Merge pull request SEKOIA-IO#1140 from SEKOIA-IO/fix/vcenter_format

vCenter - parse more events
HarishHary · Jul 8, 2024 · 71ec6ea · 71ec6ea
2 parents 20830a2 + dbf256f
commit 71ec6ea
Show file tree

Hide file tree

Showing 5 changed files with 147 additions and 3 deletions.
diff --git a/VMWare/vmware-vcenter/ingest/parser.yml b/VMWare/vmware-vcenter/ingest/parser.yml
@@ -6,11 +6,11 @@ pipeline:
       properties:
         input_field: "{{original.message}}"
         output_field: message
-        pattern: "%{SESSION_TYPE_1}|%{SESSION_TYPE_2}|%{SESSION_TYPE_3}|%{SESSION_TYPE_4}|%{SESSION_TYPE_5}|%{SESSION_TYPE_6}|%{CONNECTIONS}|%{FAULT}|%{FAULT_TYPE_2}|%{HTTP_LOGS_1}|%{HTTP_LOGS_2}|%{OTHERS_EVENTS_TYPE_6}|%{OTHERS_EVENTS}|%{OTHERS_EVENTS_TYPE_2}|%{OTHERS_EVENTS_TYPE_3}|%{OTHERS_EVENTS_TYPE_5}|%{GREEDYDATA}"
+        pattern: "%{SESSION_TYPE_1}|%{SESSION_TYPE_2}|%{SESSION_TYPE_3}|%{SESSION_TYPE_4}|%{SESSION_TYPE_5}|%{SESSION_TYPE_6}|%{CONNECTIONS}|%{FAULT}|%{FAULT_TYPE_2}|%{HTTP_LOGS_1}|%{HTTP_LOGS_2}|%{OTHERS_EVENTS_TYPE_6}|%{OTHERS_EVENTS}|%{OTHERS_EVENTS_TYPE_2}|%{OTHERS_EVENTS_TYPE_3}|%{OTHERS_EVENTS_TYPE_5}|%{OTHERS_EVENTS_TYPE_7}"
         custom_patterns:
           SESSION_TYPE_1: 'Event \[%{INT:id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:event_code}\] \[%{DATA:log_level}\] \[%{DATA:source_user_name}\] \[%{HOSTNAME:hostname}\] \[%{INT}] \[Cannot login %{USERNAME:username}@%{IP:ip_address}\]'
           SESSION_TYPE_2: 'Event \[%{INT:id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:event_code}\] \[%{DATA:log_level}\] \[%{DATA}\] \[%{DATA}\] \[%{INT}\] \[User (%{DATA:source_user_domain}\\)?%{DATA:source_user_name}@%{IP:ip_address} logged in as %{DATA:username}\]'
-          SESSION_TYPE_3: 'Event \[%{INT:id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:event_code}\] \[%{DATA:log_level}\] \[%{DATA}\] \[%{HOSTNAME:hostname}\] \[%{INT}\] \[User %{DATA}@%{IP:ip_address} logged out \(login time: %{GREEDYDATA:login_time}, number of API invocations: %{INT:api_invocations}, user agent: %{GREEDYDATA:user_agent}\]'
+          SESSION_TYPE_3: 'Event \[%{INT:id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:event_code}\] \[%{DATA:log_level}\] \[%{DATA}\] \[%{HOSTNAME:hostname}?\] \[%{INT}\] \[User (%{DATA:user_domain}\\)?%{DATA:username}@%{IP:ip_address} logged out \(login time: %{GREEDYDATA:login_time}, number of API invocations: %{INT:api_invocations}, user agent: %{GREEDYDATA:user_agent}\)\]'
           SESSION_TYPE_4: 'Event \[%{INT:id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:event_code}\] \[%{DATA:log_level}\] \[%{DATA}\] \[%{HOSTNAME:hostname}\] \[%{INT}\] \[SSH session was opened for %{DATA}%{USERNAME:username}@%{IP:ip_address}%{DATA}.\]'
           SESSION_TYPE_5: 'Event \[%{INT:id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:event_code}\] \[%{DATA:log_level}\] \[%{DATA}\] \[%{HOSTNAME:hostname}\] \[%{INT}\] \[SSH session was closed for %{DATA}%{USERNAME:username}@%{IP:ip_address}%{DATA}.\]'
           SESSION_TYPE_6: 'Event \[%{INT:id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:event_code}\] \[%{DATA:log_level}\] \[%{HOSTNAME:hostname}\] \[%{DATA}\] \[%{INT}\] \[User cannot logon since the user is %{GREEDYDATA:reason}\]'
@@ -24,6 +24,7 @@ pipeline:
           OTHERS_EVENTS_TYPE_3: '%{TIMESTAMP_ISO8601:timestamp}: %{DATA}: \[%{GREEDYDATA:reason}\]'
           OTHERS_EVENTS_TYPE_5: '\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:log_level} \] %{GREEDYDATA:reason}'
           OTHERS_EVENTS_TYPE_6: 'Event \[%{INT:id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:event_code}\] \[%{DATA:log_level}\] \[%{DATA}\] \[%{DATA}\] \[%{INT}\] \[A ticket for %{USERNAME:username} of type %{DATA} on %{IP:ip_address} in %{DATA} has been acquired\]'
+          OTHERS_EVENTS_TYPE_7: 'Event \[%{INT:id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:event_code}\] \[%{DATA:log_level}\] \[%{DATA:source_user_name}?\] \[%{HOSTNAME:hostname}?\] \[%{INT}] \[%{GREEDYDATA:reason}\]'
   - name: parsed_date
     external:
       name: date.parse
@@ -40,6 +41,7 @@ stages:
       - set:
           "@timestamp": "{{parsed_event.message.timestamp}}"
           user.name: "{{parsed_event.message.username}}"
+          user.domain: "{{parsed_event.message.user_domain}}"
           source.ip: "{{parsed_event.message.source_ip}}"
           destination.ip: "{{parsed_event.message.destination_ip}}"
           source.user.name: "{{parsed_event.message.source_user_name}}"

diff --git a/VMWare/vmware-vcenter/tests/other_tests_example1_type_7.json b/VMWare/vmware-vcenter/tests/other_tests_example1_type_7.json
@@ -0,0 +1,39 @@
+{
+  "input": {
+    "message": "Event [11111111] [1-1] [2024-06-18T23:41:05.366919Z] [vim.event.ScheduledTaskCompletedEvent] [info] [com.vmware.vcIntegrity] [] [22222222] [Task VMware vSphere Update Manager Check Notification on Datacenters in datacenter completed successfully]"
+  },
+  "expected": {
+    "message": "Event [11111111] [1-1] [2024-06-18T23:41:05.366919Z] [vim.event.ScheduledTaskCompletedEvent] [info] [com.vmware.vcIntegrity] [] [22222222] [Task VMware vSphere Update Manager Check Notification on Datacenters in datacenter completed successfully]",
+    "event": {
+      "category": [
+        "network"
+      ],
+      "code": "vim.event.ScheduledTaskCompletedEvent",
+      "reason": "Task VMware vSphere Update Manager Check Notification on Datacenters in datacenter completed successfully",
+      "type": [
+        "connection"
+      ]
+    },
+    "@timestamp": "2024-06-18T23:41:05.366919Z",
+    "log": {
+      "level": "info"
+    },
+    "observer": {
+      "product": "VCenter",
+      "vendor": "VMWare"
+    },
+    "related": {
+      "user": [
+        "com.vmware.vcIntegrity"
+      ]
+    },
+    "source": {
+      "user": {
+        "name": "com.vmware.vcIntegrity"
+      }
+    },
+    "vmware_vcenter": {
+      "event_id": "11111111"
+    }
+  }
+}
diff --git a/VMWare/vmware-vcenter/tests/other_tests_example2_type_7.json b/VMWare/vmware-vcenter/tests/other_tests_example2_type_7.json
@@ -0,0 +1,42 @@
+{
+  "input": {
+    "message": "Event [11111111] [1-1] [2024-06-18T23:28:06.155764Z] [vim.event.EventEx] [info] [System] [Datacenter] [11111111] [Hardware Sensor Status: Processor Green, Memory Green, Fan Green, Voltage Green, Temperature Green, Power Green, System Board Green, Battery Green, Storage Green, Other Green]"
+  },
+  "expected": {
+    "message": "Event [11111111] [1-1] [2024-06-18T23:28:06.155764Z] [vim.event.EventEx] [info] [System] [Datacenter] [11111111] [Hardware Sensor Status: Processor Green, Memory Green, Fan Green, Voltage Green, Temperature Green, Power Green, System Board Green, Battery Green, Storage Green, Other Green]",
+    "event": {
+      "category": [
+        "authentication"
+      ],
+      "code": "vim.event.EventEx",
+      "reason": "Hardware Sensor Status: Processor Green, Memory Green, Fan Green, Voltage Green, Temperature Green, Power Green, System Board Green, Battery Green, Storage Green, Other Green",
+      "type": [
+        "info"
+      ]
+    },
+    "@timestamp": "2024-06-18T23:28:06.155764Z",
+    "host": {
+      "name": "Datacenter"
+    },
+    "log": {
+      "level": "info"
+    },
+    "observer": {
+      "product": "VCenter",
+      "vendor": "VMWare"
+    },
+    "related": {
+      "user": [
+        "System"
+      ]
+    },
+    "source": {
+      "user": {
+        "name": "System"
+      }
+    },
+    "vmware_vcenter": {
+      "event_id": "11111111"
+    }
+  }
+}
diff --git a/VMWare/vmware-vcenter/tests/session_logs_type3.json b/VMWare/vmware-vcenter/tests/session_logs_type3.json
@@ -28,14 +28,20 @@
     "related": {
       "ip": [
         "127.0.0.1"
+      ],
+      "user": [
+        "root"
       ]
     },
+    "user": {
+      "name": "root"
+    },
     "user_agent": {
       "device": {
         "name": "Other"
       },
       "name": "Other",
-      "original": "pyvmomi Python/3.8.13 (VMkernel; 7.0.3; x86_64))",
+      "original": "pyvmomi Python/3.8.13 (VMkernel; 7.0.3; x86_64)",
       "os": {
         "name": "Other"
       }

