@JorgeMarinoDev
Created January 17, 2023 17:24
f5 apm decoder
---
name: decoder/f5-apm-base/0

metadata:
  module: f5
  title: f5 APM Decoder Base
  description: Decodes HEADER F5 BIG-IP Access Policy Manager logs
  compatibility: >
    This decoder is under development.
  author:
    name: Wazuh, Inc.
    date: 2023/01/10
  references:
    - TBD

sources:
  - decoder/queue-syslog/0
  - decoder/queue-localfile/0

parse:
  logpar:
    - event.original: <~> <@timestamp/%Y\/%m\/%d %T> <~> <log.level> <event.outcome>

normalize:
  - map:
      - event.dataset: f5.bigipam
      - event.module: f5
      - event.type: log
      - rsa.misc.severity: $log.level
      - rsa.time.event_time: $@timestamp
      - fileset.name: bigipam
      - observer.product: Big-IP
      - observer.type: Access
      - observer.vendor: F5
      - service.type: f5
      - tags: +a_append/$event.dataset
      - tags: +a_append/forwarded

# - check: event.code=="crond" OR event.code=="CROND"
parse:
  logpar:
    # ------------------------------
    # crond
    # ------------------------------
    # March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi
    # July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel)
    # January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block)
    # April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel)
    - event.outcome: <event.code>[<process.pid>]:<~/ignore/ >\(<~user_name>\) (?CMD \(<~user_command>\))<?~rsa_index>

normalize:
  - check: event.code==crond OR event.code==CROND
    map:
      - ~tmp_cron: +ef_delete
      - rsa.internal.messageid: crond
      - rsa.misc.action: +a_append/$~user_command
      - ~user_command: +ef_delete
      - user.name: +ef_rename/$~user_name
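To sanity-check what the two logpar expressions above extract before loading the decoder into the engine, the following is an added Python reimplementation (not part of the gist and not Wazuh's own parser) of the header expression, the crond expression with its optional `CMD (...)` group, and the `check`/`map` blocks, run against the sample lines quoted in the comments. Field names are the ones used in the YAML; the regexes are an assumed translation of the logpar syntax.

```python
import re
from datetime import datetime
from typing import Optional

# Stage 1, header: <~> <@timestamp/%Y\/%m\/%d %T> <~> <log.level> <event.outcome>
HEADER = re.compile(
    r"^(?P<skip1>\S+) (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<skip2>\S+) (?P<level>\S+) (?P<outcome>.*)$"
)
# Stage 2, applied to event.outcome:
# <event.code>[<process.pid>]:<~/ignore/ >\(<~user_name>\) (?CMD \(<~user_command>\))<?~rsa_index>
CROND = re.compile(
    r"^(?P<code>[^\[]+)\[(?P<pid>\d+)\]: *\((?P<user>[^)]*)\) "
    r"(?:CMD \((?P<cmd>[^)]*)\))?(?P<rest>.*)$"
)

def decode(line: str) -> Optional[dict]:
    """Return the normalised event, or None when the header does not match."""
    m = HEADER.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S").isoformat()
    event = {
        "@timestamp": ts, "log.level": m["level"], "event.outcome": m["outcome"],
        # static fields from the base decoder's map block
        "event.dataset": "f5.bigipam", "event.module": "f5", "event.type": "log",
        "rsa.misc.severity": m["level"], "rsa.time.event_time": ts,
        "fileset.name": "bigipam", "observer.product": "Big-IP",
        "observer.type": "Access", "observer.vendor": "F5", "service.type": "f5",
        "tags": ["f5.bigipam", "forwarded"],
    }
    c = CROND.match(m["outcome"])
    if c is None:
        return event  # not a crond message; base fields still apply
    event["event.code"] = c["code"]
    event["process.pid"] = int(c["pid"])
    # check: event.code==crond OR event.code==CROND
    if c["code"] in ("crond", "CROND"):
        event["rsa.internal.messageid"] = "crond"
        event["user.name"] = c["user"]              # +ef_rename/$~user_name
        if c["cmd"] is not None:                    # optional group matched
            event["rsa.misc.action"] = [c["cmd"]]   # +a_append/$~user_command
        if c["rest"]:
            event["~rsa_index"] = c["rest"]         # <?~rsa_index> trailing text
    return event

if __name__ == "__main__":
    # constructed sample input, copied from the comment lines in the decoder
    for s in ("March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi",
              "July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel)"):
        print(decode(s))
```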