diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc
index ba659a3ff31..2b319225a97 100644
--- a/CHANGELOG-developer.next.asciidoc
+++ b/CHANGELOG-developer.next.asciidoc
@@ -104,6 +104,7 @@ The list below covers the major changes between 7.0.0-rc2 and master only.
 - Update Go version to 1.14.7. {pull}20508[20508]
 - Add packaging for docker image based on UBI minimal 8. {pull}20576[20576]
 - Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827]
+- Add Pensando distributed firewall module. {pull}21063[21063]
 - Update ecszap to v0.3.0 for using ECS 1.6.0 in logs {pull}22267[22267]
 - Add support for customized monitoring API. {pull}22605[22605]
 - Update Go version to 1.15.7. {pull}22495[22495]
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 2a4e439452b..a8cb2e8d44a 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -69,6 +69,7 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -105827,6 +105828,147 @@ Specifies the sub type of the log -- +[[exported-fields-pensando]] +== Pensando fields + +pensando Module + + + +[float] +=== pensando + +Fields from Pensando logs. + + + +[float] +=== dfw + +Fields for Pensando DFW + + + +*`pensando.dfw.action`*:: ++ +-- +Action on the flow. + + +type: keyword + +-- + +*`pensando.dfw.app_id`*:: ++ +-- +Application ID + + +type: integer + +-- + +*`pensando.dfw.destination_address`*:: ++ +-- +Address of destination. + + +type: keyword + +-- + +*`pensando.dfw.destination_port`*:: ++ +-- +Port of destination. + + +type: integer + +-- + +*`pensando.dfw.direction`*:: ++ +-- +Direction of the flow + + +type: keyword + +-- + +*`pensando.dfw.protocol`*:: ++ +-- +Protocol of the flow + + +type: keyword + +-- + +*`pensando.dfw.rule_id`*:: ++ +-- +Rule ID that was matched. + + +type: keyword + +-- + +*`pensando.dfw.session_id`*:: ++ +-- +Session ID of the flow + + +type: integer + +-- + +*`pensando.dfw.session_state`*:: ++ +-- +Session state of the flow. + + +type: keyword + +-- + +*`pensando.dfw.source_address`*:: ++ +-- +Source address of the flow. + + +type: keyword + +-- + +*`pensando.dfw.source_port`*:: ++ +-- +Source port of the flow. + + +type: integer + +-- + +*`pensando.dfw.timestamp`*:: ++ +-- +Timestamp of the log. + + +type: date + +-- + [[exported-fields-postgresql]] == PostgreSQL fields diff --git a/filebeat/docs/images/filebeat-pensando-dfw.png b/filebeat/docs/images/filebeat-pensando-dfw.png new file mode 100755 index 00000000000..da98465eee5 Binary files /dev/null and b/filebeat/docs/images/filebeat-pensando-dfw.png differ diff --git a/filebeat/docs/modules/pensando.asciidoc b/filebeat/docs/modules/pensando.asciidoc new file mode 100644 index 00000000000..88c2924a8f1 --- /dev/null +++ b/filebeat/docs/modules/pensando.asciidoc 
@@ -0,0 +1,69 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-pensando]] +:modulename: pensando +:has-dashboards: true + +== pensando module + +The +{modulename}+ module parses distributed firewall logs created by the +http://pensando.io/[Pensando] distributed services card (DSC). + + +include::../include/what-happens.asciidoc[] + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +The Pensando module has been tested with 1.12.0-E-54 and later. + +include::../include/configuring-intro.asciidoc[] +The following example shows how to set parameters in the +modules.d/{modulename}.yml+ +file to listen for firewall logs sent from the Pensando DSC(s) on port 5514 (default is 9001): + +["source","yaml",subs="attributes"] +----- +- module: pensando + access: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: [9001] +----- +:fileset_ex: dfw + +include::../include/config-option-intro.asciidoc[] + +TODO: document the variables from each fileset. If you're describing a variable +that's common to other modules, you can reuse shared descriptions by including +the relevant file. For example: + +[float] +==== `dfw` log fileset settings + +include::../include/var-paths.asciidoc[] + +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/filebeat-pensando-dfw.png[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 1a3da8bca3d..aec43cb354e 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -50,6 +50,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> 
@@ -121,6 +122,7 @@ include::modules/okta.asciidoc[] include::modules/oracle.asciidoc[] include::modules/osquery.asciidoc[] include::modules/panw.asciidoc[] +include::modules/pensando.asciidoc[] include::modules/postgresql.asciidoc[] include::modules/proofpoint.asciidoc[] include::modules/rabbitmq.asciidoc[] diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 2a5533bb636..e232640ffd0 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -335,6 +335,18 @@ filebeat.modules: # of the document. The default is true. #var.use_namespace: true +#------------------------------- Pensando Module ------------------------------- +- module: pensando +# Firewall logs + dfw: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + # var.paths: + #------------------------------ PostgreSQL Module ------------------------------ #- module: postgresql # Logs diff --git a/filebeat/include/list.go b/filebeat/include/list.go index 519d0e71581..e4c1396d973 100644 --- a/filebeat/include/list.go +++ b/filebeat/include/list.go @@ -45,6 +45,7 @@ import ( _ "github.com/elastic/beats/v7/filebeat/module/nats" _ "github.com/elastic/beats/v7/filebeat/module/nginx" _ "github.com/elastic/beats/v7/filebeat/module/osquery" + _ "github.com/elastic/beats/v7/filebeat/module/pensando" _ "github.com/elastic/beats/v7/filebeat/module/postgresql" _ "github.com/elastic/beats/v7/filebeat/module/redis" _ "github.com/elastic/beats/v7/filebeat/module/santa" diff --git a/filebeat/module/pensando/_meta/config.yml b/filebeat/module/pensando/_meta/config.yml new file mode 100644 index 00000000000..e632160bdd7 --- /dev/null +++ b/filebeat/module/pensando/_meta/config.yml 
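Review bot: The Pensando block added to filebeat/filebeat.reference.yml is uncommented (`- module: pensando`, `enabled: true`) while the neighbouring `#- module: postgresql` entry is commented out, and it sets `var.syslog_host: 0.0.0.0`. A deployment that starts from this file therefore opens a syslog listener on every interface on port 9001, and nothing in the hunk limits which senders it accepts. I would comment the block out like its neighbours and default to `var.syslog_host: localhost`, so that binding to all interfaces is an explicit operator decision. The same defaults appear in filebeat/module/pensando/_meta/config.yml in the next file section, and the `# var.paths:` comment there describes log-file paths even though the fileset is configured as a network listener.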
@@ -0,0 +1,10 @@ +- module: pensando +# Firewall logs + dfw: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + # var.paths: diff --git a/filebeat/module/pensando/_meta/docs.asciidoc b/filebeat/module/pensando/_meta/docs.asciidoc new file mode 100644 index 00000000000..611ccdf01ca --- /dev/null +++ b/filebeat/module/pensando/_meta/docs.asciidoc @@ -0,0 +1,56 @@ +:modulename: pensando +:has-dashboards: true + +== pensando module + +The +{modulename}+ module parses distributed firewall logs created by the +http://pensando.io/[Pensando] distributed services card (DSC). + + +include::../include/what-happens.asciidoc[] + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +The Pensando module has been tested with 1.12.0-E-54 and later. + +include::../include/configuring-intro.asciidoc[] +The following example shows how to set parameters in the +modules.d/{modulename}.yml+ +file to listen for firewall logs sent from the Pensando DSC(s) on port 5514 (default is 9001): + +["source","yaml",subs="attributes"] +----- +- module: pensando + access: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: [9001] +----- +:fileset_ex: dfw + +include::../include/config-option-intro.asciidoc[] + +TODO: document the variables from each fileset. If you're describing a variable +that's common to other modules, you can reuse shared descriptions by including +the relevant file. For example: + +[float] +==== `dfw` log fileset settings + +include::../include/var-paths.asciidoc[] + +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/filebeat-pensando-dfw.png[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: 
diff --git a/filebeat/module/pensando/_meta/fields.yml b/filebeat/module/pensando/_meta/fields.yml
new file mode 100644
index 00000000000..f4dba1a22ba
--- /dev/null
+++ b/filebeat/module/pensando/_meta/fields.yml
@@ -0,0 +1,10 @@
+- key: pensando
+ title: Pensando
+ description: >
+ pensando Module
+ fields:
+ - name: pensando
+ type: group
+ description: >
+ Fields from Pensando logs.
+ fields:
diff --git a/filebeat/module/pensando/_meta/kibana/7/dashboard/pensando-dfw-overview.json b/filebeat/module/pensando/_meta/kibana/7/dashboard/pensando-dfw-overview.json
new file mode 100644
index 00000000000..33ebc169841
--- /dev/null
+++ b/filebeat/module/pensando/_meta/kibana/7/dashboard/pensando-dfw-overview.json
@@ -0,0 +1,1341 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of events coming from Pensando DSC distributed firewall system.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "85119076-2756-4415-8917-14c9d46732a5", + "w": 41, + "x": 0, + "y": 0 + }, + "panelIndex": "85119076-2756-4415-8917-14c9d46732a5", + "panelRefName": "panel_0", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "9215c2be-bca5-4b21-8042-0e0be99e38c0", + "w": 7, + "x": 41, + "y": 0 + }, + "panelIndex": "9215c2be-bca5-4b21-8042-0e0be99e38c0", + "panelRefName": "panel_1", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Active Workloads" + }, + "gridData": { + "h": 9, + "i": "81013c87-76c2-4ff0-9545-1295babad06e", + "w": 8, + "x": 0, + "y": 5 + }, + "panelIndex": "81013c87-76c2-4ff0-9545-1295babad06e", + "panelRefName": "panel_2", + "title": "Active Workloads", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "DFW Allowed Count" + }, + "gridData": { + "h": 9, + "i": "3ee01275-08dd-4d3f-9834-d844f5550365", + "w": 8, + "x": 8, + "y": 5 + }, + "panelIndex": "3ee01275-08dd-4d3f-9834-d844f5550365", + "panelRefName": "panel_3", + "title": "DFW Allowed Count", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "DFW Denied Count" + }, + "gridData": { + "h": 9, + "i": "9628e969-1f18-4659-a8d9-e9409f11f3a9", + "w": 8, + "x": 16, + "y": 5 + }, + "panelIndex": "9628e969-1f18-4659-a8d9-e9409f11f3a9", + "panelRefName": "panel_4", + "title": "DFW Denied Count", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Denied Destination IPs" + }, + "gridData": { + "h": 11, + "i": 
"37787af1-b5ef-467e-8c5e-b0dfba56c9f9", + "w": 24, + "x": 24, + "y": 5 + }, + "panelIndex": "37787af1-b5ef-467e-8c5e-b0dfba56c9f9", + "panelRefName": "panel_5", + "title": "Denied Destination IPs", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Traffic by Workload" + }, + "gridData": { + "h": 14, + "i": "efafcbff-a163-4475-8d12-59f716e5a3ef", + "w": 12, + "x": 0, + "y": 14 + }, + "panelIndex": "efafcbff-a163-4475-8d12-59f716e5a3ef", + "panelRefName": "panel_6", + "title": "Traffic by Workload", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Client to Server FW Action" + }, + "gridData": { + "h": 14, + "i": "52506949-eb15-4b23-b50c-2e5083df5e0f", + "w": 12, + "x": 12, + "y": 14 + }, + "panelIndex": "52506949-eb15-4b23-b50c-2e5083df5e0f", + "panelRefName": "panel_7", + "title": "Client to Server FW Action", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 13, + "i": "077406bd-aa47-4dc9-b1f6-04cae0ae34b6", + "w": 24, + "x": 24, + "y": 16 + }, + "panelIndex": "077406bd-aa47-4dc9-b1f6-04cae0ae34b6", + "panelRefName": "panel_8", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 14, + "i": "58e763b7-a23a-480a-a984-24dd115aba2c", + "w": 12, + "x": 0, + "y": 28 + }, + "panelIndex": "58e763b7-a23a-480a-a984-24dd115aba2c", + "panelRefName": "panel_9", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "table": null, + "title": "Dest Port by DSC", + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 14, + "i": "36fc48c8-0044-4af6-a8b2-da8023806f32", + "w": 12, + "x": 12, + "y": 28 + }, + "panelIndex": "36fc48c8-0044-4af6-a8b2-da8023806f32", + "panelRefName": "panel_10", + "title": "Dest Port by DSC", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 13, + "i": "a1d34501-4d64-4213-b192-1b4ca2d88793", + "w": 24, + "x": 24, + "y": 29 + }, + "panelIndex": "a1d34501-4d64-4213-b192-1b4ca2d88793", + 
"panelRefName": "panel_11", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Pensando] DFW Overview", + "version": 1 + }, + "id": "2713ee40-f3b1-11ea-ba07-c1efedbf0bf9", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "a73c8dc0-cc8d-11ea-918e-c778f7abe5d7", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "39e26d70-cc4d-11ea-918e-c778f7abe5d7", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "bc6a36b0-cdba-11ea-a0ef-8f5241e594be", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "fa745d10-cc88-11ea-918e-c778f7abe5d7", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "1d2d5f00-cc89-11ea-918e-c778f7abe5d7", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "bf9d4650-cc8a-11ea-918e-c778f7abe5d7", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "07983660-cd38-11ea-a0ef-8f5241e594be", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "fd2202d0-cc86-11ea-918e-c778f7abe5d7", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "2aa5d850-cc85-11ea-918e-c778f7abe5d7", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "b8bfd3e0-e8b7-11ea-ba07-c1efedbf0bf9", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "c6188140-cdb9-11ea-a0ef-8f5241e594be", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "0583e120-cc8f-11ea-918e-c778f7abe5d7", + "name": "panel_11", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-09-10T22:32:33.177Z", + "version": "WzI1NjMsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Client/Server - input list [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "client.ip", + "id": 
"1595471403191", + "indexPatternRefName": "control_0_index_pattern", + "label": "Client", + "options": { + "dynamicOptions": true, + "multiselect": false, + "order": "desc", + "size": 500, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "server.ip", + "id": "1595471807689", + "indexPatternRefName": "control_1_index_pattern", + "label": "Server", + "options": { + "dynamicOptions": true, + "multiselect": false, + "order": "desc", + "size": 500, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "log.source.address", + "id": "1595471848091", + "indexPatternRefName": "control_2_index_pattern", + "label": "DSC", + "options": { + "dynamicOptions": false, + "multiselect": false, + "order": "desc", + "size": 500, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": true, + "updateFiltersOnChange": true, + "useTimeFilter": true + }, + "title": "Client/Server - input list [Filebeat Pensando]", + "type": "input_control_vis" + } + }, + "id": "a73c8dc0-cc8d-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:58:28.390Z", + "version": "WzI0OTMsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": { + "match_all": {} + } + } + } + }, + "title": "Logo [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 8, + "markdown": "[![Pensando](data:image/png;base64,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)](https://pensando.io)", 
+ "openLinksInNewTab": true + }, + "title": "Logo [Filebeat Pensando]", + "type": "markdown" + } + }, + "id": "39e26d70-cc4d-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T22:03:40.485Z", + "version": "WzI1MDIsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Active Workload Count [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Active Workloads", + "field": "client.ip" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": false + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 36, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Active Workload Count [Filebeat Pensando]", + "type": "metric" + } + }, + "id": "bc6a36b0-cdba-11ea-a0ef-8f5241e594be", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T22:32:05.773Z", + "version": "WzI1NjIsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "DFW 
Allowed Count [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "", + "exclude": "denied", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": false + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "DFW Allowed Count [Filebeat Pensando]", + "type": "metric" + } + }, + "id": "fa745d10-cc88-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:55:19.408Z", + "version": "WzI0ODQsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "DFW Denied Count [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "packet count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "", + 
"exclude": "allowed", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": false + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "DFW Denied Count [Filebeat Pensando]", + "type": "metric" + } + }, + "id": "1d2d5f00-cc89-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T22:21:26.142Z", + "version": "WzI1NDAsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Denied Destination IPs", + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.action", + "negate": false, + "params": { + "query": "denied" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "denied" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.action: \"denied\" " + } + } + }, + "title": "Denied Destination IPs [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, 
+ { + "enabled": true, + "id": "2", + "params": { + "field": "server.ip", + "json": "", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 36, + "minFontSize": 14, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Denied Destination IPs [Filebeat Pensando]", + "type": "tagcloud" + } + }, + "id": "bf9d4650-cc8a-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:57:10.267Z", + "version": "WzI0ODgsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Traffic by Workload Pie [Filebeat Pensando]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "client.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + 
"type": "pie" + }, + "title": "Traffic by Workload Pie [Filebeat Pensando]", + "type": "pie" + } + }, + "id": "07983660-cd38-11ea-a0ef-8f5241e594be", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:57:31.753Z", + "version": "WzI0ODksMTFd" + }, + { + "attributes": { + "description": "Inner ring is client IP, middle ring is server IP and the outer ring is Allow vs Deny actions performed by the FW", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Client to Server FW Action [Filebeat Pensando]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "client.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "server.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, 
+ "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": false + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Client to Server FW Action [Filebeat Pensando]", + "type": "pie" + } + }, + "id": "fd2202d0-cc86-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:56:22.329Z", + "version": "WzI0ODYsMTFd" + }, + { + "attributes": { + "description": "Firewall denies and allows plotted against each other in time series", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "DFW Deny vs Allow [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "event.dataset:\"pensando.dfw\" " + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "pensando.dfw.action : \"allow\" " + }, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "terms", + "stacked": "none", + "terms_field": "pensando.dfw.action" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(150,10,3,1)", + "fill": 0.5, + 
"filter": { + "language": "kuery", + "query": "pensando.dfw.action : \"deny\" " + }, + "formatter": "number", + "id": "b6c562c0-cc84-11ea-a4da-c770c13b4387", + "line_width": 1, + "metrics": [ + { + "id": "b6c562c1-cc84-11ea-a4da-c770c13b4387", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "pensando.dfw.action" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(188,186,0,1)", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "pensando.dfw.action :\"none\" " + }, + "formatter": "number", + "id": "2dd6bef0-cd1f-11ea-98bc-ef8e168e330d", + "line_width": 1, + "metrics": [ + { + "id": "2dd6bef1-cd1f-11ea-98bc-ef8e168e330d", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "pensando.dfw.action" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "DFW Deny vs Allow [Filebeat Pensando]", + "type": "metrics" + } + }, + "id": "2aa5d850-cc85-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T21:54:41.152Z", + "version": "WzI0ODAsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Destination IPs [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + 
"schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top Destination IPs [Filebeat Pensando]", + "type": "pie" + } + }, + "id": "b8bfd3e0-e8b7-11ea-ba07-c1efedbf0bf9", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "0d0216f0-2fe0-11e7-9d02-3f49bde5c1d5", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:59:43.129Z", + "version": "WzI0OTYsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Destination Port by DSC Pie [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.port", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "log.source.address", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Destination Port by DSC 
Pie [Filebeat Pensando]", + "type": "pie" + } + }, + "id": "c6188140-cdb9-11ea-a0ef-8f5241e594be", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:58:55.571Z", + "version": "WzI0OTQsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Top Destinations - table [Filebeat Pensando]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Network Packets" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Top Servers", + "field": "server.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 300 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": true, + "showPartialRows": true, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top Destinations - table [Filebeat Pensando]", + "type": "table" + } + }, + "id": "0583e120-cc8f-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T22:27:54.232Z", + "version": "WzI1NTAsMTFd" + } + ], + "version": "7.8.0" +} 
diff --git a/filebeat/module/pensando/dfw/_meta/fields.yml b/filebeat/module/pensando/dfw/_meta/fields.yml
new file mode 100644
index 00000000000..72422c32121
--- /dev/null
+++ b/filebeat/module/pensando/dfw/_meta/fields.yml
@@ -0,0 +1,55 @@
+- name: dfw
+ type: group
+ release: beta
+ default_field: false
+ description: >
+ Fields for Pensando DFW
+ fields:
+ - name: action
+ type: keyword
+ description: >
+ Action on the flow.
+ - name: app_id
+ type: integer
+ description: >
+ Application ID
+ - name: destination_address
+ type: keyword
+ description: >
+ Address of destination.
+ - name: destination_port
+ type: integer
+ description: >
+ Port of destination.
+ - name: direction
+ type: keyword
+ description: >
+ Direction of the flow
+ - name: protocol
+ type: keyword
+ description: >
+ Protocol of the flow
+ - name: rule_id
+ type: keyword
+ description: >
+ Rule ID that was matched.
+ - name: session_id
+ type: integer
+ description: >
+ Session ID of the flow
+ - name: session_state
+ type: keyword
+ description: >
+ Session state of the flow.
+ - name: source_address
+ type: keyword
+ description: >
+ Source address of the flow.
+ - name: source_port
+ type: integer
+ description: >
+ Source port of the flow.
+ - name: timestamp
+ type: date
+ description: >
+ Timestamp of the log.
diff --git a/filebeat/module/pensando/dfw/config/dfw.yml b/filebeat/module/pensando/dfw/config/dfw.yml
new file mode 100644
index 00000000000..404eac5f138
--- /dev/null
+++ b/filebeat/module/pensando/dfw/config/dfw.yml
@@ -0,0 +1,23 @@
+{{ if eq .input "syslog" }}
+
+type: udp
+udp:
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+processors:
+ - add_locale: ~
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.7.0
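Review bot: The `file` branch of config/dfw.yml ranges over `.paths`, but the manifest.yml added in this commit declares only `syslog_host`, `syslog_port` and `input`, so nothing in the visible diff supplies a default path list. With `var.input: file` and no `var.paths`, the rendered log input would presumably carry an empty `paths:` and read nothing, without an error that tells the operator why. Either declare the variable in the manifest, e.g. `- name: paths` with per-OS defaults, or correct the comment in the shipped module config that says Filebeat will choose the paths depending on the OS.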
diff --git a/filebeat/module/pensando/dfw/ingest/pipeline.yml b/filebeat/module/pensando/dfw/ingest/pipeline.yml new file mode 100644 index 00000000000..c8d1d57792f --- /dev/null +++ b/filebeat/module/pensando/dfw/ingest/pipeline.yml 
@@ -0,0 +1,218 @@ +--- +description: Pipeline for parsing Penando DFW logs +processors: +- set: + field: event.ingested + value: "{{_ingest.timestamp}}" +- rename: + field: message + target_field: event.original +- grok: + field: event.original + patterns: + - "%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(?::-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +\\[%{GREEDYDATA:payload_raw}\\]$" +- json: + field: payload_raw + target_field: json +- remove: + field: [syslog5424_sd,syslog5424_app,syslog5424_host,syslog5424_msgid,syslog5424_pri,syslog5424_proc,syslog5424_ver,host] + ignore_missing: true +- date: + field: json.time + target_field: '@timestamp' + ignore_failure: true + formats: + - ISO8601 +- rename: + field: json.action + target_field: pensando.dfw.action + ignore_failure: true +- rename: + field: json.app-id + target_field: pensando.dfw.app_id + ignore_failure: true +- rename: + field: json.destaddr + target_field: pensando.dfw.destination_address + ignore_failure: true +- rename: + field: json.destport + target_field: pensando.dfw.destination_port + ignore_failure: true +- rename: + field: json.direction + target_field: pensando.dfw.direction + ignore_failure: true +- rename: + field: json.protocol + target_field: pensando.dfw.protocol + ignore_failure: true +- rename: + field: json.rule-id + target_field: pensando.dfw.rule_id + ignore_failure: true +- rename: + field: json.session-id + target_field: pensando.dfw.session_id + ignore_failure: true +- rename: + field: json.session-state + target_field: pensando.dfw.session_state + ignore_failure: true +- rename: + field: json.srcaddr + target_field: pensando.dfw.source_address + ignore_failure: true +- rename: + field: json.srcport + target_field: pensando.dfw.source_port + ignore_failure: true +- set: + field: event.category + value: ['network'] 
+- set: + field: observer.vendor + value: Pensando Systems +- set: + field: observer.type + value: 'firewall' +- set: + field: observer.product + value: 'Distributed Services Platform' +- set: + field: network.type + value: 'ipv4' +- set: + field: network.transport + value: '{{pensando.dfw.protocol}}' + ignore_failure: true +- lowercase: + field: network.transport + ignore_missing: true + ignore_failure: true +- set: + field: source.address + value: "{{pensando.dfw.source_address}}" + ignore_failure: true + ignore_empty_value: true +- convert: + field: pensando.dfw.source_port + target_field: source.port + type: integer + ignore_failure: true + ignore_missing: true +- set: + field: destination.address + value: "{{pensando.dfw.destination_address}}" + ignore_failure: true + ignore_empty_value: true +- convert: + field: pensando.dfw.destination_port + target_field: destination.port + type: integer + ignore_failure: true + ignore_missing: true +- set: + field: client.ip + value: '{{pensando.dfw.source_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.source_port > ctx.pensando.dfw?.destination_port +- set: + field: client.ip + value: '{{pensando.dfw.destination_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.destination_port > ctx.pensando.dfw?.source_port +- set: + field: client.ip + value: '{{pensando.dfw.source_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.protocol == 'ICMP' +- set: + field: server.ip + value: '{{pensando.dfw.source_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.source_port < ctx.pensando.dfw?.destination_port +- set: + field: server.ip + value: '{{pensando.dfw.destination_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.destination_port < ctx.pensando.dfw?.source_port +- set: + field: server.ip + value: '{{pensando.dfw.destination_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.protocol == 'ICMP' +- set: + field: server.port + value: '{{pensando.dfw.source_port}}' + ignore_failure: true + 
if: ctx.pensando.dfw?.source_port < ctx.pensando.dfw?.destination_port +- set: + field: server.port + value: '{{pensando.dfw.destination_port}}' + ignore_failure: true + if: ctx.pensando.dfw?.destination_port < ctx.pensando.dfw?.source_port +- set: + field: server.port + value: 0 + ignore_failure: true + if: ctx.pensando.dfw?.protocol == 'ICMP' +- set: + field: event.kind + value: 'event' +- set: + field: event.action + value: 'allowed' + if: '[''allow''].contains(ctx.pensando.dfw?.action)' +- set: + field: rule.id + value: '{{pensando.dfw.rule_id}}' + ignore_failure: true +- set: + field: event.outcome + value: success + if: '[''allow'', ''deny''].contains(ctx.pensando.dfw?.action)' +- set: + field: event.action + value: denied + if: '[''deny''].contains(ctx.pensando.dfw?.action)' +- set: + field: event.type + value: ['connection', 'allowed'] + if: '[''allow''].contains(ctx.pensando.dfw?.action)' + ignore_failure: true +- set: + field: event.type + value: ['connection', 'denied'] + if: '[''deny''].contains(ctx.pensando.dfw?.action)' + ignore_failure: true +- geoip: + field: pensando.dfw.source_address + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: pensando.dfw.source_address + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- remove: + field: + - syslog5424_ts + - json + - payload_raw + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/pensando/dfw/manifest.yml b/filebeat/module/pensando/dfw/manifest.yml new file mode 100644 index 00000000000..5de3a973547 --- /dev/null +++ b/filebeat/module/pensando/dfw/manifest.yml 
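Review bot: The pipeline fills `source.address` and `destination.address` but never `source.ip` or `destination.ip`, so the "Top Destination IPs" visualization in this commit, which aggregates on `destination.ip`, appears to have nothing to count, and ECS-based detection content keyed on the IP fields will not match these firewall events. Converting the two addresses with the `convert` processor's `ip` type also keeps values that are not valid addresses out of the IP fields instead of copying them through. Separately, `server.port` is written through a mustache template and comes out as the string "80" in test.log-expected.json while `destination.port` is an integer; a `convert` to `integer`, as already done for `source.port`, would keep the types aligned. The processors below would sit next to the existing `source.address` and `destination.address` steps.

```yaml
# … unchanged: set source.address, convert source.port …
- convert:
    field: pensando.dfw.source_address
    target_field: source.ip
    type: ip
    ignore_missing: true
    ignore_failure: true
# … unchanged: set destination.address, convert destination.port …
- convert:
    field: pensando.dfw.destination_address
    target_field: destination.ip
    type: ip
    ignore_missing: true
    ignore_failure: true
```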
@@ -0,0 +1,13 @@
+module_version: 1.0
+
+var:
+ - name: syslog_host
+ default: 0.0.0.0
+ - name: syslog_port
+ default: 9001
+ - name: input
+ default: syslog
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+input: config/dfw.yml
diff --git a/filebeat/module/pensando/dfw/test/test.log b/filebeat/module/pensando/dfw/test/test.log
new file mode 100644
index 00000000000..bf582967660
--- /dev/null
+++ b/filebeat/module/pensando/dfw/test/test.log
@@ -0,0 +1,3 @@
+<14>1 2020-12-14T18:41:01Z esx01-dsc pen-tmagent 1402 - [{"time":"2020-12-14T18:41:01Z","destaddr":"10.29.95.101","destport":80,"srcaddr":"10.29.95.102","srcport":46554,"protocol":"TCP","action":"allow","direction":"from-host","rule-id":5413257681574708646,"session-id":6881552,"session-state":"flow_create"}]
+<14>1 2020-12-14T18:41:16Z esx01-dsc pen-tmagent 1402 - [{"time":"2020-12-14T18:41:16Z","destaddr":"10.29.95.101","destport":80,"srcaddr":"10.29.95.102","srcport":46594,"protocol":"TCP","action":"allow","direction":"from-host","rule-id":5413257681574708646,"session-id":6881572,"session-state":"flow_create"}]
+<14>1 2020-12-14T18:41:16Z esx01-dsc pen-tmagent 1402 - [{"time":"2020-12-14T18:41:16Z","destaddr":"10.29.95.101","destport":80,"srcaddr":"10.29.95.102","srcport":46582,"protocol":"TCP","action":"allow","direction":"from-host","rule-id":5413257681574708646,"session-id":6881566,"session-state":"flow_create"}]
diff --git a/filebeat/module/pensando/dfw/test/test.log-expected.json b/filebeat/module/pensando/dfw/test/test.log-expected.json
new file mode 100644
index 00000000000..d43ffdea29c
--- /dev/null
+++ b/filebeat/module/pensando/dfw/test/test.log-expected.json
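Review bot: `syslog_host` defaults to `0.0.0.0` in manifest.yml, so enabling the fileset with no overrides opens an unauthenticated UDP listener on port 9001 on every interface, and anything that can reach the host can inject forged firewall events into the index. A loopback default, `default: localhost`, makes wider exposure an explicit operator decision. The same value is repeated in modules.d/pensando.yml.disabled and filebeat.reference.yml later in this diff and should change with it. If the listener has to be reachable from the firewall hosts, the module documentation should say to restrict the port to those senders.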
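Review bot: All three sample lines in test.log are TCP `allow` events with `direction` `from-host`, so the `deny` branches (`event.action: denied`, `event.type: ['connection', 'denied']`) and the ICMP branches of the pipeline are never exercised by the golden file. Adding at least one `deny` line and one ICMP line without `srcport`/`destport` would show whether the port-comparison conditions behave when the ports are absent. A line that does not match the grok pattern would also pin what the `on_failure` handler emits.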
@@ -0,0 +1,134 @@ +[ + { + "@timestamp": "2020-12-14T18:41:01.000Z", + "client.ip": "10.29.95.102", + "destination.address": "10.29.95.101", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.dataset": "pensando.dfw", + "event.kind": "event", + "event.module": "pensando", + "event.original": "<14>1 2020-12-14T18:41:01Z esx01-dsc pen-tmagent 1402 - [{\"time\":\"2020-12-14T18:41:01Z\",\"destaddr\":\"10.29.95.101\",\"destport\":80,\"srcaddr\":\"10.29.95.102\",\"srcport\":46554,\"protocol\":\"TCP\",\"action\":\"allow\",\"direction\":\"from-host\",\"rule-id\":5413257681574708646,\"session-id\":6881552,\"session-state\":\"flow_create\"}]", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "allowed" + ], + "fileset.name": "dfw", + "input.type": "log", + "log.offset": 0, + "network.transport": "tcp", + "network.type": "ipv4", + "observer.product": "Distributed Services Platform", + "observer.type": "firewall", + "observer.vendor": "Pensando Systems", + "pensando.dfw.action": "allow", + "pensando.dfw.destination_address": "10.29.95.101", + "pensando.dfw.destination_port": 80, + "pensando.dfw.direction": "from-host", + "pensando.dfw.protocol": "TCP", + "pensando.dfw.rule_id": 5413257681574708646, + "pensando.dfw.session_id": 6881552, + "pensando.dfw.session_state": "flow_create", + "pensando.dfw.source_address": "10.29.95.102", + "pensando.dfw.source_port": 46554, + "rule.id": "5413257681574708646", + "server.ip": "10.29.95.101", + "server.port": "80", + "service.type": "pensando", + "source.address": "10.29.95.102", + "source.port": 46554 + }, + { + "@timestamp": "2020-12-14T18:41:16.000Z", + "client.ip": "10.29.95.102", + "destination.address": "10.29.95.101", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.dataset": "pensando.dfw", + "event.kind": "event", + "event.module": "pensando", + "event.original": "<14>1 
2020-12-14T18:41:16Z esx01-dsc pen-tmagent 1402 - [{\"time\":\"2020-12-14T18:41:16Z\",\"destaddr\":\"10.29.95.101\",\"destport\":80,\"srcaddr\":\"10.29.95.102\",\"srcport\":46594,\"protocol\":\"TCP\",\"action\":\"allow\",\"direction\":\"from-host\",\"rule-id\":5413257681574708646,\"session-id\":6881572,\"session-state\":\"flow_create\"}]", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "allowed" + ], + "fileset.name": "dfw", + "input.type": "log", + "log.offset": 311, + "network.transport": "tcp", + "network.type": "ipv4", + "observer.product": "Distributed Services Platform", + "observer.type": "firewall", + "observer.vendor": "Pensando Systems", + "pensando.dfw.action": "allow", + "pensando.dfw.destination_address": "10.29.95.101", + "pensando.dfw.destination_port": 80, + "pensando.dfw.direction": "from-host", + "pensando.dfw.protocol": "TCP", + "pensando.dfw.rule_id": 5413257681574708646, + "pensando.dfw.session_id": 6881572, + "pensando.dfw.session_state": "flow_create", + "pensando.dfw.source_address": "10.29.95.102", + "pensando.dfw.source_port": 46594, + "rule.id": "5413257681574708646", + "server.ip": "10.29.95.101", + "server.port": "80", + "service.type": "pensando", + "source.address": "10.29.95.102", + "source.port": 46594 + }, + { + "@timestamp": "2020-12-14T18:41:16.000Z", + "client.ip": "10.29.95.102", + "destination.address": "10.29.95.101", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.dataset": "pensando.dfw", + "event.kind": "event", + "event.module": "pensando", + "event.original": "<14>1 2020-12-14T18:41:16Z esx01-dsc pen-tmagent 1402 - [{\"time\":\"2020-12-14T18:41:16Z\",\"destaddr\":\"10.29.95.101\",\"destport\":80,\"srcaddr\":\"10.29.95.102\",\"srcport\":46582,\"protocol\":\"TCP\",\"action\":\"allow\",\"direction\":\"from-host\",\"rule-id\":5413257681574708646,\"session-id\":6881566,\"session-state\":\"flow_create\"}]", + 
"event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "allowed" + ], + "fileset.name": "dfw", + "input.type": "log", + "log.offset": 622, + "network.transport": "tcp", + "network.type": "ipv4", + "observer.product": "Distributed Services Platform", + "observer.type": "firewall", + "observer.vendor": "Pensando Systems", + "pensando.dfw.action": "allow", + "pensando.dfw.destination_address": "10.29.95.101", + "pensando.dfw.destination_port": 80, + "pensando.dfw.direction": "from-host", + "pensando.dfw.protocol": "TCP", + "pensando.dfw.rule_id": 5413257681574708646, + "pensando.dfw.session_id": 6881566, + "pensando.dfw.session_state": "flow_create", + "pensando.dfw.source_address": "10.29.95.102", + "pensando.dfw.source_port": 46582, + "rule.id": "5413257681574708646", + "server.ip": "10.29.95.101", + "server.port": "80", + "service.type": "pensando", + "source.address": "10.29.95.102", + "source.port": 46582 + } +] \ No newline at end of file diff --git a/filebeat/module/pensando/fields.go b/filebeat/module/pensando/fields.go new file mode 100644 index 00000000000..e791a74dfa9 --- /dev/null +++ b/filebeat/module/pensando/fields.go 
@@ -0,0 +1,36 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package pensando + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "pensando", asset.ModuleFieldsPri, AssetPensando); err != nil { + panic(err) + } +} + +// AssetPensando returns asset data. +// This is the base64 encoded gzipped contents of module/pensando. +func AssetPensando() string { + return "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" +} diff --git a/filebeat/module/pensando/module.yml b/filebeat/module/pensando/module.yml new file mode 100644 index 00000000000..ed97d539c09 --- /dev/null +++ b/filebeat/module/pensando/module.yml @@ -0,0 +1 @@ +--- diff --git a/filebeat/modules.d/pensando.yml.disabled b/filebeat/modules.d/pensando.yml.disabled new file mode 100644 index 00000000000..72350a5dcb6 --- /dev/null +++ b/filebeat/modules.d/pensando.yml.disabled 
@@ -0,0 +1,13 @@ +# Module: pensando +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-pensando.html + +- module: pensando +# Firewall logs + dfw: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + # var.paths: diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index c9e00d6993d..17718427099 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1649,6 +1649,18 @@ filebeat.modules: #var.external_zones: +#------------------------------- Pensando Module ------------------------------- +- module: pensando +# Firewall logs + dfw: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + # var.paths: + #------------------------------ PostgreSQL Module ------------------------------ #- module: postgresql # Logs
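Review bot: `- module: pensando` is added to filebeat.reference.yml uncommented and with `enabled: true`, while the neighbouring entry in the same hunk is `#- module: postgresql`; a configuration derived from the reference file would start the UDP listener on `0.0.0.0:9001` without the operator having asked for it. The entry should be commented like its neighbours, starting with `#- module: pensando` and `#enabled: true`. This file looks generated, so the change presumably belongs in the module's config template, which is outside this view.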