diff --git a/VMWare/vmware-vcenter/tests/session_logs_type3_wo_hostname.json b/VMWare/vmware-vcenter/tests/session_logs_type3_wo_hostname.json
@@ -0,0 +1,55 @@
+{
+  "input": {
+    "message": "Event [11111111] [1-1] [2024-06-18T22:45:08.003776Z] [vim.event.UserLogoutSessionEvent] [info] [root\\example] [] [22222222] [User root\\[email protected] logged out (login time: Tuesday, 18 June, 2024 10:45:07 PM, number of API invocations: 2, user agent: VMware vim-java 1.0)]"
+  },
+  "expected": {
+    "message": "Event [11111111] [1-1] [2024-06-18T22:45:08.003776Z] [vim.event.UserLogoutSessionEvent] [info] [root\\example] [] [22222222] [User root\\[email protected] logged out (login time: Tuesday, 18 June, 2024 10:45:07 PM, number of API invocations: 2, user agent: VMware vim-java 1.0)]",
+    "event": {
+      "category": [
+        "authentication"
+      ],
+      "code": "vim.event.UserLogoutSessionEvent",
+      "type": [
+        "end"
+      ]
+    },
+    "@timestamp": "2024-06-18T22:45:08.003776Z",
+    "host": {
+      "ip": "127.0.0.1"
+    },
+    "log": {
+      "level": "info"
+    },
+    "observer": {
+      "product": "VCenter",
+      "vendor": "VMWare"
+    },
+    "related": {
+      "ip": [
+        "127.0.0.1"
+      ],
+      "user": [
+        "example"
+      ]
+    },
+    "user": {
+      "domain": "root",
+      "name": "example"
+    },
+    "user_agent": {
+      "device": {
+        "name": "Other"
+      },
+      "name": "Other",
+      "original": "VMware vim-java 1.0",
+      "os": {
+        "name": "Other"
+      }
+    },
+    "vmware_vcenter": {
+      "api_invocations": "2",
+      "event_id": "11111111",
+      "login_time": "Tuesday, 18 June, 2024 10:45:07 PM"
+    }
+  }
+}