diff --git a/packages/cyberarkpas/changelog.yml b/packages/cyberarkpas/changelog.yml
index f9762a4881b..041e9674009 100644
--- a/packages/cyberarkpas/changelog.yml
+++ b/packages/cyberarkpas/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.28.0"
+ changes:
+ - description: Handle syslog header in the monitor data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16739
 - version: "2.27.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json
index d1868793091..3cf6878b656 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json
@@ -54,7 +54,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-08T03:00:20.000Z",
+ "@timestamp": "2026-03-08T03:00:20.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Auto Clear Users History start",
@@ -100,4 +100,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json
index 2b145726242..520f5e7d0d8 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json
@@ -54,7 +54,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-08T03:00:20.000Z",
+ "@timestamp": "2026-03-08T03:00:20.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Auto Clear Users History end",
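Review bot: The `@timestamp` year in this fixture, and in the eight other audit `-expected.json` files in this diff, moves from 2025 to 2026 although neither the audit input logs nor the audit pipeline are touched here, which suggests the expected output depends on the year at which the fixtures were regenerated — presumably because the legacy `Mar 08 02:57:42` syslog timestamp carries no year and the pipeline fills it in from the current date. These expectations will need the same bump every January and the pipeline tests will fail until someone makes it. If the test tooling supports a dynamic-field match for `@timestamp` or a fixed reference date in the test config, pinning it there would stop the drift; otherwise a comment in the test config explaining why the year moves would at least save the next maintainer the investigation.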
@@ -100,4 +100,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json
index 34e9034090a..b5c73b3fe55 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json
@@ -54,7 +54,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-08T02:48:07.000Z",
+ "@timestamp": "2026-03-08T02:48:07.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Monitor DR Replication start",
@@ -100,4 +100,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
index d9dc7c7e91e..187d663dea6 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
@@ -54,7 +54,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-08T02:48:07.000Z",
+ "@timestamp": "2026-03-08T02:48:07.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Monitor DR Replication end",
@@ -100,4 +100,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json
index 8dc740f3a58..f0911327941 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json
@@ -54,7 +54,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-08T02:32:56.000Z",
+ "@timestamp": "2026-03-08T02:32:56.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Monitor FW rules start",
@@ -100,4 +100,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json
index 30c17c293ec..a10116dccb1 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json
@@ -54,7 +54,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-08T02:32:56.000Z",
+ "@timestamp": "2026-03-08T02:32:56.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Monitor FW Rules end",
@@ -100,4 +100,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json
index db2d6e3c095..e4e48324c77 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json
@@ -57,7 +57,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-08T07:46:54.000Z",
+ "@timestamp": "2026-03-08T07:46:54.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
@@ -106,4 +106,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json
index 73ca5246970..fe6efef07d0 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json
@@ -55,7 +55,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-08T03:10:31.000Z",
+ "@timestamp": "2026-03-08T03:10:31.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Clear Safe History",
@@ -156,4 +156,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json
index 33f03e6dc4e..200f82921ed 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json
@@ -107,7 +107,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-08T02:54:46.000Z",
+ "@timestamp": "2026-03-08T02:54:46.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Set Password",
@@ -1071,4 +1071,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json
index 4dc8877e0d3..e973824eff6 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2025-03-08T03:41:01.000Z",
+ "@timestamp": "2026-03-08T03:41:01.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Retrieve File",
@@ -52,4 +52,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log
index 2d62f027633..903ca23427d 100644
--- a/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log
+++ b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log
@@ -27,4 +27,4 @@
 {"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:26:00","IsoTimestamp":"2024-10-15T00:26:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0026","AverageExecutionTime":"14","MaxExecutionTime":"170","AverageQueueTime":"4","MaxQueueTime":"54","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"10","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
 {"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:27:00","IsoTimestamp":"2024-10-15T00:27:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0027","AverageExecutionTime":"10","MaxExecutionTime":"184","AverageQueueTime":"0","MaxQueueTime":"102","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"12","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}}
 {"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:28:00","IsoTimestamp":"2024-10-15T00:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0028","AverageExecutionTime":"11","MaxExecutionTime":"101","AverageQueueTime":"1","MaxQueueTime":"62","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"0","MemoryUsage":"63","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
-{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:29:00","IsoTimestamp":"2024-10-15T00:29:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0029","AverageExecutionTime":"10","MaxExecutionTime":"148","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"7","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
+2026-01-01T00:00:01-00:00 hostname0001 {"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:29:00","IsoTimestamp":"2024-10-15T00:29:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0029","AverageExecutionTime":"10","MaxExecutionTime":"148","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"7","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
diff --git a/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log-expected.json b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log-expected.json
index 2b29acb7b08..10b9892518d 100644
--- a/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log-expected.json
+++ b/packages/cyberarkpas/data_stream/monitor/_dev/test/pipeline/test-monitor.log-expected.json
@@ -1476,7 +1476,7 @@
 },
 "event": {
 "kind": "metric",
- "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:29:00\",\"IsoTimestamp\":\"2024-10-15T00:29:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0029\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"148\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"37\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"315\",\"CPUUsage\":\"7\",\"MemoryUsage\":\"62\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}"
+ "original": "2026-01-01T00:00:01-00:00 hostname0001 {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:29:00\",\"IsoTimestamp\":\"2024-10-15T00:29:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0029\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"148\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"37\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"315\",\"CPUUsage\":\"7\",\"MemoryUsage\":\"62\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}"
 },
 "host": {
 "cpu": {
@@ -1501,4 +1501,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cyberarkpas/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml
index 743214d899b..9a43f847458 100644
--- a/packages/cyberarkpas/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cyberarkpas/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml
@@ -17,10 +17,34 @@ processors:
 target_field: event.original
 if: ctx.event?.original == null
 ignore_missing: true
+ #
+ # Parse syslog headers (if any) and extract JSON payload.
+ #
+ - grok:
+ tag: grok_event_original
+ field: event.original
+ patterns:
+ # RFC5424 from CyberArk.
+ # UseLegacySyslogFormat=No
+ # <5>1 2021-03-04T17:28:23Z VAULT {"format":"elastic","version":"1.0",...}
+ - "^<%{NONNEGINT:log.syslog.priority:long}>%{NONNEGINT} %{TIMESTAMP_ISO8601:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}"
+ # Legacy format.
+ # UseLegacySyslogFormat=Yes
+ # Mar 08 02:57:42 VAULT {"format":"elastic","version":"1.0",...}
+ - "^%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}"
+ # Catch-all mode, just JSON payload.
+ - "%{JSON_PAYLOAD:_tmp.payload}"
+ pattern_definitions:
+ JSON_PAYLOAD: '{"format":"elastic","version":"1.0",.*}'
+ on_failure:
+ - fail:
+ message: "unexpected event format: {{{_ingest.on_failure_message}}}"
 - json:
- tag: json_event_original
- field: event.original
+ tag: json_tmp_payload
+ field: _tmp.payload
 target_field: _tmp.json
 on_failure:
 - fail:
diff --git a/packages/cyberarkpas/manifest.yml b/packages/cyberarkpas/manifest.yml
index 7c28b85198b..8d7c8a92d58 100644
--- a/packages/cyberarkpas/manifest.yml
+++ b/packages/cyberarkpas/manifest.yml
@@ -1,6 +1,6 @@
 name: cyberarkpas
 title: CyberArk Privileged Access Security
-version: "2.27.0"
+version: "2.28.0"
 description: Collect logs from CyberArk Privileged Access Security with Elastic Agent.
 type: integration
 format_version: "3.0.3"
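Review bot: The only input added to test-monitor.log (`2026-01-01T00:00:01-00:00 hostname0001 {…}`) is matched by neither of the two header patterns in the new grok processor — the RFC5424 pattern requires a leading `<PRI>1` and the legacy pattern a `Mar 08 02:57:42`-style SYSLOGTIMESTAMP — so it falls through to the unanchored catch-all, and the `_tmp.syslog_ts` / `_tmp.hostname` captures are never exercised by the pipeline test. Add one sample line in each of the two shapes shown in the comments, plus one malformed line, so both header patterns and the `fail` branch are covered. `_tmp.syslog_ts` and `_tmp.hostname` are captured but not consumed anywhere in this hunk; if the rest of the pipeline (outside the hunk) does not map them onto the document and then drop `_tmp`, they are either dead captures or leak into the indexed event, so a comment on the grok processor naming where they are consumed, or the capture removed, would make the intent clear. The json processor's `on_failure` handler continues past the end of the hunk.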