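---
name: decoder/f5-afm/0

# NOTE(review): the hosting page flagged this file for hidden/bidirectional
# Unicode. Inspect the raw bytes before importing it -- an invisible character
# inside a logpar pattern or a field name silently changes what matches.

metadata:
  module: F5
  title: F5 AFM Decoder
  description: Decodes F5 BIG-IP Advanced Firewall Manager logs
  compatibility: >
    New Wazuh Engine
  author:
    name: Wazuh, Inc.
    date: 2023/01/10
  references:
    - TBD

sources:
  - decoder/queue-syslog/0
  - decoder/queue-localfile/0

parse:
  logpar:
    # Sample (values look synthetic -- confirm separators and quoting against
    # real appliance output before relying on the key=value split below):
    # iusm modtempo olab6078.home olaboris tur itv [F5@odoco acl_policy_name=ria acl_policy_type=min acl_rule_name=ite action=Closed hostname=tatemac3541.api.corp bigip_mgmt_ip=10.228.193.207 context_name=liqua context_type=ciade date_time=Jan 29 2016 06:09:59 dest_ip=10.125.114.51 dst_geo=umq dest_port=2288 device_product=pexe device_vendor=nes device_version=1.2262 drop_reason=reveri errdefs_msgno=boNemoe errdefs_msg_name=equepor flow_id=eni ip_protocol=ipv6 severity=low partition_name=ehend route_domain=ritquiin sa_translation_pool=umqui sa_translation_type=reeufugi source_ip=10.208.121.85 src_geo=sperna source_port=884 source_user=billoi translated_dest_ip=10.165.201.71 translated_dest_port=6153 translated_ip_protocol=tatemU translated_route_domain=deF translated_source_ip=10.11.196.142 translated_source_port=5222 translated_vlan=iatnu vlan=3810
    #
    # The text after "F5@<id>" is captured in two halves around date_time so the
    # timestamp can be parsed in place. @timestamp therefore comes from the
    # message body (device-reported, no timezone in the format string), not
    # from ingest time -- keep that in mind when correlating across devices.
    - event.original: <~>F5@<~tmp> <~kv1> date_time=<@timestamp/%b %d %Y %H:%M:%S> <~kv2>

normalize:
  - map:
      # Re-join the two halves and split on '=' (key/value) and ' ' (pair),
      # with ' as quote character. An unquoted space inside a value would be
      # read as a new key, so the separator/quote choice must match what the
      # appliance emits.
      - ~kv: +s_concat/$~kv1/ /$~kv2
      - ~kvMap: +parse_kv/$~kv/=/ /'/'
      - destination.geo.country_name: $~kvMap.dst_geo
      # Fix: dest_ip was never mapped, so the destination address of every
      # AFM event (the peer the firewall decision was made for) was dropped.
      - destination.ip: $~kvMap.dest_ip
      - destination.nat.ip: $~kvMap.translated_dest_ip
      - destination.nat.port: $~kvMap.translated_dest_port
      - destination.port: $~kvMap.dest_port
      - event.action: $~kvMap.action
      - event.code: $~kvMap.errdefs_msgno
      - event.dataset: f5.bigipafm
      - event.module: f5
      # event.provider is not set anywhere in this decoder; presumably it is
      # populated by the queue-syslog/queue-localfile parent -- confirm.
      - event.provider: +ef_delete
      - fileset.name: bigipafm
      - host.ip: $~kvMap.bigip_mgmt_ip
      - host.name: $~kvMap.hostname
      - input.type: log
      - log.level: $~kvMap.severity
      - network.protocol: $~kvMap.ip_protocol
      - observer.product: $~kvMap.device_product
      - observer.type: Firewall
      - observer.vendor: F5
      - observer.version: $~kvMap.device_version
      - related.hosts: +a_append/$~kvMap.hostname
      - related.ip: +a_append/$~kvMap.bigip_mgmt_ip
      # Fix: dest_ip is now part of related.ip so IP-based pivots see both ends.
      - related.ip: +a_append/$~kvMap.dest_ip
      - related.ip: +a_append/$~kvMap.source_ip
      - related.ip: +a_append/$~kvMap.translated_dest_ip
      - related.ip: +a_append/$~kvMap.translated_source_ip
      - related.user: +a_append/$~kvMap.source_user
      - rsa.internal.messageid: BIGIP_AFM
      - rsa.investigations.ec_activity: "Disable"
      - rsa.investigations.ec_subject: "NetworkComm"
      - rsa.investigations.ec_theme: "Communication"
      - rsa.misc.action: +a_append/$~kvMap.action
      - rsa.misc.context: $~kvMap.context_name
      - rsa.misc.event_type: $~kvMap.errdefs_msg_name
      # ~tmp is the token captured right after "F5@" in the header.
      - rsa.misc.obj_name: $~tmp
      - rsa.misc.policy_name: $~kvMap.acl_policy_name
      - rsa.misc.rule_name: $~kvMap.acl_rule_name
      - rsa.misc.severity: $~kvMap.severity
      - rsa.misc.version: $~kvMap.device_version
      - rsa.network.alias_host: +a_append/$~kvMap.hostname
      - rsa.network.vlan: $~kvMap.vlan
      - rsa.time.event_time_str: $@timestamp
      - rule.name: $~kvMap.acl_rule_name
      - service.type: f5
      - source.geo.country_name: $~kvMap.src_geo
      - source.ip: $~kvMap.source_ip
      - source.nat.ip: $~kvMap.translated_source_ip
      - source.nat.port: $~kvMap.translated_source_port
      - source.port: $~kvMap.source_port
      - tags: +a_append/$event.dataset
      - tags: +a_append/forwarded
      - user.name: $~kvMap.source_user
      # Drop the working fields so they do not end up in the stored event.
      - ~kv1: +ef_delete
      - ~kv2: +ef_delete
      - ~kv: +ef_delete
      - ~kvMap: +ef_delete
      - ~tmp: +ef_delete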
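---
name: decoder/f5-apm-own/0

# NOTE(review): the hosting page flagged this file for hidden/bidirectional
# Unicode. Inspect the raw bytes before importing it -- an invisible character
# inside a logpar pattern or a field name silently changes what matches.
#
# Working fields (~payload, ~content, ~tmp.*) and event.provider are NOT
# cleaned up here; that happens in the child decoder/f5-apm-third/0. If that
# child does not match an event, confirm the engine still drops them rather
# than indexing them.

metadata:
  module: F5
  title: F5 APM Decoder for own providers
  description: Decodes HEADER F5 BIG-IP Access Policy Manager logs of own providers.
  compatibility: >
    New Wazuh Engine
  author:
    name: Wazuh, Inc.
    date: 2023/01/10
  references:
    - TBD

sources:
  - decoder/queue-syslog/0
  - decoder/queue-localfile/0

# Stage 1: header. Takes @timestamp and log.level, leaves the rest in ~payload.
parse:
  logpar:
    - event.original: <~> <@timestamp/%Y\/%m\/%d %T> <~> <log.level> <~payload>

# Stage 2: split ~payload into process/pid, the F5 message id (event.provider)
# and the remainder (~content). Patterns are tried in order; first match wins.
# NOTE(review): this is a second top-level `parse:` key in the same mapping --
# confirm the engine accepts repeated keys as sequential stages; a strict YAML
# loader would keep only one of them.
parse:
  logpar:
    - ~payload: <~>[<process.pid>]<~/ignore/:> <event.provider>:<~/ignore/ ><~content>
    - ~payload: <~>[<process.pid>]<~/ignore/:> <event.provider>:<~/ignore/:><~content>
    - ~payload: <~>[<process.pid>]<~/ignore/:> <event.provider>:<~>:<~/ignore/ ><~content>
    - ~payload: <~>:<~/ignore/:> <event.provider>:<~/ignore/:><~content>

normalize:
  # 011f0005
  # March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134)
  - check: event.provider==011f0005
    logpar:
      - ~content: <~/ignore/:><~>:<~/ignore/ ><~tmp.rsa_misc_result> <~/literal/(Client side:><~/ignore/ >vip=<~url/uri> profile=<network.protocol> pool=<~> client_ip=<source.ip>\)
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      # ~tmp.log_session_id is not captured by the pattern above (no-op).
      - rsa.misc.log_session_id: +ef_rename/$~tmp.log_session_id
      - url: +ef_rename/$~url
  # 01490106
  # oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. failure olor
  - check: event.provider==01490106
    logpar:
      - ~content: <~tmp.log_session_id>:<~/ignore/:> <~>:<~/ignore/:> <~>'<~tmp.user>' <~>:<~/ignore/:> <~>, <~>. <~tmp.rsa_misc_result> <~>
    map:
      # ~tmp_f5_01490106 is never set anywhere in this file; looks like a leftover.
      - ~tmp_f5_01490106: +ef_delete
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - related.user: +ef_rename/$~tmp.user
      - user.name: $related.user
      - rsa.misc.result: +ef_rename/$~tmp.rsa_misc_result
      - rsa.misc.log_session_id: +ef_rename/$~tmp.log_session_id
  # 01490107
  # mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. unknown cididu
  # laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo
  - check: event.provider==01490107
    logpar:
      - ~content: <~/ignore/ >:<~> <~tmp.log_session_id>:<~/ignore/:> <~>'<~tmp.user>' <~>Client '<~tmp.rsa_web_fqdn>' <~>name:<~> <~tmp.rsa_db_index>
      - ~content: <~/ignore/ >:<~> <~tmp.log_session_id>:<~/ignore/:> <~>Clients <~> name:<~tmp.user>@<~tmp.rsa_web_fqdn> <~tmp.rsa_misc_result> <~>
    map:
      # Copy-paste from the 01490106 block; the field is never set (no-op).
      - ~tmp_f5_01490106: +ef_delete
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - related.user: +ef_rename/$~tmp.user
      - user.name: $related.user
      - rsa.misc.result: +ef_rename/$~tmp.rsa_misc_result
      - rsa.misc.log_session_id: +ef_rename/$~tmp.log_session_id
      - rsa.web.fqdn: +ef_rename/$~tmp.rsa_web_fqdn
      - rsa.db.index: +ef_rename/$~tmp.rsa_db_index
      - related.hosts: +a_append/$rsa.web.fqdn
  # 01490008
  # uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned
  - check: event.provider==01490008
    logpar:
      - ~content: :<~/ignore/ ><~tmp.log_session_id>:<~/ignore/:> <~> resource <network.application> assigned
    map:
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.log_session_id
      - event.code: $event.provider
  # 01260009
  # ntin[4646]: 01260009: :rcitat: Connection error:cinge
  - check: event.provider==01260009
    logpar:
      - ~content: <~/ignore/ >:<~>:<~/ignore/:> Connection error<~/ignore/:><~tmp.rsa_event_desc>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      # ~tmp.log_session_id is not captured by the pattern above (no-op).
      - rsa.misc.log_session_id: +ef_rename/$~tmp.log_session_id
      - rsa.internal.event_desc: +ef_rename/$~tmp.rsa_event_desc
  # 01490166 || 01490167 || 0149016a || 0149016b
  # nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore
  # isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse
  # February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access profile: rExc
  - check: event.provider==01490166 OR event.provider==01490167 OR event.provider==0149016a OR event.provider==0149016b
    logpar:
      - ~content: <~/ignore/ >:<~>:<~/ignore/:> Current snapshot ID:<~>
      - ~content: <~/ignore/ >:<~>:<~/ignore/:> <~/literal/Initiating>?<~/literal/Completed> snapshot<~>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
  # 01420002
  # February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa
  - check: event.provider==01420002
    logpar:
      - ~content: :<~/ignore/ >AUDIT - pid=<~tmp.process.parent.id> user=<user.name> folder=<~tmp.file.directory> module=<~> status=<~tmp.rsa.misc.result> cmd_data=<~tmp.rsa.db.index>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - process.parent.id: +ef_rename/$~tmp.process.parent.id
      - file.directory: +ef_rename/$~tmp.file.directory
      - rsa.misc.result: +ef_rename/$~tmp.rsa.misc.result
      - rsa.db.index: +ef_rename/$~tmp.rsa.db.index
  # 01490000
  # July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip
  - check: event.provider==01490000
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.internal.event_desc>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.internal.event_desc: +ef_rename/$~tmp.rsa.internal.event_desc
  # 01490004
  # November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: Executed agent 'sumquiad', return value iusmodt
  - check: event.provider==01490004
    logpar:
      - ~content: :<~>:<~/ignore/ ><~>'<~tmp.network.application>', return value <~tmp.rsa.misc.result_code>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      # Fix: the agent name was captured but never promoted out of ~tmp
      # (same rename this file does for 01490128).
      - network.application: +ef_rename/$~tmp.network.application
      - rsa.misc.result_code: +ef_rename/$~tmp.rsa.misc.result_code
  # 01490005
  # February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin
  - check: event.provider==01490005
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
  # 01490007
  # July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame
  - check: event.provider==01490007
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>Session variable '<~tmp.rsa.misc.change_attrib>' set to <~tmp.rsa.misc.change_new>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.change_attrib: +ef_rename/$~tmp.rsa.misc.change_attrib
      - rsa.misc.change_new: +ef_rename/$~tmp.rsa.misc.change_new
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
  # 01490013 || 01490019
  # July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura
  # November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful
  - check: event.provider==01490013 OR event.provider==01490019
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>(?sAMAccountName=<user.name>)
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      # Trim the trailing ')' left in user.name by the optional group above.
      - user.name: +r_ext/$user.name/(.+)\)
  # 01490079
  - check: event.provider==01490079
    logpar:
      - ~content: <~/ignore/ >:<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
  # 01490101
  - check: event.provider==01490101
    logpar:
      - ~content: <~/ignore/ >:<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>applied. <~tmp.rsa.counters.dclass_c1_str>:<~/ignore/ ><~tmp.rsa.counters.dclass_c1/long>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.counters.dclass_c1: +ef_rename/$~tmp.rsa.counters.dclass_c1
      - rsa.counters.dclass_c1_str: +ef_rename/$~tmp.rsa.counters.dclass_c1_str
  # 01490102
  - check: event.provider==01490102
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>Access policy result<~/ignore/:><~/ignore/ ><~tmp.rsa.misc.result>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.misc.result: +ef_rename/$~tmp.rsa.misc.result
  # 01490103
  - check: event.provider==01490103
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>Retry Username '<user.name>'
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      # ~tmp.rsa.misc.result is not captured by the pattern above (no-op).
      - rsa.misc.result: +ef_rename/$~tmp.rsa.misc.result
  # 01490113
  - check: event.provider==01490113
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>protocol is <~tmp.rsa.network.network_service>
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>session.<~tmp.rsa.db.index>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.network.network_service: +ef_rename/$~tmp.rsa.network.network_service
      - rsa.db.index: +ef_rename/$~tmp.rsa.db.index
  # 01490128
  - check: event.provider==01490128
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~>Webtop <~tmp.network.application> assigned
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - network.application: +ef_rename/$~tmp.network.application
  # 01490142
  - check: event.provider==01490142
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ ><~tmp.rsa.internal.event_desc>
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.internal.event_desc: +ef_rename/$~tmp.rsa.internal.event_desc
  # 01490165
  - check: event.provider==01490165
    map:
      - rsa.internal.messageid: $event.provider
      - event.code: $event.provider
  # 01490500
  - check: event.provider==01490500
    logpar:
      # Fix: the capture was named ~tmp.rsa.misc.logsession_id while the map
      # below renames ~tmp.rsa.misc.log_session_id, so the APM session id was
      # silently lost for every "New session" event.
      - ~content: :<~>:<~/ignore/ ><~>:<~>:<~tmp.rsa.misc.log_session_id>:<~/ignore/ >New session from client IP <source.ip> \(<~tmp.geodata>\) at <~> <destination.ip> <~>\(Reputation=<~tmp.rsa.misc.category>\)
    map:
      # The geo blob uses '/' between items; swap it for '*' so parse_kv can
      # use '*' as the pair separator.
      - ~tmp.slash: /
      - ~tmp.geodata: +s_replace/$~tmp.slash/*
      - ~tmp.geokv: +parse_kv/$~tmp.geodata/=/*/'/'
      # NOTE(review): in the message this geo block follows the *client* IP
      # (source.ip) but is mapped to destination.geo.* -- confirm whether
      # source.geo.* was intended.
      - destination.geo.city_name: +ef_rename/$~tmp.geokv.C
      - destination.geo.country_name: +ef_rename/$~tmp.geokv.CC
      - destination.geo.region_name: +ef_rename/$~tmp.geokv.ST
      - event.code: $event.provider
      - related.ip: +a_append/$source.ip
      - related.ip: +a_append/$destination.ip
      - rsa.internal.messageid: $event.provider
      - rsa.misc.category: +ef_rename/$~tmp.rsa.misc.category
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
  # 01490501
  - check: event.provider==01490501
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ ><~tmp.rsa.internal.event_desc>
    map:
      - event.code: $event.provider
      - rsa.internal.event_desc: +ef_rename/$~tmp.rsa.internal.event_desc
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
  # 01490504
  - check: event.provider==01490504
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ ><~tmp.rsa.web.fqdn> <~>
    map:
      - event.code: $event.provider
      # ~tmp.rsa.internal.event_desc is not captured by the pattern above (no-op).
      - rsa.internal.event_desc: +ef_rename/$~tmp.rsa.internal.event_desc
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.web.fqdn: +ef_rename/$~tmp.rsa.web.fqdn
      - related.hosts: +a_append/$rsa.web.fqdn
  # 01490505
  - check: event.provider==01490505
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ ><~>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
  # 01490506
  - check: event.provider==01490506
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ >Received User-Agent header:<~/ignore/ ><~tmp.user_agent.original>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      # The raw client-supplied header is stored verbatim; no UA parsing is
      # done here, so device/name are fixed placeholders.
      - user_agent.original: +ef_rename/$~tmp.user_agent.original
      - user_agent.device.name: Other
      - user_agent.name: Other
  # 01490511
  - check: event.provider==01490511
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ >Initializing Access profile <~> with max concurrent user sessions limit<~/ignore/:> <~tmp.rsa.counters.dclass_c1/long>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.counters.dclass_c1: +ef_rename/$~tmp.rsa.counters.dclass_c1
      - rsa.counters.dclass_c1_str: "Max Concurrent User Sessions Limit"
  # 01490514
  - check: event.provider==01490514
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ >Access encountered error:<~/ignore/ ><~tmp.rsa.misc.action>. File:<~/ignore/ ><file.name>, Function:<~/ignore/ ><~tmp.rsa.misc.result>, Line:<~/ignore/ ><~>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.misc.action: +ef_rename/$~tmp.rsa.misc.action
      # Fix: the function name was captured into ~tmp.rsa.misc.result but
      # never promoted, following this file's ~tmp.<target> convention.
      - rsa.misc.result: +ef_rename/$~tmp.rsa.misc.result
  # 01490517
  - check: event.provider==01490517
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ ><~>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      # ~tmp.rsa.misc.action is not captured by the pattern above (no-op).
      - rsa.misc.action: +ef_rename/$~tmp.rsa.misc.action
  # 01490520
  - check: event.provider==01490520
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ ><~tmp.rsa.internal.event_desc>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.internal.event_desc: +ef_rename/$~tmp.rsa.internal.event_desc
  # 01490521
  - check: event.provider==01490521
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ >Session statistics - bytes in:<~/ignore/ ><destination.bytes>, bytes out:<~/ignore/ ><source.bytes>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
  # 01490538
  - check: event.provider==01490538
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ ><~tmp.rsa.internal.event_desc>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.internal.event_desc: +ef_rename/$~tmp.rsa.internal.event_desc
  # 01490544
  - check: event.provider==01490544
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ >Received client info - <~tmp.http.request.referrer>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - http.request.referrer: +ef_rename/$~tmp.http.request.referrer
  # 01490549
  - check: event.provider==01490549
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ >Assigned PPP Dynamic IPv4:<~/ignore/ ><source.nat.ip> Tunnel Type:<~/ignore/ ><~tmp.rsa.misc.group> <~> Resource:<~/ignore/ ><rule.name> Client IP:<~/ignore/ ><source.ip> <~>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      # Fix: the tunnel type was captured into ~tmp.rsa.misc.group but never
      # promoted, following this file's ~tmp.<target> convention.
      - rsa.misc.group: +ef_rename/$~tmp.rsa.misc.group
      - related.ip: +a_append/$source.nat.ip
      - related.ip: +a_append/$source.ip
  # 014d0001
  - check: event.provider==014d0001
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ ><~>, SERVER :<~/ignore/ ><~tmp.rsa.db.index>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.db.index: +ef_rename/$~tmp.rsa.db.index
  # 014d0002
  - check: event.provider==014d0002
    logpar:
      - ~content: <~/ignore/ >:<~>:<~/ignore/ ><~tmp.rsa.misc.log_session_id>:<~/ignore/ ><~>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.misc.log_session_id: +ef_rename/$~tmp.rsa.misc.log_session_id
      - rsa.misc.disposition: Failed
  # 014d0044
  - check: event.provider==014d0044
    logpar:
      - ~content: :<~>:<~/ignore/ ><~tmp.rsa.db.index>
    map:
      - event.code: $event.provider
      - rsa.internal.messageid: $event.provider
      - rsa.db.index: +ef_rename/$~tmp.rsa.db.index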
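---
name: decoder/f5-apm-third/0

# NOTE(review): the hosting page flagged this file for hidden/bidirectional
# Unicode. Inspect the raw bytes before importing it -- an invisible character
# inside a logpar pattern or a field name silently changes what matches.

metadata:
  module: F5
  title: F5 APM Decoder for third party providers
  description: Decodes HEADER F5 BIG-IP Access Policy Manager logs of third party providers.
  compatibility: >
    New Wazuh Engine
  author:
    name: Wazuh, Inc.
    date: 2023/01/10
  references:
    -

# Child of decoder/f5-apm-own/0: relies on ~payload already being split off by
# the parent's header stage, and also performs the final cleanup of working
# fields for both decoders (see the last map block).
sources:
  - decoder/f5-apm-own/0

parse:
  logpar:
    # Rule
    - ~payload: <event.provider>[<process.pid>]:<~/ignore/ ><~tmp.rsa.internal.messageid>:<~/ignore/ ><~tmp.rsa.misc.rule_name> \<\<<~tmp.rsa.internal.event_desc>>:<~/ignore/ >APM_EVENT=<event.action> | <user.name> | <~rest> ***<~tmp.rsa.misc.result>***
    # crond
    # March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi
    # July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel)
    # January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block)
    # April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel)
    - ~payload: <event.provider>[<process.pid>]:<~/ignore/ >\(<~tmp.user_name>\) (?CMD \(<~tmp.user_command>\))<?~tmp.rsa_index>
    # syslog-ng - auditd
    # November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng]
    - ~payload: <~tmp.rsa_misc_client>:<~/ignore/:> [<event.provider>]
    # June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng:
    - ~payload: <~tmp.rsa_misc_client>[<process.pid>]:<~/ignore/ ><event.provider>:<~/ignore/ >
    # April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng:
    - ~payload: <~tmp.rsa_misc_client>:<~/ignore/:> <event.provider>:<~/ignore/ >
    # March 2017/03/18 18:24:33 ptasnula high syslog-ng[2638]: ill
    - ~payload: <event.provider>[<process.pid>]:<~/ignore/ ><~tmp.rsa_misc_client>

normalize:
  # crond
  - check: event.provider==crond OR event.provider==CROND
    map:
      - rsa.internal.messageid: crond
      - rsa.misc.action: +a_append/$~tmp.user_command
      - user.name: +ef_rename/$~tmp.user_name
  # syslog-ng
  - check: event.provider==syslog-ng
    map:
      - rsa.internal.messageid: syslog-ng
      - rsa.misc.client: +ef_rename/$~tmp.rsa_misc_client
  # auditd
  - check: event.provider==auditd
    map:
      - event.code: $event.provider
      - rsa.db.index: +ef_rename/$~tmp.rsa_misc_client
      - rsa.internal.messageid: $event.provider
      - rsa.misc.client: $event.provider
  # Rule
  - check: ~tmp.rsa.internal.messageid==Rule
    map:
      - event.code: Rule
      - rsa.internal.messageid: Rule
      - rsa.internal.event_desc: +ef_rename/$~tmp.rsa.internal.event_desc
      - rsa.misc.action: $event.action
      - rsa.misc.rule_name: +ef_rename/$~tmp.rsa.misc.rule_name
      # Fix: the reference was "$tmp.rsa.misc.result" (missing the "~"), so
      # the ***result*** token captured above was never mapped.
      - rsa.misc.result: +ef_rename/$~tmp.rsa.misc.result
      - rule.name: $rsa.misc.rule_name
  # SMTP
  - check: event.provider==sSMTP
    map:
      - event.code: $event.provider
      - rsa.db.index: $~tmp.rsa_misc_client
      - rsa.internal.messageid: $event.provider
      - rsa.misc.client: $event.provider
  # Unconditional tail: constant ECS/RSA fields plus cleanup of every working
  # field left behind by this decoder and by decoder/f5-apm-own/0.
  - map:
      - ~content: +ef_delete
      - ~payload: +ef_delete
      - ~tmp: +ef_delete
      - event.dataset: f5.bigipam
      - event.module: f5
      - event.provider: +ef_delete
      - input.type: log
      - rsa.misc.severity: $log.level
      - rsa.time.event_time: $@timestamp
      - fileset.name: bigipam
      - observer.product: Big-IP
      - observer.type: Access
      - observer.vendor: F5
      - service.type: f5
      - tags: +a_append/$event.dataset
      - tags: +a_append/forwarded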