-
Notifications
You must be signed in to change notification settings - Fork 421
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
409 additions
and
0 deletions.
There are no files selected for viewing
6 changes: 6 additions & 0 deletions
6
packages/panw_metrics/data_stream/vpn/agent/stream/stream.yml.hbs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| metricsets: ["vpn"] | ||
| period: {{period}} | ||
| host_ip: {{host_ip}} | ||
| port: {{port}} | ||
| apiKey: {{apiKey}} | ||
| apiDebugMode: {{apiDebugMode}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| - name: cloud | ||
| title: Cloud | ||
| group: 2 | ||
| description: Fields related to the cloud or infrastructure the events are coming from. | ||
| footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' | ||
| type: group | ||
| fields: | ||
| - name: image.id | ||
| type: keyword | ||
| description: Image ID for the cloud instance. | ||
| - name: host | ||
| title: Host | ||
| group: 2 | ||
| description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' | ||
| type: group | ||
| fields: | ||
| - name: containerized | ||
| type: boolean | ||
| description: > | ||
| If the host is a container. | ||
| - name: os.build | ||
| type: keyword | ||
| example: "18D109" | ||
| description: > | ||
| OS build information. | ||
| - name: os.codename | ||
| type: keyword | ||
| example: "stretch" | ||
| description: > | ||
| OS codename, if any. | ||
12 changes: 12 additions & 0 deletions
12
packages/panw_metrics/data_stream/vpn/fields/base-fields.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| - name: data_stream.type | ||
| type: constant_keyword | ||
| description: Data stream type. | ||
| - name: data_stream.dataset | ||
| type: constant_keyword | ||
| description: Data stream dataset. | ||
| - name: data_stream.namespace | ||
| type: constant_keyword | ||
| description: Data stream namespace. | ||
| - name: '@timestamp' | ||
| type: date | ||
| description: Event timestamp. |
211 changes: 211 additions & 0 deletions
211
packages/panw_metrics/data_stream/vpn/fields/fields.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,211 @@ | ||
| - name: panw.vpn | ||
| type: group | ||
| fields: | ||
| - name: globalprotect.session.domain | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Domain of the GlobalProtect session | ||
| - name: globalprotect.session.is_local | ||
| type: boolean | ||
| description: > | ||
| Indicates if the session is local | ||
| - name: globalprotect.session.username | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Username of the session | ||
| - name: globalprotect.session.primary_username | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Primary username of the session | ||
| - name: globalprotect.session.region_for_config | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Region for configuration | ||
| - name: globalprotect.session.source_region | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Source region of the session | ||
| - name: globalprotect.session.computer | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Computer name in the session | ||
| - name: globalprotect.session.client | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Client information of the session | ||
| - name: globalprotect.session.vpn_type | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Type of VPN used in the session | ||
| - name: globalprotect.session.host_id | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Host ID of the session | ||
| - name: globalprotect.session.app_version | ||
| type: keyword | ||
| description: > | ||
| Application version used in the session | ||
| - name: globalprotect.session.virtual_ip | ||
| type: ip | ||
| description: > | ||
| Virtual IP address of the session | ||
| - name: globalprotect.session.virtual_ipv6 | ||
| type: ip | ||
| description: > | ||
| Virtual IPv6 address of the session | ||
| - name: globalprotect.session.public_ip | ||
| type: ip | ||
| description: > | ||
| Public IP address of the session | ||
| - name: globalprotect.session.public_ipv6 | ||
| type: ip | ||
| description: > | ||
| Public IPv6 address of the session | ||
| - name: globalprotect.session.tunnel_type | ||
| type: keyword | ||
| description: > | ||
| Type of tunnel used in the session | ||
| - name: globalprotect.session.public_connection_ipv6 | ||
| type: ip | ||
| description: > | ||
| Public connection IPv6 address of the session | ||
| - name: globalprotect.session.client_ip | ||
| type: ip | ||
| description: > | ||
| Client IP address of the session | ||
| - name: globalprotect.session.login_time | ||
| type: date | ||
| description: > | ||
| Login time of the session | ||
| - name: globalprotect.session.login_time_utc | ||
| type: date | ||
| description: > | ||
| Login time in UTC of the session | ||
