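filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    enabled: false

setup.ilm.enabled: false
setup.template.enabled: false
setup.dashboards.enabled: false

# Notes:
#
# - Field _ is an internal object used to pass the ES index and pipeline to
#   the output. This is because these can be set dynamically but only from
#   field values. Unfortunately it cannot be dropped before output, so it
#   should be dropped on ES at ingest time (e.g. a `remove` processor in the
#   ingest pipeline); otherwise `_` ends up indexed alongside the event.
#
# - Field _.pipeline is referenced by output.elasticsearch below but is never
#   set by any processor in this file, so the `:` default (no pipeline) is
#   what currently applies.
#
# - Field tmp holds temporary stuff and is dropped before output.
#
# - Credentials: ES_USER / ES_PWD are read from the Filebeat keystore
#   (`filebeat keystore add ES_USER` / `filebeat keystore add ES_PWD`) or the
#   environment. Nothing secret is kept in this file.

filebeat.inputs:
  # Live input from SMC.
  # SECURITY: this is plain TCP syslog with no TLS and no client
  # authentication, so any host that can reach port 3514 can inject or spoof
  # events. Limit the source to the SMC address(es) with a host firewall or
  # network ACL, or enable `ssl` on this input if the SMC can send TLS syslog.
  - type: tcp
    host: 0.0.0.0:3514
    line_delimiter: "\n"
    max_connections: 20
    timeout: 300s
    fields: { _.input: tcp_raw }
    fields_under_root: true
    enabled: true

  # Input for reinjecting old logs exported from the SMC,
  # eg: cat export.log > /dev/tcp/127.0.0.1/4514
  # Bound to loopback only: the documented use is local reinjection, and an
  # all-interfaces bind would let any remote writer push arbitrary events into
  # the *-rj index with no authentication.
  - type: tcp
    host: 127.0.0.1:4514
    line_delimiter: "\n"
    max_connections: 20
    timeout: 300s
    fields: { _.input: tcp_raw_rj }
    fields_under_root: true
    enabled: true

processors:
  # Add ECS field event.created to current time, assume it is the reception
  # time for this agent, in contrast with @timestamp, which is supposed to be
  # the time reported by the source.
  - script:
      lang: javascript
      file: scripts/event-created.js

  # This condition should be removed if input is only CEF,
  # you save one regex.
  - if:
      regexp.message: "^(<[0-9]+>)?CEF:"
    then:
      - rename:
          ignore_missing: true
          fields:
            - { from: "message", to: "event.original" }
      - decode_cef:
          field: event.original
          ecs: true
      - if:
          and:
            - equals.observer.vendor: FORCEPOINT
            - equals.observer.product: Firewall
        then:
          # Forcepoint timestamps do not contain the timezone, assume ${TZ}
          # from the environment. Reparse the date because we were not able
          # to alter the @timestamp field parsed by the CEF decoder.
          - script:
              lang: javascript
              file: scripts/set-cef-rt-to-tmp-timestamp.js
          # Could not modify the @timestamp field parsed by the CEF decoder.
          # This may be due to the fact that it is typed as date internally.
          - timestamp:
              when.has_fields: [ "tmp.timestamp" ]
              field: tmp.timestamp
              target_field: "@timestamp"
              timezone: ${TZ}
              layouts: [ "Jan _2 2006 15:04:05" ]
              test:
                - "Mar 25 2020 17:19:04"
                - "Mar 05 2020 17:19:04"
                - "Mar 5 2020 17:19:04"
                - "Mar 5 2020 17:19:04"
          - rename:
              ignore_missing: true
              fields:
                # Fields parsed from CEF that were not recognized with an ECS
                # equivalent or where the ECS equivalent does not fit well enough
                - { from: "cef.extensions.deviceFacility", to: "forcepoint.facility" }  # non-standard
                - { from: "cef.name", to: "forcepoint.situation" }  # non-standard
                - { from: "cef.extensions.deviceEventCategory", to: "forcepoint.situation_type" }  # non-standard
                - { from: "cef.extensions.deviceCustomString1", to: "rule.id" }
                - { from: "cef.extensions.deviceCustomString2", to: "rule.nat.id" }  # non-standard
                - { from: "cef.extensions.deviceExternalId", to: "observer.name" }
                - { from: "cef.extensions.deviceInboundInterface", to: "observer.ingress.interface.id" }
                - { from: "cef.extensions.deviceOutboundInterface", to: "observer.egress.interface.id" }
                - { from: "cef.extensions.requestURL", to: "url.domain" }  # seen domains only so far
                # Fields not properly named according to ECS
                - { from: "network.transport", to: "network.iana_number" }
          # The CEF header name, initially parsed as cef.name, is mapped to
          # ECS field message. Problem is that CEF extension msg, initially
          # parsed as cef.extensions.message, is also mapped to the ECS field
          # message.
          # To fix it:
          # - cef.name goes to non-standard field forcepoint.situation
          #   (rename above)
          # - ECS message is kept only if cef.extensions.message was set
          - drop_fields:
              when.not.has_fields: [ "cef.extensions.message" ]
              ignore_missing: true
              fields: [ "message" ]
          # Set network.transport from network.iana_number
          - script:
              lang: javascript
              file: scripts/iana-proto-num2name.js
          # When reinjecting old logs exported from the SMC,
          # CEF field act=Discard is missing
          - add_fields:
              when.and:
                - not.has_fields: [ "event.action" ]
                - equals.forcepoint.situation: "Connection_Discarded"
              target: event
              fields:
                action: Discard
          - add_fields:
              target: "_"
              fields:
                index: ecs-forcepoint-firewall

  # Drop useless fields
  - drop_fields:
      ignore_missing: true
      fields: [ "tmp", "agent", "cef", "ecs", "event.original", "host", "input", "log" ]

  # Default index
  - add_fields:
      when.not.has_fields: [ "_.index" ]
      target: "_"
      fields:
        index: ecs-default

  # Append -rj to index if coming from the reinject input
  - script:
      when.equals:
        _.input: tcp_raw_rj
      lang: javascript
      file: scripts/set-index-rj.js

# Debug output: dumps full events (the raw firewall logs) to RAM-backed
# tmpfs. Keep disabled outside troubleshooting; the file itself is 0600 but
# /dev/shm is a shared, world-listable directory.
output.file:
  path: /dev/shm
  filename: filebeat-output-debug.log
  rotate_every_kb: 10240
  number_of_files: 3
  permissions: 0600
  enabled: false

output.elasticsearch:
  hosts: [ "zelk1:9200", "zelk2:9200", "zelk3:9200" ]
  protocol: https
  # Private CA; the default verification_mode (full) is relied on, do not
  # relax it to `none`.
  ssl.certificate_authorities: ${path.config}/zca.crt
  # Pulled from the keystore / environment (see Notes). Filebeat refuses to
  # start if either is unset, which is the intended fail-closed behaviour.
  # Prefer a dedicated user whose role is limited to creating/writing the
  # ecs-* indices plus monitoring, rather than the `elastic` superuser.
  username: ${ES_USER}
  password: ${ES_PWD}
  index: "%{[_.index]}"
  pipeline: "%{[_.pipeline]:}"
  enabled: true

monitoring.enabled: true
http.enabled: false

logging.level: info
logging.to_stderr: false
logging.to_files: true
logging.files:
  path: ${path.logs}
  name: filebeat.log
  rotateeverybytes: 5242880
  keepfiles: 3
  rotateonstartup: false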