diff --git a/VMWare/vmware-esxi/ingest/parser.yml b/VMWare/vmware-esxi/ingest/parser.yml
index a81a0304e..3721ff426 100644
--- a/VMWare/vmware-esxi/ingest/parser.yml
+++ b/VMWare/vmware-esxi/ingest/parser.yml
@@ -40,7 +40,7 @@ pipeline:
 ## Freestyle patterns to work with filename
 VARIOUS_FILE_ACTION: '^(?:\s*)%{WORD:file_action} (?P([\w\/]*?)([\w\.]*)\.(\w*))?'
- VARIOUS_FILE_ACTION_FILENAME_ONLY: '^(?:\s*)%{DATA}(?PfileName) = \"%{DATA:filename}\"%{DATA}?'
+ VARIOUS_FILE_ACTION_FILENAME_ONLY: '^(?:\s*)%{DATA}(?PfileName) = \"%{DATA:filename}\"(, %{WORD} = %{DATA})*(?:, uuid = \"%{UUID:file_uid}\")%{DATA}?(?:capacityInBytes = %{NUMBER:file_size})%{DATA}?'
 ## Freestyle patterns to work with key and reason
 VARIOUS_KEY_REASON: '^(?:\s*)%{DATA} key (?:ID|id|Id) %{DATA:key_id} to %{WORD:reason}?'
@@ -189,7 +189,10 @@ stages:
 source.port: "{{parsed_event.result.port}}"
 source.user.name: "{{parsed_event.result.source_username}}"
 user_agent.original: "{{parsed_event.result.user_agent | trim}}"
- file.name: "{{parsed_event.result.filename}}"
+ file.path: "{{parsed_event.result.filename | dirname}}"
+ file.name: "{{parsed_event.result.filename | basename}}"
+ file.uid: "{{parsed_event.result.file_uid}}"
+ file.size: "{{parsed_event.result.file_size}}"
 wmware.esxi.key.id: "{{parsed_event.result.key_id | trim}}"
 wmware.esxi.event.serial_number: "{{parsed_event.result.serial_number}}"
 host.name: "{{parsed_event.result.server_name}}"
diff --git a/VMWare/vmware-esxi/tests/VARIOUS_FILE_ACTION_1.json b/VMWare/vmware-esxi/tests/VARIOUS_FILE_ACTION_1.json
index 4d8a4eefc..21aec1134 100644
--- a/VMWare/vmware-esxi/tests/VARIOUS_FILE_ACTION_1.json
+++ b/VMWare/vmware-esxi/tests/VARIOUS_FILE_ACTION_1.json
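Review bot: The rewritten VARIOUS_FILE_ACTION_FILENAME_ONLY pattern makes the `uuid` and `capacityInBytes` groups mandatory — `(?:, uuid = ...)` and `(?:capacityInBytes = ...)` carry no trailing `?` — so any fileName-only line the previous pattern matched that lacks either field now fails to match at all, and file.name is lost rather than just file.uid/file.size. If the intent is enrichment rather than restriction, make both groups optional: `(?:, uuid = \"%{UUID:file_uid}\")?` and `(?:capacityInBytes = %{NUMBER:file_size})?`. Separately, `(, %{WORD} = %{DATA})*` puts a lazy `.*?` inside a repeated group that is followed by further `%{DATA}` matches; on non-matching lines that shape can backtrack heavily, so a bounded alternative such as `(?:, \w+ = [^,]*)*` is safer for a parser fed by log volume it does not control. The hunk header announces 7 old lines but only 5 are visible here, so blank context lines were probably lost in extraction.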
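Review bot: The new `file.path:` line assigns the directory portion (`filename | dirname`), but in ECS `file.path` is the full path including the file name, while the directory belongs in `file.directory`; I would change the key to `file.directory: "{{parsed_event.result.filename | dirname}}"` and rename the fixture's `"path"` key to `"directory"` to match. `file.size` is rendered through a string template while the fixture expects the integer `107374182400`, so this relies on the pipeline coercing ECS long fields — worth confirming, along with how empty renderings of `file_uid`/`file_size` are handled when the grok groups do not capture. The enclosing stage mapping starts and ends outside the hunk.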
@@ -13,7 +13,10 @@
 ]
 },
 "file": {
- "name": "ds:///vmfs/volumes/63985d53-c3598817-6688-5c6f69e18ad0/HDD01-835/HDD01-835.vmdk"
+ "name": "HDD01-835.vmdk",
+ "path": "ds:///vmfs/volumes/63985d53-c3598817-6688-5c6f69e18ad0/HDD01-835",
+ "size": 107374182400,
+ "uid": "6000C299-dd5c-07cb-b868-3600b53d2781"
 },
 "observer": {
 "product": "ESXi",