diff --git a/x-pack/filebeat/module/sophos/utm/config/pipeline.js b/x-pack/filebeat/module/sophos/utm/config/pipeline.js
index 47802f0ee26..bc98b46c817 100644
--- a/x-pack/filebeat/module/sophos/utm/config/pipeline.js
+++ b/x-pack/filebeat/module/sophos/utm/config/pipeline.js
@@ -169,11 +169,11 @@ var dup46 = lookup({
 key: dup15,
 });
 
-var hdr1 = match("HEADER#0:0001", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([
+var hdr1 = match("HEADER#0:0001", "message", "%{hfld1->} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([
 setc("header_id","0001"),
 ]));
 
-var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([
+var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([
 setc("header_id","0002"),
 ]));
 
diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log b/x-pack/filebeat/module/sophos/utm/test/generated.log
index 65a20d4f428..cb9fa97790b 100644
--- a/x-pack/filebeat/module/sophos/utm/test/generated.log
+++ b/x-pack/filebeat/module/sophos/utm/test/generated.log
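Review bot: The two header patterns now differ only by the `%{hostname->}` token, and the bare form (now `hdr2`, `%{hfld1->} %{messageid}[%{process_id}]: %{payload}`) presumably also matches a host-bearing line by absorbing `<host> <process>` into `messageid`, which looks to be what the swap fixes; so `hdr1` being tried first is load-bearing, and nothing in the hunk says so. A comment above `hdr1` such as `// Keep the hostname-bearing header ahead of the bare "<ts> <process>[pid]:" one: the bare pattern also matches host-bearing lines and would leave "<host> <process>" in messageid.` would stop a later regeneration or reordering from silently reverting it. The list that tries the headers is outside the hunk, so this assumes it is consulted in declaration order. Note also that `header_id` 0001 now tags the hostname form rather than the bare one, so anything outside this hunk that keys on that id should be checked. If pipeline.js is produced by a generator, the comment belongs in the generator's input as well.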
@@ -1,9 +1,9 @@
-2016:1:29-06:09:59 smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'
+2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'
 2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu
 2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin
 2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq
 2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations
-2016:4:9-17:22:51 smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'
+2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'
 2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff
 2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port!
 2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode
diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
index 81d0d6c506a..efb44a7b666 100644
--- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
@@ -4,16 +4,23 @@ "event.code": "smtpd", "event.dataset": "sophos.utm", "event.module": "sophos", - "event.original": "2016:1:29-06:09:59 smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'", + "event.original": "2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'", "fileset.name": "utm", + "host.name": "localhost.localdomain", "input.type": "log", "log.offset": 0, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 905, + "related.hosts": [ + "localhost.localdomain" + ], "rsa.internal.event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", "rsa.internal.messageid": "smtpd", + "rsa.network.alias_host": [ + "localhost.localdomain" + ], "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "sophos", "tags": [ @@ -41,7 +48,7 @@ "http.request.referrer": "https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac", "input.type": "log", "log.level": "medium", - "log.offset": 99, + "log.offset": 121, "observer.egress.interface.name": "enp0s7084", "observer.ingress.interface.name": "enp0s7281", "observer.product": "UTM", @@ -119,7 +126,7 @@ "http.request.referrer": "https://api.example.com/utla/utei.htm?oei=tlabori#oin", "input.type": "log", "log.level": "medium", - "log.offset": 1448, + "log.offset": 1470, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -153,7 +160,7 @@ "host.name": "data4478.api.lan", "input.type": "log", "log.level": "very-high", - "log.offset": 1708, + "log.offset": 1730, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -200,7 +207,7 @@ "host.name": "ctetura3009.www5.corp", "input.type": "log", "log.level": "medium", - "log.offset": 1988, + "log.offset": 2010, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -228,16 +235,23 @@ "event.code": "smtpd", "event.dataset": "sophos.utm", "event.module": "sophos", - "event.original": "2016:4:9-17:22:51 smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", + "event.original": "2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", "fileset.name": "utm", + "host.name": "localhost", "input.type": "log", - "log.offset": 2125, + "log.offset": 2147, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1411, + "related.hosts": [ + "localhost" + ], "rsa.internal.event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", "rsa.internal.messageid": "smtpd", + "rsa.network.alias_host": [ + "localhost" + ], "rsa.time.event_time": "2016-04-09T19:22:51.000Z", "service.type": "sophos", "tags": [ @@ -253,7 +267,7 @@ "event.original": "2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff", "fileset.name": "utm", "input.type": "log", - "log.offset": 2224, + "log.offset": 2256, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -280,7 +294,7 @@ "host.name": "ptasnu6684.mail.lan", "input.type": "log", "log.level": "low", - "log.offset": 2295, + "log.offset": 2327, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -315,7 +329,7 @@ "fileset.name": "utm", "host.name": "ssecillu7166.internal.lan", "input.type": "log", - "log.offset": 2478, + "log.offset": 2510, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -344,7 +358,7 @@ "host.name": "ore5643.api.lan", "input.type": "log", "log.level": "high", - "log.offset": 2558, + "log.offset": 2590, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -376,7 +390,7 @@ "host.name": "ciun39.localdomain", "input.type": "log", "log.level": "high", - "log.offset": 2711, + "log.offset": 2743, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -409,7 +423,7 @@ "host.name": "atatnon6064.www.invalid", "input.type": "log", "log.level": "low", - "log.offset": 2887, + "log.offset": 2919, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -441,7 +455,7 @@ "host.name": "gitse2463.www5.invalid", "input.type": "log", "log.level": "low", - "log.offset": 3026, + "log.offset": 3058, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -476,7 +490,7 @@ "event.original": "2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed", "fileset.name": "utm", "input.type": "log", - "log.offset": 3197, + "log.offset": 3229, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -499,7 +513,7 @@ "fileset.name": "utm", "host.name": "oriosam6277.mail.localdomain", "input.type": "log", - "log.offset": 3278, + "log.offset": 3310, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -533,7 +547,7 @@ "host.name": "ptate3830.internal.localhost", "input.type": "log", "log.level": "high", - "log.offset": 3363, + "log.offset": 3395, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -565,7 +579,7 @@ "host.name": "nvo6105.invalid", "input.type": "log", "log.level": "medium", - "log.offset": 3542, + "log.offset": 3574, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -597,7 +611,7 @@ "event.original": "2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully", "fileset.name": "utm", "input.type": "log", - "log.offset": 3665, + "log.offset": 3697, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -622,7 +636,7 @@ "host.name": "edic2758.api.domain", "input.type": "log", "log.level": "medium", - "log.offset": 3743, + "log.offset": 3775, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -668,7 +682,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "high", - "log.offset": 4032, + "log.offset": 4064, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -698,7 +712,7 @@ "event.original": "2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195.", "fileset.name": "utm", "input.type": "log", - "log.offset": 4201, + "log.offset": 4233, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -727,7 +741,7 @@ "host.name": "ectobeat3157.mail.local", "input.type": "log", "log.level": "low", - "log.offset": 4278, + "log.offset": 4310, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -763,7 +777,7 @@ "host.name": "ident2323.internal.corp", "input.type": "log", "log.level": "high", - "log.offset": 4428, + "log.offset": 4460, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -798,7 +812,7 @@ "fileset.name": "utm", "host.name": "ttenb4581.www.host", "input.type": "log", - "log.offset": 4630, + "log.offset": 4662, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -826,7 +840,7 @@ "fileset.name": "utm", "host.name": "lapari5763.api.invalid", "input.type": "log", - "log.offset": 4725, + "log.offset": 4757, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -863,7 +877,7 @@ "host.name": "elites4713.www.localhost", "input.type": "log", "log.level": "very-high", - "log.offset": 4802, + "log.offset": 4834, "observer.egress.interface.name": "lo272", "observer.ingress.interface.name": "lo6086", "observer.product": "UTM", 
@@ -914,7 +928,7 @@ "host.name": "sam1795.invalid", "input.type": "log", "log.level": "low", - "log.offset": 5194, + "log.offset": 5226, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -948,7 +962,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "high", - "log.offset": 5332, + "log.offset": 5364, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1001,7 +1015,7 @@ "http.request.referrer": "https://example.com/taliqui/idi.txt?undeomn=ape#itaspe", "input.type": "log", "log.level": "high", - "log.offset": 5594, + "log.offset": 5626, "observer.egress.interface.name": "lo6683", "observer.ingress.interface.name": "lo1543", "observer.product": "UTM", @@ -1081,7 +1095,7 @@ "host.name": "xeaco7887.www.localdomain", "input.type": "log", "log.level": "very-high", - "log.offset": 6963, + "log.offset": 6995, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1117,7 +1131,7 @@ "event.original": "2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"iscivel3512.invalid\"] [uri \"atcupi\"] [unique_id \"eriti\"]", "fileset.name": "utm", "input.type": "log", - "log.offset": 7142, + "log.offset": 7174, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1144,7 +1158,7 @@ "event.original": "2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running", "fileset.name": "utm", "input.type": "log", - "log.offset": 7446, + "log.offset": 7478, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -1169,7 +1183,7 @@ "fileset.name": "utm", "host.name": "dolor5799.home", "input.type": "log", - "log.offset": 7505, + "log.offset": 7537, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1199,7 +1213,7 @@ "http.request.referrer": "https://example.com/adeser/mSe.gif?aute=rchite#rcit", "input.type": "log", "log.level": "low", - "log.offset": 7592, + "log.offset": 7624, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1238,7 +1252,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "very-high", - "log.offset": 7885, + "log.offset": 7917, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1264,7 +1278,7 @@ "host.name": "autodit272.www.localhost", "input.type": "log", "log.level": "very-high", - "log.offset": 7988, + "log.offset": 8020, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1296,7 +1310,7 @@ "host.name": "rporis6787.www5.localdomain", "input.type": "log", "log.level": "low", - "log.offset": 8158, + "log.offset": 8190, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1334,7 +1348,7 @@ "fileset.name": "utm", "host.name": "reprehe5661.www.lan", "input.type": "log", - "log.offset": 8337, + "log.offset": 8369, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1367,7 +1381,7 @@ "fileset.name": "utm", "host.name": "sequatD163.internal.example", "input.type": "log", - "log.offset": 8611, + "log.offset": 8643, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1402,7 +1416,7 @@ "fileset.name": "utm", "host.name": "elillu5777.www5.lan", "input.type": "log", - "log.offset": 8742, + "log.offset": 8774, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -1434,7 +1448,7 @@ "fileset.name": "utm", "host.name": "ecatcup3022.mail.invalid", "input.type": "log", - "log.offset": 8878, + "log.offset": 8910, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1463,7 +1477,7 @@ "fileset.name": "utm", "host.name": "qui7797.www.host", "input.type": "log", - "log.offset": 8951, + "log.offset": 8983, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1493,7 +1507,7 @@ "http.request.referrer": "https://example.org/tquov/natu.jpg?uianonnu=por#nve", "input.type": "log", "log.level": "high", - "log.offset": 9045, + "log.offset": 9077, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1524,7 +1538,7 @@ "event.original": "2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running", "fileset.name": "utm", "input.type": "log", - "log.offset": 9280, + "log.offset": 9312, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1551,7 +1565,7 @@ "http.request.referrer": "https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", "input.type": "log", "log.level": "high", - "log.offset": 9340, + "log.offset": 9372, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1584,7 +1598,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "high", - "log.offset": 9571, + "log.offset": 9603, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1625,7 +1639,7 @@ "event.original": "2017:11:16-18:08:15 named[1900]: reloading eddoei iono", "fileset.name": "utm", "input.type": "log", - "log.offset": 9846, + "log.offset": 9878, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -1653,7 +1667,7 @@ "host.name": "obeatae2042.www.domain", "input.type": "log", "log.level": "low", - "log.offset": 9901, + "log.offset": 9933, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1687,7 +1701,7 @@ "fileset.name": "utm", "host.name": "aerat1267.www5.example", "input.type": "log", - "log.offset": 10086, + "log.offset": 10118, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1717,7 +1731,7 @@ "host.name": "writt2238.internal.localdomain", "input.type": "log", "log.level": "low", - "log.offset": 10155, + "log.offset": 10187, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1750,7 +1764,7 @@ "host.name": "siutaliq4937.api.lan", "input.type": "log", "log.level": "very-high", - "log.offset": 10351, + "log.offset": 10383, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1782,7 +1796,7 @@ "event.original": "2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco", "fileset.name": "utm", "input.type": "log", - "log.offset": 10535, + "log.offset": 10567, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1819,7 +1833,7 @@ "http.request.referrer": "https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi", "input.type": "log", "log.level": "low", - "log.offset": 10609, + "log.offset": 10641, "observer.egress.interface.name": "eth965", "observer.ingress.interface.name": "lo1255", "observer.product": "UTM", @@ -1898,7 +1912,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "medium", - "log.offset": 11911, + "log.offset": 11943, "observer.egress.interface.name": "eth6357", "observer.ingress.interface.name": "lo7088", "observer.product": "UTM", 
@@ -1945,7 +1959,7 @@ "host.name": "ectob5542.www5.corp", "input.type": "log", "log.level": "high", - "log.offset": 12298, + "log.offset": 12330, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -1993,7 +2007,7 @@ "http.request.referrer": "https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo", "input.type": "log", "log.level": "high", - "log.offset": 12470, + "log.offset": 12502, "observer.egress.interface.name": "lo4358", "observer.ingress.interface.name": "lo3680", "observer.product": "UTM", @@ -2088,7 +2102,7 @@ "http.request.referrer": "https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria", "input.type": "log", "log.level": "low", - "log.offset": 13825, + "log.offset": 13857, "observer.egress.interface.name": "lo2179", "observer.ingress.interface.name": "enp0s566", "observer.product": "UTM", @@ -2165,7 +2179,7 @@ "host.name": "iscing6960.api.invalid", "input.type": "log", "log.level": "very-high", - "log.offset": 15157, + "log.offset": 15189, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2200,7 +2214,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "low", - "log.offset": 15301, + "log.offset": 15333, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2238,7 +2252,7 @@ "fileset.name": "utm", "host.name": "iavolu7814.www5.localhost", "input.type": "log", - "log.offset": 15644, + "log.offset": 15676, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2282,7 +2296,7 @@ "http.request.referrer": "https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol", "input.type": "log", "log.level": "low", - "log.offset": 15741, + "log.offset": 15773, "observer.egress.interface.name": "lo2114", "observer.ingress.interface.name": "enp0s3792", "observer.product": "UTM", 
@@ -2357,7 +2371,7 @@ "event.original": "2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274", "fileset.name": "utm", "input.type": "log", - "log.offset": 17056, + "log.offset": 17088, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2387,7 +2401,7 @@ "http.request.referrer": "https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", "input.type": "log", "log.level": "medium", - "log.offset": 17118, + "log.offset": 17150, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2421,7 +2435,7 @@ "host.name": "nsecte3644.internal.test", "input.type": "log", "log.level": "high", - "log.offset": 17338, + "log.offset": 17370, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2453,7 +2467,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "very-high", - "log.offset": 17488, + "log.offset": 17520, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2494,7 +2508,7 @@ "fileset.name": "utm", "host.name": "econseq7119.www.home", "input.type": "log", - "log.offset": 17764, + "log.offset": 17796, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2524,7 +2538,7 @@ "http.request.referrer": "https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", "input.type": "log", "log.level": "high", - "log.offset": 17861, + "log.offset": 17893, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2556,7 +2570,7 @@ "event.original": "2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx", "fileset.name": "utm", "input.type": "log", - "log.offset": 18090, + "log.offset": 18122, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -2593,7 +2607,7 @@ "http.request.referrer": "https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid", "input.type": "log", "log.level": "medium", - "log.offset": 18173, + "log.offset": 18205, "observer.egress.interface.name": "lo3615", "observer.ingress.interface.name": "eth65", "observer.product": "UTM", @@ -2678,7 +2692,7 @@ "host.name": "itametc1599.api.test", "input.type": "log", "log.level": "low", - "log.offset": 19485, + "log.offset": 19517, "observer.egress.interface.name": "enp0s1164", "observer.ingress.interface.name": "eth2679", "observer.product": "UTM", @@ -2728,7 +2742,7 @@ "fileset.name": "utm", "host.name": "tiumt5462.mail.localhost", "input.type": "log", - "log.offset": 19882, + "log.offset": 19914, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2756,7 +2770,7 @@ "fileset.name": "utm", "host.name": "vol1450.internal.host", "input.type": "log", - "log.offset": 19962, + "log.offset": 19994, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2788,7 +2802,7 @@ "event.original": "2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -> reinit of ipsec interface", "fileset.name": "utm", "input.type": "log", - "log.offset": 20054, + "log.offset": 20086, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2812,7 +2826,7 @@ "host.name": "rporissu573.api.test", "input.type": "log", "log.level": "very-high", - "log.offset": 20173, + "log.offset": 20205, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2846,7 +2860,7 @@ "fileset.name": "utm", "host.name": "nostru774.corp", "input.type": "log", - "log.offset": 20324, + "log.offset": 20356, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -2876,7 +2890,7 @@ "event.original": "2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -> reinit of ipsec interface", "fileset.name": "utm", "input.type": "log", - "log.offset": 20409, + "log.offset": 20441, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2901,7 +2915,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "medium", - "log.offset": 20527, + "log.offset": 20559, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2941,7 +2955,7 @@ "host.name": "sum2208.host", "input.type": "log", "log.level": "medium", - "log.offset": 20882, + "log.offset": 20914, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -2973,7 +2987,7 @@ "host.name": "ore6843.local", "input.type": "log", "log.level": "medium", - "log.offset": 21065, + "log.offset": 21097, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3007,7 +3021,7 @@ "host.name": "Sedu1610.mail.corp", "input.type": "log", "log.level": "medium", - "log.offset": 21209, + "log.offset": 21241, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3045,7 +3059,7 @@ "host.name": "corpo6737.example", "input.type": "log", "log.level": "very-high", - "log.offset": 21386, + "log.offset": 21418, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3076,7 +3090,7 @@ "event.original": "2019:4:1-00:38:14 pop3proxy[6854]: Master started", "fileset.name": "utm", "input.type": "log", - "log.offset": 21547, + "log.offset": 21579, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3099,7 +3113,7 @@ "fileset.name": "utm", "host.name": "eratvol314.www.home", "input.type": "log", - "log.offset": 21597, + "log.offset": 21629, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -3130,7 +3144,7 @@ "host.name": "utemvele1838.mail.test", "input.type": "log", "log.level": "high", - "log.offset": 21662, + "log.offset": 21694, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3171,7 +3185,7 @@ "host.name": "ulapari2656.local", "input.type": "log", "log.level": "very-high", - "log.offset": 21931, + "log.offset": 21963, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3204,7 +3218,7 @@ "http.request.referrer": "https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", "input.type": "log", "log.level": "very-high", - "log.offset": 22082, + "log.offset": 22114, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3230,7 +3244,7 @@ "event.original": "2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul", "fileset.name": "utm", "input.type": "log", - "log.offset": 22301, + "log.offset": 22333, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3256,7 +3270,7 @@ "event.original": "2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 \"econse\" #otamr", "fileset.name": "utm", "input.type": "log", - "log.offset": 22371, + "log.offset": 22403, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3284,7 +3298,7 @@ "host.name": "stla2856.host", "input.type": "log", "log.level": "very-high", - "log.offset": 22458, + "log.offset": 22490, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3317,7 +3331,7 @@ "host.name": "peri6748.www5.domain", "input.type": "log", "log.level": "high", - "log.offset": 22597, + "log.offset": 22629, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -3351,7 +3365,7 @@ "host.name": "tnon5442.internal.test", "input.type": "log", "log.level": "very-high", - "log.offset": 22774, + "log.offset": 22806, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3388,7 +3402,7 @@ "http.request.referrer": "https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", "input.type": "log", "log.level": "very-high", - "log.offset": 22905, + "log.offset": 22937, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3424,7 +3438,7 @@ "host.name": "imv1805.api.host", "input.type": "log", "log.level": "very-high", - "log.offset": 23130, + "log.offset": 23162, "observer.egress.interface.name": "lo3422", "observer.ingress.interface.name": "lo4665", "observer.product": "UTM", @@ -3476,7 +3490,7 @@ "host.name": "rita600.www5.localdomain", "input.type": "log", "log.level": "high", - "log.offset": 23536, + "log.offset": 23568, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3511,7 +3525,7 @@ "event.original": "2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq", "fileset.name": "utm", "input.type": "log", - "log.offset": 23718, + "log.offset": 23750, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3535,7 +3549,7 @@ "host.name": "admini1122.www.local", "input.type": "log", "log.level": "very-high", - "log.offset": 23797, + "log.offset": 23829, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3574,7 +3588,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "low", - "log.offset": 24004, + "log.offset": 24036, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", 
@@ -3615,7 +3629,7 @@ "fileset.name": "utm", "host.name": "emvel4391.localhost", "input.type": "log", - "log.offset": 24284, + "log.offset": 24316, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3643,7 +3657,7 @@ "fileset.name": "utm", "input.type": "log", "log.level": "high", - "log.offset": 24381, + "log.offset": 24413, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", @@ -3668,7 +3682,7 @@ "fileset.name": "utm", "host.name": "untinc5531.www5.test", "input.type": "log", - "log.offset": 24475, + "log.offset": 24507, "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos",