Pleasant Password Server extraction improvements

packages/pps/_dev/deploy/docker/sample_logs/log.log

@@ -7,4 +7,7 @@
 <134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Error - Identity Not Verified - User <[email protected]> failed to verify themselves	127.0.0.1	23/01 13:47:25.593	
 <134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Error - Sign-in Failed - User <[email protected]> sign-in denied	127.0.0.1	23/01 13:47:25.641	
 <134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Created - User <[email protected]> created entry <TOP/SECRET/PASSWORD> as a duplicate	127.0.0.1	23/01 14:05:54.404	
-<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Duplicated - User <[email protected]> duplicated entry <TOP/SECRET/PASSWORD>	127.0.0.1	23/01 14:05:54.450	
+<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Duplicated - User <[email protected]> duplicated entry <TOP/SECRET/PASSWORD>	127.0.0.1	23/01 14:05:54.450
+<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Updated - User <[email protected]> updated entry <TOP/SECRET/PASSWORD> changing the name from <PASSWORD> to <PASSWORD2> changing the notes
+<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Updated - User <[email protected]> updated entry <TOP/SECRET/PASSWORD> changing the name from <PASSWORD> to <PASSWORD2> changing the username from <entry_username> to <entry_username2> changing the password changing the notes changing the expiry date from <> to <2027-09-23 00:00>
+<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Updated - User <[email protected]> updated entry <TOP/SECRET/PASSWORD> changing the username from <entry_username> to <entry_username2> changing the password changing the expiry date from <> to <2027-10-02 08:00>

packages/pps/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+  changes:
+    - description: Improved field extraction.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15666
 - version: "1.0.1"
   changes:
     - description: Remove duplicated installation instructions from the documentation.

packages/pps/data_stream/log/_dev/test/pipeline/test-log.log

@@ -7,4 +7,7 @@
 <134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Error - Identity Not Verified - User <[email protected]> failed to verify themselves	127.0.0.1	23/01 13:47:25.593	
 <134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Error - Sign-in Failed - User <[email protected]> sign-in denied	127.0.0.1	23/01 13:47:25.641	
 <134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Created - User <[email protected]> created entry <TOP/SECRET/PASSWORD> as a duplicate	127.0.0.1	23/01 14:05:54.404	
-<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Duplicated - User <[email protected]> duplicated entry <TOP/SECRET/PASSWORD>	127.0.0.1	23/01 14:05:54.450	
+<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Duplicated - User <[email protected]> duplicated entry <TOP/SECRET/PASSWORD>	127.0.0.1	23/01 14:05:54.450
+<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Updated - User <[email protected]> updated entry <TOP/SECRET/PASSWORD> changing the name from <PASSWORD> to <PASSWORD2> changing the notes
+<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Updated - User <[email protected]> updated entry <TOP/SECRET/PASSWORD> changing the name from <PASSWORD> to <PASSWORD2> changing the username from <entry_username> to <entry_username2> changing the password changing the notes changing the expiry date from <> to <2027-09-23 00:00>
+<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - [email protected] -  - Success - Entry Updated - User <[email protected]> updated entry <TOP/SECRET/PASSWORD> changing the username from <entry_username> to <entry_username2> changing the password changing the expiry date from <> to <2027-10-02 08:00>

packages/pps/data_stream/log/_dev/test/system/test-logfile-config.yml

@@ -7,4 +7,4 @@ data_stream:
   vars:
     preserve_original_event: true
 assert:
-  hit_count: 10
+  hit_count: 13

packages/pps/data_stream/log/_dev/test/system/test-tcp-config.yml

@@ -8,4 +8,4 @@ data_stream:
     listen_port: 9037
     preserve_original_event: true
 assert:
-  hit_count: 10
+  hit_count: 13

packages/pps/data_stream/log/_dev/test/system/test-udp-config.yml

@@ -8,4 +8,4 @@ data_stream:
     listen_port: 9038
     preserve_original_event: true
 assert:
-  hit_count: 10
+  hit_count: 13

packages/pps/data_stream/log/_dev/test/system/test-udp-tz-config.yml

@@ -9,4 +9,4 @@ data_stream:
     preserve_original_event: true
     tz_offset: "+0500"
 assert:
-  hit_count: 10
+  hit_count: 13

