTime":"1","MaxQueueTime":"62","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"0","MemoryUsage":"63","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
+{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:29:00","IsoTimestamp":"2024-10-15T00:29:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0029","AverageExecutionTime":"10","MaxExecutionTime":"148","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"7","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
diff --git a/packages/cyberarkpas/changelog.yml b/packages/cyberarkpas/changelog.yml
index ddafea479d7..484570e1b78 100644
--- a/packages/cyberarkpas/changelog.yml
+++ b/packages/cyberarkpas/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.24.0"
+  changes:
+    - description: Collect monitoring data.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11478
 - version: "2.23.0"
   changes:
     - description: Improve efficiency of `event.duration` calculation.
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
index 5aafd25fe49..fc3a2532642 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
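Review bot: The `Version` field in this monitor.log fixture advances with every record (`"11.7.0000"` on the first line through `"11.7.0029"` on the last, one step per minute), which reads as a generator artifact rather than a product version; if the monitor pipeline maps it onto an observer or service version field, the expected output will carry thirty distinct values and the sample stops resembling real VaultMonitor output. Pinning it to one value across the file, e.g. `"Version":"11.7.0000"` on every line, keeps the fixture realistic. The file sits under `sample_logs/audit/`, so presumably the audit input consumes it in the system test; it is worth confirming that test asserts these records end up in the `monitor` data stream the README names rather than being indexed as audit events.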
@@ -65,7 +65,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -132,7 +133,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -199,7 +201,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -267,7 +270,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -334,7 +338,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -402,7 +407,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json
index e29d39ebc8f..b4b6a88d21f 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json
@@ -65,7 +65,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -132,7 +133,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -199,7 +201,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -267,7 +270,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -335,7 +339,8 @@
 "ip": "67.43.156.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -403,7 +408,8 @@
 "ip": "67.43.156.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
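Review bot: The `preserve_original_event` tag disappears from the expected `tags` array in every hunk of this file (replaced by `forwarded` and `cyberarkpas-audit`), yet no `event.original` line is removed alongside it, so either the audit pipeline keeps `event.original` regardless of that tag or the drop branch is no longer exercised by the pipeline tests; the test config that sets these tags is not in this chunk, so I cannot tell which. It would be safer to keep at least one pipeline test running with `preserve_original_event` so both the retain and the drop paths stay covered, and to mention the tag change in the changelog, which currently only says `Collect monitoring data.`. The same observation applies to the remaining hunks of this file and to test-106 through test-259 below.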
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json
index a6ebc83be5d..a000b894894 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json
@@ -66,7 +66,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json
index 51817e80c6e..55b6c6b3b60 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json
@@ -64,7 +64,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json
index 6106dfce3e5..2982d49d088 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json
@@ -64,7 +64,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json
index 387f5616ef8..d36a580ef90 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json
@@ -54,7 +54,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json
index 7ad47c6453b..4ba385cc7d7 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json
@@ -92,7 +92,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json
index 0cfd769725d..ee1b692a02f 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json
@@ -54,7 +54,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json
index 024815e3747..11681cf23e1 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json
@@ -70,7 +70,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -148,7 +149,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -226,7 +228,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -304,7 +307,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -382,7 +386,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -460,7 +465,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -538,7 +544,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -617,7 +624,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -696,7 +704,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -775,7 +784,8 @@
 "ip": "67.43.156.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -854,7 +864,8 @@
 "ip": "67.43.156.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
@@ -933,7 +944,8 @@
 "ip": "67.43.156.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "target": {
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json
index f31a9e780ad..0cd1d19d17c 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json
@@ -59,7 +59,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json
index 66dee32f9ab..403ad537488 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json
@@ -59,7 +59,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -122,7 +123,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json
index f03fdcb21ee..2912f56965e 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json
@@ -63,7 +63,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -121,7 +122,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json
index b0062b70280..352220fd238 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json
@@ -76,7 +76,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PVWAGWUser"
@@ -167,7 +168,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PVWAGWUser"
@@ -258,7 +260,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PVWAGWUser"
@@ -339,7 +342,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PVWAGWUser"
@@ -421,7 +425,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PVWAGWUser"
@@ -513,7 +518,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PSMPGW_VAGRANT"
@@ -605,7 +611,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PSMPGW_VAGRANT"
@@ -697,7 +704,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PVWAGWUser"
@@ -798,7 +806,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PSMPGW_SSH"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json
index e42b3168de1..3178202c995 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json
@@ -51,7 +51,8 @@
 "ip": "10.0.0.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json
index 69169493a52..7c0514105f9 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json
@@ -49,7 +49,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json
index 644b375e2e6..4bb6fa1597b 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json
@@ -49,7 +49,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json
index c92803fe828..509cd366c0f 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json
@@ -90,7 +90,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager"
@@ -205,7 +206,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json
index 8efaf2ffdc0..b1d68d1ab7f 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json
@@ -62,7 +62,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -119,7 +120,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -185,7 +187,8 @@
 "ip": "67.43.156.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json
index 4d092ce10c4..6ed6f955fd8 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json
@@ -81,7 +81,8 @@
 "ip": "10.2.0.4"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager",
@@ -184,7 +185,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager",
@@ -287,7 +289,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager",
@@ -391,7 +394,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json
index 6a87cfb74cb..73233f5bb68 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json
@@ -59,7 +59,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -121,7 +122,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -183,7 +185,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -245,7 +248,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json
index 180e4a845af..054e73efc74 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json
@@ -60,7 +60,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -123,7 +124,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -186,7 +188,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -249,7 +252,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -312,7 +316,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -375,7 +380,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -438,7 +444,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -501,7 +508,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -564,7 +572,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -628,7 +637,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -692,7 +702,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -756,7 +767,8 @@
 "ip": "67.43.156.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -820,7 +832,8 @@
 "ip": "67.43.156.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -884,7 +897,8 @@
 "ip": "67.43.156.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json
index f896aa253f5..edd06458d83 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json
@@ -60,7 +60,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -123,7 +124,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json
index 5525a9ab6e1..cd13d96370d 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json
@@ -60,7 +60,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json
index b446e7edf08..5d31529f741 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json
@@ -57,7 +57,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json
index 68cf6d1a251..891efbee063 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json
@@ -49,7 +49,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -94,7 +95,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json
index 97dbbb8feb5..8d940b5ee56 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json
@@ -49,7 +49,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -94,7 +95,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json
index 2b353c8ecd5..9e70ce8080e 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json
@@ -49,7 +49,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json
index d7859036428..97e5da8c6cc 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json
@@ -49,7 +49,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json
index 1254976849f..e2753467fb2 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json
@@ -64,7 +64,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -130,7 +131,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -208,7 +210,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -275,7 +278,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -341,7 +345,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -407,7 +412,8 @@
 "ip": "67.43.156.14"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -485,7 +491,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -553,7 +560,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -632,7 +640,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -714,7 +723,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
index 31f344f7194..e0f8bf2962a 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
@@ -80,7 +80,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Prov_PVWA"
@@ -180,7 +181,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "adm2"
@@ -274,7 +276,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -380,7 +383,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager"
@@ -466,7 +470,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager"
@@ -568,7 +573,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Prov_COMPONENTS"
@@ -663,7 +669,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -758,7 +765,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -864,7 +872,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager"
@@ -950,7 +959,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager"
@@ -1046,7 +1056,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1140,7 +1151,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PVWAAppUser"
@@ -1234,7 +1246,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json
index a414807e3ca..44a2d02402e 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json
@@ -92,7 +92,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -209,7 +210,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -326,7 +328,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -443,7 +446,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -560,7 +564,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -677,7 +682,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -794,7 +800,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -925,7 +932,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1056,7 +1064,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1185,7 +1194,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1314,7 +1324,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1443,7 +1454,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1568,7 +1580,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1693,7 +1706,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1827,7 +1841,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1961,7 +1976,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -2095,7 +2111,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json
index 4004700c152..c5ddc6c6aa3 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json
@@ -94,7 +94,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -213,7 +214,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -332,7 +334,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -451,7 +454,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -570,7 +574,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -689,7 +694,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -808,7 +814,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -941,7 +948,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1074,7 +1082,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1205,7 +1214,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1336,7 +1346,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1467,7 +1478,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1594,7 +1606,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1721,7 +1734,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1857,7 +1871,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1993,7 +2008,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json
index 65eb542d620..2f8d0acc7d0 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json
@@ -67,7 +67,8 @@
 "ip": "10.0.0.15"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json
index b87dddc0258..8eed9692a7b 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json
@@ -87,7 +87,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "adm2"
@@ -195,7 +196,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -303,7 +305,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -411,7 +414,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -519,7 +523,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -627,7 +632,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -735,7 +741,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -856,7 +863,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -975,7 +983,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1099,7 +1108,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
@@ -1223,7 +1233,8 @@
 }
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json
index d9995434ae1..b0da0a4f72b 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json
@@ -68,7 +68,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "adriansr"
@@ -142,7 +143,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "adriansra"
@@ -217,7 +219,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PSMAdmin"
@@ -301,7 +304,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "adrian"
@@ -394,7 +398,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "testark"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json
index 2831bba6af3..d8046bee543 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json
@@ -83,7 +83,8 @@
 "ip": "10.2.0.4"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "PasswordManager",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json
index 8f39a4f9406..7761b06f9fa 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json
@@ -49,7 +49,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -94,7 +95,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
index 2054f987ba1..156995656ec 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
@@ -49,7 +49,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 },
 {
@@ -94,7 +95,8 @@
 "ip": "0.0.0.0"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json
index 5ca43e0e52f..20ba04a1519 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json
@@ -60,7 +60,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json
index bc51adb6019..eb8adfa496f 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json
@@ -59,7 +59,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json
index ef7afc9c964..a16a6c4acb4 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json
@@ -72,7 +72,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -152,7 +153,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -233,7 +235,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -314,7 +317,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -395,7 +399,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -476,7 +481,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -557,7 +563,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -638,7 +645,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -719,7 +727,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -800,7 +809,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -881,7 +891,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -962,7 +973,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -1043,7 +1055,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -1124,7 +1137,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -1205,7 +1219,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -1286,7 +1301,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json
index 497367a38af..f4a66ff602a 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json
@@ -61,7 +61,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json
index db4acafb6da..1f356b125a2 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json
@@ -61,7 +61,8 @@
 "ip": "10.0.1.20"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ]
 }
 ]
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json
index 4a4f4b87c35..0ad612ddfe8 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json
@@ -72,7 +72,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -153,7 +154,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -234,7 +236,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -315,7 +318,8 @@
 "ip": "67.43.156.13"
 },
 "tags": [
- "preserve_original_event"
+ "forwarded",
+ "cyberarkpas-audit"
 ],
 "user": {
 "name": "Administrator",
@@ -396,7 +400,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator", @@ -477,7 +482,8 @@ "ip": "67.43.156.14" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator", @@ -559,7 +565,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PSMPApp_VAGRANT", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json index ad684276bfa..1280edead49 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json @@ -49,7 +49,8 @@ "ip": "0.0.0.0" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json index 5e741ac481c..81b02384819 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json @@ -49,7 +49,8 @@ "ip": "0.0.0.0" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json index f92147eab77..696fddd0838 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json @@ -49,7 +49,8 @@ "ip": "0.0.0.0" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -94,7 +95,8 @@ "ip": "0.0.0.0" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json index c5a4930cdf7..950af209d6f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json @@ -49,7 +49,8 @@ "ip": "0.0.0.0" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -94,7 +95,8 @@ "ip": "0.0.0.0" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json index 985c64d66b2..510f35cbe20 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json 
@@ -112,7 +112,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -230,7 +231,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -348,7 +350,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -466,7 +469,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -584,7 +588,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -702,7 +707,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -820,7 +826,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -938,7 +945,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -1056,7 +1064,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -1174,7 +1183,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json index a77dcaa10bb..40ad0aafb6e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json @@ -94,7 +94,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" 
@@ -227,7 +228,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -358,7 +360,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -489,7 +492,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -620,7 +624,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -756,7 +761,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -892,7 +898,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json index 97085773e81..d93115d88af 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json @@ -113,7 +113,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -233,7 +234,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -352,7 +354,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -472,7 +475,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" 
@@ -592,7 +596,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -700,7 +705,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -810,7 +816,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -920,7 +927,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -1030,7 +1038,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -1141,7 +1150,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -1254,7 +1264,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -1367,7 +1378,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -1476,7 +1488,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -1596,7 +1609,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -1716,7 +1730,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json index 90024e594a3..5a462fe7652 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json @@ -60,7 +60,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -123,7 +124,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -186,7 +188,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -249,7 +252,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -312,7 +316,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json index 3dd8d16ac48..b45a9b1efbb 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json @@ -68,7 +68,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -143,7 +144,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json index 2f858857a91..ed64cc84c28 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json 
@@ -105,7 +105,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "adm2" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json index 13b399fddbf..c8015e63381 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json @@ -110,7 +110,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json index ea5ca24bd83..6c98032299a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json @@ -104,7 +104,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json index 4bad48d91de..3ec9e33363a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json @@ -64,7 +64,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json index 1c0bd619527..4774ff14ebc 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json @@ -111,7 +111,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -231,7 +232,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -347,7 +349,8 @@ } }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json index 30d8c4376a7..4446d0c9ba0 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json @@ -51,7 +51,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json index 4b2e26ae32f..0d6bf60ba8f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json 
@@ -78,7 +78,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -159,7 +160,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -241,7 +243,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json index 9a9f43bb00b..aef3ae73bc7 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json @@ -49,7 +49,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json index 8c01881e357..94b37f0f423 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json @@ -52,7 +52,8 @@ "ip": "0.0.0.0" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { 
@@ -100,7 +101,8 @@ "ip": "0.0.0.0" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json index 2da4601f888..286d7762fdd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json @@ -49,7 +49,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json index 3f1a0cd407d..a58e2851ef1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json @@ -54,7 +54,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -120,7 +121,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -177,7 +179,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -243,7 +246,8 @@ "ip": "67.43.156.14" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -310,7 +314,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { 
@@ -377,7 +382,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json index 330468f36df..9cb8f2badcd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json @@ -54,7 +54,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -111,7 +112,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -173,7 +175,8 @@ "ip": "10.2.1.12" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json index 29af0ba5f95..bbb0979357f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json @@ -71,7 +71,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -146,7 +147,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -203,7 +205,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -270,7 +273,8 @@ "ip": "67.43.156.14" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { 
@@ -337,7 +341,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -412,7 +417,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -485,7 +491,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -558,7 +565,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -635,7 +643,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -712,7 +721,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json index f5fdd39aded..f7609191716 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json @@ -103,7 +103,8 @@ "ip": "10.0.0.15" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json index c33362d5251..e27529108cd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json @@ -50,7 +50,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { 
@@ -96,7 +97,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -149,7 +151,8 @@ "ip": "0.0.0.0" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json index 593884c5338..44247506b78 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json @@ -107,7 +107,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", @@ -224,7 +225,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", @@ -339,7 +341,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", @@ -456,7 +459,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", @@ -573,7 +577,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", @@ -689,7 +694,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", @@ -807,7 +813,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", 
@@ -923,7 +930,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", @@ -1042,7 +1050,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json index 9221c081524..91073734e3b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json @@ -63,7 +63,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -129,7 +130,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -195,7 +197,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -261,7 +264,8 @@ "ip": "67.43.156.14" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -319,7 +323,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -386,7 +391,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -452,7 +458,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -519,7 +526,8 @@ "ip": "67.43.156.15" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json index 62ad0a9b776..ac9a0410dde 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json @@ -60,7 +60,8 @@ "ip": "10.2.0.6" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "adm2" @@ -126,7 +127,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -192,7 +194,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "SCIM-user" @@ -258,7 +261,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PVWAGWUser" @@ -324,7 +328,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Prov_COMPONENTS" @@ -390,7 +395,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PVWAAppUser" @@ -465,7 +471,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -549,7 +556,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -633,7 +641,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -708,7 +717,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PSMP_ADB_localhost.localdomain" 
@@ -783,7 +793,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PSMPApp_localhost.localdomain" @@ -858,7 +869,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PSMPGW_localhost.localdomain" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json index 118cb303fd6..8a5bab8c716 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json @@ -60,7 +60,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -126,7 +127,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -192,7 +194,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -258,7 +261,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Prov_COMPONENTS" @@ -324,7 +328,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PVWAGWUser" @@ -390,7 +395,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PVWAAppUser" @@ -465,7 +471,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" 
@@ -540,7 +547,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PSMP_ADB_localhost.localdomain" @@ -615,7 +623,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PSMPGW_localhost.localdomain" @@ -690,7 +699,8 @@ "ip": "67.43.156.14" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -775,7 +785,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -860,7 +871,8 @@ "ip": "10.0.2.2" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -936,7 +948,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PSMPGW_VAGRANT" @@ -1012,7 +1025,8 @@ "ip": "67.43.156.15" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" @@ -1106,7 +1120,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "Administrator" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json index 76eab1296f7..195c4bd6578 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json @@ -49,7 +49,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -101,7 +102,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { 
@@ -146,7 +148,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -198,7 +201,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -250,7 +254,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -311,7 +316,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -372,7 +378,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -433,7 +440,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -494,7 +502,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -555,7 +564,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -616,7 +626,8 @@ "ip": "67.43.156.14" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -677,7 +688,8 @@ "ip": "67.43.156.14" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -739,7 +751,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -801,7 +814,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -863,7 +877,8 @@ "ip": "67.43.156.15" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -925,7 +940,8 @@ "ip": "67.43.156.15" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -987,7 +1003,8 @@ "ip": "67.43.156.15" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { 
@@ -1049,7 +1066,8 @@ "ip": "67.43.156.15" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json index fb90f3f0776..d8603fea4fe 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json @@ -54,7 +54,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -120,7 +121,8 @@ "ip": "67.43.156.13" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -186,7 +188,8 @@ "ip": "67.43.156.14" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -253,7 +256,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json index 1817370df08..97265809646 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json @@ -54,7 +54,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml index 80145382e3e..ecd26d50036 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -1,5 +1,4 @@ -dynamic_fields: - "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}Z$" fields: tags: - - preserve_original_event + - forwarded + - cyberarkpas-audit diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json index f66bbb6fde7..6e034470f6e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json @@ -47,7 +47,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] } ] diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json index 62c6e9da18f..6b1842bd521 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json @@ -60,7 +60,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PVWAGWUser" @@ -126,7 +127,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PasswordManager" @@ -186,7 +188,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ] }, { @@ -249,7 +252,8 @@ "ip": "10.0.1.20" }, "tags": [ - "preserve_original_event" + "forwarded", + "cyberarkpas-audit" ], "user": { "name": "PVWAAppUser" 
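Review bot: Swapping `preserve_original_event` for `forwarded`/`cyberarkpas-audit` in the shared `fields.tags` means no pipeline test case any longer carries the tag that, in the usual integration pattern, keeps `event.original` on the indexed document, so the retention branch is now untested and a regression in how the raw syslog line is preserved would not show up in any expected file. Presumably the new audit.yml ends with a conditional `remove` of `event.original` keyed on that tag (the tail of that hunk is outside this chunk); if so, keep at least one case with the tag, for example a per-test config such as `fields: { tags: [forwarded, cyberarkpas-audit, preserve_original_event] }`, so both outcomes stay covered. Dropping the `dynamic_fields` regex for `@timestamp` also pins a literal timestamp in every expected file; that is deterministic only while every sample line supplies an `IsoTimestamp`, `Timestamp` or syslog-header time, so a test line without any of those should either be added with a dynamic match or confirmed absent from the corpus.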
diff --git a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml new file mode 100644 index 00000000000..0221b1cd405 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml 
@@ -0,0 +1,1253 @@ +--- +description: Pipeline for CyberArk PAS audit +processors: + # + # Set ECS version. + # + - set: + tag: set_ecs_version + field: ecs.version + value: '8.11.0' + # + # Set event.original from message, unless reindexing. + # + - rename: + tag: rename_message + field: message + target_field: event.original + if: ctx.event?.original == null + ignore_missing: true + # + # Parse syslog headers (if any) and extract JSON payload. + # + - grok: + tag: grok_event_original + field: event.original + patterns: + # RFC5424 from CyberArk. + # UseLegacySyslogFormat=No + # <5>1 2021-03-04T17:28:23Z VAULT {"format":"elastic","version":"1.0",...} + - "^<%{NONNEGINT:log.syslog.priority:long}>%{NONNEGINT} %{TIMESTAMP_ISO8601:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" + + # Legacy format. + # UseLegacySyslogFormat=Yes + # Mar 08 02:57:42 VAULT {"format":"elastic","version":"1.0",...} + - "^%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" + + # Catch-all mode, just JSON payload. 
+ - "%{JSON_PAYLOAD:_tmp.payload}" + pattern_definitions: + JSON_PAYLOAD: '{"format":"elastic","version":"1.0",.*}' + on_failure: + - fail: + message: "unexpected event format: {{{_ingest.on_failure_message}}}" + + - json: + tag: json_tmp_payload + field: _tmp.payload + target_field: _tmp.json + on_failure: + - fail: + message: "malformed JSON event: {{{_ingest.on_failure_message}}}" + + - rename: + tag: rename_tmp_json_syslog_audit_record + field: _tmp.json.syslog.audit_record + target_field: cyberarkpas.audit + on_failure: + - fail: + message: "unexpected event structure: {{{_ingest.on_failure_message}}}" + + + # + # Remove all empty fields + # + - script: + tag: script_removes_empty_audit_fields + lang: painless + description: 'Removes empty audit fields' + source: >- + ctx.cyberarkpas.audit.entrySet().removeIf(entry -> entry.getValue() == ""); + + - rename: + tag: rename_tmp_json_raw + field: _tmp.json.raw + target_field: cyberarkpas.audit.raw + ignore_missing: true + + # The following processors populate @timestamp from the different sources that can exist in an event. + # In the following order of precedence: + # - IsoTimestamp field (expected ISO8601). Present when new syslog format is used (rfc5424: yes). + # - Timestamp (expected MMM dd HH:mm:ss). Also present only when new syslog format is used. + # - Syslog header timestamp. Either ISO8601 or legacy MMM dd HH:mm:ss, depending on the syslog format in use. + # - Original @timestamp from Filebeat. 
+ - date: + tag: date_cyberarkpas_audit_isotimestamp + if: ctx.cyberarkpas.audit.IsoTimestamp != null + field: cyberarkpas.audit.IsoTimestamp + target_field: _tmp.timestamp + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: "failed to parse ISO timestamp field: {{{cyberarkpas.audit.IsoTimestamp}}}: {{{_ingest.on_failure_message}}}" + + - date: + tag: date_cyberarkpas_audit_timestamp + if: 'ctx._tmp.timestamp == null && ctx.cyberarkpas.audit.Timestamp != null' + field: cyberarkpas.audit.Timestamp + target_field: _tmp.timestamp + formats: + # This is the default format. + - 'MMM dd HH:mm:ss' + # Drop a few other formats in case the above fails. + - ISO8601 + - 'MMM d HH:mm:ss' + - "EEE MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + - append: + field: error.message + value: "failed to parse timestamp field: {{{cyberarkpas.audit.Timestamp}}}: {{{_ingest.on_failure_message}}}" + + - date: + tag: date_tmp_syslog_ts + if: ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone == null + field: _tmp.syslog_ts + target_field: _tmp.timestamp + formats: + # This is the default format. + - 'MMM dd HH:mm:ss' + # Drop a few other formats in case the above fails. 
+ - ISO8601 + - 'MMM d HH:mm:ss' + - "EEE MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + - append: + field: error.message + value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" + + - date: + tag: date_tmp_syslog_ts_2 + if: ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone != null + field: _tmp.syslog_ts + target_field: _tmp.timestamp + timezone: '{{{event.timezone}}}' + formats: + # This is the default format. + - 'MMM dd HH:mm:ss' + # Drop a few other formats in case the above fails. + - ISO8601 + - 'MMM d HH:mm:ss' + - "EEE MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + - append: + field: error.message + value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" + + - set: + tag: set_timestamp + field: '@timestamp' + value: '{{{_tmp.timestamp}}}' + ignore_empty_value: true + override: true + + # This script ensures that CAProperties.CAProperty is an array. + # When there's a single property, it is serialised as an object instead + # of a single element array. 
+ - script: + tag: script_converts_caproperties_into_an_array_if_necessary + lang: painless + description: "Converts CAProperties into an array if necessary" + source: > + def props = ctx.cyberarkpas?.audit?.CAProperties?.CAProperty; + if (props instanceof Map) { + ctx.cyberarkpas.audit.CAProperties.CAProperty = [ props ]; + } + + # This script converts the nested object under cyberarkpas.audit.CAProperties.CAProperty + # into an object under cyberarkpas.audit.CAProperties: + # + # input: + # "cyberarkpas.audit.CAProperties.CAProperty": [ + # { + # "Name": "PolicyID", + # "Value": "LINUX-SSH" + # }, + # { + # "Name": "UserName", + # "Value": "test12" + # } + # output: + # "cyberarkpas.audit.CAProperties": + # { + # "PolicyID": "LINUX-SSH", + # "UserName": "test12" + # } + - foreach: + tag: foreach_cyberarkpas_audit_caproperties_caproperty + field: cyberarkpas.audit.CAProperties.CAProperty + ignore_missing: true + processor: + set: + tag: set_cyberarkpas_audit_caproperties_ingest_value_name + field: 'cyberarkpas.audit.CAProperties.{{{_ingest._value.Name}}}' + value: '{{{_ingest._value.Value}}}' + on_failure: + - append: + field: error.message + value: "failed to process CAProperties array: {{{_ingest.on_failure_message}}}" + - remove: + tag: remove_cyberarkpas_audit_caproperties_caproperty + field: cyberarkpas.audit.CAProperties.CAProperty + ignore_missing: true + + # Parse key-value pairs at ExtraDetails: + # input: + # "cyberarkpas.audit.ExtraDetails": "Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=[...]", + # + # output: + # "cyberarkpas.audit.ExtraDetails": + # { + # "Command": "ls \"/var/tmp\"", + # "ConnectionComponentId": "PSMP-SSH", + # "DstHost": [...] + # + # The original string can contain escaped separators, \= and \; + - kv: + tag: kv_cyberarkpas_audit_extradetails + field: cyberarkpas.audit.ExtraDetails + field_split: '(? 
+ String to_snake_case(String s) { + /* faster code path for strings that won't need an underscore */ + if (s.chars().skip(1).noneMatch(Character::isUpperCase)) { + return s.toLowerCase(); + } + int run = 0; + boolean first = true; + StringBuilder result = new StringBuilder(); + for (char c : s.toCharArray()) { + char o = Character.toLowerCase(c); + if (c != o) { + if (run == 0 && !first) { + result.append('_'); + } + run ++; + } else { + if (run > 1) { + char prev = result.charAt(result.length()-1); + result.setCharAt(result.length()-1, (char)'_'); + result.append(prev); + } + run = 0; + first = false; + } + result.append(o); + } + return result.toString(); + } + def keys_to_snake_case_recursive(Map object) { + return object.entrySet().stream().collect( + Collectors.toMap( + e -> to_snake_case(e.getKey()), + e -> e.getValue() instanceof Map ? keys_to_snake_case_recursive(e.getValue()) : e.getValue() + ) + ); + } + ctx.cyberarkpas.audit = keys_to_snake_case_recursive(ctx.cyberarkpas.audit); + + # + # Convert rfc5424 field to boolean. + # + - script: + tag: script_converts_the_rfc5424_audit_field_to_a_boolean + description: 'Converts the rfc5424 audit field to a boolean' + lang: painless + source: > + def value = ctx.cyberarkpas.audit.rfc5424; + ctx.cyberarkpas.audit["rfc5424"] = value == 'yes'; + + ######################################################## + # ECS enrichment + # + # All processors from this point use the snake_case form + # to access CyberArk fields. 
+ ######################################################## + + - set: + tag: set_event_kind + field: event.kind + value: event + + - lowercase: + tag: lowercase_cyberarkpas_audit_action + field: cyberarkpas.audit.action + target_field: event.action + ignore_missing: true + + # Severity to number + # + # Possible values: + # Info -> 0 + # Error -> 7 + # Critical -> 10 + - set: + tag: set_event_severity + field: event.severity + value: 2 + if: 'ctx.cyberarkpas.audit.severity == "Info"' + - set: + tag: set_event_severity_2 + field: event.severity + value: 7 + if: 'ctx.cyberarkpas.audit.severity == "Error"' + - set: + tag: set_event_severity_3 + field: event.severity + value: 10 + if: 'ctx.cyberarkpas.audit.severity == "Critical"' + - set: + tag: set_event_type + field: event.type + value: [error] + if: ctx.event?.severity != null && ctx.event.severity > 6 + + - rename: + tag: rename_cyberarkpas_audit_message_id + field: cyberarkpas.audit.message_id + target_field: event.code + ignore_missing: true + + - set: + tag: set_source_address + field: source.address + value: '{{{cyberarkpas.audit.station}}}' + ignore_empty_value: true + + - set: + tag: set_destination_address + field: destination.address + value: '{{{cyberarkpas.audit.gateway_station}}}' + ignore_empty_value: true + + - set: + tag: set_file_path + field: file.path + value: '{{{cyberarkpas.audit.file}}}' + if: ctx.cyberarkpas.audit?.file != null + + # + # Observer fields + # + - rename: + tag: rename_cyberarkpas_audit_vendor + field: cyberarkpas.audit.vendor + target_field: observer.vendor + ignore_missing: true + - rename: + tag: rename_cyberarkpas_audit_product + field: cyberarkpas.audit.product + target_field: observer.product + ignore_missing: true + - rename: + tag: rename_cyberarkpas_audit_version + field: cyberarkpas.audit.version + target_field: observer.version + ignore_missing: true + - rename: + tag: rename_cyberarkpas_audit_hostname + field: cyberarkpas.audit.hostname + target_field: 
observer.hostname + ignore_missing: true + # Use hostname from syslog if audit record's Hostname field is missing. + - rename: + tag: rename_tmp_hostname + field: _tmp.hostname + target_field: observer.hostname + ignore_missing: true + if: ctx.observer?.hostname == null + # + # Enrichment based on message_id + # + # This script is overly complicated (read_field) because at this time + # there is no processor that allows to set one field from a source + # field using indirection (it is possible with rename, but that + # removes the original field). + # + # Once something like this is possible: + # set: + # target_field: '{{{_ingest.value.to}}}' + # copy_from: '{{{_ingest.value.from}}}' + # + # ... this script can be updated to just create two output lists, one + # for value-to pairs, another for value-from pairs. + # + - script: + tag: script_ecs_enrichment_based_on_message_id + lang: painless + description: 'ECS enrichment based on message_id' + params: + # 4 - User Authentication + # + # Always a failure. + "4": + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["authentication"] + - set: event.type + value: ["start"] + - set: event.action + value: "authentication_failure" + - set: event.outcome + value: "failure" + + # 7 - Logon + # + # User logged on to the PVWA. + "7": + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["authentication", "session"] + - set: event.type + value: ["start"] + - set: event.action + value: "authentication_success" + - set: event.outcome + value: "success" + + # 8 - Logoff + # + # User logged of from the PVWA. + "8": # Logoff + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["authentication", "session"] + - set: event.type + value: ["end"] + - set: event.outcome + value: "success" + + # 19 - Full gateway connection. 
+ "19": + - set: source.user.name + from: cyberarkpas.audit.source_user + - set: user.name + from: cyberarkpas.audit.source_user + - set: destination.user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["network"] + - set: event.type + value: ["start"] + - set: event.outcome + value: "success" + + # 22 - CPM Verify Password + # + # Password on a target host is verified. + "22": + # Address of device that hosts the account. + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "info"] + + # 23 - Action on closed safe + # + # Nothing remarkable. + # + # "23": + + # 24 - CPM Change Password + "24": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + + # 31 - CPM Reconcile Password + # + "31": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + + # 32 - Add Owner + # + # Change owner of a Safe. 
+ # source_user performs the action, docs suggest otherwise. + "32": + - set: user.name + from: cyberarkpas.audit.issuer + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.category + value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? + - set: event.type + value: ["admin", "change"] + - set: event.outcome + value: "success" + + # 33 - Update Owner + # + # Same as above + "33": + - set: user.name + from: cyberarkpas.audit.issuer + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.category + value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? + - set: event.type + value: ["admin", "change"] + - set: event.outcome + value: "success" + + # 38 - CPM Verify Password Failed + # + # Like 22 but failed. + "38": + # Address of device that hosts the account. + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + value: "failure" + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "info"] + + # 50 - Store File + # + # I don't think it makes much sense to enrich Vault file events as "file" category. + # This will involve probably constructing a file.path prefixed by the safe name. + # Then these file events may be treated as file events in SIEM, which can have + # unwanted consequences. + # "50": + + # 57 - CPM Change Password Failed + "57": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). 
+ from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + value: "failure" + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + + # 60 - CPM Reconcile Password Failed + "60": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + value: "failure" + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + + # 130 - CPM Disable Password + "130": + - set: event.outcome + value: "failure" + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + + # 174 - Change User (untested) + "174": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "change"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 175 - Change Your User (untested) + "175": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "change"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 176 - Delete User (untested) + "176": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", 
"deletion"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 177 - Delete Your User (untested) + "177": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "deletion"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 173 - Add User (alternative to 180, untested) + "173": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "creation"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 180 - Add User + "180": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "creation"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 295 - Retrieve Password succeeded + "295": + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam", "authentication"] + - set: event.type + value: ["admin", "start"] + - set: event.outcome + value: "success" + - set: event.reason + from: cyberarkpas.audit.reason + + # 300 - PSM Connect + "300": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["session"] + - set: event.type + value: ["start"] + - set: event.outcome + value: "success" + + # 302 - PSM Disconnect + "302": + - set: destination.address + from: 
cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: _tmp.duration_hms + from: cyberarkpas.audit.extra_details.session_duration + - set: event.category + value: ["session"] + - set: event.type + value: ["end"] + - set: event.outcome + value: "success" + + # 308 - Use Password + "308": + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam", "authentication"] + - set: event.type + value: ["admin", "start"] + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: event.reason + from: cyberarkpas.audit.reason + + # 309 - Undefined user logon + # + "309": + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["authentication"] + - set: event.type + value: ["start"] + - set: event.action + value: "authentication_failure" + - set: event.outcome + value: "failure" + + # 361 - Keystroke logging + "361": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["session"] + - set: event.type + value: ["info"] + + # 412 - Keystroke logging (same as 361?) 
+ "412": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["session"] + - set: event.type + value: ["info"] + + # 359 - SQL Command + "359": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["database"] + - set: event.type + value: ["access"] + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + + # 411 - Window Title + "411": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: process.pid + from: cyberarkpas.audit.extra_details.process_id + - set: process.name + from: cyberarkpas.audit.extra_details.process_name + - set: event.category + value: ["process"] + - set: event.type + value: ["access", "info"] + + # 414 - CPM Verify SSH Key + # + # SSH-key on a target host is verified. + "414": + # Address of device that hosts the account. 
+ - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "info"] + + # 428 - Retrieve SSH Key + "428": + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam", "authentication"] + - set: event.type + value: ["admin", "start"] + - set: event.outcome + value: "success" + - set: event.reason + from: cyberarkpas.audit.reason + + source: > + def clone(def val) { + return val instanceof List ? new ArrayList(val) : val; + } + def read_field(def map, String name) { + if (map == null || !(map instanceof Map)) return null; + int pos = name.indexOf("."); + return pos == -1 ? 
map[name] + : read_field(map[name.substring(0, pos)], name.substring(pos+1)); + } + String msgID = ctx.event?.code; + def actions = params.get(msgID); + if (actions == null) return; + List values = new ArrayList(); + for (def item : actions) { + def val = item.value; + if (val == null && (val = read_field(ctx, item.from)) == null || val == "") continue; + values.add([ + "to": item.set, + "value": clone(val) + ]); + } + if (!values.isEmpty()) ctx._tmp["values"] = values; + + - foreach: + tag: foreach_tmp_values + field: _tmp.values + ignore_missing: true + processor: + set: + tag: set_ingest_value_to + field: '{{{_ingest._value.to}}}' + copy_from: '_ingest._value.value' + ignore_empty_value: true + override: true + + # + # Force event.outcome: unknown in case it gets a value other than one of the allowed. + # + - set: + tag: set_event_outcome + field: event.outcome + value: 'unknown' + if: 'ctx.event?.outcome != null && !["success", "failure"].contains(ctx.event.outcome)' + + + # + # Set event.duration from the session duration ("hh:mm:ss") present in some messages. + # + - script: + tag: script_set_event_duration_from_the_session_duration_hh_mm_ss + lang: painless + description: 'Set event.duration from the session duration ("hh:mm:ss")' + if: ctx._tmp?.duration_hms != null + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (int i = 0, n = s.length(); i < n; i++) { + char c = s.charAt(i); + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)(c - (char)'0'); + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else { + return 0; + } + } + return total + cur; + } + long nanos = parse_hms(ctx._tmp.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + + # + # Populate ip/domain fields from address. 
+ #
+ - convert:
+ tag: convert_source_address
+ field: source.address
+ target_field: source.ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - set:
+ field: source.domain
+ copy_from: source.address
+ - convert:
+ tag: convert_destination_address
+ field: destination.address
+ target_field: destination.ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - set:
+ field: destination.domain
+ copy_from: destination.address
+
+ #
+ # Populate related.ip
+ #
+ - append:
+ tag: append_related_ip
+ field: related.ip
+ value: '{{{source.ip}}}'
+ if: ctx.source?.ip != null
+ allow_duplicates: false
+ - append:
+ tag: append_related_ip_2
+ field: related.ip
+ value: '{{{destination.ip}}}'
+ if: ctx.destination?.ip != null
+ allow_duplicates: false
+ - append:
+ tag: append_related_ip_3
+ field: related.ip
+ value: '{{{cyberarkpas.audit.station}}}'
+ if: ctx.cyberarkpas.audit.station != null
+ allow_duplicates: false
+ - append:
+ tag: append_related_ip_4
+ field: related.ip
+ value: '{{{cyberarkpas.audit.gateway_station}}}'
+ if: ctx.cyberarkpas.audit.gateway_station != null
+ allow_duplicates: false
+
+ #
+ # Populate related.user
+ #
+ - append:
+ tag: append_related_user
+ field: related.user
+ value: '{{{user.name}}}'
+ if: ctx.user?.name != null
+ allow_duplicates: false
+ - append:
+ tag: append_related_user_2
+ field: related.user
+ value: '{{{source.user.name}}}'
+ if: ctx.source?.user?.name != null
+ allow_duplicates: false
+ - append:
+ tag: append_related_user_3
+ field: related.user
+ value: '{{{destination.user.name}}}'
+ if: ctx.destination?.user?.name != null
+ allow_duplicates: false
+ - append:
+ tag: append_related_user_4
+ field: related.user
+ value: '{{{user.target.name}}}'
+ if: ctx.user?.target?.name != null
+ allow_duplicates: false
+
+ #
+ # sometimes application is capitalized.
+ #
+ - lowercase:
+ tag: lowercase_network_application
+ field: network.application
+ ignore_missing: true
+
+ - geoip:
+ tag: geoip_source_ip
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+
+ - geoip:
+ tag: geoip_destination_ip
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ #
+ # Set host.name
+ # This sets host.name from observer.hostname when the original event from Filebeat didn't
+ # have a host.name. This is the case of forwarded events (the tag "forwarded" is present).
+ #
+ - set:
+ tag: set_host_name
+ field: host.name
+ value: '{{{observer.hostname}}}'
+ ignore_empty_value: true
+ if: ctx.host?.name == null
+
+ - network_direction:
+ tag: network_direction
+ ignore_missing: true
+ internal_networks:
+ - loopback
+ - private
+ - unspecified
+
+ - convert:
+ tag: convert_process_pid
+ field: process.pid
+ type: long
+ ignore_missing: true
+
+ #
+ # Save only interesting fields under extra_fields and ca_properties
+ # to prevent mapping explosion. Keep the rest under .other (type flattened).
+ #
+ - script:
+ tag: script_map_interesting_fields_from_ca_properties_and_extra_details
+ lang: painless
+ description: Map interesting fields from ca_properties and extra_details.
+ params:
+ ca_properties:
+ - address
+ - cpm_disabled
+ - cpm_error_details
+ - cpm_status
+ - creation_method
+ - customer
+ - database
+ - device_type
+ - dual_account_status
+ - group_name
+ - in_process
+ - index
+ - last_fail_date
+ - last_success_change
+ - last_success_reconciliation
+ - last_success_verification
+ - last_task
+ - logon_domain
+ - policy_id
+ - port
+ - privcloud
+ - reset_immediately
+ - retries_count
+ - sequence_id
+ - tags
+ - user_dn
+ - user_name
+ - virtual_username
+ extra_details:
+ - ad_process_id
+ - ad_process_name
+ - application_type
+ - command
+ - connection_component_id
+ - dst_host
+ - logon_account
+ - managed_account
+ - process_id
+ - process_name
+ - protocol
+ - psmid
+ - session_duration
+ - session_id
+ - src_host
+ - username
+ source: >
+ Map audit = ctx.cyberarkpas.audit;
+ params.entrySet().stream().filter(e -> audit.containsKey(e.getKey())).forEach(lst -> {
+ Map base = audit[lst.getKey()],
+ selected = new HashMap();
+ lst.getValue().stream().filter(fld -> base.containsKey(fld)).forEach(fld -> {
+ selected[fld] = base.remove(fld);
+ });
+ selected['other'] = base;
+ audit[lst.getKey()] = selected;
+ });
+ #
+ # Cleanup
+ #
+ - remove:
+ tag: remove_tmp
+ field: _tmp
+ ignore_missing: true
+
+on_failure:
+ - set:
+ tag: set_event_kind_on_failure
+ field: event.kind
+ value: pipeline_error
+ - append:
+ tag: append_error_message
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - remove:
+ tag: remove_tmp_on_failure
+ field: _tmp
+ ignore_missing: true
diff --git a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index ddeaed45804..d4dcbb9d73e 100644
--- a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -1,1187 +1,22 @@ --- -description: Pipeline for CyberArk PAS +description: Pipeline for CyberArk PAS audit, wrapper processors: - # - # Set ECS version. - # - - set: - field: ecs.version - value: '8.11.0' - # - # Set event.original from message, unless reindexing. - # - - rename: - field: message - target_field: event.original - if: ctx.event?.original == null - ignore_missing: true - # - # Parse syslog headers (if any) and extract JSON payload. - # - - grok: - field: event.original - patterns: - # RFC5424 from CyberArk. - # UseLegacySyslogFormat=No - # <5>1 2021-03-04T17:28:23Z VAULT {"format":"elastic","version":"1.0",...} - - "^<%{NONNEGINT:log.syslog.priority:long}>%{NONNEGINT} %{TIMESTAMP_ISO8601:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" - - # Legacy format. - # UseLegacySyslogFormat=Yes - # Mar 08 02:57:42 VAULT {"format":"elastic","version":"1.0",...} - - "^%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" - - # Catch-all mode, just JSON payload. 
- - "%{JSON_PAYLOAD:_tmp.payload}" - pattern_definitions: - JSON_PAYLOAD: '{"format":"elastic","version":"1.0",.*}' - on_failure: - - fail: - message: "unexpected event format: {{{_ingest.on_failure_message}}}" - - - json: - field: _tmp.payload - target_field: _tmp.json - on_failure: - - fail: - message: "malformed JSON event: {{{_ingest.on_failure_message}}}" - - - rename: - field: _tmp.json.syslog.audit_record - target_field: cyberarkpas.audit - on_failure: - - fail: - message: "unexpected event structure: {{{_ingest.on_failure_message}}}" - - - # - # Remove all empty fields - # - - script: - lang: painless - description: 'Removes empty audit fields' - source: >- - ctx.cyberarkpas.audit.entrySet().removeIf(entry -> entry.getValue() == ""); - - - rename: - field: _tmp.json.raw - target_field: cyberarkpas.audit.raw - ignore_missing: true - - # The following processors populate @timestamp from the different sources that can exist in an event. - # In the following order of precedence: - # - IsoTimestamp field (expected ISO8601). Present when new syslog format is used (rfc5424: yes). - # - Timestamp (expected MMM dd HH:mm:ss). Also present only when new syslog format is used. - # - Syslog header timestamp. Either ISO8601 or legacy MMM dd HH:mm:ss, depending on the syslog format in use. - # - Original @timestamp from Filebeat. - - date: - if: ctx.cyberarkpas.audit.IsoTimestamp != null - field: cyberarkpas.audit.IsoTimestamp - target_field: _tmp.timestamp - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: "failed to parse ISO timestamp field: {{{cyberarkpas.audit.IsoTimestamp}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx.cyberarkpas.audit.Timestamp != null' - field: cyberarkpas.audit.Timestamp - target_field: _tmp.timestamp - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. 
- - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse timestamp field: {{{cyberarkpas.audit.Timestamp}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone == null - field: _tmp.syslog_ts - target_field: _tmp.timestamp - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. - - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone != null - field: _tmp.syslog_ts - target_field: _tmp.timestamp - timezone: '{{{event.timezone}}}' - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. 
- - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" - - - set: - field: '@timestamp' - value: '{{{_tmp.timestamp}}}' - ignore_empty_value: true - override: true - - # This script ensures that CAProperties.CAProperty is an array. - # When there's a single property, it is serialised as an object instead - # of a single element array. - - script: - lang: painless - description: "Converts CAProperties into an array if necessary" - source: > - def props = ctx.cyberarkpas?.audit?.CAProperties?.CAProperty; - if (props instanceof Map) { - ctx.cyberarkpas.audit.CAProperties.CAProperty = [ props ]; - } - - # This script converts the nested object under cyberarkpas.audit.CAProperties.CAProperty - # into an object under cyberarkpas.audit.CAProperties: - # - # input: - # "cyberarkpas.audit.CAProperties.CAProperty": [ - # { - # "Name": "PolicyID", - # "Value": "LINUX-SSH" - # }, - # { - # "Name": "UserName", - # "Value": "test12" - # } - # output: - # "cyberarkpas.audit.CAProperties": - # { - # "PolicyID": "LINUX-SSH", - # "UserName": "test12" - # } - - foreach: - field: cyberarkpas.audit.CAProperties.CAProperty - ignore_missing: true - processor: - set: - field: 'cyberarkpas.audit.CAProperties.{{{_ingest._value.Name}}}' - value: '{{{_ingest._value.Value}}}' - on_failure: - - append: - field: error.message - value: "failed to process CAProperties array: {{{_ingest.on_failure_message}}}" - - remove: - field: cyberarkpas.audit.CAProperties.CAProperty - 
ignore_missing: true - - # Parse key-value pairs at ExtraDetails: - # input: - # "cyberarkpas.audit.ExtraDetails": "Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=[...]", - # - # output: - # "cyberarkpas.audit.ExtraDetails": - # { - # "Command": "ls \"/var/tmp\"", - # "ConnectionComponentId": "PSMP-SSH", - # "DstHost": [...] - # - # The original string can contain escaped separators, \= and \; - - kv: - field: cyberarkpas.audit.ExtraDetails - field_split: '(? - String to_snake_case(String s) { - /* faster code path for strings that won't need an underscore */ - if (s.chars().skip(1).noneMatch(Character::isUpperCase)) { - return s.toLowerCase(); - } - int run = 0; - boolean first = true; - StringBuilder result = new StringBuilder(); - for (char c : s.toCharArray()) { - char o = Character.toLowerCase(c); - if (c != o) { - if (run == 0 && !first) { - result.append('_'); - } - run ++; - } else { - if (run > 1) { - char prev = result.charAt(result.length()-1); - result.setCharAt(result.length()-1, (char)'_'); - result.append(prev); - } - run = 0; - first = false; - } - result.append(o); - } - return result.toString(); - } - def keys_to_snake_case_recursive(Map object) { - return object.entrySet().stream().collect( - Collectors.toMap( - e -> to_snake_case(e.getKey()), - e -> e.getValue() instanceof Map ? keys_to_snake_case_recursive(e.getValue()) : e.getValue() - ) - ); - } - ctx.cyberarkpas.audit = keys_to_snake_case_recursive(ctx.cyberarkpas.audit); - - # - # Convert rfc5424 field to boolean. - # - - script: - description: 'Converts the rfc5424 audit field to a boolean' - lang: painless - source: > - def value = ctx.cyberarkpas.audit.rfc5424; - ctx.cyberarkpas.audit["rfc5424"] = value == 'yes'; - - ######################################################## - # ECS enrichment - # - # All processors from this point use the snake_case form - # to access CyberArk fields. 
- ######################################################## - - - set: - field: event.kind - value: event - - - lowercase: - field: cyberarkpas.audit.action - target_field: event.action - ignore_missing: true - - # Severity to number - # - # Possible values: - # Info -> 0 - # Error -> 7 - # Critical -> 10 - - set: - field: event.severity - value: 2 - if: 'ctx.cyberarkpas.audit.severity == "Info"' - - set: - field: event.severity - value: 7 - if: 'ctx.cyberarkpas.audit.severity == "Error"' - - set: - field: event.severity - value: 10 - if: 'ctx.cyberarkpas.audit.severity == "Critical"' - - set: - field: event.type - value: [error] - if: ctx.event?.severity != null && ctx.event.severity > 6 - - - rename: - field: cyberarkpas.audit.message_id - target_field: event.code - ignore_missing: true - - - set: - field: source.address - value: '{{{cyberarkpas.audit.station}}}' - ignore_empty_value: true - - - set: - field: destination.address - value: '{{{cyberarkpas.audit.gateway_station}}}' - ignore_empty_value: true - - - set: - field: file.path - value: '{{{cyberarkpas.audit.file}}}' - if: ctx.cyberarkpas.audit?.file != null - - # - # Observer fields - # - - rename: - field: cyberarkpas.audit.vendor - target_field: observer.vendor - ignore_missing: true - - rename: - field: cyberarkpas.audit.product - target_field: observer.product - ignore_missing: true - - rename: - field: cyberarkpas.audit.version - target_field: observer.version - ignore_missing: true - - rename: - field: cyberarkpas.audit.hostname - target_field: observer.hostname - ignore_missing: true - # Use hostname from syslog if audit record's Hostname field is missing. 
- - rename: - field: _tmp.hostname - target_field: observer.hostname - ignore_missing: true - if: ctx.observer?.hostname == null - # - # Enrichment based on message_id - # - # This script is overly complicated (read_field) because at this time - # there is no processor that allows to set one field from a source - # field using indirection (it is possible with rename, but that - # removes the original field). - # - # Once something like this is possible: - # set: - # target_field: '{{{_ingest.value.to}}}' - # copy_from: '{{{_ingest.value.from}}}' - # - # ... this script can be updated to just create two output lists, one - # for value-to pairs, another for value-from pairs. - # - - script: - lang: painless - description: 'ECS enrichment based on message_id' - params: - # 4 - User Authentication - # - # Always a failure. - "4": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["authentication"] - - set: event.type - value: ["start"] - - set: event.action - value: "authentication_failure" - - set: event.outcome - value: "failure" - - # 7 - Logon - # - # User logged on to the PVWA. - "7": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: [ "authentication", "session"] - - set: event.type - value: [ "start"] - - set: event.action - value: "authentication_success" - - set: event.outcome - value: "success" - - # 8 - Logoff - # - # User logged of from the PVWA. - "8": # Logoff - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: [ "authentication", "session"] - - set: event.type - value: ["end"] - - set: event.outcome - value: "success" - - # 19 - Full gateway connection. 
- "19": - - set: source.user.name - from: cyberarkpas.audit.source_user - - set: user.name - from: cyberarkpas.audit.source_user - - set: destination.user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["network"] - - set: event.type - value: ["start"] - - set: event.outcome - value: "success" - - # 22 - CPM Verify Password - # - # Password on a target host is verified. - "22": - # Address of device that hosts the account. - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "info"] - - # 23 - Action on closed safe - # - # Nothing remarkable. - # - # "23": - - # 24 - CPM Change Password - "24": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - # 31 - CPM Reconcile Password - # - "31": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - # 32 - Add Owner - # - # Change owner of a Safe. 
- # source_user performs the action, docs suggest otherwise. - "32": - - set: user.name - from: cyberarkpas.audit.issuer - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.category - value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? - - set: event.type - value: ["admin", "change"] - - set: event.outcome - value: "success" - - # 33 - Update Owner - # - # Same as above - "33": - - set: user.name - from: cyberarkpas.audit.issuer - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.category - value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? - - set: event.type - value: ["admin", "change"] - - set: event.outcome - value: "success" - - # 38 - CPM Verify Password Failed - # - # Like 22 but failed. - "38": - # Address of device that hosts the account. - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "info"] - # 50 - Store File - # - # I don't think it makes much sense to enrich Vault file events as "file" category. - # This will involve probably constructing a file.path prefixed by the safe name. - # Then these file events may be treated as file events in SIEM, which can have - # unwanted consequences. - # "50": + - pipeline: + tag: pipeline_audit + name: '{{ IngestPipeline "audit" }}' + if: | + !ctx.message.contains('"Product":"VaultMonitor"') - # 57 - CPM Change Password Failed - "57": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). 
- from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - # 60 - CPM Reconcile Password Failed - "60": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - # 130 - CPM Disable Password - "130": - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - # 174 - Change User (untested) - "174": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "change"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 175 - Change Your User (untested) - "175": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "change"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 176 - Delete User (untested) - "176": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", 
"deletion"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 177 - Delete Your User (untested) - "177": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "deletion"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 173 - Add User (alternative to 180, untested) - "173": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "creation"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 180 - Add User - "180": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "creation"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 295 - Retrieve Password succeeded - "295": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam", "authentication"] - - set: event.type - value: ["admin", "start"] - - set: event.outcome - value: "success" - - set: event.reason - from: cyberarkpas.audit.reason - - # 300 - PSM Connect - "300": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["start"] - - set: event.outcome - value: "success" - - # 302 - PSM Disconnect - "302": - - set: destination.address - from: 
cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: _tmp.duration_hms - from: cyberarkpas.audit.extra_details.session_duration - - set: event.category - value: ["session"] - - set: event.type - value: ["end"] - - set: event.outcome - value: "success" - - # 308 - Use Password - "308": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam", "authentication"] - - set: event.type - value: ["admin", "start"] - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: event.reason - from: cyberarkpas.audit.reason - - # 309 - Undefined user logon - # - "309": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["authentication"] - - set: event.type - value: ["start"] - - set: event.action - value: "authentication_failure" - - set: event.outcome - value: "failure" - - # 361 - Keystroke logging - "361": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["info"] - - # 412 - Keystroke logging (same as 361?) 
- "412": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["info"] - - # 359 - SQL Command - "359": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["database"] - - set: event.type - value: ["access"] - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - # 411 - Window Title - "411": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: process.pid - from: cyberarkpas.audit.extra_details.process_id - - set: process.name - from: cyberarkpas.audit.extra_details.process_name - - set: event.category - value: ["process"] - - set: event.type - value: ["access", "info"] - - # 414 - CPM Verify SSH Key - # - # SSH-key on a target host is verified. - "414": - # Address of device that hosts the account. 
- - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "info"] - - # 428 - Retrieve SSH Key - "428": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam", "authentication"] - - set: event.type - value: ["admin", "start"] - - set: event.outcome - value: "success" - - set: event.reason - from: cyberarkpas.audit.reason - - source: > - def clone(def val) { - return val instanceof List ? new ArrayList(val) : val; - } - def read_field(def map, String name) { - if (map == null || !(map instanceof Map)) return null; - int pos = name.indexOf("."); - return pos == -1 ? map[name] - : read_field(map[name.substring(0, pos)], name.substring(pos+1)); - } - String msgID = ctx.event?.code; - def actions = params.get(msgID); - if (actions == null) return; - List values = new ArrayList(); - for (def item : actions) { - def val = item.value; - if (val == null && (val = read_field(ctx, item.from)) == null || val == "") continue; - values.add([ - "to": item.set, - "value": clone(val) - ]); - } - if (!values.isEmpty()) ctx._tmp["values"] = values; - - - foreach: - field: _tmp.values - ignore_missing: true - processor: - set: - field: '{{{_ingest._value.to}}}' - copy_from: '_ingest._value.value' - ignore_empty_value: true - override: true - - # - # Force event.outcome: unknown in case it gets a value other than one of the allowed. 
- # - - set: - field: event.outcome - value: 'unknown' - if: 'ctx.event?.outcome != null && !["success", "failure"].contains(ctx.event.outcome)' - - - # - # Set event.duration from the session duration ("hh:mm:ss") present in some messages. - # - - script: - lang: painless - description: 'Set event.duration from the session duration ("hh:mm:ss")' - if: ctx._tmp?.duration_hms != null - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (int i = 0, n = s.length(); i < n; i++) { - char c = s.charAt(i); - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)(c - (char)'0'); - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else { - return 0; - } - } - return total + cur; - } - long nanos = parse_hms(ctx._tmp.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - - # - # Populate ip/domain fields from address. - # - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: source.domain - copy_from: source.address - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - - # - # Populate related.ip - # - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: ctx.destination?.ip != null - allow_duplicates: false - - append: - field: related.ip - value: '{{{cyberarkpas.audit.station}}}' - if: ctx.cyberarkpas.audit.station != null - allow_duplicates: false - - append: - field: related.ip - value: '{{{cyberarkpas.audit.gateway_station}}}' - if: ctx.cyberarkpas.audit.gateway_station != null - allow_duplicates: false - - # - # Populate related.user - # - - append: - field: related.user - value: '{{{user.name}}}' - if: ctx.user?.name != null - allow_duplicates: false - - append: - 
field: related.user - value: '{{{source.user.name}}}' - if: ctx.source?.user?.name != null - allow_duplicates: false - - append: - field: related.user - value: '{{{destination.user.name}}}' - if: ctx.destination?.user?.name != null - allow_duplicates: false - - append: - field: related.user - value: '{{{user.target.name}}}' - if: ctx.user?.target?.name != null - allow_duplicates: false - - # - # sometimes application is capitalized. - # - - lowercase: - field: network.application - ignore_missing: true - - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # - # Set host.name - # This sets host.name from observer.hostname when the original event from Filebeat didn't - # have a host.name. This is the case of forwarded events (the tag "forwarded" is present). - # - - set: - field: host.name - value: '{{{observer.hostname}}}' - ignore_empty_value: true - if: ctx.host?.name == null - - - network_direction: - ignore_missing: true - internal_networks: - - loopback - - private - - unspecified - - - convert: - field: process.pid - type: long - ignore_missing: true - - # - # Save only interesting fields under extra_fields and ca_properties - # to prevent mapping explosion. Keep the rest under .other (type flattened). - # - - script: - lang: painless - description: Map interesting fields from ca_properties and extra_details. 
- params: - ca_properties: - - address - - cpm_disabled - - cpm_error_details - - cpm_status - - creation_method - - customer - - database - - device_type - - dual_account_status - - group_name - - in_process - - index - - last_fail_date - - last_success_change - - last_success_reconciliation - - last_success_verification - - last_task - - logon_domain - - policy_id - - port - - privcloud - - reset_immediately - - retries_count - - sequence_id - - tags - - user_dn - - user_name - - virtual_username - extra_details: - - ad_process_id - - ad_process_name - - application_type - - command - - connection_component_id - - dst_host - - logon_account - - managed_account - - process_id - - process_name - - protocol - - psmid - - session_duration - - session_id - - src_host - - username - source: > - Map audit = ctx.cyberarkpas.audit; - params.entrySet().stream().filter(e -> audit.containsKey(e.getKey())).forEach(lst -> { - Map base = audit[lst.getKey()], - selected = new HashMap(); - lst.getValue().stream().filter(fld -> base.containsKey(fld)).forEach(fld -> { - selected[fld] = base.remove(fld); - }); - selected['other'] = base; - audit[lst.getKey()] = selected; - }); - # - # Cleanup - # - - remove: - field: _tmp - ignore_missing: true on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - remove: - field: _tmp - ignore_missing: true - set: + tag: set_event_kind_on_failure field: event.kind value: pipeline_error + - append: + tag: append_error_message + field: error.message + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cyberarkpas/data_stream/audit/manifest.yml b/packages/cyberarkpas/data_stream/audit/manifest.yml index 0b264b174f2..3282753215d 100644 
--- a/packages/cyberarkpas/data_stream/audit/manifest.yml +++ b/packages/cyberarkpas/data_stream/audit/manifest.yml @@ -1,11 +1,15 @@ type: logs title: CyberArk PAS audit logs +dataset: cyberarkpas.audit +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true streams: - input: logfile enabled: false template_path: log.yml.hbs title: CyberArk PAS audit logs - description: Collect CyberArk PAS audit logs from files. + description: Collect CyberArk PAS audit logs (and monitoring data) from files. vars: - name: paths type: text @@ -43,7 +47,7 @@ streams: enabled: true template_path: tcp.yml.hbs title: CyberArk PAS audit logs (TCP) - description: Collect CyberArk PAS audit logs using TCP input + description: Collect CyberArk PAS audit logs (and monitoring data) using TCP input vars: - name: syslog_host type: text @@ -96,7 +100,7 @@ streams: enabled: true template_path: udp.yml.hbs title: CyberArk PAS audit logs (UDP) - description: Collect CyberArk PAS audit logs using UDP input + description: Collect CyberArk PAS audit logs (and monitoring data) using UDP input vars: - name: syslog_host type: text diff --git a/packages/cyberarkpas/data_stream/audit/routing_rules.yml b/packages/cyberarkpas/data_stream/audit/routing_rules.yml new file mode 100644 index 00000000000..32e305e0faa --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/routing_rules.yml @@ -0,0 +1,7 @@ +- source_dataset: cyberarkpas.audit + rules: + - target_dataset: cyberarkpas.monitor + if: ctx.message?.contains('"Product":"VaultMonitor"') == true + namespace: + - "{{data_stream.namespace}}" + - default diff --git a/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-common-config.yml b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..ecd26d50036 --- /dev/null +++ b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-common-config.yml 
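Review bot: The new `elasticsearch.dynamic_dataset: true` / `dynamic_namespace: true` keys in the first hunk widen what the agent policy's API key may write to, and nothing in the manifest says why they are there. If I read Fleet's permission model right, these flags turn the index privilege for this stream from `logs-cyberarkpas.audit-<namespace>` into wildcard dataset/namespace patterns, which is a broader grant than the single reroute to `cyberarkpas.monitor` in the same namespace (or `default`) actually needs. At minimum add a comment above `elasticsearch:` such as `# Allows the audit pipeline to reroute VaultMonitor records to cyberarkpas.monitor; note this broadens the agent API key's index privileges beyond logs-cyberarkpas.audit-<namespace>.`, and consider whether `dynamic_namespace` is required at all given that the routing rule keeps the event's own namespace and only falls back to `default`.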
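Review bot: The routing rule's `if` is a bare substring test on the raw `message`, so any event whose text happens to contain `"Product":"VaultMonitor"` is moved out of the audit data stream, not only genuine monitor records. Whether the `elastic-json-v1.0.xsl` translator escapes quotes inside field values is not visible here; if it does not, an attacker who controls a free-text audit field (safe name, reason, window title) could make their audit event land in `cyberarkpas.monitor` where audit detections would not see it. Tighten the condition to the structural key as well, e.g. `if: ctx.message != null && ctx.message.contains('"monitor_record":{') && ctx.message.contains('"Product":"VaultMonitor"')`, or better, key the reroute on a field the pipeline has already parsed, and add a comment stating that a false positive silently removes the event from the audit stream.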
@@ -0,0 +1,4 @@ +fields: + tags: + - forwarded + - cyberarkpas-audit diff --git a/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log new file mode 100644 index 00000000000..2d62f027633 --- /dev/null +++ b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log 
@@ -0,0 +1,30 @@ +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:00:00","IsoTimestamp":"2024-10-15T00:00:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0000","AverageExecutionTime":"10","MaxExecutionTime":"149","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"7","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:01:00","IsoTimestamp":"2024-10-15T00:01:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0001","AverageExecutionTime":"10","MaxExecutionTime":"196","AverageQueueTime":"0","MaxQueueTime":"12","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"14","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:02:00","IsoTimestamp":"2024-10-15T00:02:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0002","AverageExecutionTime":"12","MaxExecutionTime":"113","AverageQueueTime":"2","MaxQueueTime":"5","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"2","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 
00:03:00","IsoTimestamp":"2024-10-15T00:03:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0003","AverageExecutionTime":"10","MaxExecutionTime":"127","AverageQueueTime":"0","MaxQueueTime":"20","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"4","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:04:00","IsoTimestamp":"2024-10-15T00:04:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0004","AverageExecutionTime":"10","MaxExecutionTime":"199","AverageQueueTime":"0","MaxQueueTime":"47","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"14","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:05:00","IsoTimestamp":"2024-10-15T00:05:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0005","AverageExecutionTime":"11","MaxExecutionTime":"132","AverageQueueTime":"1","MaxQueueTime":"67","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"5","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:06:00","IsoTimestamp":"2024-10-15T00:06:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0006","AverageExecutionTime":"10","MaxExecutionTime":"110","AverageQueueTime":"0","MaxQueueTime":"95","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"1","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} 
+{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:07:00","IsoTimestamp":"2024-10-15T00:07:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0007","AverageExecutionTime":"10","MaxExecutionTime":"194","AverageQueueTime":"0","MaxQueueTime":"44","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"14","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:08:00","IsoTimestamp":"2024-10-15T00:08:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0008","AverageExecutionTime":"13","MaxExecutionTime":"154","AverageQueueTime":"3","MaxQueueTime":"17","NumberOfParallelTasks":"2","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"8","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:09:00","IsoTimestamp":"2024-10-15T00:09:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0009","AverageExecutionTime":"10","MaxExecutionTime":"99","AverageQueueTime":"0","MaxQueueTime":"5","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"0","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 
00:10:00","IsoTimestamp":"2024-10-15T00:10:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0010","AverageExecutionTime":"10","MaxExecutionTime":"179","AverageQueueTime":"0","MaxQueueTime":"15","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"12","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:11:00","IsoTimestamp":"2024-10-15T00:11:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0011","AverageExecutionTime":"10","MaxExecutionTime":"175","AverageQueueTime":"0","MaxQueueTime":"41","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"11","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:12:00","IsoTimestamp":"2024-10-15T00:12:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0012","AverageExecutionTime":"11","MaxExecutionTime":"98","AverageQueueTime":"1","MaxQueueTime":"64","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"205","CPUUsage":"0","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:13:00","IsoTimestamp":"2024-10-15T00:13:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0013","AverageExecutionTime":"10","MaxExecutionTime":"159","AverageQueueTime":"0","MaxQueueTime":"68","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"402","CPUUsage":"9","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} 
+{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:14:00","IsoTimestamp":"2024-10-15T00:14:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0014","AverageExecutionTime":"10","MaxExecutionTime":"191","AverageQueueTime":"0","MaxQueueTime":"51","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"333","CPUUsage":"13","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:15:00","IsoTimestamp":"2024-10-15T00:15:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0015","AverageExecutionTime":"10","MaxExecutionTime":"106","AverageQueueTime":"0","MaxQueueTime":"23","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"1","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:16:00","IsoTimestamp":"2024-10-15T00:16:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0016","AverageExecutionTime":"9","MaxExecutionTime":"138","AverageQueueTime":"0","MaxQueueTime":"6","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"5","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 
00:17:00","IsoTimestamp":"2024-10-15T00:17:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0017","AverageExecutionTime":"10","MaxExecutionTime":"199","AverageQueueTime":"0","MaxQueueTime":"10","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"14","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:18:00","IsoTimestamp":"2024-10-15T00:18:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0018","AverageExecutionTime":"10","MaxExecutionTime":"122","AverageQueueTime":"0","MaxQueueTime":"33","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"3","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:19:00","IsoTimestamp":"2024-10-15T00:19:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0019","AverageExecutionTime":"10","MaxExecutionTime":"118","AverageQueueTime":"0","MaxQueueTime":"59","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"2","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:20:00","IsoTimestamp":"2024-10-15T00:20:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0020","AverageExecutionTime":"12","MaxExecutionTime":"198","AverageQueueTime":"2","MaxQueueTime":"69","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"14","MemoryUsage":"64","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} 
+{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:21:00","IsoTimestamp":"2024-10-15T00:21:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0021","AverageExecutionTime":"10","MaxExecutionTime":"143","AverageQueueTime":"0","MaxQueueTime":"57","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"6","MemoryUsage":"63","DriveFreeSpaceInGB":"21","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:22:00","IsoTimestamp":"2024-10-15T00:22:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0022","AverageExecutionTime":"10","MaxExecutionTime":"103","AverageQueueTime":"0","MaxQueueTime":"30","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"0","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"2"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:23:00","IsoTimestamp":"2024-10-15T00:23:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0023","AverageExecutionTime":"11","MaxExecutionTime":"187","AverageQueueTime":"1","MaxQueueTime":"8","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"13","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 
00:24:00","IsoTimestamp":"2024-10-15T00:24:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0024","AverageExecutionTime":"10","MaxExecutionTime":"165","AverageQueueTime":"0","MaxQueueTime":"7","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"300","CPUUsage":"9","MemoryUsage":"61","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:25:00","IsoTimestamp":"2024-10-15T00:25:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0025","AverageExecutionTime":"10","MaxExecutionTime":"98","AverageQueueTime":"0","MaxQueueTime":"27","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"117","CPUUsage":"0","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:26:00","IsoTimestamp":"2024-10-15T00:26:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0026","AverageExecutionTime":"14","MaxExecutionTime":"170","AverageQueueTime":"4","MaxQueueTime":"54","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"10","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:27:00","IsoTimestamp":"2024-10-15T00:27:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0027","AverageExecutionTime":"10","MaxExecutionTime":"184","AverageQueueTime":"0","MaxQueueTime":"102","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"12","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}} 
+{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:28:00","IsoTimestamp":"2024-10-15T00:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0028","AverageExecutionTime":"11","MaxExecutionTime":"101","AverageQueueTime":"1","MaxQueueTime":"62","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"0","MemoryUsage":"63","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} +{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:29:00","IsoTimestamp":"2024-10-15T00:29:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0029","AverageExecutionTime":"10","MaxExecutionTime":"148","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"7","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}} diff --git a/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log-expected.json b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log-expected.json new file mode 100644 index 00000000000..2b29acb7b08 --- /dev/null +++ b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log-expected.json 
@@ -0,0 +1,1504 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-15T00:00:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 7, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:00:00Z", + "max_execution_time": 149, + "max_parallel_tasks": 20, + "max_queue_time": 37, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:00:00", + "transaction_count": 316, + "version": "11.7.0000" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:00:00\",\"IsoTimestamp\":\"2024-10-15T00:00:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0000\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"149\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"37\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"316\",\"CPUUsage\":\"7\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.07 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0000" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:01:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 14, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:01:00Z", + "max_execution_time": 196, + "max_parallel_tasks": 20, + "max_queue_time": 12, + "memory_usage": 64, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 
00:01:00", + "transaction_count": 302, + "version": "11.7.0001" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:01:00\",\"IsoTimestamp\":\"2024-10-15T00:01:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0001\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"196\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"12\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"302\",\"CPUUsage\":\"14\",\"MemoryUsage\":\"64\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.14 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0001" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:02:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 12, + "average_queue_time": 2, + "cpu_usage": 2, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:02:00Z", + "max_execution_time": 113, + "max_parallel_tasks": 20, + "max_queue_time": 5, + "memory_usage": 63, + "number_of_parallel_tasks": 0, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:02:00", + "transaction_count": 315, + "version": "11.7.0002" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 
00:02:00\",\"IsoTimestamp\":\"2024-10-15T00:02:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0002\",\"AverageExecutionTime\":\"12\",\"MaxExecutionTime\":\"113\",\"AverageQueueTime\":\"2\",\"MaxQueueTime\":\"5\",\"NumberOfParallelTasks\":\"0\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"315\",\"CPUUsage\":\"2\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.02 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0002" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:03:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 4, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:03:00Z", + "max_execution_time": 127, + "max_parallel_tasks": 20, + "max_queue_time": 20, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:03:00", + "transaction_count": 300, + "version": "11.7.0003" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:03:00\",\"IsoTimestamp\":\"2024-10-15T00:03:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0003\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"127\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"20\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"300\",\"CPUUsage\":\"4\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + 
"host": { + "cpu": { + "usage": 0.04 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0003" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:04:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 14, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:04:00Z", + "max_execution_time": 199, + "max_parallel_tasks": 20, + "max_queue_time": 47, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 1, + "timestamp": "Oct 15 00:04:00", + "transaction_count": 117, + "version": "11.7.0004" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:04:00\",\"IsoTimestamp\":\"2024-10-15T00:04:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0004\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"199\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"47\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"117\",\"CPUUsage\":\"14\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"1\"}}}" + }, + "host": { + "cpu": { + "usage": 0.14 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0004" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:05:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 11, + "average_queue_time": 1, + "cpu_usage": 5, + "drive_free_space_in_gb": 21, + 
"drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:05:00Z", + "max_execution_time": 132, + "max_parallel_tasks": 20, + "max_queue_time": 67, + "memory_usage": 64, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:05:00", + "transaction_count": 307, + "version": "11.7.0005" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:05:00\",\"IsoTimestamp\":\"2024-10-15T00:05:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0005\",\"AverageExecutionTime\":\"11\",\"MaxExecutionTime\":\"132\",\"AverageQueueTime\":\"1\",\"MaxQueueTime\":\"67\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"307\",\"CPUUsage\":\"5\",\"MemoryUsage\":\"64\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.05 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0005" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:06:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 1, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:06:00Z", + "max_execution_time": 110, + "max_parallel_tasks": 20, + "max_queue_time": 95, + "memory_usage": 64, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:06:00", + "transaction_count": 316, + "version": "11.7.0006" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": 
"{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:06:00\",\"IsoTimestamp\":\"2024-10-15T00:06:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0006\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"110\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"95\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"316\",\"CPUUsage\":\"1\",\"MemoryUsage\":\"64\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.01 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0006" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:07:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 14, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:07:00Z", + "max_execution_time": 194, + "max_parallel_tasks": 20, + "max_queue_time": 44, + "memory_usage": 63, + "number_of_parallel_tasks": 0, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:07:00", + "transaction_count": 302, + "version": "11.7.0007" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 
00:07:00\",\"IsoTimestamp\":\"2024-10-15T00:07:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0007\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"194\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"44\",\"NumberOfParallelTasks\":\"0\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"302\",\"CPUUsage\":\"14\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.14 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0007" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:08:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 13, + "average_queue_time": 3, + "cpu_usage": 8, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:08:00Z", + "max_execution_time": 154, + "max_parallel_tasks": 20, + "max_queue_time": 17, + "memory_usage": 63, + "number_of_parallel_tasks": 2, + "syslog_queue_size": 1, + "timestamp": "Oct 15 00:08:00", + "transaction_count": 315, + "version": "11.7.0008" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:08:00\",\"IsoTimestamp\":\"2024-10-15T00:08:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0008\",\"AverageExecutionTime\":\"13\",\"MaxExecutionTime\":\"154\",\"AverageQueueTime\":\"3\",\"MaxQueueTime\":\"17\",\"NumberOfParallelTasks\":\"2\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"315\",\"CPUUsage\":\"8\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"1\"}}}" + }, + 
"host": { + "cpu": { + "usage": 0.08 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0008" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:09:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 0, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:09:00Z", + "max_execution_time": 99, + "max_parallel_tasks": 20, + "max_queue_time": 5, + "memory_usage": 64, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:09:00", + "transaction_count": 300, + "version": "11.7.0009" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:09:00\",\"IsoTimestamp\":\"2024-10-15T00:09:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0009\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"99\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"5\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"300\",\"CPUUsage\":\"0\",\"MemoryUsage\":\"64\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.0 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0009" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:10:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 12, + "drive_free_space_in_gb": 21, + 
"drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:10:00Z", + "max_execution_time": 179, + "max_parallel_tasks": 20, + "max_queue_time": 15, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:10:00", + "transaction_count": 117, + "version": "11.7.0010" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:10:00\",\"IsoTimestamp\":\"2024-10-15T00:10:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0010\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"179\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"15\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"117\",\"CPUUsage\":\"12\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.12 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0010" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:11:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 11, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:11:00Z", + "max_execution_time": 175, + "max_parallel_tasks": 20, + "max_queue_time": 41, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:11:00", + "transaction_count": 307, + "version": "11.7.0011" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": 
"{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:11:00\",\"IsoTimestamp\":\"2024-10-15T00:11:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0011\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"175\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"41\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"307\",\"CPUUsage\":\"11\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.11 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0011" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:12:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 11, + "average_queue_time": 1, + "cpu_usage": 0, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:12:00Z", + "max_execution_time": 98, + "max_parallel_tasks": 20, + "max_queue_time": 64, + "memory_usage": 64, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:12:00", + "transaction_count": 205, + "version": "11.7.0012" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 
00:12:00\",\"IsoTimestamp\":\"2024-10-15T00:12:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0012\",\"AverageExecutionTime\":\"11\",\"MaxExecutionTime\":\"98\",\"AverageQueueTime\":\"1\",\"MaxQueueTime\":\"64\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"205\",\"CPUUsage\":\"0\",\"MemoryUsage\":\"64\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.0 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0012" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:13:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 9, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:13:00Z", + "max_execution_time": 159, + "max_parallel_tasks": 20, + "max_queue_time": 68, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:13:00", + "transaction_count": 402, + "version": "11.7.0013" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:13:00\",\"IsoTimestamp\":\"2024-10-15T00:13:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0013\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"159\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"68\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"402\",\"CPUUsage\":\"9\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + 
"host": { + "cpu": { + "usage": 0.09 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0013" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:14:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 13, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:14:00Z", + "max_execution_time": 191, + "max_parallel_tasks": 20, + "max_queue_time": 51, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 1, + "timestamp": "Oct 15 00:14:00", + "transaction_count": 333, + "version": "11.7.0014" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:14:00\",\"IsoTimestamp\":\"2024-10-15T00:14:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0014\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"191\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"51\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"333\",\"CPUUsage\":\"13\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"1\"}}}" + }, + "host": { + "cpu": { + "usage": 0.13 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0014" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:15:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 1, + "drive_free_space_in_gb": 21, + 
"drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:15:00Z", + "max_execution_time": 106, + "max_parallel_tasks": 20, + "max_queue_time": 23, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:15:00", + "transaction_count": 316, + "version": "11.7.0015" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:15:00\",\"IsoTimestamp\":\"2024-10-15T00:15:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0015\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"106\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"23\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"316\",\"CPUUsage\":\"1\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.01 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0015" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:16:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 9, + "average_queue_time": 0, + "cpu_usage": 5, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:16:00Z", + "max_execution_time": 138, + "max_parallel_tasks": 20, + "max_queue_time": 6, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:16:00", + "transaction_count": 302, + "version": "11.7.0016" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": 
"{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:16:00\",\"IsoTimestamp\":\"2024-10-15T00:16:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0016\",\"AverageExecutionTime\":\"9\",\"MaxExecutionTime\":\"138\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"6\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"302\",\"CPUUsage\":\"5\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.05 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0016" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:17:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 14, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:17:00Z", + "max_execution_time": 199, + "max_parallel_tasks": 20, + "max_queue_time": 10, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:17:00", + "transaction_count": 315, + "version": "11.7.0017" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 
00:17:00\",\"IsoTimestamp\":\"2024-10-15T00:17:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0017\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"199\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"10\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"315\",\"CPUUsage\":\"14\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.14 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0017" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:18:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 3, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:18:00Z", + "max_execution_time": 122, + "max_parallel_tasks": 20, + "max_queue_time": 33, + "memory_usage": 64, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:18:00", + "transaction_count": 300, + "version": "11.7.0018" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:18:00\",\"IsoTimestamp\":\"2024-10-15T00:18:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0018\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"122\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"33\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"300\",\"CPUUsage\":\"3\",\"MemoryUsage\":\"64\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + 
"host": { + "cpu": { + "usage": 0.03 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0018" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:19:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 2, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:19:00Z", + "max_execution_time": 118, + "max_parallel_tasks": 20, + "max_queue_time": 59, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:19:00", + "transaction_count": 117, + "version": "11.7.0019" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:19:00\",\"IsoTimestamp\":\"2024-10-15T00:19:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0019\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"118\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"59\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"117\",\"CPUUsage\":\"2\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.02 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0019" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:20:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 12, + "average_queue_time": 2, + "cpu_usage": 14, + "drive_free_space_in_gb": 21, + 
"drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:20:00Z", + "max_execution_time": 198, + "max_parallel_tasks": 20, + "max_queue_time": 69, + "memory_usage": 64, + "number_of_parallel_tasks": 0, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:20:00", + "transaction_count": 307, + "version": "11.7.0020" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:20:00\",\"IsoTimestamp\":\"2024-10-15T00:20:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0020\",\"AverageExecutionTime\":\"12\",\"MaxExecutionTime\":\"198\",\"AverageQueueTime\":\"2\",\"MaxQueueTime\":\"69\",\"NumberOfParallelTasks\":\"0\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"307\",\"CPUUsage\":\"14\",\"MemoryUsage\":\"64\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.14 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0020" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:21:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 6, + "drive_free_space_in_gb": 21, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:21:00Z", + "max_execution_time": 143, + "max_parallel_tasks": 20, + "max_queue_time": 57, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:21:00", + "transaction_count": 316, + "version": "11.7.0021" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": 
"{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:21:00\",\"IsoTimestamp\":\"2024-10-15T00:21:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0021\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"143\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"57\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"316\",\"CPUUsage\":\"6\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"21\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.06 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0021" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:22:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 0, + "drive_free_space_in_gb": 20, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:22:00Z", + "max_execution_time": 103, + "max_parallel_tasks": 20, + "max_queue_time": 30, + "memory_usage": 62, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 2, + "timestamp": "Oct 15 00:22:00", + "transaction_count": 302, + "version": "11.7.0022" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 
00:22:00\",\"IsoTimestamp\":\"2024-10-15T00:22:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0022\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"103\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"30\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"302\",\"CPUUsage\":\"0\",\"MemoryUsage\":\"62\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"2\"}}}" + }, + "host": { + "cpu": { + "usage": 0.0 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0022" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:23:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 11, + "average_queue_time": 1, + "cpu_usage": 13, + "drive_free_space_in_gb": 20, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:23:00Z", + "max_execution_time": 187, + "max_parallel_tasks": 20, + "max_queue_time": 8, + "memory_usage": 62, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:23:00", + "transaction_count": 315, + "version": "11.7.0023" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:23:00\",\"IsoTimestamp\":\"2024-10-15T00:23:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0023\",\"AverageExecutionTime\":\"11\",\"MaxExecutionTime\":\"187\",\"AverageQueueTime\":\"1\",\"MaxQueueTime\":\"8\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"315\",\"CPUUsage\":\"13\",\"MemoryUsage\":\"62\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + 
"host": { + "cpu": { + "usage": 0.13 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0023" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:24:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 9, + "drive_free_space_in_gb": 20, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:24:00Z", + "max_execution_time": 165, + "max_parallel_tasks": 20, + "max_queue_time": 7, + "memory_usage": 61, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:24:00", + "transaction_count": 300, + "version": "11.7.0024" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:24:00\",\"IsoTimestamp\":\"2024-10-15T00:24:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0024\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"165\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"7\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"300\",\"CPUUsage\":\"9\",\"MemoryUsage\":\"61\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.09 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0024" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:25:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 0, + "drive_free_space_in_gb": 20, + 
"drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:25:00Z", + "max_execution_time": 98, + "max_parallel_tasks": 20, + "max_queue_time": 27, + "memory_usage": 62, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:25:00", + "transaction_count": 117, + "version": "11.7.0025" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:25:00\",\"IsoTimestamp\":\"2024-10-15T00:25:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0025\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"98\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"27\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"117\",\"CPUUsage\":\"0\",\"MemoryUsage\":\"62\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.0 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0025" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:26:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 14, + "average_queue_time": 4, + "cpu_usage": 10, + "drive_free_space_in_gb": 20, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:26:00Z", + "max_execution_time": 170, + "max_parallel_tasks": 20, + "max_queue_time": 54, + "memory_usage": 60, + "number_of_parallel_tasks": 0, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:26:00", + "transaction_count": 307, + "version": "11.7.0026" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": 
"{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:26:00\",\"IsoTimestamp\":\"2024-10-15T00:26:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0026\",\"AverageExecutionTime\":\"14\",\"MaxExecutionTime\":\"170\",\"AverageQueueTime\":\"4\",\"MaxQueueTime\":\"54\",\"NumberOfParallelTasks\":\"0\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"307\",\"CPUUsage\":\"10\",\"MemoryUsage\":\"60\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.1 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0026" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:27:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 12, + "drive_free_space_in_gb": 20, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:27:00Z", + "max_execution_time": 184, + "max_parallel_tasks": 20, + "max_queue_time": 102, + "memory_usage": 60, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 1, + "timestamp": "Oct 15 00:27:00", + "transaction_count": 316, + "version": "11.7.0027" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 
00:27:00\",\"IsoTimestamp\":\"2024-10-15T00:27:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0027\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"184\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"102\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"316\",\"CPUUsage\":\"12\",\"MemoryUsage\":\"60\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"1\"}}}" + }, + "host": { + "cpu": { + "usage": 0.12 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0027" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:28:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 11, + "average_queue_time": 1, + "cpu_usage": 0, + "drive_free_space_in_gb": 20, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:28:00Z", + "max_execution_time": 101, + "max_parallel_tasks": 20, + "max_queue_time": 62, + "memory_usage": 63, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:28:00", + "transaction_count": 302, + "version": "11.7.0028" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:28:00\",\"IsoTimestamp\":\"2024-10-15T00:28:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0028\",\"AverageExecutionTime\":\"11\",\"MaxExecutionTime\":\"101\",\"AverageQueueTime\":\"1\",\"MaxQueueTime\":\"62\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"302\",\"CPUUsage\":\"0\",\"MemoryUsage\":\"63\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, 
+ "host": { + "cpu": { + "usage": 0.0 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0028" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + }, + { + "@timestamp": "2024-10-15T00:29:00.000Z", + "cyberarkpas": { + "monitor": { + "average_execution_time": 10, + "average_queue_time": 0, + "cpu_usage": 7, + "drive_free_space_in_gb": 20, + "drive_total_space_in_gb": 40, + "iso_timestamp": "2024-10-15T00:29:00Z", + "max_execution_time": 148, + "max_parallel_tasks": 20, + "max_queue_time": 37, + "memory_usage": 62, + "number_of_parallel_tasks": 1, + "syslog_queue_size": 0, + "timestamp": "Oct 15 00:29:00", + "transaction_count": 315, + "version": "11.7.0029" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "metric", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:29:00\",\"IsoTimestamp\":\"2024-10-15T00:29:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0029\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"148\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"37\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"315\",\"CPUUsage\":\"7\",\"MemoryUsage\":\"62\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}" + }, + "host": { + "cpu": { + "usage": 0.07 + }, + "name": "VAULT" + }, + "observer": { + "hostname": "VAULT", + "product": "VaultMonitor", + "vendor": "Cyber-Ark", + "version": "11.7.0029" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..fbae1d65041
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,276 @@ +--- +description: Pipeline for CyberArk PAS monitor +processors: + # + # Set ECS version. + # + - set: + tag: set_ecs_version + field: ecs.version + value: '8.11.0' + # + # Set event.original from message, unless reindexing. + # + - rename: + tag: rename_message + field: message + target_field: event.original + if: ctx.event?.original == null + ignore_missing: true + + - json: + tag: json_event_original + field: event.original + target_field: _tmp.json + on_failure: + - fail: + message: "malformed JSON event: {{{_ingest.on_failure_message}}}" + + - rename: + tag: rename_tmp_json_syslog_monitor_record + field: _tmp.json.syslog.monitor_record + target_field: cyberarkpas.monitor + on_failure: + - fail: + message: "unexpected event structure: {{{_ingest.on_failure_message}}}" + + # + # Remove all empty fields + # + - script: + tag: script_removes_empty_monitor_fields + lang: painless + description: 'Removes empty monitor fields' + source: >- + ctx.cyberarkpas.monitor.entrySet().removeIf(entry -> entry.getValue() == ""); + + - rename: + tag: rename_tmp_json_raw + field: _tmp.json.raw + target_field: cyberarkpas.monitor.raw + ignore_missing: true + + - date: + tag: date_cyberarkpas_monitor_isotimestamp + field: cyberarkpas.monitor.IsoTimestamp + target_field: '@timestamp' + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: "failed to parse ISO timestamp field: {{{cyberarkpas.monitor.IsoTimestamp}}}: {{{_ingest.on_failure_message}}}" + + # + # Convert field names from CamelCase to snake_case. 
+ # + - script: + tag: script_converts_monitor_fields_names_from_camelcase_to_snake_case + lang: painless + description: "Converts monitor field's names from CamelCase to snake_case" + source: > + String to_snake_case(String s) { + /* faster code path for strings that won't need an underscore */ + if (s.chars().skip(1).noneMatch(Character::isUpperCase)) { + return s.toLowerCase(); + } + int run = 0; + boolean first = true; + StringBuilder result = new StringBuilder(); + for (char c : s.toCharArray()) { + char o = Character.toLowerCase(c); + if (c != o) { + if (run == 0 && !first) { + result.append('_'); + } + run ++; + } else { + if (run > 1) { + char prev = result.charAt(result.length()-1); + result.setCharAt(result.length()-1, (char)'_'); + result.append(prev); + } + run = 0; + first = false; + } + result.append(o); + } + return result.toString(); + } + def keys_to_snake_case_recursive(Map object) { + return object.entrySet().stream().collect( + Collectors.toMap( + e -> to_snake_case(e.getKey()), + e -> e.getValue() instanceof Map ? keys_to_snake_case_recursive(e.getValue()) : e.getValue() + ) + ); + } + ctx.cyberarkpas.monitor = keys_to_snake_case_recursive(ctx.cyberarkpas.monitor); + + ######################################################## + # All processors from this point use the snake_case form + # to access CyberArk fields. 
+ ######################################################## + + # + # Parse integers + # + - convert: + tag: convert_cyberarkpas_monitor_average_execution_time + field: cyberarkpas.monitor.average_execution_time + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_max_execution_time + field: cyberarkpas.monitor.max_execution_time + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_average_queue_time + field: cyberarkpas.monitor.average_queue_time + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_max_queue_time + field: cyberarkpas.monitor.max_queue_time + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_number_of_parallel_tasks + field: cyberarkpas.monitor.number_of_parallel_tasks + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_max_parallel_tasks + field: cyberarkpas.monitor.max_parallel_tasks + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_transaction_count + field: cyberarkpas.monitor.transaction_count + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_cpu_usage + field: cyberarkpas.monitor.cpu_usage + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_memory_usage + field: cyberarkpas.monitor.memory_usage + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_drive_free_space_in_gb + field: cyberarkpas.monitor.drive_free_space_in_gb + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_drive_total_space_in_gb + field: cyberarkpas.monitor.drive_total_space_in_gb + type: integer + ignore_missing: true + - convert: + tag: convert_cyberarkpas_monitor_syslog_queue_size + field: cyberarkpas.monitor.syslog_queue_size + type: integer + ignore_missing: true + + ######################################################## + # 
ECS enrichment + ######################################################## + + - set: + tag: set_event_kind + field: event.kind + value: metric + + # + # Rewrite the default tag + # + - script: + tag: script_rewrite_the_default_tag + lang: painless + description: 'Rewrite the default tag' + if: ctx.tags instanceof List + source: >- + def i = ctx.tags.indexOf("cyberarkpas-audit"); + if (i != -1) ctx.tags.set(i, "cyberarkpas-monitor"); + + # + # Observer fields + # + - rename: + tag: rename_cyberarkpas_monitor_vendor + field: cyberarkpas.monitor.vendor + target_field: observer.vendor + ignore_missing: true + - rename: + tag: rename_cyberarkpas_monitor_product + field: cyberarkpas.monitor.product + target_field: observer.product + ignore_missing: true + - set: + tag: set_observer_version + field: observer.version + copy_from: cyberarkpas.monitor.version + ignore_empty_value: true + - rename: + tag: rename_cyberarkpas_monitor_hostname + field: cyberarkpas.monitor.hostname + target_field: observer.hostname + ignore_missing: true + + # + # Populate related.hosts + # + - append: + tag: append_related_hosts + field: related.hosts + value: '{{{observer.hostname}}}' + if: ctx.observer?.hostname != null + allow_duplicates: false + + # + # Set host fields, unless already set + # + - script: + tag: script_set_host_cpu_usage + lang: painless + description: 'Set host.cpu.usage' + if: ctx.host?.cpu?.usage == null + source: >- + if (ctx.host == null) ctx.host = [:]; + if (ctx.host.cpu == null) ctx.host.cpu = [:]; + ctx.host.cpu.usage = ctx.cyberarkpas.monitor.cpu_usage/100.0; + - set: + tag: set_host_name + field: host.name + value: '{{{observer.hostname}}}' + ignore_empty_value: true + if: ctx.host?.name == null + + # + # Cleanup + # + - remove: + tag: remove_tmp + field: _tmp + ignore_missing: true + +on_failure: + - set: + tag: set_event_kind_on_failure + field: event.kind + value: pipeline_error + - append: + tag: append_error_message + field: error.message + value: >- + 
Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - remove: + tag: remove_tmp_on_failure + field: _tmp + ignore_missing: true diff --git a/packages/cyberarkpas/data_stream/monitor/fields/base-fields.yml b/packages/cyberarkpas/data_stream/monitor/fields/base-fields.yml new file mode 100644 index 00000000000..3f833eb979a --- /dev/null +++ b/packages/cyberarkpas/data_stream/monitor/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Name of the module this data is coming from. + value: cyberarkpas +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cyberarkpas.monitor +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cyberarkpas/data_stream/monitor/fields/beats.yml b/packages/cyberarkpas/data_stream/monitor/fields/beats.yml new file mode 100644 index 00000000000..582ff946c0d --- /dev/null +++ b/packages/cyberarkpas/data_stream/monitor/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. 
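Review bot: `script_set_host_cpu_usage` reads `ctx.cyberarkpas.monitor.cpu_usage` with no null check, so a record whose `CPUUsage` is absent, or was dropped as an empty string by `script_removes_empty_monitor_fields`, makes the script fail on null arithmetic and routes an otherwise well-formed event to the top-level `on_failure`, where it is marked `pipeline_error`; the `convert` processors above already treat the field as optional with `ignore_missing: true`. Extend the condition to `if: ctx.host?.cpu?.usage == null && ctx.cyberarkpas?.monitor?.cpu_usage != null`. In `script_converts_monitor_fields_names_from_camelcase_to_snake_case`, `Collectors.toMap` is also strict: it throws on a duplicate snake_case key and, as far as I can tell, on a JSON `null` value (only `""` values are removed earlier), so one odd field fails the whole event. If that fail-closed behaviour is intended for a syslog-fed stream, a one-line comment in the script saying so would help the next maintainer; otherwise a plain loop that puts entries into a new map is the more forgiving form.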
diff --git a/packages/cyberarkpas/data_stream/monitor/fields/fields.yml b/packages/cyberarkpas/data_stream/monitor/fields/fields.yml
new file mode 100644
index 00000000000..b3a9f46fe5a
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/monitor/fields/fields.yml
@@ -0,0 +1,53 @@
+- name: cyberarkpas.monitor
+ type: group
+ fields:
+ - name: timestamp
+ type: keyword
+ description: The timestamp, in MMM DD HH:MM:SS format.
+ - name: iso_timestamp
+ type: date
+ description: The timestamp, in ISO timestamp format (RFC 3339).
+ - name: version
+ type: version
+ description: A static value that represents the version of the Vault.
+ - name: average_execution_time
+ type: integer
+ description: The average time it has taken the Vault to complete the execution of a transaction in the last minute, in milliseconds.
+ - name: max_execution_time
+ type: integer
+ description: The maximum time it has taken the Vault to complete the execution of a transaction, in the last minute, in milliseconds.
+ - name: average_queue_time
+ type: integer
+ description: The average time that a transaction waited in the Vault's queue for execution in the last minute, in milliseconds.
+ - name: max_queue_time
+ type: integer
+ description: The maximum time that a transaction waited in the Vault's queue for execution in the last minute, in millisecond.
+ - name: number_of_parallel_tasks
+ type: integer
+ description: Number of Vault transactions that are currently running.
+ - name: max_parallel_tasks
+ type: integer
+ description: The maximum number of Vault transactions that can run concurrently, based on the TasksCount parameter in DBParm.ini.
+ - name: transaction_count
+ type: integer
+ description: Number of Vault transactions in the last minute.
+ - name: cpu_usage
+ type: integer
+ description: Percent of CPU usage on the Vault machine.
+ - name: memory_usage
+ type: integer
+ description: Percent of used physical memory on the Vault machine.
+ - name: drive_free_space_in_gb
+ type: integer
+ description: Number of GB available on the drive of the Vault installation folder.
+ - name: drive_total_space_in_gb
+ type: integer
+ description: Total number of GB on the drive of the Vault installation folder.
+ - name: syslog_queue_size
+ type: integer
+ description: The size of the syslog queue.
+ - name: raw
+ type: keyword
+ description: |
+ Raw XML for the original audit record. Only present when XSLT file has debugging enabled.
+ ignore_above: 4096
diff --git a/packages/cyberarkpas/data_stream/monitor/manifest.yml b/packages/cyberarkpas/data_stream/monitor/manifest.yml
new file mode 100644
index 00000000000..43c4d51627c
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/monitor/manifest.yml
@@ -0,0 +1,3 @@
+type: logs
+title: CyberArk PAS monitor Events
+dataset: cyberarkpas.monitor
diff --git a/packages/cyberarkpas/data_stream/monitor/sample_event.json b/packages/cyberarkpas/data_stream/monitor/sample_event.json
new file mode 100644
index 00000000000..d674eb94432
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/monitor/sample_event.json
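Review bot: The `raw` field's description, `Raw XML for the original audit record. Only present when XSLT file has debugging enabled.`, appears to have been carried over from the audit data stream and names the wrong record; in this data stream the field is populated from the monitor record, so `Raw XML for the original monitor record. Only present when the XSLT file has debugging enabled.` would be accurate. `max_queue_time` also ends with `in millisecond` where its sibling descriptions say `in milliseconds`. The exported-fields table in docs/README.md repeats both strings verbatim, so it looks like it is generated from this file and both fixes belong here rather than in the README.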
@@ -0,0 +1,79 @@ +{ + "@timestamp": "2024-10-15T00:29:00.000Z", + "agent": { + "name": "elastic-agent-85013", + "id": "0a6fa575-a3ed-463b-b47f-9c3e3a07e56f", + "ephemeral_id": "c2d94886-0c83-475b-b25b-7e136a32240d", + "type": "filebeat", + "version": "8.14.3" + }, + "cyberarkpas": { + "monitor": { + "syslog_queue_size": 0, + "iso_timestamp": "2024-10-15T00:29:00Z", + "drive_free_space_in_gb": 20, + "drive_total_space_in_gb": 40, + "max_parallel_tasks": 20, + "transaction_count": 315, + "memory_usage": 62, + "average_queue_time": 0, + "max_execution_time": 148, + "version": "11.7.0029", + "average_execution_time": 10, + "max_queue_time": 37, + "number_of_parallel_tasks": 1, + "cpu_usage": 7, + "timestamp": "Oct 15 00:29:00" + } + }, + "data_stream": { + "namespace": "22830", + "type": "logs", + "dataset": "cyberarkpas.monitor" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "0a6fa575-a3ed-463b-b47f-9c3e3a07e56f", + "version": "8.14.3", + "snapshot": false + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-10-21T07:32:45Z", + "timezone": "+00:00", + "kind": "metric", + "dataset": "cyberarkpas.monitor" + }, + "host": { + "name": "VAULT", + "cpu": { + "usage": 0.07 + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/monitor.log" + }, + "offset": 15547 + }, + "observer": { + "product": "VaultMonitor", + "hostname": "VAULT", + "vendor": "Cyber-Ark", + "version": "11.7.0029" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/docs/README.md b/packages/cyberarkpas/docs/README.md index 201fe1a4caf..f6e494919f5 100644 --- a/packages/cyberarkpas/docs/README.md +++ b/packages/cyberarkpas/docs/README.md 
@@ -1,9 +1,12 @@ # CyberArk Privileged Access Security -The CyberArk Privileged Access Security integration collects audit logs from [CyberArk's Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) server. -## Audit +The CyberArk Privileged Access Security integration collects audit logs and monitoring data from [CyberArk's Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) server. -The `audit` dataset receives Vault Audit logs for User and Safe activities over the syslog protocol. +## Data streams + +The `audit` data stream receives Vault Audit logs for User and Safe activities over the syslog protocol. + +It will also receive **monitoring** data from the server and route it to the `monitor` data stream (e.g. `logs-cyberarkpas.monitor-default`). ### Vault Configuration @@ -16,17 +19,21 @@ the `Server\Syslog` folder. ```ini [SYSLOG] -UseLegacySyslogFormat=No +UseLegacySyslogFormat=no SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl SyslogServerIP= SyslogServerPort= SyslogServerProtocol=TCP +SendMonitoringMessage=yes ``` For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format (`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`. -### Example event +The sample configuration above will include monitoring data. For more information about monitoring, see +[Monitor the Vault in SIEM Applications Using Syslog](https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/monitoring-the-vault-using-syslog.htm). + +### Example audit event An example event for `audit` looks as following: @@ -128,8 +135,6 @@ An example event for `audit` looks as following: **Exported fields** -**Exported fields** - | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | 
@@ -213,3 +218,121 @@ An example event for `audit` looks as following: | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | + +### Example monitor event + +An example event for `monitor` looks as following: + +```json +{ + "@timestamp": "2024-10-15T00:29:00.000Z", + "agent": { + "name": "elastic-agent-85013", + "id": "0a6fa575-a3ed-463b-b47f-9c3e3a07e56f", + "ephemeral_id": "c2d94886-0c83-475b-b25b-7e136a32240d", + "type": "filebeat", + "version": "8.14.3" + }, + "cyberarkpas": { + "monitor": { + "syslog_queue_size": 0, + "iso_timestamp": "2024-10-15T00:29:00Z", + "drive_free_space_in_gb": 20, + "drive_total_space_in_gb": 40, + "max_parallel_tasks": 20, + "transaction_count": 315, + "memory_usage": 62, + "average_queue_time": 0, + "max_execution_time": 148, + "version": "11.7.0029", + "average_execution_time": 10, + "max_queue_time": 37, + "number_of_parallel_tasks": 1, + "cpu_usage": 7, + "timestamp": "Oct 15 00:29:00" + } + }, + "data_stream": { + "namespace": "22830", + "type": "logs", + "dataset": "cyberarkpas.monitor" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "0a6fa575-a3ed-463b-b47f-9c3e3a07e56f", + "version": "8.14.3", + "snapshot": false + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-10-21T07:32:45Z", + "timezone": "+00:00", + "kind": "metric", + "dataset": "cyberarkpas.monitor" + }, + "host": { + "name": "VAULT", + "cpu": { + "usage": 0.07 + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/monitor.log" + }, + "offset": 15547 + }, + "observer": { + "product": "VaultMonitor", + "hostname": "VAULT", + "vendor": "Cyber-Ark", + "version": "11.7.0029" + }, + "related": { + "hosts": [ + "VAULT" + ] + }, + "tags": [ + "forwarded", + "cyberarkpas-monitor" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event 
timestamp. | date | +| cyberarkpas.monitor.average_execution_time | The average time it has taken the Vault to complete the execution of a transaction in the last minute, in milliseconds. | integer | +| cyberarkpas.monitor.average_queue_time | The average time that a transaction waited in the Vault's queue for execution in the last minute, in milliseconds. | integer | +| cyberarkpas.monitor.cpu_usage | Percent of CPU usage on the Vault machine. | integer | +| cyberarkpas.monitor.drive_free_space_in_gb | Number of GB available on the drive of the Vault installation folder. | integer | +| cyberarkpas.monitor.drive_total_space_in_gb | Total number of GB on the drive of the Vault installation folder. | integer | +| cyberarkpas.monitor.iso_timestamp | The timestamp, in ISO timestamp format (RFC 3339). | date | +| cyberarkpas.monitor.max_execution_time | The maximum time it has taken the Vault to complete the execution of a transaction, in the last minute, in milliseconds. | integer | +| cyberarkpas.monitor.max_parallel_tasks | The maximum number of Vault transactions that can run concurrently, based on the TasksCount parameter in DBParm.ini. | integer | +| cyberarkpas.monitor.max_queue_time | The maximum time that a transaction waited in the Vault's queue for execution in the last minute, in millisecond. | integer | +| cyberarkpas.monitor.memory_usage | Percent of used physical memory on the Vault machine. | integer | +| cyberarkpas.monitor.number_of_parallel_tasks | Number of Vault transactions that are currently running. | integer | +| cyberarkpas.monitor.raw | Raw XML for the original audit record. Only present when XSLT file has debugging enabled. | keyword | +| cyberarkpas.monitor.syslog_queue_size | The size of the syslog queue. | integer | +| cyberarkpas.monitor.timestamp | The timestamp, in MMM DD HH:MM:SS format. | keyword | +| cyberarkpas.monitor.transaction_count | Number of Vault transactions in the last minute. 
| integer | +| cyberarkpas.monitor.version | A static value that represents the version of the Vault. | version | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Name of the module this data is coming from. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | + diff --git a/packages/cyberarkpas/img/monitoring.png b/packages/cyberarkpas/img/monitoring.png new file mode 100644 index 00000000000..fc972f1e1b2 Binary files /dev/null and b/packages/cyberarkpas/img/monitoring.png differ diff --git a/packages/cyberarkpas/kibana/dashboard/cyberarkpas-1c083996-84f6-472f-a818-4ad5060efc81.json b/packages/cyberarkpas/kibana/dashboard/cyberarkpas-1c083996-84f6-472f-a818-4ad5060efc81.json new file mode 100644 index 00000000000..983004aaf32 --- /dev/null +++ b/packages/cyberarkpas/kibana/dashboard/cyberarkpas-1c083996-84f6-472f-a818-4ad5060efc81.json 
@@ -0,0 +1,1965 @@ +{ + "attributes": { + "description": "Monitoring data from CyberArk PAS.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**CyberArk PAS Monitoring**\n\nPerformance and resource usage statistics from the Vault application. \nFor PAS audit data, see the [[Logs CyberArk PAS] Overview](#/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6) dashboard.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "7460163e-e9fc-4613-8a77-a778b46267e2", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "7460163e-e9fc-4613-8a77-a778b46267e2", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Percent of used physical memory on the Vault machine.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "columns": { + "0122f82f-1c65-47c9-9d93-c7633abef4d5": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": 
"\"cyberarkpas.monitor.syslog_queue_size\": *" + }, + "isBucketed": false, + "label": "Average", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.syslog_queue_size" + }, + "cfb24880-96b1-462a-a86c-ddfbcf3edbda": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Time", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + 
"xAccessor": "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "yConfig": [ + { + "color": "#54b399", + "forAccessor": "0122f82f-1c65-47c9-9d93-c7633abef4d5" + } + ] + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": true, + "isVisible": false, + "position": "bottom", + "showSingleSeries": false, + "verticalAlignment": "bottom" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "yTitle": "Queue Size" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The size of the syslog queue.", + "enhancements": {} + }, + "gridData": { + "h": 5, + "i": "e84df042-b589-4ee9-b3df-8ff9eaa87795", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "e84df042-b589-4ee9-b3df-8ff9eaa87795", + "title": "Syslog Queue Size", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Percent of used physical memory on the Vault machine.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "87e32354-2170-4e0f-b380-b7ae49548675", + "0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "columns": { + "0122f82f-1c65-47c9-9d93-c7633abef4d5": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.average_execution_time\": *" + }, + "isBucketed": false, + "label": "Average", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.average_execution_time" + }, + "87e32354-2170-4e0f-b380-b7ae49548675": { + "customLabel": true, + "dataType": 
"number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.max_execution_time\": *" + }, + "isBucketed": false, + "label": "Maximum", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.max_execution_time" + }, + "cfb24880-96b1-462a-a86c-ddfbcf3edbda": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Time", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "87e32354-2170-4e0f-b380-b7ae49548675", + "0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", 
+ "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "yConfig": [ + { + "color": "#6092c0", + "forAccessor": "87e32354-2170-4e0f-b380-b7ae49548675" + }, + { + "color": "#54b399", + "forAccessor": "0122f82f-1c65-47c9-9d93-c7633abef4d5" + } + ] + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": true, + "isVisible": false, + "position": "bottom", + "showSingleSeries": false, + "verticalAlignment": "bottom" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "yTitle": "Execution Time (ms)" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The maximum and average time it has taken the Vault to complete the execution of a transaction, in the last minute, in milliseconds.", + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "832f4af4-271f-42a4-b450-0c0f8bc3aeef", + "w": 12, + "x": 0, + "y": 5 + }, + "panelIndex": "832f4af4-271f-42a4-b450-0c0f8bc3aeef", + "title": "Execution Time (Average vs Max, ms)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Percent of used physical memory on the Vault machine.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "87e32354-2170-4e0f-b380-b7ae49548675", + "0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "columns": { + "0122f82f-1c65-47c9-9d93-c7633abef4d5": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": 
"\"cyberarkpas.monitor.average_queue_time\": *" + }, + "isBucketed": false, + "label": "Average", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.average_queue_time" + }, + "87e32354-2170-4e0f-b380-b7ae49548675": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.max_queue_time\": *" + }, + "isBucketed": false, + "label": "Maximum", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.max_queue_time" + }, + "cfb24880-96b1-462a-a86c-ddfbcf3edbda": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Time", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "87e32354-2170-4e0f-b380-b7ae49548675", + 
"0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "yConfig": [ + { + "color": "#6092c0", + "forAccessor": "87e32354-2170-4e0f-b380-b7ae49548675" + }, + { + "color": "#54b399", + "forAccessor": "0122f82f-1c65-47c9-9d93-c7633abef4d5" + } + ] + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": true, + "isVisible": false, + "position": "bottom", + "showSingleSeries": false, + "verticalAlignment": "bottom" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "yTitle": "Queue Time (ms)" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The maximum and average time that a transaction waited in the Vault's queue for execution in the last minute, in milliseconds.", + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "509a034f-fa72-46f5-baf8-8cfbb379ea93", + "w": 12, + "x": 12, + "y": 5 + }, + "panelIndex": "509a034f-fa72-46f5-baf8-8cfbb379ea93", + "title": "Queue Time (Average vs Max, ms)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Percent of used physical memory on the Vault machine.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": 
{ + "columnOrder": [ + "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "87e32354-2170-4e0f-b380-b7ae49548675", + "0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "columns": { + "0122f82f-1c65-47c9-9d93-c7633abef4d5": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.number_of_parallel_tasks\": *" + }, + "isBucketed": false, + "label": "Average", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.number_of_parallel_tasks" + }, + "87e32354-2170-4e0f-b380-b7ae49548675": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.max_parallel_tasks\": *" + }, + "isBucketed": false, + "label": "Maximum", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.max_parallel_tasks" + }, + "cfb24880-96b1-462a-a86c-ddfbcf3edbda": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Time", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, 
+ "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "87e32354-2170-4e0f-b380-b7ae49548675", + "0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "yConfig": [ + { + "color": "#6092c0", + "forAccessor": "87e32354-2170-4e0f-b380-b7ae49548675" + }, + { + "color": "#54b399", + "forAccessor": "0122f82f-1c65-47c9-9d93-c7633abef4d5" + } + ] + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": true, + "isVisible": false, + "position": "bottom", + "showSingleSeries": false, + "verticalAlignment": "bottom" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "yTitle": "Parallel Tasks" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Number of Vault transactions that are currently running, and the maximum configured via the TasksCount parameter.", + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "a484e3cf-b085-4eb3-a948-9b6c525431d2", + "w": 12, + "x": 24, + "y": 5 + }, + "panelIndex": "a484e3cf-b085-4eb3-a948-9b6c525431d2", + "title": "Parallel Tasks (Current vs Max)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Percent of used physical memory on the Vault machine.", + "references": [ + { + "id": "logs-*", + 
"name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "columns": { + "0122f82f-1c65-47c9-9d93-c7633abef4d5": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.transaction_count\": *" + }, + "isBucketed": false, + "label": "Average", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.transaction_count" + }, + "cfb24880-96b1-462a-a86c-ddfbcf3edbda": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Time", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + 
"endValue": "Nearest", + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "0122f82f-1c65-47c9-9d93-c7633abef4d5" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "yConfig": [ + { + "color": "#54b399", + "forAccessor": "0122f82f-1c65-47c9-9d93-c7633abef4d5" + } + ] + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": true, + "isVisible": false, + "position": "bottom", + "showSingleSeries": false, + "verticalAlignment": "bottom" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "yTitle": "Transactions" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Number of Vault transactions in the last minute.", + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "53040586-54a3-47e6-b8fe-af231c5bce9e", + "w": 12, + "x": 36, + "y": 5 + }, + "panelIndex": "53040586-54a3-47e6-b8fe-af231c5bce9e", + "title": "Transaction Count", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Percent of CPU usage on the Vault machine.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + ], + "columns": { + 
"0fcb1edb-48a5-4342-83d7-f273dbf52e02": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.cpu_usage\": *" + }, + "isBucketed": false, + "label": " ", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "compact": false, + "decimals": 0, + "suffix": " %" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.cpu_usage" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "0fcb1edb-48a5-4342-83d7-f273dbf52e02", + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "description": "Percent of CPU usage on the Vault machine.", + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "cc1bc152-4275-4280-8fb4-f74d18a25953", + "w": 16, + "x": 0, + "y": 17 + }, + "panelIndex": "cc1bc152-4275-4280-8fb4-f74d18a25953", + "title": "CPU Usage (Last)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Percent of CPU usage on the Vault machine.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + 
"state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + ], + "columns": { + "0fcb1edb-48a5-4342-83d7-f273dbf52e02": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.memory_usage\": *" + }, + "isBucketed": false, + "label": " ", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "compact": false, + "decimals": 0, + "suffix": " %" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.memory_usage" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "0fcb1edb-48a5-4342-83d7-f273dbf52e02", + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "description": "Percent of used physical memory on the Vault machine.", + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "25d902a2-fc52-4180-a8a2-10d068503a1a", + "w": 16, + "x": 16, + "y": 17 + }, + "panelIndex": "25d902a2-fc52-4180-a8a2-10d068503a1a", + "title": "Memory Usage (Last)", + "type": 
"lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Percent of CPU usage on the Vault machine.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + ], + "columns": { + "0fcb1edb-48a5-4342-83d7-f273dbf52e02": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.drive_free_space_in_gb\": *" + }, + "isBucketed": false, + "label": " ", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "compact": false, + "decimals": 0, + "suffix": " GB" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.drive_free_space_in_gb" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "0fcb1edb-48a5-4342-83d7-f273dbf52e02", + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + 
"description": "Percent of used physical memory on the Vault machine.", + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "759f216f-a69f-411b-bfd0-b80bf4df48ef", + "w": 16, + "x": 32, + "y": 17 + }, + "panelIndex": "759f216f-a69f-411b-bfd0-b80bf4df48ef", + "title": "Disk Space Free (Last)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + ], + "columns": { + "0fcb1edb-48a5-4342-83d7-f273dbf52e02": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.cpu_usage\": *" + }, + "isBucketed": false, + "label": "CPU Usage (%)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.cpu_usage" + }, + "cfb24880-96b1-462a-a86c-ddfbcf3edbda": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Time", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": 
"cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "yConfig": [ + { + "axisMode": "auto", + "forAccessor": "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Percent of CPU usage on the Vault machine.", + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "1d64da78-4a54-4f44-845c-387062f6aef4", + "w": 16, + "x": 0, + "y": 21 + }, + "panelIndex": "1d64da78-4a54-4f44-845c-387062f6aef4", + "title": "CPU Usage (%)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + 
"layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + ], + "columns": { + "0fcb1edb-48a5-4342-83d7-f273dbf52e02": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.memory_usage\": *" + }, + "isBucketed": false, + "label": "Memory Usage (%)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.memory_usage" + }, + "cfb24880-96b1-462a-a86c-ddfbcf3edbda": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Time", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": 
"eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "yConfig": [ + { + "axisMode": "auto", + "forAccessor": "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Percent of used physical memory on the Vault machine.", + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "3d6ec074-8d18-4544-b572-6405d01b7cee", + "w": 16, + "x": 16, + "y": 21 + }, + "panelIndex": "3d6ec074-8d18-4544-b572-6405d01b7cee", + "title": "Memory Usage (%)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Percent of used physical memory on the Vault machine.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7ced0369-1bbd-46ec-9a35-e6f4cee16397": { + "columnOrder": [ + "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "0fcb1edb-48a5-4342-83d7-f273dbf52e02", + "395f62cf-4f8f-44a0-802f-a8af7be49214" + ], + "columns": { + "0fcb1edb-48a5-4342-83d7-f273dbf52e02": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.drive_total_space_in_gb\": *" + }, + "isBucketed": false, + "label": "Total", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": 
"ratio", + "sourceField": "cyberarkpas.monitor.drive_total_space_in_gb" + }, + "395f62cf-4f8f-44a0-802f-a8af7be49214": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"cyberarkpas.monitor.drive_free_space_in_gb\": *" + }, + "isBucketed": false, + "label": "Free", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "cyberarkpas.monitor.drive_free_space_in_gb" + }, + "cfb24880-96b1-462a-a86c-ddfbcf3edbda": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Time", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "35e33553-a087-4ff7-8b47-ef12af692d8c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cyberarkpas.monitor" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "0fcb1edb-48a5-4342-83d7-f273dbf52e02", + "395f62cf-4f8f-44a0-802f-a8af7be49214" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + 
"specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "cfb24880-96b1-462a-a86c-ddfbcf3edbda", + "yConfig": [ + { + "axisMode": "auto", + "color": "#b7b7b7", + "forAccessor": "0fcb1edb-48a5-4342-83d7-f273dbf52e02" + }, + { + "color": "#54b399", + "forAccessor": "395f62cf-4f8f-44a0-802f-a8af7be49214" + } + ] + } + ], + "legend": { + "isInside": true, + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "area", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide", + "yTitle": "Storage Space (GB)" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Number of GB total vs available, on the drive of the Vault installation folder.", + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "ee37b252-2ae6-4833-a2e2-c27d918b5562", + "w": 16, + "x": 32, + "y": 21 + }, + "panelIndex": "ee37b252-2ae6-4833-a2e2-c27d918b5562", + "title": "Disk Space Utilization (Free vs Total, GB)", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs CyberArk PAS] Monitoring", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-10-21T07:43:41.449Z", + "id": "cyberarkpas-1c083996-84f6-472f-a818-4ad5060efc81", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "e84df042-b589-4ee9-b3df-8ff9eaa87795:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "832f4af4-271f-42a4-b450-0c0f8bc3aeef:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "509a034f-fa72-46f5-baf8-8cfbb379ea93:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a484e3cf-b085-4eb3-a948-9b6c525431d2:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "53040586-54a3-47e6-b8fe-af231c5bce9e:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cc1bc152-4275-4280-8fb4-f74d18a25953:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "25d902a2-fc52-4180-a8a2-10d068503a1a:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "759f216f-a69f-411b-bfd0-b80bf4df48ef:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1d64da78-4a54-4f44-845c-387062f6aef4:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3d6ec074-8d18-4544-b572-6405d01b7cee:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ee37b252-2ae6-4833-a2e2-c27d918b5562:indexpattern-datasource-layer-7ced0369-1bbd-46ec-9a35-e6f4cee16397", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0" +} \ No newline at end of file diff --git a/packages/cyberarkpas/manifest.yml b/packages/cyberarkpas/manifest.yml index 7df4e044449..be3472217de 100644 --- a/packages/cyberarkpas/manifest.yml +++ b/packages/cyberarkpas/manifest.yml 
@@ -1,32 +1,36 @@
 name: cyberarkpas
 title: CyberArk Privileged Access Security
-version: "2.23.0"
+version: "2.24.0"
 description: Collect logs from CyberArk Privileged Access Security with Elastic Agent.
 type: integration
 format_version: "3.0.3"
 categories: ["security", "iam"]
 conditions:
 kibana:
- version: "^8.13.0"
+ version: "^8.14.0"
 screenshots:
 - src: /img/filebeat-cyberarkpas-overview.png
 title: filebeat cyberarkpas overview
 size: 1792x2496
 type: image/png
+ - src: /img/monitoring.png
+ title: cyberarkpas monitoring
+ size: 1280x1323
+ type: image/png
 policy_templates:
 - name: cyberarkpas
 title: CyberArk Privileged Access Security audit logs
- description: Collect logs from Vault instances
+ description: Collect data from Vault instances
 inputs:
 - type: tcp
- title: 'Collect Vault audit logs via TCP'
- description: 'Collecting Vault audit logs from CyberArk PAS via TCP'
+ title: 'Collect Vault data via TCP'
+ description: 'Collecting Vault data from CyberArk PAS via TCP'
 - type: udp
- title: 'Collect Vault audit logs via UDP'
- description: 'Collecting Vault audit logs from CyberArk PAS via UDP'
+ title: 'Collect Vault data via UDP'
+ description: 'Collecting Vault data from CyberArk PAS via UDP'
 - type: logfile
- title: 'Collect Vault audit logs via file'
- description: 'Collecting Vault audit logs from CyberArk PAS via file'
+ title: 'Collect Vault data via file'
+ description: 'Collecting Vault data from CyberArk PAS via file'
 icons:
 - src: /img/logo.svg
 title: CyberArk logo
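Review bot: The policy template `title: CyberArk Privileged Access Security audit logs` is left unchanged while its `description` and every input title/description in the same hunk were generalized from "audit logs" to "data" for the new monitor stream, so the Fleet UI will show a template titled "audit logs" whose inputs say "Collect Vault data". For consistency change it to `title: CyberArk Privileged Access Security logs` (or "data", matching the inputs). The Kibana constraint bump from `^8.13.0` to `^8.14.0` is presumably required by the new monitoring dashboard; since it drops support for 8.13 stacks on upgrade, it is worth stating that reason explicitly in the changelog entry for 2.24.0.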