From 5b07955c8ec738c6b87ad8eff814fcfe7ce9211b Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Fri, 29 Oct 2021 09:45:19 +0200 Subject: [PATCH] Filebeat sophos/utm: Support logs with hostname in syslog header (#28638) Updates the sophos/utm datastream to support logs that include a hostname in their syslog header. --- CHANGELOG.next.asciidoc | 1 + .../module/sophos/utm/config/pipeline.js | 4 +- .../module/sophos/utm/test/generated.log | 4 +- .../utm/test/generated.log-expected.json | 216 ++++++++++-------- 4 files changed, 120 insertions(+), 105 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 65af2f2bfb4..fed51244c29 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -787,6 +787,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro - Added proxy support to threatintel/malwarebazaar. {pull}28533[28533] - Add `text/csv` decoder to `httpjson` input {pull}28564[28564] - Update `aws-s3` input to connect to non AWS S3 buckets {issue}28222[28222] {pull}28234[28234] +- Sophos UTM: Support logs containing hostname in syslog header. {pull}28638[28638] *Heartbeat* diff --git a/x-pack/filebeat/module/sophos/utm/config/pipeline.js b/x-pack/filebeat/module/sophos/utm/config/pipeline.js index 47802f0ee26..bc98b46c817 100644 --- a/x-pack/filebeat/module/sophos/utm/config/pipeline.js +++ b/x-pack/filebeat/module/sophos/utm/config/pipeline.js 
@@ -169,11 +169,11 @@ var dup46 = lookup({ key: dup15, }); -var hdr1 = match("HEADER#0:0001", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hfld1->} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0001"), ])); -var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0002"), ])); diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log b/x-pack/filebeat/module/sophos/utm/test/generated.log index 65a20d4f428..cb9fa97790b 100644 --- a/x-pack/filebeat/module/sophos/utm/test/generated.log +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log 
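Review bot: The swapped `hdr1`/`hdr2` patterns make the header parse order-dependent — the `%{hostname->}` form is now tried first and the hostname-less form is the fallback — but nothing on these lines records that, and the `header_id` values `0001`/`0002` now label the opposite shapes from before, so anything downstream keyed on `header_id` would silently change meaning (worth confirming nothing consumes it). I would add above `hdr1`: `// Header variants are tried in order: the variant carrying a syslog hostname must come first, since the hostname-less pattern would presumably otherwise absorb the hostname token — confirm against the parser semantics.` Note also that, per the expected output in generated.log-expected.json, the captured header hostname is promoted to `host.name`, `related.hosts` and `rsa.network.alias_host`, so these fields now carry the sender-supplied header token verbatim rather than anything the collector observed; a short comment on `hdr1` saying `hostname` is taken as-is from the header would help analysts who use this dataset for host attribution. If pipeline.js is generated from the module's parser definitions, the comment belongs in that source rather than in this file.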
@@ -1,9 +1,9 @@ -2016:1:29-06:09:59 smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled' +2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled' 2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu 2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin 2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin 
srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq 2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations -2016:4:9-17:22:51 smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled' +2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled' 2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff 2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port! 2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json index 4be7d9e7113..59328342544 100644 --- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json 
@@ -4,16 +4,23 @@ "event.code": "smtpd", "event.dataset": "sophos.utm", "event.module": "sophos", - "event.original": "2016:1:29-06:09:59 smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'", + "event.original": "2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'", "fileset.name": "utm", + "host.name": "localhost.localdomain", "input.type": "log", "log.offset": 0, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 905, + "related.hosts": [ + "localhost.localdomain" + ], "rsa.internal.event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", "rsa.internal.messageid": "smtpd", + "rsa.network.alias_host": [ + "localhost.localdomain" + ], "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "sophos", "tags": [ @@ -43,7 +50,7 @@ "http.request.referrer": "https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac", "input.type": "log", "log.level": "medium", - "log.offset": 99, + "log.offset": 121, "observer.egress.interface.name": "enp0s7084", "observer.ingress.interface.name": "enp0s7281", "observer.product": "UTM", @@ -123,7 +130,7 @@ "http.request.referrer": "https://api.example.com/utla/utei.htm?oei=tlabori#oin", "input.type": "log", "log.level": "medium", - "log.offset": 1448, + "log.offset": 1470, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -157,7 +164,7 @@ "host.name": "data4478.api.lan", "input.type": "log", "log.level": "very-high", - "log.offset": 1708, + "log.offset": 1730, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -206,7 +213,7 @@ "host.name": "ctetura3009.www5.corp", "input.type": "log", "log.level": "medium", - "log.offset": 1988, + "log.offset": 2010, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -234,16 +241,23 @@ "event.code": "smtpd", "event.dataset": "sophos.utm", "event.module": "sophos", - "event.original": "2016:4:9-17:22:51 smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", + "event.original": "2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", "fileset.name": "utm", + "host.name": "localhost", "input.type": "log", - "log.offset": 2125, + "log.offset": 2147, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1411, + "related.hosts": [ + "localhost" + ], "rsa.internal.event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", "rsa.internal.messageid": "smtpd", + "rsa.network.alias_host": [ + "localhost" + ], "rsa.time.event_time": "2016-04-09T19:22:51.000Z", "service.type": "sophos", "tags": [ @@ -259,7 +273,7 @@ "event.original": "2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff", "fileset.name": "utm", "input.type": "log", - "log.offset": 2224, + "log.offset": 2256, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -288,7 +302,7 @@ "host.name": "ptasnu6684.mail.lan", "input.type": "log", "log.level": "low", - "log.offset": 2295, + "log.offset": 2327, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -323,7 +337,7 @@ "fileset.name": "utm", "host.name": "ssecillu7166.internal.lan", "input.type": "log", - "log.offset": 2478, + "log.offset": 2510, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -352,7 +366,7 @@ "host.name": "ore5643.api.lan", "input.type": "log", "log.level": "high", - "log.offset": 2558, + "log.offset": 2590, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -384,7 +398,7 @@ "host.name": "ciun39.localdomain", "input.type": "log", "log.level": "high", - "log.offset": 2711, + "log.offset": 2743, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -417,7 +431,7 @@ "host.name": "atatnon6064.www.invalid", "input.type": "log", "log.level": "low", - "log.offset": 2887, + "log.offset": 2919, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -449,7 +463,7 @@ "host.name": "gitse2463.www5.invalid", "input.type": "log", "log.level": "low", - "log.offset": 3026, + "log.offset": 3058, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -484,7 +498,7 @@ "event.original": "2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed", "fileset.name": "utm", "input.type": "log", - "log.offset": 3197, + "log.offset": 3229, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -507,7 +521,7 @@ "fileset.name": "utm", "host.name": "oriosam6277.mail.localdomain", "input.type": "log", - "log.offset": 3278, + "log.offset": 3310, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -543,7 +557,7 @@ "host.name": "ptate3830.internal.localhost", "input.type": "log", "log.level": "high", - "log.offset": 3363, + "log.offset": 3395, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -575,7 +589,7 @@ "host.name": "nvo6105.invalid", "input.type": "log", "log.level": "medium", - "log.offset": 3542, + "log.offset": 3574, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -607,7 +621,7 @@ "event.original": "2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully", "fileset.name": "utm", "input.type": "log", - "log.offset": 3665, + "log.offset": 3697, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -632,7 +646,7 @@ "host.name": "edic2758.api.domain", "input.type": "log", "log.level": "medium", - "log.offset": 3743, + "log.offset": 3775, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -680,7 +694,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "high", - "log.offset": 4032, + "log.offset": 4064, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -710,7 +724,7 @@ "event.original": "2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195.", "fileset.name": "utm", "input.type": "log", - "log.offset": 4201, + "log.offset": 4233, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -741,7 +755,7 @@ "host.name": "ectobeat3157.mail.local", "input.type": "log", "log.level": "low", - "log.offset": 4278, + "log.offset": 4310, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -779,7 +793,7 @@ "host.name": "ident2323.internal.corp", "input.type": "log", "log.level": "high", - "log.offset": 4428, + "log.offset": 4460, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -814,7 +828,7 @@ "fileset.name": "utm", "host.name": "ttenb4581.www.host", "input.type": "log", - "log.offset": 4630, + "log.offset": 4662, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -842,7 +856,7 @@ "fileset.name": "utm", "host.name": "lapari5763.api.invalid", "input.type": "log", - "log.offset": 4725, + "log.offset": 4757, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -883,7 +897,7 @@ "host.name": "elites4713.www.localhost", "input.type": "log", "log.level": "very-high", - "log.offset": 4802, + "log.offset": 4834, "observer.egress.interface.name": "lo272", "observer.ingress.interface.name": "lo6086", "observer.product": "UTM", 
@@ -936,7 +950,7 @@ "host.name": "sam1795.invalid", "input.type": "log", "log.level": "low", - "log.offset": 5194, + "log.offset": 5226, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -970,7 +984,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "high", - "log.offset": 5332, + "log.offset": 5364, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1027,7 +1041,7 @@ "http.request.referrer": "https://example.com/taliqui/idi.txt?undeomn=ape#itaspe", "input.type": "log", "log.level": "high", - "log.offset": 5594, + "log.offset": 5626, "observer.egress.interface.name": "lo6683", "observer.ingress.interface.name": "lo1543", "observer.product": "UTM", @@ -1109,7 +1123,7 @@ "host.name": "xeaco7887.www.localdomain", "input.type": "log", "log.level": "very-high", - "log.offset": 6963, + "log.offset": 6995, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1145,7 +1159,7 @@ "event.original": "2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"iscivel3512.invalid\"] [uri \"atcupi\"] [unique_id \"eriti\"]", "fileset.name": "utm", "input.type": "log", - "log.offset": 7142, + "log.offset": 7174, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1172,7 +1186,7 @@ "event.original": "2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running", "fileset.name": "utm", "input.type": "log", - "log.offset": 7446, + "log.offset": 7478, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -1197,7 +1211,7 @@ "fileset.name": "utm", "host.name": "dolor5799.home", "input.type": "log", - "log.offset": 7505, + "log.offset": 7537, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1227,7 +1241,7 @@ "http.request.referrer": "https://example.com/adeser/mSe.gif?aute=rchite#rcit", "input.type": "log", "log.level": "low", - "log.offset": 7592, + "log.offset": 7624, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1266,7 +1280,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "very-high", - "log.offset": 7885, + "log.offset": 7917, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1292,7 +1306,7 @@ "host.name": "autodit272.www.localhost", "input.type": "log", "log.level": "very-high", - "log.offset": 7988, + "log.offset": 8020, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1326,7 +1340,7 @@ "host.name": "rporis6787.www5.localdomain", "input.type": "log", "log.level": "low", - "log.offset": 8158, + "log.offset": 8190, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1364,7 +1378,7 @@ "fileset.name": "utm", "host.name": "reprehe5661.www.lan", "input.type": "log", - "log.offset": 8337, + "log.offset": 8369, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1397,7 +1411,7 @@ "fileset.name": "utm", "host.name": "sequatD163.internal.example", "input.type": "log", - "log.offset": 8611, + "log.offset": 8643, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1434,7 +1448,7 @@ "fileset.name": "utm", "host.name": "elillu5777.www5.lan", "input.type": "log", - "log.offset": 8742, + "log.offset": 8774, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -1468,7 +1482,7 @@ "fileset.name": "utm", "host.name": "ecatcup3022.mail.invalid", "input.type": "log", - "log.offset": 8878, + "log.offset": 8910, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1497,7 +1511,7 @@ "fileset.name": "utm", "host.name": "qui7797.www.host", "input.type": "log", - "log.offset": 8951, + "log.offset": 8983, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1527,7 +1541,7 @@ "http.request.referrer": "https://example.org/tquov/natu.jpg?uianonnu=por#nve", "input.type": "log", "log.level": "high", - "log.offset": 9045, + "log.offset": 9077, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1558,7 +1572,7 @@ "event.original": "2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running", "fileset.name": "utm", "input.type": "log", - "log.offset": 9280, + "log.offset": 9312, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1585,7 +1599,7 @@ "http.request.referrer": "https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", "input.type": "log", "log.level": "high", - "log.offset": 9340, + "log.offset": 9372, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1618,7 +1632,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "high", - "log.offset": 9571, + "log.offset": 9603, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1661,7 +1675,7 @@ "event.original": "2017:11:16-18:08:15 named[1900]: reloading eddoei iono", "fileset.name": "utm", "input.type": "log", - "log.offset": 9846, + "log.offset": 9878, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -1689,7 +1703,7 @@ "host.name": "obeatae2042.www.domain", "input.type": "log", "log.level": "low", - "log.offset": 9901, + "log.offset": 9933, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1723,7 +1737,7 @@ "fileset.name": "utm", "host.name": "aerat1267.www5.example", "input.type": "log", - "log.offset": 10086, + "log.offset": 10118, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1753,7 +1767,7 @@ "host.name": "writt2238.internal.localdomain", "input.type": "log", "log.level": "low", - "log.offset": 10155, + "log.offset": 10187, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1786,7 +1800,7 @@ "host.name": "siutaliq4937.api.lan", "input.type": "log", "log.level": "very-high", - "log.offset": 10351, + "log.offset": 10383, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1818,7 +1832,7 @@ "event.original": "2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco", "fileset.name": "utm", "input.type": "log", - "log.offset": 10535, + "log.offset": 10567, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1857,7 +1871,7 @@ "http.request.referrer": "https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi", "input.type": "log", "log.level": "low", - "log.offset": 10609, + "log.offset": 10641, "observer.egress.interface.name": "eth965", "observer.ingress.interface.name": "lo1255", "observer.product": "UTM", @@ -1940,7 +1954,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "medium", - "log.offset": 11911, + "log.offset": 11943, "observer.egress.interface.name": "eth6357", "observer.ingress.interface.name": "lo7088", "observer.product": "UTM", 
@@ -1991,7 +2005,7 @@ "host.name": "ectob5542.www5.corp", "input.type": "log", "log.level": "high", - "log.offset": 12298, + "log.offset": 12330, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2041,7 +2055,7 @@ "http.request.referrer": "https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo", "input.type": "log", "log.level": "high", - "log.offset": 12470, + "log.offset": 12502, "observer.egress.interface.name": "lo4358", "observer.ingress.interface.name": "lo3680", "observer.product": "UTM", @@ -2140,7 +2154,7 @@ "http.request.referrer": "https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria", "input.type": "log", "log.level": "low", - "log.offset": 13825, + "log.offset": 13857, "observer.egress.interface.name": "lo2179", "observer.ingress.interface.name": "enp0s566", "observer.product": "UTM", @@ -2219,7 +2233,7 @@ "host.name": "iscing6960.api.invalid", "input.type": "log", "log.level": "very-high", - "log.offset": 15157, + "log.offset": 15189, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2254,7 +2268,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "low", - "log.offset": 15301, + "log.offset": 15333, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2292,7 +2306,7 @@ "fileset.name": "utm", "host.name": "iavolu7814.www5.localhost", "input.type": "log", - "log.offset": 15644, + "log.offset": 15676, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2340,7 +2354,7 @@ "http.request.referrer": "https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol", "input.type": "log", "log.level": "low", - "log.offset": 15741, + "log.offset": 15773, "observer.egress.interface.name": "lo2114", "observer.ingress.interface.name": "enp0s3792", "observer.product": "UTM", 
@@ -2417,7 +2431,7 @@ "event.original": "2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274", "fileset.name": "utm", "input.type": "log", - "log.offset": 17056, + "log.offset": 17088, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2449,7 +2463,7 @@ "http.request.referrer": "https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", "input.type": "log", "log.level": "medium", - "log.offset": 17118, + "log.offset": 17150, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2483,7 +2497,7 @@ "host.name": "nsecte3644.internal.test", "input.type": "log", "log.level": "high", - "log.offset": 17338, + "log.offset": 17370, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2515,7 +2529,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "very-high", - "log.offset": 17488, + "log.offset": 17520, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2558,7 +2572,7 @@ "fileset.name": "utm", "host.name": "econseq7119.www.home", "input.type": "log", - "log.offset": 17764, + "log.offset": 17796, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2588,7 +2602,7 @@ "http.request.referrer": "https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", "input.type": "log", "log.level": "high", - "log.offset": 17861, + "log.offset": 17893, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2620,7 +2634,7 @@ "event.original": "2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx", "fileset.name": "utm", "input.type": "log", - "log.offset": 18090, + "log.offset": 18122, "log.original": "olore", "observer.product": "UTM", "observer.type": "Firewall", 
@@ -2660,7 +2674,7 @@ "http.request.referrer": "https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid", "input.type": "log", "log.level": "medium", - "log.offset": 18173, + "log.offset": 18205, "observer.egress.interface.name": "lo3615", "observer.ingress.interface.name": "eth65", "observer.product": "UTM", @@ -2749,7 +2763,7 @@ "host.name": "itametc1599.api.test", "input.type": "log", "log.level": "low", - "log.offset": 19485, + "log.offset": 19517, "observer.egress.interface.name": "enp0s1164", "observer.ingress.interface.name": "eth2679", "observer.product": "UTM", @@ -2801,7 +2815,7 @@ "fileset.name": "utm", "host.name": "tiumt5462.mail.localhost", "input.type": "log", - "log.offset": 19882, + "log.offset": 19914, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2829,7 +2843,7 @@ "fileset.name": "utm", "host.name": "vol1450.internal.host", "input.type": "log", - "log.offset": 19962, + "log.offset": 19994, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2863,7 +2877,7 @@ "event.original": "2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -> reinit of ipsec interface", "fileset.name": "utm", "input.type": "log", - "log.offset": 20054, + "log.offset": 20086, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2887,7 +2901,7 @@ "host.name": "rporissu573.api.test", "input.type": "log", "log.level": "very-high", - "log.offset": 20173, + "log.offset": 20205, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2921,7 +2935,7 @@ "fileset.name": "utm", "host.name": "nostru774.corp", "input.type": "log", - "log.offset": 20324, + "log.offset": 20356, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -2951,7 +2965,7 @@ "event.original": "2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -> reinit of ipsec interface", "fileset.name": "utm", "input.type": "log", - "log.offset": 20409, + "log.offset": 20441, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2976,7 +2990,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "medium", - "log.offset": 20527, + "log.offset": 20559, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3016,7 +3030,7 @@ "host.name": "sum2208.host", "input.type": "log", "log.level": "medium", - "log.offset": 20882, + "log.offset": 20914, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3048,7 +3062,7 @@ "host.name": "ore6843.local", "input.type": "log", "log.level": "medium", - "log.offset": 21065, + "log.offset": 21097, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3084,7 +3098,7 @@ "host.name": "Sedu1610.mail.corp", "input.type": "log", "log.level": "medium", - "log.offset": 21209, + "log.offset": 21241, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3122,7 +3136,7 @@ "host.name": "corpo6737.example", "input.type": "log", "log.level": "very-high", - "log.offset": 21386, + "log.offset": 21418, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3153,7 +3167,7 @@ "event.original": "2019:4:1-00:38:14 pop3proxy[6854]: Master started", "fileset.name": "utm", "input.type": "log", - "log.offset": 21547, + "log.offset": 21579, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3176,7 +3190,7 @@ "fileset.name": "utm", "host.name": "eratvol314.www.home", "input.type": "log", - "log.offset": 21597, + "log.offset": 21629, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -3207,7 +3221,7 @@ "host.name": "utemvele1838.mail.test", "input.type": "log", "log.level": "high", - "log.offset": 21662, + "log.offset": 21694, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3248,7 +3262,7 @@ "host.name": "ulapari2656.local", "input.type": "log", "log.level": "very-high", - "log.offset": 21931, + "log.offset": 21963, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3281,7 +3295,7 @@ "http.request.referrer": "https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", "input.type": "log", "log.level": "very-high", - "log.offset": 22082, + "log.offset": 22114, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3307,7 +3321,7 @@ "event.original": "2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul", "fileset.name": "utm", "input.type": "log", - "log.offset": 22301, + "log.offset": 22333, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3333,7 +3347,7 @@ "event.original": "2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 \"econse\" #otamr", "fileset.name": "utm", "input.type": "log", - "log.offset": 22371, + "log.offset": 22403, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3363,7 +3377,7 @@ "host.name": "stla2856.host", "input.type": "log", "log.level": "very-high", - "log.offset": 22458, + "log.offset": 22490, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3396,7 +3410,7 @@ "host.name": "peri6748.www5.domain", "input.type": "log", "log.level": "high", - "log.offset": 22597, + "log.offset": 22629, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -3430,7 +3444,7 @@ "host.name": "tnon5442.internal.test", "input.type": "log", "log.level": "very-high", - "log.offset": 22774, + "log.offset": 22806, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3467,7 +3481,7 @@ "http.request.referrer": "https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", "input.type": "log", "log.level": "very-high", - "log.offset": 22905, + "log.offset": 22937, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3505,7 +3519,7 @@ "host.name": "imv1805.api.host", "input.type": "log", "log.level": "very-high", - "log.offset": 23130, + "log.offset": 23162, "observer.egress.interface.name": "lo3422", "observer.ingress.interface.name": "lo4665", "observer.product": "UTM", @@ -3561,7 +3575,7 @@ "host.name": "rita600.www5.localdomain", "input.type": "log", "log.level": "high", - "log.offset": 23536, + "log.offset": 23568, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3596,7 +3610,7 @@ "event.original": "2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq", "fileset.name": "utm", "input.type": "log", - "log.offset": 23718, + "log.offset": 23750, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3620,7 +3634,7 @@ "host.name": "admini1122.www.local", "input.type": "log", "log.level": "very-high", - "log.offset": 23797, + "log.offset": 23829, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3661,7 +3675,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "low", - "log.offset": 24004, + "log.offset": 24036, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -3704,7 +3718,7 @@ "fileset.name": "utm", "host.name": "emvel4391.localhost", "input.type": "log", - "log.offset": 24284, + "log.offset": 24316, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3732,7 +3746,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "high", - "log.offset": 24381, + "log.offset": 24413, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3757,7 +3771,7 @@ "fileset.name": "utm", "host.name": "untinc5531.www5.test", "input.type": "log", - "log.offset": 24475, + "log.offset": 24507, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos",