From 3f85f3deb44bb27ab46dbfef27d4fe6fffa10fa6 Mon Sep 17 00:00:00 2001 From: Taylor Swanson Date: Wed, 26 Feb 2025 14:09:55 -0600 Subject: [PATCH 1/3] [watchguard_firebox] Support email addresses in 2500-0000 and 2500-0001 events - Support email addresses in 2500-0000 and 2500-0001 events and append email address to related.user --- packages/watchguard_firebox/changelog.yml | 5 + .../_dev/test/pipeline/test-diagnostic.log | 2 + .../test-diagnostic.log-expected.json | 139 ++++++++++++++++++ .../ingest_pipeline/pipeline_diagnostic.yml | 15 +- .../data_stream/log/fields/fields.yml | 2 + packages/watchguard_firebox/docs/README.md | 1 + packages/watchguard_firebox/manifest.yml | 2 +- 7 files changed, 163 insertions(+), 3 deletions(-) diff --git a/packages/watchguard_firebox/changelog.yml b/packages/watchguard_firebox/changelog.yml index c55d415e073..5b886672cdf 100644 --- a/packages/watchguard_firebox/changelog.yml +++ b/packages/watchguard_firebox/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Support email addresses in 2500-0000 and 2500-0001 events. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 - version: "1.1.0" changes: - description: ECS version updated to 8.17.0. diff --git a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log index 374b9b7c9a2..b07f9c2a36f 100644 --- a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log +++ b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log 
@@ -175,5 +175,7 @@
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="021A-0020" IKEv2 IKE_AUTH exchange from 81.2.69.144:500 to 81.2.69.144:500 failed. Gateway-Endpoint='m500-197'. Reason=Received message with the wrong interface IP address 81.2.69.144. Expecting peer to use remote gateway endpoint IP address 81.2.69.144.
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="2500-0000" Mobile VPN with SSL user tsmith logged in. Virtual IP address is 192.168.113.2. Real IP address is 81.2.69.144.
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="2500-0001" Mobile VPN with SSL user tsmith logged off. Virtual IP address is 192.168.113.2.
+<142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="2500-0000" Mobile VPN with SSL user user@example.com logged in. Virtual IP address is 192.168.113.2. Real IP address is 81.2.69.144.
+<142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="2500-0001" Mobile VPN with SSL user user@example.com logged off. Virtual IP address is 192.168.113.2.
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="5B01-0004" Updated Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="5B01-0005" Deleted Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.
\ No newline at end of file
diff --git a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log-expected.json b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log-expected.json
index 336964e6e7e..cc68e52a366 100644
--- a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log-expected.json
+++ b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log-expected.json
@@ -11022,6 +11022,145 @@ } } }, + { + "@timestamp": "2025-05-10T15:19:05.000+05:30", + "destination": { + "ip": "192.168.113.2" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "original": "<142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id=\"2500-0000\" Mobile VPN with SSL user user@example.com logged in. Virtual IP address is 192.168.113.2. Real IP address is 81.2.69.144.", + "outcome": "success", + "timezone": "+05:30", + "type": [ + "start" + ] + }, + "log": { + "syslog": { + "appname": "firewall", + "hostname": "WatchGuard-Firebox", + "priority": 142, + "procid": "10" + } + }, + "message": "Mobile VPN with SSL user user@example.com logged in. Virtual IP address is 192.168.113.2. Real IP address is 81.2.69.144.", + "observer": { + "hostname": "WatchGuard-Firebox", + "product": "Firebox", + "serial_number": "FVE6035FD3AE3", + "type": "firewall", + "vendor": "WatchGuard" + }, + "related": { + "hosts": [ + "WatchGuard-Firebox" + ], + "ip": [ + "192.168.113.2", + "81.2.69.144" + ], + "user": [ + "user@example.com" + ] + }, + "source": { + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "email": "user@example.com" + }, + "watchguard_firebox": { + "log": { + "log_type": "diagnostic", + "msg_id": "2500-0000", + "real_ip_address": "81.2.69.144", + "serial_number": "FVE6035FD3AE3", + "syslog_timestamp": "2025-05-10T15:19:05.000+05:30", + "timestamp": "2024-05-10T09:49:05.000Z", + "user_email": "user@example.com", + "virtual_ip_address": "192.168.113.2", + "vpn_user_type": "Mobile VPN with SSL user" + } + } + }, + { + "@timestamp": "2025-05-10T15:19:05.000+05:30", + "destination": { + "ip": "192.168.113.2" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "original": "<142>May 10 15:19:05 WatchGuard-Firebox 
FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id=\"2500-0001\" Mobile VPN with SSL user user@example.com logged off. Virtual IP address is 192.168.113.2.", + "outcome": "success", + "timezone": "+05:30", + "type": [ + "end" + ] + }, + "log": { + "syslog": { + "appname": "firewall", + "hostname": "WatchGuard-Firebox", + "priority": 142, + "procid": "10" + } + }, + "message": "Mobile VPN with SSL user user@example.com logged off. Virtual IP address is 192.168.113.2.", + "observer": { + "hostname": "WatchGuard-Firebox", + "product": "Firebox", + "serial_number": "FVE6035FD3AE3", + "type": "firewall", + "vendor": "WatchGuard" + }, + "related": { + "hosts": [ + "WatchGuard-Firebox" + ], + "ip": [ + "192.168.113.2" + ], + "user": [ + "user@example.com" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "email": "user@example.com" + }, + "watchguard_firebox": { + "log": { + "log_type": "diagnostic", + "msg_id": "2500-0001", + "serial_number": "FVE6035FD3AE3", + "syslog_timestamp": "2025-05-10T15:19:05.000+05:30", + "timestamp": "2024-05-10T09:49:05.000Z", + "user_email": "user@example.com", + "virtual_ip_address": "192.168.113.2", + "vpn_user_type": "Mobile VPN with SSL user" + } + } + }, { "@timestamp": "2025-05-10T15:19:05.000+05:30", "destination": { diff --git a/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml b/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml index 19b37883f0a..6827a9a5fcd 100644 --- a/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml +++ b/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml 
@@ -600,8 +600,8 @@ processors:
 - grok:
 field: watchguard_firebox.log.body
 patterns:
- - '^%{DATA:watchguard_firebox.log.vpn_user_type} %{WORD:watchguard_firebox.log.user_name} logged in. Virtual IP address is %{IP:watchguard_firebox.log.virtual_ip_address}. Real IP address is %{IP:watchguard_firebox.log.real_ip_address}.$'
- - '^%{DATA:watchguard_firebox.log.vpn_user_type} %{WORD:watchguard_firebox.log.user_name} logged off. Virtual IP address is %{IP:watchguard_firebox.log.virtual_ip_address}.$'
+ - '^%{DATA:watchguard_firebox.log.vpn_user_type} (?:%{USERNAME:watchguard_firebox.log.user_name}|%{EMAILADDRESS:watchguard_firebox.log.user_email}) logged in. Virtual IP address is %{IP:watchguard_firebox.log.virtual_ip_address}. Real IP address is %{IP:watchguard_firebox.log.real_ip_address}.$'
+ - '^%{DATA:watchguard_firebox.log.vpn_user_type} (?:%{USERNAME:watchguard_firebox.log.user_name}|%{EMAILADDRESS:watchguard_firebox.log.user_email}) logged off. Virtual IP address is %{IP:watchguard_firebox.log.virtual_ip_address}.$'
 if: ctx.watchguard_firebox?.log?.msg_id != null && ['2500-0000','2500-0001'].contains(ctx.watchguard_firebox.log.msg_id)
 tag: grok_for_message_id_2500-0000_2500-0001
 ignore_failure: true
@@ -1177,6 +1177,11 @@ processors:
 tag: set_destination_ip_from_log_virtual_ip_address
 copy_from: watchguard_firebox.log.virtual_ip_address
 ignore_empty_value: true
+ - set:
+ field: user.email
+ tag: set_user_email_from_log_user_email
+ copy_from: watchguard_firebox.log.user_email
+ ignore_empty_value: true
 - gsub:
 field: watchguard_firebox.log.mac
 tag: gsub_watchguard_firebox_log_mac
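Review bot: A 2500-0000/2500-0001 login that matches the `EMAILADDRESS` branch of the new grok ends up with only `user.email` set (by the `set_user_email_from_log_user_email` processor in the second hunk), so `user.name` is empty on an authentication start/end event — the expected output added in this series shows exactly that for `user@example.com`, while the plain-username branch presumably still feeds `user.name` elsewhere in the pipeline. Detections and dashboards keyed on `user.name` will therefore not see email-based VPN logins; consider a second `set` mirroring `set_user_email_from_log_user_email` that copies `watchguard_firebox.log.user_email` into `user.name` when `user.name` is still unset, or document that email logins are only reachable via `user.email` and `related.user`. Replacing `WORD` with `USERNAME` also widens the first alternative to names containing `.`, `_` and `-`, which no fixture in this series exercises. Because this grok runs with `ignore_failure: true`, a login name matching neither alternative silently produces an event with no user fields at all, so a dotted or hyphenated username fixture would pin the new behaviour. Minor: the `.` after `logged in`/`logged off` and the trailing `.` in both patterns are unescaped regex wildcards; `\.` would make the literal period explicit.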
@@ -1283,6 +1288,12 @@ processors:
 value: '{{{watchguard_firebox.log.user_name}}}'
 allow_duplicates: false
 if: ctx.watchguard_firebox?.log?.user_name != null
+ - append:
+ field: related.user
+ tag: append_log_user_email_into_related_user
+ value: '{{{watchguard_firebox.log.user_email}}}'
+ allow_duplicates: false
+ if: ctx.watchguard_firebox?.log?.user_email != null
 - date:
 field: watchguard_firebox.log.next_update_time
 target_field: watchguard_firebox.log.next_update_time
diff --git a/packages/watchguard_firebox/data_stream/log/fields/fields.yml b/packages/watchguard_firebox/data_stream/log/fields/fields.yml
index 1ac4dfa27b2..1ee979f01db 100644
--- a/packages/watchguard_firebox/data_stream/log/fields/fields.yml
+++ b/packages/watchguard_firebox/data_stream/log/fields/fields.yml
@@ -608,6 +608,8 @@
 type: keyword
 - name: user_domain
 type: keyword
+ - name: user_email
+ type: keyword
 - name: user_name
 type: keyword
 - name: user_response_time
diff --git a/packages/watchguard_firebox/docs/README.md b/packages/watchguard_firebox/docs/README.md
index e757b331741..3e1f9ac49c3 100644
--- a/packages/watchguard_firebox/docs/README.md
+++ b/packages/watchguard_firebox/docs/README.md
@@ -555,6 +555,7 @@ An example event for `log` looks as following:
 | watchguard_firebox.log.updated_role | | keyword |
 | watchguard_firebox.log.user_auth_protocol | | keyword |
 | watchguard_firebox.log.user_domain | | keyword |
+| watchguard_firebox.log.user_email | | keyword |
 | watchguard_firebox.log.user_name | | keyword |
 | watchguard_firebox.log.user_response_time | | date |
 | watchguard_firebox.log.user_type | | keyword |
diff --git a/packages/watchguard_firebox/manifest.yml b/packages/watchguard_firebox/manifest.yml
index 4c94474e4bc..2fdf7cd9f9b 100644
--- a/packages/watchguard_firebox/manifest.yml
+++ b/packages/watchguard_firebox/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.4
 name: watchguard_firebox
 title: WatchGuard Firebox
-version: "1.1.0"
+version: "1.2.0"
 description: Collect logs from WatchGuard Firebox with Elastic Agent.
 type: integration
 categories:
From c115021be3334941da3fe6fb5468abf071025dac Mon Sep 17 00:00:00 2001
From: Taylor Swanson
Date: Wed, 26 Feb 2025 14:16:19 -0600
Subject: [PATCH 2/3] changelog
---
 packages/watchguard_firebox/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/watchguard_firebox/changelog.yml b/packages/watchguard_firebox/changelog.yml
index 5b886672cdf..dee00e50899 100644
--- a/packages/watchguard_firebox/changelog.yml
+++ b/packages/watchguard_firebox/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Support email addresses in 2500-0000 and 2500-0001 events.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/12909
 - version: "1.1.0"
 changes:
 - description: ECS version updated to 8.17.0.
From 69508f83baf5aeaddeacdb6b8b5ca45912d7c023 Mon Sep 17 00:00:00 2001
From: Taylor Swanson
Date: Thu, 27 Feb 2025 14:42:05 -0600
Subject: [PATCH 3/3] add watchguard_firebox.log.user_email to remove list
---
 .../log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml b/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml
index 6827a9a5fcd..df7e04de32d 100644
--- a/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml
+++ b/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml
@@ -1347,6 +1347,7 @@ processors:
 - watchguard_firebox.log.server_name
 - watchguard_firebox.log.source_ip
 - watchguard_firebox.log.source_port
+ - watchguard_firebox.log.user_email
 - watchguard_firebox.log.user_name
 - watchguard_firebox.log.virtual_ip_address
 tag: remove_custom_duplicate_fields