diff --git a/VMWare/vmware-esxi/_meta/fields.yml b/VMWare/vmware-esxi/_meta/fields.yml
index a4ec4fea6..782f4d178 100644
--- a/VMWare/vmware-esxi/_meta/fields.yml
+++ b/VMWare/vmware-esxi/_meta/fields.yml
@@ -1,3 +1,18 @@
+vmware.esxi.log.category:
+ description: Log category
+ name: vmware.esxi.log.category
+ type: keyword
+
+vmware.esxi.log.type:
+ description: Infos about the event type of the log
+ name: vmware.esxi.log.type
+ type: keyword
+
+vmware.esxi.operation.id:
+ description: Operation ID
+ name: vmware.esxi.operation.id
+ type: keyword
+
 wmware.esxi.event.serial_number:
 description: Serial number
 name: wmware.esxi.event.serial_number
diff --git a/VMWare/vmware-esxi/ingest/parser.yml b/VMWare/vmware-esxi/ingest/parser.yml
index 8c5e5e0cc..a81a0304e 100644
--- a/VMWare/vmware-esxi/ingest/parser.yml
+++ b/VMWare/vmware-esxi/ingest/parser.yml
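Review bot: The three new keys use the `vmware.esxi.` prefix while the existing keys shown as context (`wmware.esxi.event.serial_number` here, `wmware.esxi.key.id` in the parser hunk) use `wmware.esxi.`, so the custom namespace is now split across two spellings and a rule or dashboard cannot select every ESXi field with one prefix. The new spelling is the correct one; the old keys should be migrated to it (with an alias if the platform supports one) rather than the split being extended. The `vmware.esxi.log.type` description is also vaguer than its contents: the fixtures in this commit fill it with the log level (`info`, `error`, `verbose`, `warning`) but also with `DHCPDISCOVER` and `connection`, so something like `description: Log level of the message, or the message type token for network lines that carry no level` would tell an analyst what to expect. Likewise `vmware.esxi.log.category` receives either the auth category or the bracketed component tag after the originator (`VpxLRO`, `LikewiseGetDomainJoinInfo:354` in the new fixtures), which `Log category` does not convey.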
@@ -10,7 +10,7 @@ pipeline:
 properties:
 input_field: "original.message"
 output_field: result
- pattern: "%{EVENT_LOG_SSH_AUTH}|%{PROCESS_LOG_SSH_AUTH}|%{PROCESS_LOG_SSH_PASSWORD}|%{AUTH_CONNECTION_EVENT}|%{AUTH_CONNECTION_DISCONNECTED}|%{AUTH_CONNECTION_RECEIVE_DISCONNECTED}|%{AUTH_SESSION_EVENT}|%{PROCESS_LOG_AUTH_USER}|%{PROCESS_LOG_CHANGE_USER}|%{AUTH_PUBLIC_KEY}|%{NETWORK_SOURCE}|%{NETWORK_HOSTNAME}|%{PROCESS_COMMAND}|%{PROCESS_COMMAND_USER_WITH_PID}|%{PROCESS_COMMAND_USER_WITHOUT_PID}|%{PROCESS_LOG_LAUNCHING}|%{VARIOUS_FILE_ACTION}|%{VARIOUS_FILE_ACTION_FILENAME_ONLY}|%{VARIOUS_KEY_REASON}|%{VARIOUS_SERIAL_NUMBER}|%{VARIOUS_DEVICE_OUTCOME_REASON}|%{VARIOUS_REASON_1}|%{VARIOUS_REASON_2}|%{DEFAULT_EVENT_LOG}|%{DEFAULT_PROCESS_LOG}|%{DEFAULT_PROCESS_LOG_WITH_ADDITIONAL_INFO}|%{SSHD_INFO}"
+ pattern: "%{EVENT_LOG_SSH_AUTH}|%{PROCESS_LOG_SSH_AUTH}|%{PROCESS_LOG_SSH_PASSWORD}|%{AUTH_CONNECTION_EVENT}|%{AUTH_CONNECTION_DISCONNECTED}|%{AUTH_CONNECTION_RECEIVE_DISCONNECTED}|%{AUTH_SESSION_EVENT}|%{PROCESS_LOG_AUTH_USER}|%{PROCESS_LOG_CHANGE_USER}|%{AUTH_PUBLIC_KEY}|%{NETWORK_SOURCE}|%{NETWORK_HOSTNAME}|%{PROCESS_COMMAND}|%{PROCESS_COMMAND_USER_WITH_PID}|%{PROCESS_COMMAND_USER_WITHOUT_PID}|%{PROCESS_LOG_LAUNCHING}|%{VARIOUS_FILE_ACTION}|%{VARIOUS_FILE_ACTION_FILENAME_ONLY}|%{VARIOUS_KEY_REASON}|%{VARIOUS_SERIAL_NUMBER}|%{VARIOUS_DEVICE_OUTCOME_REASON}|%{VARIOUS_REASON_1}|%{VARIOUS_REASON_2}|%{DEFAULT_EVENT_LOG}|%{DEFAULT_PROCESS_LOG_WITH_ADDITIONAL_INFO}|%{DEFAULT_PROCESS_LOG}|%{SSHD_INFO}"
 custom_patterns:
 ## Freestyle patterns to be used for messages that contains connection event information
 ## To identify auth event we can use `auth_action` field or `auth_category` described below
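Review bot: Moving `DEFAULT_PROCESS_LOG_WITH_ADDITIONAL_INFO` ahead of `DEFAULT_PROCESS_LOG` in the `pattern` alternation is load-bearing but nothing on the line says why: `DEFAULT_PROCESS_LOG` ends in an optional `%{GREEDYDATA:message}?`, so every message whose originator header matches is consumed by it and any alternative listed after it is unreachable, which is why the more specific bracketed-category variant has to come first. The next person who appends a pattern at the end of this alternation will hit the same trap. A comment above `pattern:` such as `## Order matters: alternatives are tried left to right and DEFAULT_PROCESS_LOG matches any originator-headed message, so more specific DEFAULT_* variants must precede it` would preserve the reasoning.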
@@ -31,7 +31,7 @@ pipeline: NETWORK_SOURCE: '^(?:\s*)(?PConnection|connection) from (?:%{SSHD_CLIENT_ADDRESS:ip_address}) port %{NUMBER:port}%{DATA}?' ## Freestyle patterns to be used for messages that contains network hostname information - NETWORK_HOSTNAME: '^(?:\s*)%{WORD} on %{DATA:network_category} to (?:%{SSHD_CLIENT_ADDRESS:ip_address}) port %{NUMBER:port}%{DATA}?' + NETWORK_HOSTNAME: '^(?:\s*)%{WORD:log_lvl} on %{DATA:network_category} to (?:%{SSHD_CLIENT_ADDRESS:ip_address}) port %{NUMBER:port}%{DATA}?' ## Freestyle patterns to be used for messages that contains command and user PROCESS_COMMAND: '^(?:\s*)(?PExecuting) %{GREEDYDATA:command}?' @@ -71,7 +71,7 @@ pipeline: PROCESS_HEADER: '^(%{WORD}: )?(?:\s*)(?:%{WORD:log_lvl}) %{PROCESS_WITH_PID}' # e.g. `error hostd[2099655]` or `hostd: error hostd[2099655]` PROCESS_WITH_PID: '%{DATA:process}\[%{NUMBER:pid}\]' # e.g. `hostd[2099655]` - PROCESS_ORIGINATOR: '\[%{WORD}\@%{NUMBER} %{DATA}\]' # e.g. `[Originator@6876 sub=Vimsvc.ha-eventmgr]` + PROCESS_ORIGINATOR: '\[Originator\@%{NUMBER}( sub=%{NOTSPACE:sub})?( opID=%{NOTSPACE:op_id})?( user=%{USER:username}(\:%{NOTSPACE:user_domain})?)?%{DATA}\]' # e.g. `[Originator@6876 sub=Vimsvc.ha-eventmgr]` PROCESS_HEADER_WITH_ORIGINATOR: "%{PROCESS_HEADER} %{PROCESS_ORIGINATOR}" # e.g. `error hostd[2099655] [Originator@6876 sub=Vimsvc.ha-eventmgr]` ## This is log pattern to work with ssh process. Based on `DEFAULT_PROCESS_LOG_WITH_ADDITIONAL_INFO` 
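Review bot: Naming the new capture in `NETWORK_HOSTNAME` `log_lvl` puts a value that is not a log level into the slot the process patterns use for `info`/`error`/`verbose`: the `NETWORK_HOSTNAME.json` fixture in this commit ends up with `vmware.esxi.log.type: "DHCPDISCOVER"`, a DHCP message type, next to fixtures where the same keyword field holds the severity. A field that mixes severity and message type is awkward to filter on in a rule, and the mix is invisible to anyone reading only the field definition. If the DHCP token is wanted, give it a capture name of its own mapped to a dedicated field; if it is not, the original unnamed `%{WORD}` was the safer choice. The enclosing `custom_patterns` mapping starts before this hunk.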
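Review bot: The new `PROCESS_ORIGINATOR` pattern makes its captures silently best-effort, and the `# e.g.` comment beside it still shows only the `sub=` form. Because `( opID=…)?` and `( user=…)?` are optional and the trailing `%{DATA}` absorbs whatever is left, a header whose tokens appear in another order, or a `user=` whose account name falls outside grok's stock `USER` class (letters, digits, `._-`), matches without populating `op_id`/`username` and nothing flags it; the `Req 56374` tail in the `PROCESS_CLOSED_STREAM.json` fixture shows `%{DATA}` is already doing this work. The explanation and example removed in the `DEFAULT_PROCESS_LOG_WITH_ADDITIONAL_INFO` hunk, `[Originator@6876 sub=Vimsvc.ha-eventmgr opID=233816e0 user=vpxuser Req 06028]`, belong on this line now: extend the `# e.g.` comment with it and state that `sub`, `opID` and `user` are expected in that order and that anything else inside the bracket is dropped. `sub` is captured but no `set` stage in this diff maps it; if that is intentional, a short comment saying so would save the next reader a search.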
@@ -137,10 +137,7 @@ pipeline: ### info hostd[2099655] [Originator@6876 sub=Vimsvc.ha-eventmgr] DEFAULT_PROCESS_LOG: "%{PROCESS_HEADER_WITH_ORIGINATOR} %{GREEDYDATA:message}?" - ## Difference between this one and previous is that meta info can contain various info like `user=`, `Req `, `opID=` and so on - ## Example of log: - ### info hostd[2099655] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=233816e0 user=vpxuser Req 06028] - DEFAULT_PROCESS_LOG_WITH_ADDITIONAL_INFO: "%{PROCESS_HEADER_WITH_ORIGINATOR} %{GREEDYDATA:message}?" + DEFAULT_PROCESS_LOG_WITH_ADDITIONAL_INFO: '%{PROCESS_HEADER_WITH_ORIGINATOR} \[%{NOTSPACE:log_category}\] %{GREEDYDATA:message}?' # More SSHD patterns: https://github.com/SEKOIA-IO/intake-formats/blob/main/OpenSSH/openssh/ingest/parser.yml SSHD_CLIENT_ADDRESS: "%{IP:ip_address}|%{HOSTNAME:source_domain}" @@ -187,6 +184,7 @@ stages: # Fields by definition that we get from messages - set: user.name: "{{parsed_event.result.username}}" + user.domain: "{{parsed_event.result.user_domain}}" source.ip: "{{parsed_event.result.ip_address}}" source.port: "{{parsed_event.result.port}}" source.user.name: "{{parsed_event.result.source_username}}" @@ -195,6 +193,13 @@ stages: wmware.esxi.key.id: "{{parsed_event.result.key_id | trim}}" wmware.esxi.event.serial_number: "{{parsed_event.result.serial_number}}" host.name: "{{parsed_event.result.server_name}}" + process.name: "{{parsed_event.result.process}}" + vmware.esxi.operation.id: "{{parsed_event.result.op_id}}" + vmware.esxi.log.category: "{{parsed_event.result.auth_category or parsed_event.result.log_category}}" + + - set: + vmware.esxi.log.type: "{{parsed_event.result.log_lvl or parsed_event.result.network_category | lower }}" + filter: "{{parsed_event.result.log_lvl != None or parsed_event.result.network_category != None}}" # It is necessary to postprocess the command line because it might contain `'` at the beginning and/or at the end - set: 
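Review bot: `DEFAULT_PROCESS_LOG_WITH_ADDITIONAL_INFO` now means something different from its name and loses its only documentation in the same hunk: it no longer stands for originator headers with extra metadata (that is handled inside `PROCESS_ORIGINATOR`) but requires a bracketed token right after the header, captured as `log_category` (`[VpxLRO]`, `[LikewiseGetDomainJoinInfo:354]` in the new fixtures). Replace the removed lines with a comment that reflects this, e.g. `## Like DEFAULT_PROCESS_LOG but with a bracketed component tag right after the originator; must precede DEFAULT_PROCESS_LOG in the top-level alternation or the catch-all above swallows it`, plus the example `info vpxa[2100523] [Originator@6876 sub=vpxLro opID=PollQuickStatsLoop-37dc5435-21] [VpxLRO] -- BEGIN lro-437646 …` taken from `PROCESS_BEGIN.json`. A rename such as `DEFAULT_PROCESS_LOG_WITH_CATEGORY` would be clearer still, though it also touches the alternation in the first hunk.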
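Review bot: `user.domain: "{{parsed_event.result.user_domain}}"` maps a value that is not a domain: `PROCESS_ORIGINATOR` captures `user_domain` as everything after the colon in `user=<name>:<rest>`, so the `PROCESS_INFO.json` fixture in this commit expects `user.domain` to be `USER.LOCAL\\vpxd-extension-12345678-…`, a `DOMAIN\principal` pair. Detections and pivots keyed on `user.domain` will not group these events with other `USER.LOCAL` activity, and the principal after the backslash is lost as a searchable user name. Splitting at the first backslash, either in the grok group (a second capture after `%{DATA:user_domain}\\`) or, if the templating layer allows it, in a later `set` stage, would give ECS-shaped values; if the colon form is really a second identity rather than a domain, `user.domain` is the wrong destination altogether and a comment should say what the `vpxuser:` prefix denotes.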
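Review bot: In `vmware.esxi.log.type: "{{parsed_event.result.log_lvl or parsed_event.result.network_category | lower }}"` the filter binds tighter than `or`, so `lower` is applied only to `network_category` and `log_lvl` passes through unchanged; the fixtures show the split, `NETWORK_HOSTNAME.json` expecting `DHCPDISCOVER` while `VARIOUS_REASON_11.json` turns `WARNING:` into `warning`, presumably via `network_category`. If the intent is a normalised lowercase keyword, which a field used in rule conditions should be, parenthesise: `"{{ (parsed_event.result.log_lvl or parsed_event.result.network_category) | lower }}"` and adjust the `NETWORK_HOSTNAME.json` expectation. If the asymmetry is deliberate, a comment above the `set` saying that only network tokens are lowercased would stop the next reader from "fixing" it.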
@@ -206,7 +211,7 @@ stages: filter: > {{ parsed_event.result.pid != None and - parsed_event.result.process_category != None + parsed_event.result.process_category != None }} set_event_reason: @@ -217,9 +222,9 @@ stages: event.reason: "{{parsed_event.result.reason}}" filter: > {{ - parsed_event.result.key_id != None or - parsed_event.result.serial_number != None or - parsed_event.result.outcome != None + parsed_event.result.key_id != None or + parsed_event.result.serial_number != None or + parsed_event.result.outcome != None }} - set: @@ -301,15 +306,15 @@ stages: filter: > {{ parsed_event.result.auth_category == None and - parsed_event.result.auth_action == None and - parsed_event.result.network_category == None and - parsed_event.result.network_action == None and - parsed_event.result.configuration_category == None and - parsed_event.result.configuration_action == None and - parsed_event.result.file_action == None and - parsed_event.result.file_category == None and - parsed_event.result.session_category == None and - parsed_event.result.session_action == None + parsed_event.result.auth_action == None and + parsed_event.result.network_category == None and + parsed_event.result.network_action == None and + parsed_event.result.configuration_category == None and + parsed_event.result.configuration_action == None and + parsed_event.result.file_action == None and + parsed_event.result.file_category == None and + parsed_event.result.session_category == None and + parsed_event.result.session_action == None }} # SSHD events diff --git a/VMWare/vmware-esxi/tests/AUTH_SESSION_change_user.json b/VMWare/vmware-esxi/tests/AUTH_SESSION_change_user.json index 8ab09fa6b..5bc757ad8 100644 --- a/VMWare/vmware-esxi/tests/AUTH_SESSION_change_user.json +++ b/VMWare/vmware-esxi/tests/AUTH_SESSION_change_user.json @@ -16,6 +16,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "hostd" + }, "related": { "ip": [ "127.0.0.1" 
@@ -34,6 +37,16 @@ }, "user": { "name": "pyvmomi" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + }, + "operation": { + "id": "esxcli-76-ecbf" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/AUTH_SESSION_change_user_with_user_agent.json b/VMWare/vmware-esxi/tests/AUTH_SESSION_change_user_with_user_agent.json index f47da851e..9b71d3ee1 100644 --- a/VMWare/vmware-esxi/tests/AUTH_SESSION_change_user_with_user_agent.json +++ b/VMWare/vmware-esxi/tests/AUTH_SESSION_change_user_with_user_agent.json @@ -16,6 +16,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "hostd" + }, "related": { "ip": [ "127.0.0.1" @@ -44,6 +47,16 @@ "os": { "name": "Other" } + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + }, + "operation": { + "id": "esxcli-76-ecbf" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/AUTH_SESSION_user.json b/VMWare/vmware-esxi/tests/AUTH_SESSION_user.json index aeff0a3e5..f14611d71 100644 --- a/VMWare/vmware-esxi/tests/AUTH_SESSION_user.json +++ b/VMWare/vmware-esxi/tests/AUTH_SESSION_user.json @@ -16,6 +16,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "hostd" + }, "related": { "user": [ "root" @@ -23,6 +26,17 @@ }, "user": { "name": "root" + }, + "vmware": { + "esxi": { + "log": { + "category": "Auth", + "type": "info" + }, + "operation": { + "id": "esxcli-a5-20ae" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/AUTH_SSH_PASSWORD.json b/VMWare/vmware-esxi/tests/AUTH_SSH_PASSWORD.json index d06e586ef..a7dffbe6d 100644 --- a/VMWare/vmware-esxi/tests/AUTH_SSH_PASSWORD.json +++ b/VMWare/vmware-esxi/tests/AUTH_SSH_PASSWORD.json @@ -16,6 +16,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "hostd" + }, "related": { "ip": [ "127.0.0.1" 
@@ -30,6 +33,16 @@ }, "user": { "name": "root" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + }, + "operation": { + "id": "esxcli-76-ecbf" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/AUTH_SSH_event_closed.json b/VMWare/vmware-esxi/tests/AUTH_SSH_event_closed.json index a1b49ad2a..d7b27e0a7 100644 --- a/VMWare/vmware-esxi/tests/AUTH_SSH_event_closed.json +++ b/VMWare/vmware-esxi/tests/AUTH_SSH_event_closed.json @@ -16,6 +16,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "vob.user.ssh.session.closed" + }, "related": { "ip": [ "1.2.3.4" diff --git a/VMWare/vmware-esxi/tests/AUTH_SSH_event_opened.json b/VMWare/vmware-esxi/tests/AUTH_SSH_event_opened.json index 6c1638bcd..4d5bab4b1 100644 --- a/VMWare/vmware-esxi/tests/AUTH_SSH_event_opened.json +++ b/VMWare/vmware-esxi/tests/AUTH_SSH_event_opened.json @@ -16,6 +16,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "vob.user.ssh.session.opened" + }, "related": { "ip": [ "1.2.3.4" diff --git a/VMWare/vmware-esxi/tests/AUTH_SSH_login_failed.json b/VMWare/vmware-esxi/tests/AUTH_SSH_login_failed.json index f6ac1f03a..760c7197b 100644 --- a/VMWare/vmware-esxi/tests/AUTH_SSH_login_failed.json +++ b/VMWare/vmware-esxi/tests/AUTH_SSH_login_failed.json @@ -17,6 +17,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "vob.user.ssh.session.failed" + }, "related": { "ip": [ "1.2.3.4" diff --git a/VMWare/vmware-esxi/tests/AUTH_SSH_process_closed.json b/VMWare/vmware-esxi/tests/AUTH_SSH_process_closed.json index f40a3c555..6b0b5b634 100644 --- a/VMWare/vmware-esxi/tests/AUTH_SSH_process_closed.json +++ b/VMWare/vmware-esxi/tests/AUTH_SSH_process_closed.json @@ -16,6 +16,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "hostd" + }, "related": { "ip": [ "1.2.3.4" 
@@ -30,6 +33,13 @@ }, "user": { "name": "root" + }, + "vmware": { + "esxi": { + "log": { + "type": "error" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/AUTH_SSH_process_opened.json b/VMWare/vmware-esxi/tests/AUTH_SSH_process_opened.json index 9f6c6e214..2ab083748 100644 --- a/VMWare/vmware-esxi/tests/AUTH_SSH_process_opened.json +++ b/VMWare/vmware-esxi/tests/AUTH_SSH_process_opened.json @@ -16,6 +16,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "hostd" + }, "related": { "ip": [ "1.2.3.4" @@ -30,6 +33,13 @@ }, "user": { "name": "root" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/NETWORK_HOSTNAME.json b/VMWare/vmware-esxi/tests/NETWORK_HOSTNAME.json index 771a56af3..605123c67 100644 --- a/VMWare/vmware-esxi/tests/NETWORK_HOSTNAME.json +++ b/VMWare/vmware-esxi/tests/NETWORK_HOSTNAME.json @@ -25,6 +25,13 @@ "address": "255.255.255.255", "ip": "255.255.255.255", "port": 67 + }, + "vmware": { + "esxi": { + "log": { + "type": "DHCPDISCOVER" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/PROCESS_BEGIN.json b/VMWare/vmware-esxi/tests/PROCESS_BEGIN.json new file mode 100644 index 000000000..e9a69d670 --- /dev/null +++ b/VMWare/vmware-esxi/tests/PROCESS_BEGIN.json 
@@ -0,0 +1,41 @@ +{ + "input": { + "message": "info vpxa[2100523] [Originator@6876 sub=vpxLro opID=PollQuickStatsLoop-37dc5435-21] [VpxLRO] -- BEGIN lro-437646 -- vpxa -- vpxapi.VpxaService.fetchQuickStats -- 12345678-abcd-ef90-1234-abcdef123456", + "sekoiaio": { + "intake": { + "dialect": "VMware ESXi", + "dialect_uuid": "2b13307b-7439-4973-900a-2b58303cac90" + } + } + }, + "expected": { + "message": "info vpxa[2100523] [Originator@6876 sub=vpxLro opID=PollQuickStatsLoop-37dc5435-21] [VpxLRO] -- BEGIN lro-437646 -- vpxa -- vpxapi.VpxaService.fetchQuickStats -- 12345678-abcd-ef90-1234-abcdef123456", + "event": { + "category": [ + "process" + ], + "reason": "-- BEGIN lro-437646 -- vpxa -- vpxapi.VpxaService.fetchQuickStats -- 12345678-abcd-ef90-1234-abcdef123456", + "type": [ + "info" + ] + }, + "observer": { + "product": "ESXi", + "vendor": "VMware" + }, + "process": { + "name": "vpxa" + }, + "vmware": { + "esxi": { + "log": { + "category": "VpxLRO", + "type": "info" + }, + "operation": { + "id": "PollQuickStatsLoop-37dc5435-21" + } + } + } + } +} \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/PROCESS_CLOSED_STREAM.json b/VMWare/vmware-esxi/tests/PROCESS_CLOSED_STREAM.json new file mode 100644 index 000000000..148db63d3 --- /dev/null +++ b/VMWare/vmware-esxi/tests/PROCESS_CLOSED_STREAM.json 
@@ -0,0 +1,37 @@ +{ + "input": { + "message": "verbose rhttpproxy[2099517] [Originator@6876 sub=Proxy Req 56374] The client closed the stream, not unexpectedly.", + "sekoiaio": { + "intake": { + "dialect": "VMware ESXi", + "dialect_uuid": "2b13307b-7439-4973-900a-2b58303cac90" + } + } + }, + "expected": { + "message": "verbose rhttpproxy[2099517] [Originator@6876 sub=Proxy Req 56374] The client closed the stream, not unexpectedly.", + "event": { + "category": [ + "process" + ], + "reason": "The client closed the stream, not unexpectedly.", + "type": [ + "info" + ] + }, + "observer": { + "product": "ESXi", + "vendor": "VMware" + }, + "process": { + "name": "rhttpproxy" + }, + "vmware": { + "esxi": { + "log": { + "type": "verbose" + } + } + } + } +} \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/PROCESS_INFO.json b/VMWare/vmware-esxi/tests/PROCESS_INFO.json new file mode 100644 index 000000000..568bbe54a --- /dev/null +++ b/VMWare/vmware-esxi/tests/PROCESS_INFO.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "info hostd[2100582] [Originator@6876 sub=Libs opID=sps-Main-845080-412-fa-fc-87e0 user=vpxuser:USER.LOCAL\\vpxd-extension-12345678-abcd-ef90-1234-abcdef123456] (403)", + "sekoiaio": { + "intake": { + "dialect": "VMware ESXi", + "dialect_uuid": "2b13307b-7439-4973-900a-2b58303cac90" + } + } + }, + "expected": { + "message": "info hostd[2100582] [Originator@6876 sub=Libs opID=sps-Main-845080-412-fa-fc-87e0 user=vpxuser:USER.LOCAL\\vpxd-extension-12345678-abcd-ef90-1234-abcdef123456] (403)", + "event": { + "category": [ + "process" + ], + "reason": "(403)", + "type": [ + "info" + ] + }, + "observer": { + "product": "ESXi", + "vendor": "VMware" + }, + "process": { + "name": "hostd" + }, + "related": { + "user": [ + "vpxuser" + ] + }, + "user": { + "domain": "USER.LOCAL\\vpxd-extension-12345678-abcd-ef90-1234-abcdef123456", + "name": "vpxuser" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + }, + "operation": { + "id": "sps-Main-845080-412-fa-fc-87e0" + } + } + } + } +} \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/PROCESS_LOG_LAUNCHING.json b/VMWare/vmware-esxi/tests/PROCESS_LOG_LAUNCHING.json index 35fda8516..1c1c9c5ac 100644 --- a/VMWare/vmware-esxi/tests/PROCESS_LOG_LAUNCHING.json +++ b/VMWare/vmware-esxi/tests/PROCESS_LOG_LAUNCHING.json @@ -17,13 +17,21 @@ "vendor": "VMware" }, "process": { - "command_line": "/usr/lib/vmware/healthd/plugins/bin/ssdStorage.py ++group=healthd-plugins,mem=40 -u http://localhost:9996" + "command_line": "/usr/lib/vmware/healthd/plugins/bin/ssdStorage.py ++group=healthd-plugins,mem=40 -u http://localhost:9996", + "name": "healthd" }, "url": { "domain": "localhost", "original": "http://localhost:9996", "port": 9996, "scheme": "http" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + } + } } } } \ No newline at end of file 
diff --git a/VMWare/vmware-esxi/tests/PROCESS_WARNING.json b/VMWare/vmware-esxi/tests/PROCESS_WARNING.json new file mode 100644 index 000000000..f639fbc4d --- /dev/null +++ b/VMWare/vmware-esxi/tests/PROCESS_WARNING.json @@ -0,0 +1,37 @@ +{ + "input": { + "message": "warning hostd[2102845] [Originator@6876 sub=VigorStatsProvider(000000609e3d09a0).GuestStats(28)] SetVigorNotificationTime: Not connected", + "sekoiaio": { + "intake": { + "dialect": "VMware ESXi", + "dialect_uuid": "2b13307b-7439-4973-900a-2b58303cac90" + } + } + }, + "expected": { + "message": "warning hostd[2102845] [Originator@6876 sub=VigorStatsProvider(000000609e3d09a0).GuestStats(28)] SetVigorNotificationTime: Not connected", + "event": { + "category": [ + "process" + ], + "reason": "SetVigorNotificationTime: Not connected", + "type": [ + "info" + ] + }, + "observer": { + "product": "ESXi", + "vendor": "VMware" + }, + "process": { + "name": "hostd" + }, + "vmware": { + "esxi": { + "log": { + "type": "warning" + } + } + } + } +} \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/SSHD_ERROR_INVALID_USER.json b/VMWare/vmware-esxi/tests/SSHD_ERROR_INVALID_USER.json index 2414edc24..4df968c7d 100644 --- a/VMWare/vmware-esxi/tests/SSHD_ERROR_INVALID_USER.json +++ b/VMWare/vmware-esxi/tests/SSHD_ERROR_INVALID_USER.json @@ -17,6 +17,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "sshd" + }, "related": { "ip": [ "1.2.3.4" diff --git a/VMWare/vmware-esxi/tests/SSHD_MESSAGE_DISCONNECTED.json b/VMWare/vmware-esxi/tests/SSHD_MESSAGE_DISCONNECTED.json index 281c89090..c9425789b 100644 --- a/VMWare/vmware-esxi/tests/SSHD_MESSAGE_DISCONNECTED.json +++ b/VMWare/vmware-esxi/tests/SSHD_MESSAGE_DISCONNECTED.json @@ -17,6 +17,9 @@ "product": "ESXi", "vendor": "VMware" }, + "process": { + "name": "sshd" + }, "related": { "ip": [ "1.2.3.4" diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_1.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_1.json index 9ab1f191f..27fd1be75 100644 
--- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_1.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_1.json @@ -16,6 +16,9 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "process": { + "name": "vob.iscsi.connection.stopped" } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_10.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_10.json index fd0288373..a223c4f2a 100644 --- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_10.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_10.json @@ -16,6 +16,19 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "process": { + "name": "fdm" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + }, + "operation": { + "id": "SWI-1b24a1a7" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_11.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_11.json new file mode 100644 index 000000000..d08684c1c --- /dev/null +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_11.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "cpu7:2097868)WARNING: ql_fcce:vmhba65:FipVlanTimeoutWork:249: FAP VLAN Max Retries reached, cur vlan and pri: 1002", + "sekoiaio": { + "intake": { + "dialect": "VMware ESXi", + "dialect_uuid": "2b13307b-7439-4973-900a-2b58303cac90" + } + } + }, + "expected": { + "message": "cpu7:2097868)WARNING: ql_fcce:vmhba65:FipVlanTimeoutWork:249: FAP VLAN Max Retries reached, cur vlan and pri: 1002", + "event": { + "category": [ + "network" + ], + "reason": "ql_fcce:vmhba65:FipVlanTimeoutWork:249: FAP VLAN Max Retries reached, cur vlan and pri: 1002", + "type": [ + "info" + ] + }, + "observer": { + "product": "ESXi", + "vendor": "VMware" + }, + "vmware": { + "esxi": { + "log": { + "type": "warning" + } + } + } + } +} \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_12.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_12.json new file mode 100644 index 000000000..6987c00e1 --- /dev/null 
+++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_12.json @@ -0,0 +1,38 @@ +{ + "input": { + "message": "error hostd[5806021] [Originator@6876 sub=Default] [LikewiseGetDomainJoinInfo:354] QueryInformation(): ERROR_FILE_NOT_FOUND (2/0):", + "sekoiaio": { + "intake": { + "dialect": "VMware ESXi", + "dialect_uuid": "2b13307b-7439-4973-900a-2b58303cac90" + } + } + }, + "expected": { + "message": "error hostd[5806021] [Originator@6876 sub=Default] [LikewiseGetDomainJoinInfo:354] QueryInformation(): ERROR_FILE_NOT_FOUND (2/0):", + "event": { + "category": [ + "process" + ], + "reason": "QueryInformation(): ERROR_FILE_NOT_FOUND (2/0):", + "type": [ + "info" + ] + }, + "observer": { + "product": "ESXi", + "vendor": "VMware" + }, + "process": { + "name": "hostd" + }, + "vmware": { + "esxi": { + "log": { + "category": "LikewiseGetDomainJoinInfo:354", + "type": "error" + } + } + } + } +} \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_2.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_2.json index 5ddea19cf..6c22c512c 100644 --- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_2.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_2.json @@ -16,6 +16,13 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "vmware": { + "esxi": { + "log": { + "type": "connection" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_3.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_3.json index 6272f3c3b..da7b9bd15 100644 --- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_3.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_3.json @@ -16,6 +16,27 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "process": { + "name": "hostd" + }, + "related": { + "user": [ + "vpxuser" + ] + }, + "user": { + "name": "vpxuser" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + }, + "operation": { + "id": "233816e0" + } + } } } } \ No newline at end of file 
diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_4.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_4.json index fd61b6307..5b0ef8f81 100644 --- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_4.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_4.json @@ -16,6 +16,16 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "process": { + "name": "rhttpproxy" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_5.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_5.json index 98978d8a4..3a35cca9f 100644 --- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_5.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_5.json @@ -16,6 +16,16 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "process": { + "name": "rhttpproxy" + }, + "vmware": { + "esxi": { + "log": { + "type": "verbose" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_6.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_6.json index 274b3aecd..c782af724 100644 --- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_6.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_6.json @@ -16,6 +16,19 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "process": { + "name": "kmxa" + }, + "vmware": { + "esxi": { + "log": { + "type": "error" + }, + "operation": { + "id": "InitCache-52a74d0e-554c-1fc3-1b1f-bd3c439fd0a3-0" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_7.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_7.json index 3578de403..0538c0362 100644 --- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_7.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_7.json @@ -16,6 +16,19 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "process": { + "name": "fdm" + }, + "vmware": { + "esxi": { + "log": { + "type": "verbose" + }, + "operation": { + "id": "SWI-1361339f" + } + } } } } \ No newline at end of file 
diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_8.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_8.json index 0797d429b..c98ff4389 100644 --- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_8.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_8.json @@ -16,6 +16,27 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "process": { + "name": "hostd" + }, + "related": { + "user": [ + "vpxuser" + ] + }, + "user": { + "name": "vpxuser" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + }, + "operation": { + "id": "2338d373" + } + } } } } \ No newline at end of file diff --git a/VMWare/vmware-esxi/tests/VARIOUS_REASON_9.json b/VMWare/vmware-esxi/tests/VARIOUS_REASON_9.json index 355cf67ed..51dbcabe7 100644 --- a/VMWare/vmware-esxi/tests/VARIOUS_REASON_9.json +++ b/VMWare/vmware-esxi/tests/VARIOUS_REASON_9.json @@ -16,6 +16,19 @@ "observer": { "product": "ESXi", "vendor": "VMware" + }, + "process": { + "name": "fdm" + }, + "vmware": { + "esxi": { + "log": { + "type": "info" + }, + "operation": { + "id": "SWI-1b24a1a7" + } + } } } } \ No newline at end of file