Addition of a few fields for file action events

VMWare/vmware-esxi/ingest/parser.yml

@@ -40,7 +40,7 @@ pipeline:
 
           ## Freestyle patterns to work with filename
           VARIOUS_FILE_ACTION: '^(?:\s*)%{WORD:file_action} (?P<filename>([\w\/]*?)([\w\.]*)\.(\w*))?'
-          VARIOUS_FILE_ACTION_FILENAME_ONLY: '^(?:\s*)%{DATA}(?P<file_category>fileName) = \"%{DATA:filename}\"%{DATA}?'
+          VARIOUS_FILE_ACTION_FILENAME_ONLY: '^(?:\s*)%{DATA}(?P<file_category>fileName) = \"%{DATA:filename}\"(, %{WORD} = %{DATA})*(?:, uuid = \"%{UUID:file_uid}\")%{DATA}?(?:capacityInBytes = %{NUMBER:file_size})%{DATA}?'
 
           ## Freestyle patterns to work with key and reason
           VARIOUS_KEY_REASON: '^(?:\s*)%{DATA} key (?:ID|id|Id) %{DATA:key_id} to %{WORD:reason}?'
@@ -189,7 +189,10 @@ stages:
           source.port: "{{parsed_event.result.port}}"
           source.user.name: "{{parsed_event.result.source_username}}"
           user_agent.original: "{{parsed_event.result.user_agent | trim}}"
-          file.name: "{{parsed_event.result.filename}}"
+          file.path: "{{parsed_event.result.filename | dirname}}"
+          file.name: "{{parsed_event.result.filename | basename}}"
+          file.uid: "{{parsed_event.result.file_uid}}"
+          file.size: "{{parsed_event.result.file_size}}"
           wmware.esxi.key.id: "{{parsed_event.result.key_id | trim}}"
           wmware.esxi.event.serial_number: "{{parsed_event.result.serial_number}}"
           host.name: "{{parsed_event.result.server_name}}"

VMWare/vmware-esxi/tests/VARIOUS_FILE_ACTION_1.json

@@ -13,7 +13,10 @@
       ]
     },
     "file": {
-      "name": "ds:///vmfs/volumes/63985d53-c3598817-6688-5c6f69e18ad0/HDD01-835/HDD01-835.vmdk"
+      "name": "HDD01-835.vmdk",
+      "path": "ds:///vmfs/volumes/63985d53-c3598817-6688-5c6f69e18ad0/HDD01-835",
+      "size": 107374182400,
+      "uid": "6000C299-dd5c-07cb-b868-3600b53d2781"
     },
     "observer": {
       "product": "ESXi",