| - name: globalprotect.session.lifetime | ||
| type: long | ||
| description: > | ||
| Lifetime of the session | ||
| unit: s | ||
| - name: globalprotect.session.request_login | ||
| type: keyword | ||
| description: > | ||
| Request login information of the session | ||
| - name: globalprotect.session.request_get_config | ||
| type: keyword | ||
| description: > | ||
| Request get configuration information of the session | ||
| - name: globalprotect.session.request_sslvpn_connect | ||
| type: keyword | ||
| description: > | ||
| Request SSL VPN connect information of the session | ||
| - name: globalprotect.gateway.name | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Name of the GlobalProtect gateway | ||
| - name: globalprotect.gateway.current_users | ||
| type: long | ||
| description: > | ||
| Current number of users connected to the GlobalProtect gateway | ||
| metric_type: gauge | ||
| - name: globalprotect.gateway.previous_users | ||
| type: long | ||
| description: > | ||
| Previous number of users connected to the GlobalProtect gateway | ||
| metric_type: gauge | ||
| - name: globalprotect.total_current_users | ||
| type: long | ||
| description: > | ||
| Total current number of users connected to GlobalProtect | ||
| metric_type: gauge | ||
| - name: globalprotect.total_previous_users | ||
| type: long | ||
| description: > | ||
| Total previous number of users connected to GlobalProtect | ||
| metric_type: gauge | ||
| - name: ipsec_tunnel.id | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| ID of the IPsec tunnel | ||
| - name: ipsec_tunnel.name | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Name of the IPsec tunnel | ||
| - name: ipsec_tunnel.gw | ||
| type: keyword | ||
| dimension: true | ||
| description: > | ||
| Gateway of the IPsec tunnel | ||
| - name: ipsec_tunnel.TSi_ip | ||
| type: ip | ||
| description: > | ||
| Traffic Selector Initiator IP. This is the local IP (0.0.0.0 means any IP address) | ||
| - name: ipsec_tunnel.TSi_prefix | ||
| type: keyword | ||
| description: > | ||
| Network prefix for the TSi IP, 0 means no specific network is defined. | ||
| - name: ipsec_tunnel.TSi_proto | ||
| type: keyword | ||
| description: > | ||
| Protocol associated with the TSi (0 means any protocol) | ||
| - name: ipsec_tunnel.TSi_port | ||
| type: long | ||
| description: > | ||
| Port number associated with TSi (0 means any port) | ||
| - name: ipsec_tunnel.TSr_ip | ||
| type: ip | ||
| description: > | ||
| Traffic Selector Responder IP. | ||
| - name: ipsec_tunnel.TSr_prefix | ||
| type: keyword | ||
| description: > | ||
| Network prefix for the TSr IP. Similar to TSi_prefix | ||
| - name: ipsec_tunnel.TSr_proto | ||
| type: keyword | ||
| description: > | ||
| TSr protocol of the IPsec tunnel | ||
| - name: ipsec_tunnel.TSr_port | ||
| type: long | ||
| description: > | ||
| TSr port of the IPsec tunnel | ||
| - name: ipsec_tunnel.proto | ||
| type: keyword | ||
| description: > | ||
| Protocol of the IPsec tunnel | ||
| - name: ipsec_tunnel.mode | ||
| type: keyword | ||
| description: > | ||
| This specifies the IPsec mode. e.g., 'tunl' | ||
| - name: ipsec_tunnel.dh | ||
| type: keyword | ||
| description: > | ||
| Diffie-Hellman group of the IPsec tunnel | ||
| - name: ipsec_tunnel.enc | ||
| type: keyword | ||
| description: > | ||
| Encryption algorithm of the IPsec tunnel | ||
| - name: ipsec_tunnel.hash | ||
| type: keyword | ||
| description: > | ||
| Hash algorithm of the IPsec tunnel | ||
| - name: ipsec_tunnel.life | ||
| type: long | ||
| description: > | ||
| The lifetime of the IPsec Security Association (SA) in seconds | ||
| unit: s | ||
| - name: ipsec_tunnel.kb | ||
| type: long | ||
| description: > | ||
| Traffic volume limit for SA rekeying | ||
| unit: byte |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| title: "Palo Alto Networks VPN" | ||
| type: metrics | ||
| streams: | ||
| - input: panw/metrics | ||
| title: Palo Alto Networks system metrics | ||
| description: Collect system metrics from Palo Alto Networks. | ||
| vars: | ||
| - name: period | ||
| type: text | ||
| title: Period | ||
| default: 10s | ||
| multi: false | ||
| required: true | ||
| show_user: true | ||
| - name: host_ip | ||
| type: text | ||
| title: Host IP | ||
| default: 127.0.0.1 | ||
| multi: false | ||
| required: true | ||
| show_user: true | ||
| - name: port | ||
| type: text | ||
| title: Port | ||
| default: 443 | ||
| multi: false | ||
| required: false | ||
| show_user: true | ||
| - name: apiKey | ||
| type: text | ||
| title: API Key | ||
| secret: true | ||
| multi: false | ||
| required: true | ||
| show_user: true | ||
| - name: apiDebugMode | ||
| type: bool | ||
| title: Debug Mode | ||
| default: false | ||
| multi: false | ||
| required: false | ||
| show_user: true |
Oops, something went wrong.