HEX

Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit - prohibited by configuration in /home/u547966/brikov.ru/www/wp-content/plugins/admin-menu-editor/menu-editor.php on line 745
Server: Apache
System: Linux 4.19.0-0.bpo.9-amd64 x86_64 at red40
User: u547966 (5490)
PHP: 5.3.29-mh2
Disabled: syslog, dl, popen, proc_open, proc_nice, proc_get_status, proc_close, proc_terminate, posix_mkfifo, chown, chgrp, accelerator_reset, opcache_reset, accelerator_get_status, opcache_get_status, pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wifcontinued, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority
$ pwd: /usr/share/filebeat/module/santa/log/ingest/
Upload Files
File: //usr/share/filebeat/module/santa/log/ingest/pipeline.yml
description: Pipeline for parsing Google Santa logs.
processors:
- set:
    field: event.ingested
    value: '{{_ingest.timestamp}}'
- grok:
    field: message
    patterns:
    - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|decision=%{NOT_SEPARATOR:santa.decision}\|reason=%{NOT_SEPARATOR:santa.reason}\|sha256=%{NOT_SEPARATOR:process.hash.sha256}\|path=%{NOT_SEPARATOR:process.executable}(\|args=%{NOT_SEPARATOR:santa.args})?(\|cert_sha256=%{NOT_SEPARATOR:santa.certificate.sha256})?(\|cert_cn=%{NOT_SEPARATOR:santa.certificate.common_name})?\|pid=%{NUMBER:process.pid:long}\|ppid=%{NUMBER:process.parent.pid:long}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}\|mode=%{WORD:santa.mode}'
    - '\[%{TIMESTAMP_ISO8601:timestamp}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|mount=%{NOT_SEPARATOR:santa.disk.mount}\|volume=%{NOT_SEPARATOR:santa.disk.volume}\|bsdname=%{NOT_SEPARATOR:santa.disk.bsdname}\|fs=%{NOT_SEPARATOR:santa.disk.fs}\|model=%{NOT_SEPARATOR:santa.disk.model}\|serial=%{NOT_SEPARATOR:santa.disk.serial}\|bus=%{NOT_SEPARATOR:santa.disk.bus}\|dmgpath=%{NOT_SEPARATOR:santa.disk.dmgpath}?'
    pattern_definitions:
      NOT_SEPARATOR: '[^\|]+'
- rename:
    field: message
    target_field: event.original
- date:
    field: process.start
    target_field: process.start
    formats:
    - ISO8601
    ignore_failure: true
- set:
    field: '@timestamp'
    value: '{{ process.start }}'
    ignore_failure: true
    ignore_empty_value: true
- split:
    field: santa.args
    separator: ' '
    ignore_failure: true
- date:
    field: timestamp
    target_field: '@timestamp'
    formats:
    - ISO8601
    ignore_failure: true
- remove:
    field: timestamp
    ignore_missing: true
- append:
    field: process.args
    value: "{{process.executable}}"
    if: "ctx?.process?.executable != null"
- foreach:
    field: santa.args
    processor:
      append:
        field: process.args
        value: "{{_ingest._value}}"
    ignore_missing: true
- remove:
    field: santa.args
    ignore_missing: true
- set:
    field: event.kind
    value: event
- append:
    field: event.category
    value: process
    if: "ctx?.santa?.action == 'EXEC'"
- append:
    field: event.type
    value: start
    if: "ctx?.santa?.action == 'EXEC'"
- set:
    field: event.outcome
    value: success
    if: "ctx?.santa?.decision == 'ALLOW'"
- set:
    field: event.outcome
    value: failure
    if: "ctx?.santa?.decision == 'DENY'"
- set:
    field: event.action
    value: "{{santa.action}}"
    ignore_empty_value: true
- lowercase:
    field: event.action
    ignore_missing: true
- append:
    field: related.user
    value: "{{user.name}}"
    if: "ctx?.user?.name != null"
- append:
    field: related.hash
    value: "{{santa.certificate.sha256}}"
    if: "ctx?.santa?.certificate?.sha256 != null"
- append:
    field: related.hash
    value: "{{process.hash.sha256}}"
    if: "ctx?.process?.hash != null"
- set:
    field: file.x509.issuer.common_name
    value: "{{santa.certificate.common_name}}"
    ignore_empty_value: true
on_failure:
- set:
    field: error.message
    value: '{{ _ingest.on_failure_message }}'
@ Telegram