packages/pps/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -15,9 +15,30 @@ processors:
   - grok:
       field: event.original
       patterns:
-        - '^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\s+%{NOTSPACE:host.hostname}\s%{DATA}:%{IP:client.ip}\s-\s%{USERNAME:user.name}@%{DATA:user.domain}\s%{DATA}(?<event.outcome>(Success)|(Error))\s-\s%{GREEDYDATA:message}'
-        - '^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\s+%{NOTSPACE:host.domain}\s%{DATA}:%{IP:client.ip}%{DATA}(?<event.outcome>(Success)|(Error))\s-\s%{GREEDYDATA:message}'
+        - '^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\s+%{NOTSPACE:host.hostname}\s%{DATA}:%{IP:client.ip}\s-\s%{USERNAME:user.name}@%{DATA:user.domain}\s%{DATA}(?<event.outcome>(Success)|(Error))\s-\s%{DATA:event.reason}\s-\s%{GREEDYDATA:message}'
+        - '^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\s+%{NOTSPACE:host.domain}\s%{DATA}:%{IP:client.ip}%{DATA}(?<event.outcome>(Success)|(Error))\s-\s%{DATA:event.reason}\s-\s%{GREEDYDATA:message}'
         - '^%{GREEDYDATA:message}$'
+  - grok:
+      field: message
+      ignore_failure: true
+      ignore_missing: true
+      patterns:
+      - backing\sup\sdatabase\sto\s<%{DATA:pps.entry.path}>
+      - '[created|updated]\sentry\s<%{DATA:pps.entry.path}>'
+      - fetched\sthe\spassword\sfor\s<%{DATA:pps.entry.path}>$
+      - fetched\sthe\spassword\sfor\s<%{DATA:pps.entry.path}>\s-\s%{DATA:pps.entry.reason}$
+      - on\sentry\s<%{DATA:pps.entry.path}>\sfor\suser
+      - moved\sentry\s<%{DATA:pps.entry.path}>\sto\s<%{DATA:pps.entry.target.path}>
+      - created\sfolder\s<%{DATA:pps.entry.path}>$
+      - comment\srequirement\s<.*>\s[from|to]\s<%{DATA:pps.entry.path}>$
+      - notification\s.*>\s[from|to]\s<%{DATA:pps.entry.path}>$
+      - updated\sentry\s<%{DATA:pps.entry.path}>\schanging\sthe\sname\sfrom\s<%{DATA:pps.entry.name}>\sto\s<%{DATA:pps.entry.target.name}>
+  - grok:
+      field: message
+      ignore_failure: true
+      ignore_missing: true
+      patterns:
+      - \schanging\sthe\susername\sfrom\s<%{DATA:pps.entry.username}>\sto\s<%{DATA:pps.entry.target.username}>
   # Set the Event Outcome to Lower Case to be ECS Compliant
   - lowercase:
       field: event.outcome

packages/pps/data_stream/log/fields/fields.yml

@@ -0,0 +1,18 @@
+- name: pps.entry.path
+  type: keyword
+  description: Password Path
+- name: pps.entry.reason
+  type: keyword
+  description: Reason the user interacted with a password
+- name: pps.entry.name
+  type: keyword
+  description: The name of an entry in the password manager
+- name: pps.entry.target.name
+  type: keyword
+  description: The new name of an entry in the password manager if it was changed
+- name: pps.entry.username
+  type: keyword
+  description: The username of an entry in the password manager
+- name: pps.entry.target.username
+  type: keyword
+  description: The new username of an entry in the password manager if it was changed

packages/pps/docs/README.md

@@ -135,4 +135,10 @@ An example event for `log` looks as following:
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Log source address | keyword |
+| pps.entry.name | The name of an entry in the password manager | keyword |
+| pps.entry.path | Password Path | keyword |
+| pps.entry.reason | Reason the user interacted with a password | keyword |
+| pps.entry.target.name | The new name of an entry in the password manager if it was changed | keyword |
+| pps.entry.target.username | The new username of an entry in the password manager if it was changed | keyword |
+| pps.entry.username | The username of an entry in the password manager | keyword |
 

packages/pps/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: pps
 title: "Pleasant Password Server"
-version: "1.0.1"
+version: "1.1.0"
 source:
   license: "Apache-2.0"
 description: "Integration for Pleasant Password Server Syslog Messages"